Azure Files – Create File Shares in Azure and Authenticate via Azure AD Domain Services

Almost everyone is familiar with the traditional Windows file servers/ shared drives concepts and its a heavily used Windows Service. Users are very familiar with how to access those directories, request access to certain files and folders and request for file recovery if it’s deleted.
So far this mechanism has been used/ still using with on-premises files servers. 1 or 2 if not many file servers.

My guide includes
Create a Storage Account
Enable Azure Files feature
Enable Azure Active Directory Domain Services For a Hybrid Env. and map the Storage Account
Manage Files and Folders via Azure File Explorer
Map drives to client computers
Enable Azure Backup to protect Files

Traditional File Share Servers are good, but…..

  • Sometimes file shares are running in the server that runs AD DS. If the admin needs to restart the server for any issue, that needs to be pushed back until after hours or need to get all the users out of the servers. Save their documents and all the hassle
  • On going server maintenance on-prem or IaaS method. Adding more servers in to the mix is more footprint and more admin overhead
  • Disk space issues – managing the space. Add more hardware as an ongoing operation

Benefits of using Azure Files

  • Azure Files feature uses SMB 3.0 and uses it’s underlying Storage Account for Local Redundancy Storage (LRS) or Geo-Redundant Storage (GRS) options
    Network boundaries – Few options to limit access over selected networks and it won’t be exposed to outside. This can be via pre-configured Vnets and with Firewall rules for the Storage Account.

Requirements

  • An Azure Tenant with a subscription

How to Create a Storage Account

  • Go to the Recourse Group > Add > Search for Storage and select “Storage account – blob, file, table, queue” > Create
  • Select the Subscription
  • Enter a name for the Storage Account
  • Select the location, performance, Account Kind, Replication Type and access tier
  • Next page will be Networking. Select the options according to your requirement. This will limit access to the Storage Account from selected networks only. This can be setup later as well.
  • Check the Security tab for Advanced Security features. Also available to set later
  • Review and create

Enable Azure Files Feature & Create File Shares

  • Go in to the Storage Account just created in the previous step
  • Search for File Shares or click on the File Shares box
  • Click on + File Share button and enter the name and the drive size. Drive quota max size is 102400 GBs.
  • Press Create and the File Share will be created in few seconds.
  • Click on the File Share just created below options will be available
  • Connect – Provides the powershell string admins can use to map this to the user’s computer
  • Upload – Upload files from the admin panel
  • Add Directory – create folders
  • Edit Quota – Change the previously allocated size (up or down)

Connect the File Share with a logon script

The more traditional way is to add this as a logon script GPO for the user configuration and that will map the drives when the respective user logs in to the computer.
The file share in the storage account will provide you a UNC path which can be mapped via a GPO if required.
net use <desired-drive-letter>: \\<storage-account name>.file.core.windows.net\<share-name>

Manage File Permissions via Azure AD Domain Services in a Hybrid Environment

  • How Azure ADDS Works
    Briefly put, Azure ADDS is the managed service by Azure. This eliminates the admin overhead of extending the Windows domain infrastructure to the cloud with Site-to-site VPN or Express route and setting up Domain Controllers to authenticate DNS/ GPOs/ Security groups, permissions and authentication requests for the services that’s provisioned inside the Azure infrastructure.
    Azure ADDS is a feature that can be provisioned in the Azure tenant once you have the subscription and a Recourse Group.

More on Azure AD DS, check here

  • Authenticate the Storage Account to Azure ADDS
    I’m taking the common scenario where the organization is already on On-Premises AD DS services and have an Office 365 portal with Azure AD Connect Sync installed so the user objects will sync from the On-premises AD to Azure AD.

What wee need to understand here is we habe the user objects and the group objects synced so the Identity can be used to other apps and services, but to that method will bot be able to give the opportunity to use On-premises ACLs, GPOs and the traditional Windows elements on the cloud.
Thats where the use of Azure AD Domain Services feature comes into play.

Steps to authenticate the local AD ACLs to AADDS

  • Prereqs – Download AzFilesHybrid module from this LINK
  • Run the below commands from the domain joined computer. Makes sure you have the elevated permissions for Powershelll

    Run Import-Module -Name AzFilesHybrid
    Run Connect-AzAccount
    Run Select-AzSubscription -SubscriptionId “<your-subscription-id-here>”
    Join-AzStorageAccountForAuth -ResourceGroupName <RGname> -Name <StorageAccountName> -DomainAccountType ComputerAccount
  • Run the below script to enable the feature on the previously created Storage Account in the local AD

    Set-AzStorageAccount -ResourceGroupName “<your-resource-group-name-here>” -Name “<your-storage-account-name-here>”
    -EnableActiveDirectoryDomainServicesForFile $true
    -ActiveDirectoryDomainName “<your-domain-name-here>”
    -ActiveDirectoryNetBiosDomainName “<your-netbios-domain-name-here>” -ActiveDirectoryForestName “<your-forest-name-here>” -ActiveDirectoryDomainGuid “<your-guid-here>”
    -ActiveDirectoryDomainsid “<your-domain-sid-here>”
    -ActiveDirectoryAzureStorageSid “<your-storage-account-sid>”

    Run get-addomain to get the ActiveDirectoryDomainsid and ActiveDirectoryDomainGuid
  • Enable Share Root Level permissions so the users will be able to access the top-level shares before they access the NTFS level
    To perform this – go to the file share > Access Control (IAM) > Role Assignments > Add > Add Role Assignments > Select a Role as below.
    And Select the AD User or the AD Group so they will be be allocated with the top level share access.
  • When you setting up the Shares 1st, you can provide Storage File Data SMB Share Elevated Contributor role and can access the NTFS permissions to other users as you normally do by right-cicking the share folder.
  • From this point on wards, its all normal traditional windows method of providing access to the users.
Selecting the role for the Root Level Access

End result on the user computer after setting up appropriate permissions

 

Connect Azure Backup and Site Recovery

  • Add the feature from the Azure Marketplace. Look for Backup and Site Recovery
  • Create the Recovery Services Vault in the same previous Resource Group
  • Review and Create

Adding the Service to the Fie Shars

  • Go to the Vault in the Resource Group
  • Click on Backup
  • Select What you need to backup. In this case “Azure FileShare”
  • Hit Backup

Next steps of backup

  • Select the Storage Account
  • Select the File Shares to be backed up
  • Create the backup policy (Hourly or Custom)
  • Click on Enable Backup
  • Now when you go to the Backupp Items, you’ll see the status
  • There are more reports, alerts and other options and specially restore files and folders in the Recovery Service Vault which can be useful

Note – A lock in the Storage Account will be created for the backups after you setup backups. This is to protect the file deletions.

Pricing

More details on Azure ADDS Pricing will be available here
More details on Azure Backup Pricing will be available here

I’m keen on testing Windows Storage Migration Service that comes in the new Windows Admin Console and migrate the hosted file shares to Azure Files and see how easily you can get rid of the local file servers and maintain the same file/ folder level NTFS permission in Azure. Looking forward to share my experience soon!
Until then.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.