Configure identity-based access for Azure Files

Configure access to storage

📘Microsoft Certified: Azure Administrator Associate (AZ-104)


Part 1: Configure Identity-Based Access for Azure Files

Identity-based access means that access to the file share is controlled using user or computer identities instead of fixed passwords or storage keys. This is the recommended and most secure method.

Azure supports three identity methods for Azure Files:


1. Azure AD DS Authentication for SMB (Classic AD DS Method)

This method is used when:

  • Your company uses Active Directory Domain Services (AD DS) on-premises.
  • You need Kerberos authentication for servers accessing Azure File shares.
  • You connect to Azure through VPN or ExpressRoute.

How it works:

  • Your on-prem AD DS is synced to Azure using Azure AD Connect.
  • Azure Files is domain-joined to AD DS.
  • User permissions are assigned using NTFS ACLs.

Where it is used:

  • For Windows Server virtual machines in Azure.
  • For on-prem servers that need cloud file shares.
  • For lift-and-shift file server implementations.

Steps (High-Level):

  1. Sync on-prem AD to Azure AD using Azure AD Connect.
  2. Enable AD DS authentication for the storage account.
  3. Domain-join the storage account.
  4. Configure NTFS permissions using:
    • Windows File Explorer, or
    • icacls, or
    • Set-Acl PowerShell cmdlets.
  5. Mount the share using SMB (example: net use Z:).

2. Azure Active Directory (Azure AD) Kerberos Authentication for SMB

This is a modern, cloud-only identity option.

Use this method when:

  • You do NOT have on-prem AD.
  • You want to use Azure AD identities directly to access SMB shares.
  • Your environment includes Azure AD-joined or hybrid-joined machines.

How it works:

  • Azure AD issues Kerberos tickets to authenticate users.
  • No domain controller is needed—it’s fully cloud-based.

Requirements:

  • Windows 10/11 or Windows Server 2022.
  • Azure AD-joined or hybrid-joined machines.
  • SMB 3.1.1.

Steps (High-Level):

  1. Enable Azure AD Kerberos for the tenant.
  2. Enable Azure AD authentication on the storage account.
  3. Assign Azure RBAC roles:
    • Storage File Data SMB Share Reader
    • Storage File Data SMB Share Contributor
    • Storage File Data SMB Share Elevated Contributor
  4. Configure NTFS permissions.
  5. Mount the share normally using SMB.

Important Notes for Exam:

  • Azure AD RBAC grants permission to the file share, NOT NTFS.
  • NTFS ACLs still apply inside the share.
  • You need both: RBAC + NTFS ACLs for full access.

3. SAS Access for Non-SMB & Applications (For REST Access)

If an application accesses Azure Files using REST API instead of SMB, you may configure:

  • Shared Access Signatures (SAS)
  • Stored access policies
  • Access keys

But this is NOT identity-based, so it is less secure.

Identity-based access is always preferred for users.
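Where REST access really is needed (section 3 above), the least risky shape is a short-lived, read-only SAS tied to a stored access policy, because the policy can be deleted to revoke every token issued against it without regenerating the account key. The following PowerShell is an added example, not part of the original notes; the resource group, storage account, share and policy names are placeholders, and it assumes the Az.Storage module and an active Connect-AzAccount session.

```powershell
# Added example (not from the original notes): issue a revocable, read-only share SAS.
# Placeholders: resource group, storage account, share and policy names.

$resourceGroup  = "MyRG"
$storageAccount = "mystorageaccount"
$shareName      = "sharename"
$policyName     = "app-readonly-7d"

# Building a share SAS requires the account key, so fetch it from Azure
# at run time rather than pasting it into a script or config file.
$key = (Get-AzStorageAccountKey -ResourceGroupName $resourceGroup -Name $storageAccount)[0].Value
$ctx = New-AzStorageContext -StorageAccountName $storageAccount -StorageAccountKey $key

# Stored access policy: read (r) + list (l) only, valid for 7 days.
# Permissions and expiry live on the policy, not inside the token.
New-AzStorageShareStoredAccessPolicy -ShareName $shareName -Policy $policyName `
    -Permission "rl" -StartTime (Get-Date) -ExpiryTime (Get-Date).AddDays(7) -Context $ctx

# SAS that references the policy; HTTPS only, returned as a full URI for the application.
$sasUri = New-AzStorageShareSASToken -ShareName $shareName -Policy $policyName `
    -Protocol HttpsOnly -FullUri -Context $ctx
$sasUri

# Revocation: removing the policy invalidates every SAS issued against it.
# Remove-AzStorageShareStoredAccessPolicy -ShareName $shareName -Policy $policyName -Context $ctx
```

Because the token carries only a reference to the policy, shortening the expiry or removing the policy takes effect immediately for all tokens already handed out, which is the property an ad-hoc SAS (permissions and expiry baked into the token) lacks.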


Azure RBAC Roles for Azure Files

These roles control access at the storage account or file share level:

1. Storage File Data SMB Share Reader

  • Read files and list directory contents.

2. Storage File Data SMB Share Contributor

  • Read, write, and delete files.
  • Cannot modify share-level properties.

3. Storage File Data SMB Share Elevated Contributor

  • Full control including setting NTFS permissions.

4. Storage File Data Privileged Contributor

  • Manage share-level settings.

RBAC works together with NTFS permissions.


⛔ Exam Warning: Dual Permission Model

To access an Azure File share using SMB, the user must have:

  1. RBAC permission at the Azure level, AND
  2. NTFS ACL permissions inside the share

If either one is missing, access is denied.


Mounting Azure File Shares

Windows (with identity-based access)

net use Z: \\storageaccountname.file.core.windows.net\sharename

Linux (SMB)

sudo mount -t cifs //storageaccountname.file.core.windows.net/sharename /mnt/share
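Putting the Part 1 steps, the dual-permission model and the Windows mount together, the PowerShell below grants a share-level RBAC role, mounts the share with the signed-in identity, sets an NTFS ACL inside it and then verifies both layers. It is an added example, not code from the original notes: the subscription id, resource group, storage account, share name and the jdoe@contoso.com user are placeholders, it assumes the Az.Resources module with an active Connect-AzAccount session, and it assumes the machine is Azure AD-joined or hybrid-joined so that the UPN resolves when icacls applies the ACL.

```powershell
# Added example (not from the original notes): configure and verify both halves of the
# dual-permission model for one user on one share. All names below are placeholders.

$subscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder
$resourceGroup  = "MyRG"
$storageAccount = "storageaccountname"
$shareName      = "sharename"
$userUpn        = "jdoe@contoso.com"                       # placeholder user

# 1. RBAC at the FILE-SHARE scope (the Azure-level half). Scoping to the share rather than
#    the whole storage account keeps the grant to the least privilege actually needed.
$shareScope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
              "/providers/Microsoft.Storage/storageAccounts/$storageAccount" +
              "/fileServices/default/fileshares/$shareName"

New-AzRoleAssignment -SignInName $userUpn `
    -RoleDefinitionName "Storage File Data SMB Share Contributor" `
    -Scope $shareScope

# 2. Mount over SMB with the current identity: no storage key appears on the command line.
$uncPath = "\\$storageAccount.file.core.windows.net\$shareName"
net use Z: $uncPath

# 3. NTFS ACL inside the share (the second half). (OI)(CI) inherits to files and subfolders;
#    M = Modify, deliberately not Full Control.
icacls "Z:\" /grant "${userUpn}:(OI)(CI)M"

# 4. Verify: the RBAC assignment on the share, then the NTFS entry on the share root.
#    If either list is empty for the user, SMB access will be denied.
Get-AzRoleAssignment -Scope $shareScope |
    Select-Object DisplayName, RoleDefinitionName, Scope

(Get-Acl "Z:\").Access |
    Where-Object { $_.IdentityReference -like "*jdoe*" } |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags, AccessControlType
```

The two verification commands map directly onto the exam warning: the first shows the Azure-level grant, the second the share-internal ACL, and access works only when both return an entry for the user.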

Part 2: Manage Access Keys (AZ-104 Exam Requirement)

Every storage account has two access keys:

  • Key1
  • Key2

These keys provide full access to:

  • Blobs
  • Files
  • Queues
  • Tables

Access keys act like root passwords for the storage account.


Why Do You Have Two Keys?

Two keys allow you to rotate (regenerate) keys without downtime.

Example:

  • Applications use Key1.
  • You regenerate Key1.
  • Update applications to use Key2.
  • Then regenerate Key2.

This is a best practice for security.


Where to Manage Access Keys

Azure Portal → Storage Account → Security + networking → Access keys

From here you can:

  • View connection strings
  • Regenerate keys
  • Copy keys

Regenerating Access Keys

When you regenerate a key:

  • All applications using that key stop working until you update their configuration.
  • This is why rotation planning is important.

Azure CLI:

az storage account keys list -g MyRG -n MyStorage
az storage account keys renew -g MyRG -n MyStorage --key primary

PowerShell:

Get-AzStorageAccountKey -ResourceGroupName MyRG -Name mystorageaccount
New-AzStorageAccountKey -ResourceGroupName MyRG -Name mystorageaccount -KeyName key1
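The two-key design only avoids downtime if applications are moved off a key before that key is regenerated. The function below is an added example, not from the original notes, that carries the rotation through both keys in that order; it assumes applications read the key from a Key Vault secret (best practice 3 below), so that secret is the single place the new value is published. Resource group, storage account, vault and secret names are placeholders, and the Az.Storage and Az.KeyVault modules are assumed.

```powershell
# Added example (not from the original notes): zero-downtime rotation of both account keys.
# Applications are assumed to read the key from one Key Vault secret; all names are placeholders.

function Invoke-StorageKeyRotation {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $StorageAccountName,
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $SecretName,
        # Time to let applications re-read the secret before the old key is regenerated.
        [int] $PropagationSeconds = 60
    )

    # Current value of a named key (key1 or key2).
    function Get-KeyValue([string] $KeyName) {
        (Get-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $StorageAccountName |
            Where-Object KeyName -eq $KeyName).Value
    }

    # Publish a key to the secret the applications read, then wait for caches to refresh.
    function Publish-Key([string] $Value) {
        $secure = ConvertTo-SecureString -String $Value -AsPlainText -Force
        Set-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -SecretValue $secure | Out-Null
        Start-Sleep -Seconds $PropagationSeconds
    }

    # Step 1: move applications to key2 BEFORE key1 is touched.
    Publish-Key (Get-KeyValue 'key2')
    Write-Host "Applications now use key2; key1 is free to regenerate."

    # Step 2: regenerate key1 (nothing is using it).
    New-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $StorageAccountName `
        -KeyName key1 | Out-Null

    # Step 3: move applications to the fresh key1, which frees key2.
    Publish-Key (Get-KeyValue 'key1')
    Write-Host "Applications now use the new key1; key2 is free to regenerate."

    # Step 4: regenerate key2. Both keys are now fresh; neither was regenerated while in use.
    New-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $StorageAccountName `
        -KeyName key2 | Out-Null
}

Invoke-StorageKeyRotation -ResourceGroupName MyRG -StorageAccountName mystorageaccount `
    -VaultName my-keyvault -SecretName storage-account-key
```

The PropagationSeconds wait is the practical caveat: an application that caches the secret will still present the old key until it refreshes, so the delay (or an explicit health check of the application) belongs between every publish and the regeneration that follows it.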

Best Practices for Managing Access Keys (Exam Critical)

  1. Avoid using account keys whenever possible.
    Use identity-based access instead.
  2. Rotate keys regularly.
  3. Use Key Vault to store secrets.
  4. Use SAS tokens instead of sharing access keys.
  5. Never hardcode storage account keys in application code.
  6. Disable Shared Key access (Preview Feature).
    • Enforces Azure AD authentication only.
    • Improves security.
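Best practice 6 is easiest to apply consistently when every storage account in the subscription is checked first. The following PowerShell is an added example, not from the original notes: it reports which accounts still allow Shared Key access and, only when run with -Enforce, turns it off. It assumes the Az.Storage module and an active Connect-AzAccount session scoped to the subscription of interest.

```powershell
# Added example (not from the original notes): audit, and optionally enforce, the
# "Shared Key access disabled" setting across all storage accounts in the current subscription.
# Disabling Shared Key also stops SAS tokens and key-based mounts for that account, so audit
# first and confirm nothing still depends on the key before using -Enforce.

function Get-SharedKeyExposure {
    param([switch] $Enforce)

    foreach ($account in Get-AzStorageAccount) {
        # A $null value means the property was never set, which Azure treats as "allowed".
        $allowed = $account.AllowSharedKeyAccess -ne $false

        if ($allowed -and $Enforce) {
            Set-AzStorageAccount -ResourceGroupName $account.ResourceGroupName `
                -Name $account.StorageAccountName -AllowSharedKeyAccess $false | Out-Null
            $allowed = $false
        }

        [pscustomobject]@{
            StorageAccount   = $account.StorageAccountName
            ResourceGroup    = $account.ResourceGroupName
            SharedKeyAllowed = $allowed
        }
    }
}

# Report only (safe to run at any time):
Get-SharedKeyExposure | Format-Table -AutoSize

# Enforce Azure AD-only authentication on every account still allowing Shared Key:
# Get-SharedKeyExposure -Enforce
```

Treating an unset property as "allowed" is deliberate: the default for a storage account is to permit Shared Key, so an audit that only flagged accounts explicitly set to $true would miss most of them.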

Identity-Based Access vs Access Keys (Exam Comparison Table)

Feature                       | Identity-Based Access   | Access Keys
------------------------------|-------------------------|------------
Authentication                | Azure AD / AD DS        | Shared key
Security                      | Very high               | Medium
Supports granular permissions | Yes (RBAC + NTFS)       | No
Recommended for users         | Yes                     | No
Recommended for apps          | Yes (Managed Identity)  | Sometimes
Rotatable                     | Not needed              | Required

When to Use What? (Exam View)

Scenario                                    | Recommended Method
--------------------------------------------|-----------------------
Users accessing SMB share                   | Identity-based + NTFS
Azure VM accessing file share               | Identity-based
On-prem server via VPN                      | AD DS authentication
Application needing temporary REST access   | SAS token
Legacy application requiring storage keys   | Access keys

Final Summary for AZ-104 Exam

You should understand:

✔ Identity-based SMB access

  • Azure AD Kerberos
  • Azure AD DS
  • NTFS permissions
  • RBAC roles
  • Dual-permission model

✔ Managing access keys

  • Key rotation
  • Two-key system
  • CLI/PowerShell commands
  • Best practices

✔ Difference between identity authentication and key-based authentication
