Channel: Azure Active Directory forum

Unable to connect to Azure AAD/AD DS enabled file share from Windows 10 on premises


I followed the guidance in the Azure Storage article and, whilst I am able to connect a VM in Azure to my shares over SMB with AAD authentication, I am unable to connect a PC from my premises without the storage access key. We would like to use Azure Files in a 100% cloud environment with authentication handled by Azure AD/AD DS. We don't have any on-premises servers and so Azure File Sync isn't an option.

Steps I followed:

  1. Set up Azure AD Domain Services.  This has now been online around 48 hours.
  2. Set up a completely new storage account for my users in Australia - abaustralia.
  3. Set up a security group, 'SEC-AU-AllStaff', in Azure AD. Waited for those to synchronise to AD DS.
  4. I added myself as a member of SEC-AU-AllStaff.
  5. I went to Storage Accounts\abaustralia\Access Control (IAM) and added myself to have the 'Storage File Data SMB Share Elevated Contributor' role.
  6. I spun up a Windows Server 2016 VM in Azure on the same Vnet as AD DS. I then domain joined it and connected to the file share using the storage access key and used icacls to grant read permission to SEC-AU-AllUsers at the root level of the file share: icacls Z: /grant "DOMAINNAME\SEC-AU-AllStaff:(R)". This succeeded.
  7. I used cmdkey /delete to remove the stored access key for the storage account and rebooted.
  8. Upon restarting the VM I was able to connect with net use on the domain-joined Windows Server 2016 VM.

That is all good and works as per the guidance. However, three separate Azure AD-joined VMs running Windows 10, signed in with my account or a test account that is also a member of DOMAINNAME\SEC-AU-AllStaff, are unable to access the file share. Running net use asks for a password; when the correct one is provided, System error 86 is returned:

net use z: \\abaustralia.file.core.windows.net\australia

Enter the username for 'abaustralia.file.core.windows.net': aus.test@aqualisbraemar.com

Enter the password for abaustralia.file.core.windows.net:
System error 86 has occurred.

The specified network password is not correct.

I tried providing credentials in both DOMAINNAME\user and domain.com\user formats. Nothing works.

The documentation does not stipulate that on-premises machines cannot use Azure Files with AAD authentication over SMB. I did find it mentioned in a few other places, e.g. here, where it says "Azure AD authentication over SMB is not supported for on-prem machines accessing Azure Files using either AD or AAD credentials." This, however, isn't listed on the current Microsoft Docs documentation, so presumably that restriction has gone away. In which case, what am I doing wrong?
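A client-side pre-flight check for the prerequisites the steps above rely on (SMB reachability on TCP 445, the device's join state, and a Kerberos ticket for the share's SPN), added here as an example and not part of the original post. It assumes the storage account and share names from the post ('abaustralia', 'australia'); the resource group for the optional storage-account check is a placeholder you must supply.

```powershell
# Added diagnostic, not from the original post. Run in an elevated PowerShell on the
# Windows 10 client as the user who should get access. Assumed: storage account
# 'abaustralia', share 'australia'; -ResourceGroup is a placeholder for the optional
# server-side check (requires the Az.Storage module and Reader access).
param(
    [string]$StorageAccount = "abaustralia",
    [string]$Share          = "australia",
    [string]$ResourceGroup  = ""
)
$fqdn    = "$StorageAccount.file.core.windows.net"
$results = @()

# 1. SMB needs TCP 445 to the Azure Files endpoint; many ISPs and office edges block it.
$tcp = Test-NetConnection -ComputerName $fqdn -Port 445 -WarningAction SilentlyContinue
$results += [pscustomobject]@{ Check = "TCP 445 to $fqdn"; Result = $tcp.TcpTestSucceeded }

# 2. Join state. 'AzureAdJoined : YES' is not the same as 'DomainJoined : YES' against the
#    AD DS domain the storage account trusts; identity-based SMB auth needs the latter.
$ds = dsregcmd /status
foreach ($key in 'AzureAdJoined', 'DomainJoined') {
    $line  = $ds | Select-String -Pattern "^\s*$key\s*:\s*(\S+)" | Select-Object -First 1
    $value = if ($line) { $line.Matches[0].Groups[1].Value } else { 'unknown' }
    $results += [pscustomobject]@{ Check = "dsregcmd $key"; Result = $value }
}

# 3. Kerberos. Identity-based access to Azure Files is Kerberos only: the client must be
#    able to obtain a service ticket for cifs/<fqdn>. Without one, Windows falls back to
#    prompting for credentials instead of mapping the share silently.
$kerb   = klist get "cifs/$fqdn" 2>&1
$gotTgs = [bool]($kerb | Select-String -Pattern 'Server:\s+cifs/' -Quiet)
$results += [pscustomobject]@{ Check = "Kerberos ticket cifs/$fqdn"; Result = $gotTgs }

# 4. Does the share open with the current logon credentials, without a password prompt?
$results += [pscustomobject]@{ Check = "Test-Path \\$fqdn\$Share"; Result = (Test-Path "\\$fqdn\$Share") }

# 5. Optional, storage-account side: DirectoryServiceOptions should read 'AADDS' for an
#    account configured for Azure AD Domain Services authentication.
if ($ResourceGroup) {
    $sa = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount
    $results += [pscustomobject]@{ Check = "DirectoryServiceOptions"
                                   Result = $sa.AzureFilesIdentityBasedAuth.DirectoryServiceOptions }
}

$results | Format-Table -AutoSize
```

If check 3 shows no ticket while a domain-joined VM on the AD DS VNet does get one, the difference is in the client's join and Kerberos path, not in the share ACLs or the IAM role.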
