Azure Files: No Active Directory Setup
Storage
Jul 17, 2026 7:23 PM

Azure Files: No Active Directory Setup

by HubSite 365 about Jonathan Edwards

No-Faffing Managed IT Support & Cyber Security Support. Made in Yorkshire, built for the UK.

Azure Files with Microsoft Entra RBAC and Intune for secure file shares, no AD or storage keys, Microsoft ThreeSixtyFive

Key insights

  • Azure Files with Entra ID Kerberos: Use cloud-only Entra ID identities to authenticate SMB file shares without deploying Active Directory or Entra Domain Services.
    This gives identity-based access while removing domain controllers and on-prem sync requirements.

  • Core setup steps: Create a StorageV2 account and resource group, make file shares (one per department), enable Entra ID Kerberos on the share, then disable storage account key access.
    Assign appropriate Azure RBAC roles to control who can mount and manage each share.

  • Authentication and permissions: Clients authenticate with Kerberos tickets issued by Entra ID and Azure Files enforces Windows ACLs on folders and files.
    Use share-level RBAC roles such as Storage File Data SMB Share Contributor for granular access control.

  • Device and access controls: Grant necessary admin consent in Entra ID and apply device policies via Intune so only compliant devices can connect.
    Protect file access with Conditional Access and multifactor authentication for stronger security.

  • Redundancy, backup and cost: Pick the right redundancy (LRS/ZRS/GRS/GZRS) for durability and latency needs, enable Azure Backup for file-level recovery, and use the Azure Pricing Calculator to estimate costs.
    Balance performance, resilience and budget for a production deployment.

  • Testing and production checklist: Test from a Windows device to validate authentication and simulate denied-access scenarios before rollout.
    Follow best practices: one share per department, disable account keys, enable backup, audit access logs, and monitor performance for a secure production-ready setup.

Overview

The YouTube video by Jonathan Edwards explains how to set up Azure Files with Microsoft Entra native permissions without using Active Directory. It aims to give IT teams a production-ready path that removes the need for domain controllers while keeping file-level control. Moreover, the presentation balances practical steps with explanations about pricing and redundancy choices.


In addition, the presenter walks viewers through real-world decisions for a fictional law firm, which helps illustrate common administrative concerns. He also uses clear demos to show how permissions and access behave in practice. As a result, the guidance feels applicable to both cloud-first organizations and teams migrating from on-premises file servers.


Finally, the video includes structured chapters that break the setup into manageable tasks such as storage creation, key management, and device configuration. This chapter structure aids viewers who want to follow the process step by step. Consequently, the tutorial supports both quick reference and deeper review.


Step-by-step Setup Walkthrough

First, Jonathan shows how to create a StorageV2 account and recommends performance tiers based on latency needs. Then he explains how to create separate file shares for departments to keep data organized and manageable. Next, he demonstrates disabling storage account key access and enabling identity-based authentication to reduce static credential exposure.


Following that, the video covers turning on Entra ID Kerberos for SMB access and granting the appropriate roles through the portal. He also assigns specific RBAC roles such as Storage File Data SMB Share Contributor to control share-level permissions. Finally, he shows how to configure Intune device policies so managed devices can acquire Kerberos tickets for seamless access.


Testing completes the workflow when the presenter mounts the share from a Windows device and walks through an access-denied demo before and after permissions are applied. This hands-on test highlights how identity-based access differs from key-based or AD-joined models. Therefore, teams get both the configuration steps and the verification method in one run-through.


Security and Access Control

The video emphasizes that identity-based SMB access lets organizations leverage modern controls like multi-factor authentication and conditional access. In particular, replacing storage keys with Entra authentication reduces long-lived secrets and improves auditability. As a result, security teams can apply centralized policies across file access in a familiar way.


Moreover, the presenter notes that Windows ACLs still work, so administrators can maintain granular directory and file permissions. However, he also points out the need to map Entra groups carefully to avoid over-permissioning. Thus, administrators must plan group membership and role assignments to keep the principle of least privilege.


Backup and redundancy are also covered, with suggestions to evaluate service tiers and geo-replication based on business continuity needs. He demonstrates using Azure Backup for Files to protect against accidental deletions and ransomware. Consequently, teams should pair the identity model with robust backup policies to balance agility and risk.


Tradeoffs and Operational Challenges

Removing Active Directory simplifies architecture but introduces tradeoffs in hybrid scenarios that still rely on on-prem identities. For example, organizations that depend on legacy NTFS tools or complex AD group nesting will face migration tasks and possible permission gaps. Therefore, planning the cutover and mapping ACLs requires careful testing and possibly migration tooling.


Another challenge is client compatibility and Kerberos ticketing behavior across VPNs and non-managed endpoints. While Intune-managed devices work smoothly in the demo, unmanaged or third-party clients may need additional configuration. Consequently, teams must evaluate their device mix and possibly enforce managed-device access through conditional access policies.


Finally, scaling and monitoring can create operational overhead when many shares and groups exist, because RBAC assignment and auditing become more complex. He recommends naming conventions and tag-based organization to simplify management. Thus, operations teams should invest in documentation and monitoring to keep the environment sustainable.


Testing, Best Practices, and Recommendations

Jonathan encourages testing in a development subscription before rolling out to production to validate access flows and backup restores. He also suggests disabling storage account keys early in the process to force identity-based access and reduce accidental key exposure. As a result, teams gain confidence that permissions behave as intended under real conditions.


Furthermore, he advises using separate shares per department and assigning RBAC roles at the appropriate scope to limit blast radius. In addition, pairing Entra conditional access with Intune device compliance helps ensure that only authorized, managed devices can mount shares. Therefore, organizations should combine identity, device, and data controls for a layered defense.


In conclusion, the video by Jonathan Edwards provides a clear, actionable path to run Azure Files without Active Directory, while acknowledging the tradeoffs and operational work needed for hybrid and large-scale environments. By following his step-by-step configuration and testing guidance, IT teams can adopt a modern file access model that reduces key management and leverages Entra security features. Ultimately, the approach works well for cloud-first organizations that are ready to plan for migration and governance.


Storage - Azure Files: No Active Directory Setup

Keywords

Azure Files setup, Azure Files without Active Directory, Configure Azure file share, Mount Azure file share Windows, Mount Azure file share Linux, Azure Files SMB setup, Azure Files NFS setup, Azure Files authentication options