Azure Active Directory & Files Preview: Maximizing Hybrid Identities
Oct 19, 2022 7:51 PM


by HubSite 365 about Microsoft


Revolutionize hybrid identity authentication with Azure AD Kerberos! Seamless Azure Files integration now open to all!

Microsoft recently announced the General Availability of a feature that integrates Azure Files with Azure Active Directory (Azure AD) Kerberos for hybrid identities. With it, identities in Azure AD can mount and access Azure file shares without line-of-sight to an Active Directory domain controller.

Previously, Azure Files offered identity-based authentication over Server Message Block (SMB) with two domain services: on-premises Active Directory Domain Services (AD DS) and Azure Active Directory Domain Services (Azure AD DS). The former requires line-of-sight to a domain controller; the latter requires deploying Azure AD DS and domain-joining clients to it.

Azure AD Kerberos, the new addition, lets Azure AD issue Kerberos service tickets over HTTPS to service applications within Azure, removing both the separate domain service and the line-of-sight requirement when authenticating to Azure Files. Two conditions apply: clients connecting to Azure Files must be Azure AD-joined or hybrid Azure AD-joined, and the user identities must be hybrid identities, originating in and managed in Active Directory.

How you use Azure AD Kerberos with Azure Files depends on your authentication requirements. If your organization already uses Azure AD, that same authentication solution now extends to Azure Files with no additional domain service to manage. If you run on-premises AD and file servers, you can start a migration by syncing identities to Azure AD, then move your file servers to Azure Files and take advantage of the cloud for file server scenarios.

Organizations that prefer to keep AD on-premises can continue managing permissions through on-premises domain services, without syncing them to Azure AD, by setting a single share-level permission for all authenticated users. Default share-level permissions work well with Azure AD Kerberos and Azure Files, and this announcement also brings a simplified Azure Portal experience for setting them.

Microsoft has published step-by-step guidance for enabling and configuring Azure AD Kerberos for Azure Files and for setting default share-level permissions; see the official documentation page for details.

Further Insights Into The Main Topic

The introduction of Azure AD Kerberos is a significant step forward for hybrid identities. It streamlines operations, removes the need for additional domain services, and improves the overall user experience. Together with Azure Files, it gives organizations a single ecosystem for managing files and permissions, whether identities are managed on-premises or in the cloud, and opens up new possibilities for file server scenarios.

Read the full article Maximizing Hybrid Identities: Azure Active Directory Kerberos & Azure Files Preview


Learn about Maximizing Hybrid Identities: Azure Active Directory Kerberos & Azure Files Preview

The Azure Active Directory platform is evolving rapidly, and one standout feature is support for issuing Kerberos tickets over HTTP(S), which makes accessing Azure Files across hybrid infrastructure seamless. This development ties Azure Active Directory and Azure Files together, so let's break down what the integration offers and how to take advantage of it.

First, some background: Azure Files previously supported identity-based access over Server Message Block (SMB) only with two types of domain services, on-premises Active Directory Domain Services and Azure Active Directory Domain Services. Both had limitations, such as needing line-of-sight to a domain controller or an extra deployment on Azure AD. With Kerberos over HTTP(S), those issues are history.

This feature not only removes the need to set up another domain service but also drops the requirement for line-of-sight to a domain controller when accessing Azure file shares. The key requirements are that clients connecting to cloud file shares must be Azure AD-joined or hybrid Azure AD-joined, and that user identities must be hybrid, originating in and managed in Active Directory.

How is this beneficial?

  • For companies already on Azure AD, Kerberos over HTTP(S) makes it simple to use the same identity solution with Azure Files. For instance, if your setup includes Office 365, no additional domain management is needed.
  • For on-premises AD, you can start by syncing to Azure AD and migrating file servers afterward, opening the way to using the cloud for a range of file server scenarios. Once cloud-based identities are supported, further steps toward switching to Azure AD can follow.
  • If policy reasons, as in some financial institutions, make on-premises AD the right choice, the feature supports keeping AD on-premises and managing identities there. Permissions are then managed through on-premises domain services, with less that needs to be synced to Azure AD.

To get up and running, you enable Azure AD Kerberos, configure it for Azure Files, and set default share-level permissions. Further information, including a demo of configuring Azure AD Kerberos and more on default share-level permissions, is available on the relevant documentation pages, as is information about FSLogix user profile support.
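The three steps above, carried through in Az PowerShell as an added example for this article (it is not Microsoft's own script and not code from the original post). It assumes an active Connect-AzAccount session with rights on the storage account, and a domain-joined Windows machine with the ActiveDirectory RSAT module for the domain lookup; every resource name is a placeholder. The verification step checks that the account really reports AADKERB before any client is pointed at it, and the default share-level permission is set to the least privilege the workload needs rather than the broadest value available.

```powershell
# Added example (not Microsoft's script): enable Azure AD Kerberos on an
# Azure Files storage account, set a default share-level permission, and
# verify the result. Assumes Az PowerShell with a Connect-AzAccount session
# and, for step 1, a domain-joined machine with the ActiveDirectory module.
$ResourceGroup  = "rg-files-placeholder"    # placeholder
$StorageAccount = "stfilesplaceholder"      # placeholder
$ShareName      = "share-placeholder"       # placeholder

# 1. Name and GUID of the on-premises AD domain that owns the hybrid
#    identities; Azure AD Kerberos needs both to issue tickets for that realm.
$domainInfo = Get-ADDomain
$domainName = $domainInfo.DnsRoot
$domainGuid = $domainInfo.ObjectGUID.ToString()

# 2. Enable Azure AD Kerberos for Azure Files on the storage account.
Set-AzStorageAccount -ResourceGroupName $ResourceGroup `
    -StorageAccountName $StorageAccount `
    -EnableAzureActiveDirectoryKerberosForFile $true `
    -ActiveDirectoryDomainName $domainName `
    -ActiveDirectoryDomainGuid $domainGuid

# Manual follow-up in the portal (per Microsoft's documentation): enabling the
# feature registers an Azure AD application named
# "[Storage Account] <account>.file.core.windows.net". An administrator must
# grant admin consent to its API permissions, and the application must be
# excluded from Conditional Access policies that enforce MFA, because the
# Kerberos ticket request cannot satisfy an interactive MFA prompt.

# 3. Default share-level permission for all authenticated users. Choose the
#    least privilege the workload needs: Reader for read-only content,
#    Contributor where users write files. Broader rights belong in explicit
#    role assignments, not in the default.
Set-AzStorageAccount -ResourceGroupName $ResourceGroup `
    -StorageAccountName $StorageAccount `
    -DefaultSharePermission StorageFileDataSmbShareReader

# 4. Verify the account state before pointing clients at it.
$account = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount
$auth = $account.AzureFilesIdentityBasedAuth
if ($auth.DirectoryServiceOptions -ne 'AADKERB') {
    throw "Expected DirectoryServiceOptions AADKERB, got '$($auth.DirectoryServiceOptions)'"
}
"Directory service : $($auth.DirectoryServiceOptions)"
"Domain            : $($auth.ActiveDirectoryProperties.DomainName) ($($auth.ActiveDirectoryProperties.DomainGuid))"
"Default share perm: $($auth.DefaultSharePermission)"

# 5. On an Azure AD-joined or hybrid Azure AD-joined client, confirm SMB
#    reachability and mount the share. No domain controller is contacted;
#    the Kerberos ticket comes from Azure AD over HTTPS.
$endpoint = "$StorageAccount.file.core.windows.net"
Test-NetConnection -ComputerName $endpoint -Port 445 |
    Select-Object ComputerName, TcpTestSucceeded
New-PSDrive -Name Z -PSProvider FileSystem -Root "\\$endpoint\$ShareName" -Persist
```

Steps 1 to 4 run from an administrator's workstation; step 5 belongs on the client being validated. If the mount in step 5 fails while step 4 passes, the usual causes are the missing admin consent or an MFA policy that still applies to the storage account's application, both of which are visible in Azure AD rather than on the client.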

In closing, Azure Active Directory's ability to issue Kerberos tickets over HTTP(S) is a milestone in the platform's evolution, opening the path to seamless file access and streamlined domain management across hybrid infrastructure.

Related links on Maximizing Hybrid Identities: Azure Active Directory Kerberos & Azure Files Preview

Enable Microsoft Entra Kerberos authentication for hybrid ...
This article focuses on enabling and configuring Microsoft Entra ID (formerly Azure AD) for authenticating hybrid user identities, which are on-premises AD ...
Maximizing Hybrid Identities: Azure Active Directory ...
Sep 8, 2022 — We are excited to announce Azure Files integration with Azure Active Directory (Azure AD) Kerberos for hybrid identities.
Azure Active Directory Kerberos with Azure Files for hybrid ...
Aug 30, 2022 — With this release, identities in Azure AD can mount and access Azure file shares without the need for line-of-sight to an Active Directory ...
