Microsoft recently announced the General Availability of an Azure feature that integrates Azure Files with Azure Active Directory (Azure AD) Kerberos for hybrid identities. This integration lets identities in Azure AD access and mount Azure file shares, eliminating the need for line-of-sight to an Active Directory domain controller.
In previous iterations, Azure Files offered identity-based authentication using Server Message Block (SMB) over two distinct Domain Services - the on-premises Active Directory Domain Services (AD DS) and Azure Active Directory Domain Services (Azure AD DS). The former necessitated line-of-sight to the domain controller, and the latter mandated the deployment of domain services onto Azure AD with domain joining to Azure AD DS.
Azure AD Kerberos, the new capability, lets Azure AD issue Kerberos service tickets over HTTPS to service applications within Azure. This removes both the need for a separate domain service and the line-of-sight requirement to a domain controller during Azure Files authentication. Two conditions apply: clients connecting to Azure Files must be Azure AD-joined or hybrid Azure AD-joined, and the user identities must be hybrid, meaning they originate in and are managed in on-premises Active Directory and are synced to Azure AD.
Azure AD Kerberos with Azure Files can be adopted according to your authentication requirements. If your organization already uses Azure AD, the same authentication solution can now be applied to Azure Files without managing a further domain service. For organizations with on-premises AD and file servers, syncing to Azure AD lets you begin migrating file servers to Azure Files and take advantage of the cloud for file server scenarios.
Organizations that prefer to keep AD on-premises can continue to manage permissions via on-premises domain services, without syncing permissions to Azure AD, by setting a single share-level permission that applies to all authenticated users. Azure AD Kerberos with Azure Files supports these default share-level permissions, and a simplified Azure Portal experience for configuring them was introduced alongside this announcement.
Microsoft has provided comprehensive guidelines to enable and configure Azure AD Kerberos for Azure Files, and to set default share-level permissions. Visit the official documentation page for further information.
The introduction of Azure AD Kerberos is a significant advance for hybrid identities. It is designed to streamline operations, reduce the need for additional domain services, and improve the overall user experience. Through its integration with Azure Files, it gives organizations a single ecosystem for managing their files and permissions, improving operational efficiency. It offers businesses considerable potential for enhancing their file server scenarios and managing identities either on-premises or in the cloud.
Read the full article Maximizing Hybrid Identities: Azure Active Directory Kerberos & Azure Files Preview
The Azure Active Directory platform is evolving rapidly, and one standout feature is support for issuing Kerberos tickets over HTTP(S), which makes accessing Azure Files across hybrid infrastructure seamless. This development ties Azure Active Directory to Azure Files, so let's break down what the integration offers and how to leverage its benefits.
Firstly, it's important to note that Azure Files previously supported identity-based access over Server Message Block (SMB) only through two types of Domain Services: on-premises Active Directory Domain Services and Azure Active Directory Domain Services. Both had limitations, such as requiring line-of-sight to a domain controller or an extra domain services deployment on Azure AD. With Kerberos over HTTP(S), those constraints no longer apply.
This feature not only eliminates the need to set up another domain service but also removes the line-of-sight requirement to a domain controller when accessing Azure file shares. The key requirements are that clients connecting to cloud file shares must be Azure AD-joined or hybrid Azure AD-joined, and the user identities must be hybrid, originating from and managed in Active Directory.
How is this beneficial?
To get up and running, you set up Azure AD Kerberos, configure it for Azure Files, and set default share-level permissions. Further information, including a demo of configuring Azure Files with Azure AD Kerberos and more detail on default share-level permissions, is available from the relevant documentation pages. Information about FSLogix user profile support is also available.
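The three setup steps above expressed with Az PowerShell, as an added example (not code from the original article or from Microsoft's documentation). The resource group, storage account name, domain name and domain GUID are placeholders, and the example assumes the Az.Storage module and an existing Connect-AzAccount session.

```powershell
# Added example: enable Azure AD Kerberos for Azure Files on a storage account,
# set a default share-level permission, then verify the result.
# All names and the domain GUID below are placeholders; replace them with your own.
# Assumes the Az.Storage module is installed and Connect-AzAccount has been run.

$resourceGroup  = "rg-files-example"                        # placeholder
$storageAccount = "stfilesexample"                          # placeholder
$domainName     = "corp.example.com"                        # placeholder: on-premises AD DNS name
$domainGuid     = "00000000-0000-0000-0000-000000000000"    # placeholder: on-premises AD domain GUID

# Step 1: enable Azure AD Kerberos authentication for SMB on the account.
# The domain name and GUID identify the on-premises AD that owns the hybrid identities.
Set-AzStorageAccount -ResourceGroupName $resourceGroup `
    -StorageAccountName $storageAccount `
    -EnableAzureActiveDirectoryKerberosForFile $true `
    -ActiveDirectoryDomainName $domainName `
    -ActiveDirectoryDomainGuid $domainGuid

# Step 2: set the default share-level permission applied to all authenticated identities.
# Least privilege: start with Reader and raise to Contributor only where writes are required.
# File and directory access is still governed by the NTFS ACLs managed in on-premises AD.
# Valid values: None, StorageFileDataSmbShareReader, StorageFileDataSmbShareContributor,
#               StorageFileDataSmbShareElevatedContributor
Set-AzStorageAccount -ResourceGroupName $resourceGroup `
    -StorageAccountName $storageAccount `
    -DefaultSharePermission StorageFileDataSmbShareReader

# Step 3: verify the configuration; DirectoryServiceOptions should now read AADKERB.
$account = Get-AzStorageAccount -ResourceGroupName $resourceGroup -Name $storageAccount
$auth = $account.AzureFilesIdentityBasedAuth
[pscustomobject]@{
    DirectoryService       = $auth.DirectoryServiceOptions
    DefaultSharePermission = $auth.DefaultSharePermission
    DomainName             = $auth.ActiveDirectoryProperties.DomainName
}
```

Re-run step 3 after any change to confirm that no share has silently fallen back to DirectoryServiceOptions of None, which would disable identity-based SMB access entirely.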
In closing, Azure Active Directory's support for issuing Kerberos tickets over HTTP(S) is a milestone in the platform's evolution, opening the path to seamless file access and streamlined domain management across hybrid infrastructure.