Microsoft Entra Kerberos Authentication for Azure Files


Enable Microsoft Entra Kerberos authentication for hybrid identities on Azure Files — Summary

Applies to: SMB Azure file shares

Overview

  • Enables Microsoft Entra ID (formerly Azure AD) to issue Kerberos tickets so hybrid identities (AD DS accounts synced to Microsoft Entra ID via Microsoft Entra Connect) can authenticate to Azure file shares over SMB.

  • Windows ACLs and directory/file permissions still apply and require unimpeded connectivity to on-premises domain controllers for hybrid identities.

  • Only one identity source can be enabled per storage account (Microsoft Entra Kerberos, on-prem AD DS, or Microsoft Entra Domain Services). See alternatives: Overview of Azure Files identity-based authentication options for SMB access and this deep dive.

Important notes

  • Kerberos ticket encryption is always AES-256.

  • Cross-tenant B2B/guest users are not supported.

  • The WinHTTP Web Proxy Auto-Discovery Service and IP Helper service must be running.

  • You must disable MFA on the Microsoft Entra app representing the storage account (see Disable multifactor authentication on the storage account).

  • If this feature previously used a preview flow for FSLogix, service principal passwords may expire every six months—see troubleshooting link provided.

Prerequisites

  • Only one identity source per storage account; disable others before enabling Microsoft Entra Kerberos.

  • For hybrid identities: on-prem AD DS + Microsoft Entra Connect; create and sync user/group accounts to Microsoft Entra ID.

  • Required services: WinHttpAutoProxySvc running, iphlpsvc running.

  • Clients must be Microsoft Entra joined or Microsoft Entra hybrid joined (not AD-only or joined to Microsoft Entra Domain Services).

  • Supported OS clients: Windows 11 Enterprise/Pro, Windows 10 Enterprise/Pro (v2004+ with updates), Windows Server 2025/2022 with latest cumulative updates (see article for specific KBs).

  • If clients don't meet prerequisites, you can configure a cloud trust (link in article) instead.

Enable Microsoft Entra Kerberos authentication

You can enable it via the Azure portal, Azure PowerShell, or Azure CLI.

Portal enable

1. Sign in to the Azure portal and open the target storage account.

2. Under Data storage, select File shares.

3. Next to Identity-based access, select the configuration status (e.g., Not configured).

4. Under Microsoft Entra Kerberos, select Set up, then check Microsoft Entra Kerberos.

5. Optional (hybrid identities): if you want to set directory and file-level permissions from Windows File Explorer, also specify your on-prem AD domain name and domain GUID (run Get-ADDomain on an on-prem AD-joined client; use the DnsRoot and ObjectGUID values). If you prefer icacls, this step can be skipped, but icacls needs unimpeded network connectivity to on-prem AD.

6. Select Save.

PowerShell

  • Enable: Set-AzStorageAccount -ResourceGroupName <resource-group> -StorageAccountName <storage-account> -EnableAzureActiveDirectoryKerberosForFile $true

  • Optionally set the domain name and GUID (retrieve them with Get-ADDomain: DnsRoot and ObjectGUID): Set-AzStorageAccount -ResourceGroupName <resource-group> -StorageAccountName <storage-account> -EnableAzureActiveDirectoryKerberosForFile $true -ActiveDirectoryDomainName <domain-name> -ActiveDirectoryDomainGuid <domain-guid>

Azure CLI

  • Enable: az storage account update --name <storage-account> --resource-group <resource-group> --enable-files-aadkerb true

  • Optionally set domain name and GUID: az storage account update --name <storage-account> --resource-group <resource-group> --enable-files-aadkerb true --domain-name <domain-name> --domain-guid <domain-guid>
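The portal, PowerShell and CLI paths above all do the same thing, but none of them checks the "one identity source per storage account" prerequisite or confirms the result. The following script is an added example, not code from the Microsoft article: it refuses to overwrite an AD DS or Microsoft Entra Domain Services configuration, enables Microsoft Entra Kerberos, optionally records the on-prem domain name and GUID from Get-ADDomain, and then reads the account back to verify that DirectoryServiceOptions is AADKERB. It assumes the Az.Accounts and Az.Storage modules are installed, Connect-AzAccount has already run, and (for -IncludeDomainInfo) the RSAT ActiveDirectory module is available on an AD-joined machine.

```powershell
# Added example (not from the Microsoft article): enable Microsoft Entra Kerberos on a
# storage account only if no other identity source is active, optionally record the
# on-prem AD domain name/GUID, then verify the result.
# Assumptions: Az.Accounts + Az.Storage installed and Connect-AzAccount already run;
# Get-ADDomain (RSAT ActiveDirectory module) available when -IncludeDomainInfo is used.
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,
    [Parameter(Mandatory)] [string] $StorageAccountName,
    [switch] $IncludeDomainInfo
)

$account = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName
$current = $account.AzureFilesIdentityBasedAuth.DirectoryServiceOptions

# Only one identity source per storage account. Do not silently replace AD DS ('AD') or
# Microsoft Entra Domain Services ('AADDS'); the operator must disable those first.
if ($current -and $current -notin @('None', 'AADKERB')) {
    throw "Storage account '$StorageAccountName' already uses identity source '$current'. Disable it before enabling Microsoft Entra Kerberos."
}

$params = @{
    ResourceGroupName                         = $ResourceGroupName
    StorageAccountName                        = $StorageAccountName
    EnableAzureActiveDirectoryKerberosForFile = $true
}

if ($IncludeDomainInfo) {
    # Domain name and GUID let Windows File Explorer edit ACLs for hybrid identities.
    $domain = Get-ADDomain
    $params.ActiveDirectoryDomainName = $domain.DnsRoot
    $params.ActiveDirectoryDomainGuid = $domain.ObjectGUID.ToString()
}

$null = Set-AzStorageAccount @params

# Verify: DirectoryServiceOptions must now read AADKERB.
$verify = (Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName).AzureFilesIdentityBasedAuth
if ($verify.DirectoryServiceOptions -ne 'AADKERB') {
    throw "Expected AADKERB but found '$($verify.DirectoryServiceOptions)'."
}
"Microsoft Entra Kerberos enabled on $StorageAccountName"
if ($verify.ActiveDirectoryProperties) {
    "Domain: $($verify.ActiveDirectoryProperties.DomainName)  GUID: $($verify.ActiveDirectoryProperties.DomainGuid)"
}
```

Run it as `.\Enable-EntraKerberos.ps1 -ResourceGroupName rg-files -StorageAccountName mystorage -IncludeDomainInfo` from a client that can reach the on-prem domain. The guard at the top is deliberate: Set-AzStorageAccount will happily switch an account from AD DS to AADKERB, which silently breaks every client that still relies on the AD DS path.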

Warning

  • If service principal password was set via a previous preview flow, it may expire every six months—see troubleshooting for "Service principal password has expired" guidance.

Grant admin consent to the new service principal

After enabling, grant tenant admin consent to the auto-registered Microsoft Entra application for the storage account.

1. Open Microsoft Entra ID in the Azure portal.

2. Under Manage, select App registrations → All Applications.

3. Find the application named: [Storage Account] <your-storage-account-name>.file.core.chinacloudapi.cn

4. Under API permissions, select Grant admin consent for [Directory Name] to approve the requested permissions (openid, profile, User.Read).

  • If using private endpoints, add the private link FQDN to the storage account app per troubleshooting guidance.

Disable multifactor authentication on the storage account

  • Microsoft Entra Kerberos does not support MFA. Exclude the storage account service principal from conditional access MFA policies.

  • Search for the app by name: [Storage Account] <your-storage-account-name>.file.core.chinacloudapi.cn

  • If not excluded, mapping will fail with account restriction errors. Links to conditional access docs provided.
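Both the consent step and the MFA exclusion are easy to get half right in the portal (consent granted but a tenant-wide MFA policy still applies, or the exclusion added to one policy out of three). The script below is an added example, not code from the Microsoft article, that audits both through the Microsoft Graph PowerShell SDK: it locates the storage account's service principal by the display-name pattern the page gives, checks that a tenant-wide (AllPrincipals) grant for openid, profile and User.Read against Microsoft Graph exists, optionally creates it, and then lists every enabled Conditional Access policy that requires MFA and targets the app without excluding it. It assumes the Microsoft.Graph modules are installed, that `-Environment China` matches the chinacloudapi.cn endpoint used on this page (use `Global` with `file.core.windows.net`), and that Microsoft Graph's well-known application ID 00000003-0000-0000-c000-000000000000 is the resource of the three scopes.

```powershell
# Added example (not from the Microsoft article): verify admin consent for the storage
# account app and check that MFA-requiring Conditional Access policies exclude it.
# Assumptions: Microsoft.Graph SDK installed; display name follows the page's pattern
# "[Storage Account] <name>.<suffix>"; -Environment China matches file.core.chinacloudapi.cn.
param(
    [Parameter(Mandatory)] [string] $StorageAccountName,
    [string] $Environment    = 'China',
    [string] $EndpointSuffix = 'file.core.chinacloudapi.cn',
    [switch] $GrantConsent
)

Connect-MgGraph -Environment $Environment -NoWelcome `
    -Scopes 'Application.Read.All', 'Policy.Read.All', 'DelegatedPermissionGrant.ReadWrite.All'

$displayName = "[Storage Account] $StorageAccountName.$EndpointSuffix"
$sp = Get-MgServicePrincipal -Filter "displayName eq '$displayName'" | Select-Object -First 1
if (-not $sp) { throw "No service principal named '$displayName'. Enable Microsoft Entra Kerberos on the storage account first." }

# Microsoft Graph's own service principal is the resource for openid/profile/User.Read.
$graphSp  = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$required = @('openid', 'profile', 'User.Read')

$grant = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" |
    Where-Object { $_.ConsentType -eq 'AllPrincipals' -and $_.ResourceId -eq $graphSp.Id } |
    Select-Object -First 1
$granted = if ($grant) { @($grant.Scope -split ' ' | Where-Object { $_ }) } else { @() }
$missing = @($required | Where-Object { $_ -notin $granted })

if ($missing.Count -gt 0) {
    if ($GrantConsent) {
        # Tenant-wide consent for exactly the scopes the page lists, nothing broader.
        if ($grant) {
            Update-MgOauth2PermissionGrant -OAuth2PermissionGrantId $grant.Id -Scope ($required -join ' ')
        } else {
            New-MgOauth2PermissionGrant -ClientId $sp.Id -ConsentType 'AllPrincipals' `
                -ResourceId $graphSp.Id -Scope ($required -join ' ') | Out-Null
        }
        "Granted admin consent for: $($required -join ', ')"
    } else {
        Write-Warning "Admin consent missing for: $($missing -join ', ') (rerun with -GrantConsent)"
    }
} else {
    "Admin consent present for: $($granted -join ', ')"
}

# Conditional Access: Microsoft Entra Kerberos cannot satisfy MFA, so any enabled policy
# that requires MFA and targets this app (explicitly or via 'All') must exclude its appId.
$policies = Get-MgIdentityConditionalAccessPolicy | Where-Object {
    $_.State -eq 'enabled' -and $_.GrantControls.BuiltInControls -contains 'mfa'
}
foreach ($p in $policies) {
    $apps     = $p.Conditions.Applications
    $targets  = ($apps.IncludeApplications -contains 'All') -or ($apps.IncludeApplications -contains $sp.AppId)
    $excluded = $apps.ExcludeApplications -contains $sp.AppId
    if ($targets -and -not $excluded) {
        Write-Warning "CA policy '$($p.DisplayName)' requires MFA and does not exclude $displayName (appId $($sp.AppId)); SMB mounts will fail with account restriction errors."
    }
}
```

The Conditional Access check is the part worth keeping around: the exclusion has to be repeated in every MFA policy, and a policy added later by another admin will break mounts for every hybrid user at once. Run the audit again after any Conditional Access change.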

Assign share-level permissions

  • For each file share, assign users/groups access via Assign share-level permissions to an identity. After share-level access is granted, Windows ACLs govern file/directory permissions.
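Share-level permissions are Azure RBAC role assignments, and the two decisions that matter are the role (the three built-in SMB share roles differ only in write and ACL rights) and the scope (the share, not the whole storage account). The script below is an added example, not code from the Microsoft article: it assigns one of the built-in roles to a synced group at the scope of a single share, defaulting to the least-privileged role that still allows writes, and skips the assignment if it already exists. It assumes the Az.Resources module, an existing Connect-AzAccount session with rights to create role assignments, and that $GroupObjectId is the object ID of a group synced from on-prem AD.

```powershell
# Added example (not from the Microsoft article): grant share-level access to a group
# with a built-in SMB share role, scoped to one file share, idempotently.
# Assumptions: Az.Resources installed, Connect-AzAccount already run with rights to
# create role assignments; $GroupObjectId is a synced (hybrid) group's object ID.
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,
    [Parameter(Mandatory)] [string] $ResourceGroupName,
    [Parameter(Mandatory)] [string] $StorageAccountName,
    [Parameter(Mandatory)] [string] $ShareName,
    [Parameter(Mandatory)] [string] $GroupObjectId,
    # Built-in roles, least to most privileged. Elevated Contributor can rewrite
    # Windows ACLs over SMB, so reserve it for the admins who set file-level permissions.
    [ValidateSet('Storage File Data SMB Share Reader',
                 'Storage File Data SMB Share Contributor',
                 'Storage File Data SMB Share Elevated Contributor')]
    [string] $Role = 'Storage File Data SMB Share Contributor'
)

# Share-scoped, not account-scoped: access to one share does not carry over to the others.
$scope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Storage" +
         "/storageAccounts/$StorageAccountName/fileServices/default/fileshares/$ShareName"

# Get-AzRoleAssignment -Scope also returns inherited assignments, so filter to the exact scope.
$existing = Get-AzRoleAssignment -ObjectId $GroupObjectId -RoleDefinitionName $Role -Scope $scope -ErrorAction SilentlyContinue |
    Where-Object { $_.Scope -eq $scope }

if ($existing) {
    "Role '$Role' already assigned to $GroupObjectId on share $ShareName"
} else {
    New-AzRoleAssignment -ObjectId $GroupObjectId -RoleDefinitionName $Role -Scope $scope | Out-Null
    "Assigned '$Role' to $GroupObjectId on share $ShareName; Windows ACLs now govern files and directories"
}
```

Assign to groups rather than individual users: the share-level role only opens the door, and the per-user decisions then live in the Windows ACLs where they belong.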

Configure directory and file-level permissions

  • To set NTFS/Windows ACLs for hybrid identities, you need a device with unimpeded connectivity to on-prem AD. See Configure directory and file-level permissions over SMB.

Configure clients to retrieve Kerberos tickets

You must enable Microsoft Entra Kerberos on every client that will mount Azure Files. Three configuration methods:

  • Intune (use the Settings Catalog; set Kerberos/CloudKerberosTicketRetrievalEnabled to 1)

  • Group Policy (Enable: Computer Configuration\Administrative Templates\System\Kerberos\Allow retrieving the Azure AD Kerberos Ticket Granting Ticket during logon)

  • Registry: set HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\CloudKerberosTicketRetrievalEnabled (REG_DWORD) = 1

Notes

  • Use Settings Catalog (not OMA-URI) for Intune; OMA-URI does not work for AVD multi-session.

  • Changes require policy refresh/reboot.

  • Enabling this blocks connections to storage accounts configured for on-prem AD DS unless you configure Kerberos realm mappings (see next section).

Configure coexistence with storage accounts using on-prem AD DS

If clients need to access both Microsoft Entra Kerberos and AD DS-enabled storage accounts, add host-to-realm mappings using Intune, Group Policy, or Registry (Kerberos/HostToRealm CSP or Administrative Templates\System\Kerberos\Define host name-to-Kerberos realm mappings). Alternatively use ksetup:

ksetup /addhosttorealmmap <hostname> <REALM>

  • Realm names are case sensitive and must be uppercase (typically your AD DS domain name in uppercase).
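The client-side change (the registry value above) and the coexistence mappings are usually applied together on the same machine, and the failure modes are the opposite of each other: without the value no Entra Kerberos storage account mounts, and with the value but without a mapping no AD DS storage account mounts. The script below is an added example, not code from the Microsoft article, that does both by hand for a pilot client: it sets CloudKerberosTicketRetrievalEnabled idempotently, upper-cases and sanity-checks the AD DS realm, maps each AD DS storage account's hostname to that realm with ksetup, and dumps the resulting state. It assumes an elevated session on a Microsoft Entra joined or hybrid joined client, that the mapping key is the storage account's SMB hostname (`<account>.file.core.chinacloudapi.cn`, following this page's endpoint suffix), and that the account names and realm shown are placeholders.

```powershell
# Added example (not from the Microsoft article): enable Entra Kerberos ticket retrieval
# via the registry and add host-to-realm mappings for AD DS storage accounts.
# Assumptions: run elevated on an Entra joined / hybrid joined client; account names and
# realm are placeholders; endpoint suffix follows the page (file.core.chinacloudapi.cn).
#Requires -RunAsAdministrator
param(
    # Storage accounts still configured for on-prem AD DS (not Microsoft Entra Kerberos)
    [string[]] $AdDsStorageAccounts = @('contosoaddsfiles'),
    [string]   $AdDsRealm           = 'corp.contoso.com',
    [string]   $EndpointSuffix      = 'file.core.chinacloudapi.cn'
)

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$name = 'CloudKerberosTicketRetrievalEnabled'

$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($current -eq 1) {
    "$name already enabled"
} else {
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
    "$name set to 1 (takes effect at next logon)"
}

# Kerberos realm names are case sensitive and must be uppercase; a lowercase realm
# is accepted by ksetup but never matches, and the mount fails later.
$realm = $AdDsRealm.ToUpperInvariant()
if ($realm -notmatch '^[A-Z0-9][A-Z0-9.-]*\.[A-Z]+$') {
    throw "'$AdDsRealm' does not look like a DNS realm name"
}

foreach ($sa in $AdDsStorageAccounts) {
    $fqdn = "$sa.$EndpointSuffix"
    # Without this mapping the client asks Microsoft Entra ID for a ticket to an
    # AD DS-joined storage account and the mount fails.
    & ksetup.exe /addhosttorealmmap $fqdn $realm
    if ($LASTEXITCODE -ne 0) { throw "ksetup failed for $fqdn (exit $LASTEXITCODE)" }
    "Mapped $fqdn -> $realm"
}

# Verify: the mappings appear under the realm in the dump below. After a fresh logon,
# 'klist' on an Entra Kerberos client should show a TGT from Microsoft Entra ID
# (realm KERBEROS.MICROSOFTONLINE.COM in the global cloud; this page does not state the
# China cloud realm name, so check the actual klist output rather than assuming it).
& ksetup.exe /dumpstate
```

Once the pilot works, move the same two settings into Intune or Group Policy as the page describes; the registry and ksetup path is for a first client and for troubleshooting, not for fleet configuration.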

Undo the client configuration to retrieve Kerberos tickets

To disable client-side Microsoft Entra Kerberos functionality, reverse the same three methods:

  • Intune: set Kerberos/CloudKerberosTicketRetrievalEnabled to 0

  • Group Policy: Disable the same Kerberos policy

  • Registry: set CloudKerberosTicketRetrievalEnabled = 0

If you added host-to-realm mappings, remove them (Intune/Group Policy/Registry or via ksetup /delhosttorealmmap). Note: disabling client setting prevents connecting to Microsoft Entra Kerberos-configured storage accounts but allows AD DS-configured ones.

Disable Microsoft Entra authentication on your storage account

  • Disable via Portal:

1. Open storage account → Data storage → File shares → Identity-based access → Configure.

2. Under Microsoft Entra Kerberos, uncheck the checkbox and Save.

  • PowerShell: Set-AzStorageAccount -ResourceGroupName <resource-group> -StorageAccountName <storage-account> -EnableAzureActiveDirectoryKerberosForFile $false

  • Azure CLI: az storage account update --name <storage-account> --resource-group <resource-group> --enable-files-aadkerb false

Debugging

  • Use Debug-AzStorageAccountAuth (requires AzFilesHybrid v0.3.0+) to run checks for Microsoft Entra Kerberos and AD DS authentication configurations. See troubleshooting link for more on checks and mounting errors.

Next steps and resources

  • Mount an Azure file share

  • Potential errors when enabling Microsoft Entra Kerberos authentication

  • Create a profile container with Azure Files and Microsoft Entra ID

Last updated: 12/23/2025
