Overview - Azure Files Identity-Based Authentication

Applies to: SMB Azure file shares

Summary

  • Purpose: Explains how to use identity-based authentication (Kerberos) for Azure file shares over SMB, so you can grant share-level permissions (Azure RBAC) and directory/file-level permissions (Windows ACLs) in the same way as on a Windows file server. There is no extra service charge for enabling this on a storage account.

  • Supported clients: Windows, Linux, and macOS SMB clients. Identity-based authentication is not available for NFS file shares.

  • Security recommendation: Prefer identity-based authentication over storage account keys. A storage account key grants full access to every share in the account and is not tied to any user, so never share it with end users or embed it on clients.

How it works

  • Azure Files uses the Kerberos protocol. When a user or application on a client tries to access a share, the client first authenticates to the chosen identity source (AD DS, Microsoft Entra Kerberos, or Microsoft Entra Domain Services); on success the identity source issues a Kerberos service ticket for the storage account. The client presents that ticket to Azure Files over SMB, and Azure Files authorizes the request from the ticket. Azure Files receives only the Kerberos ticket, never the user's password or other credentials.
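The flow above, as a check you can run from a Windows client (added example, not code from the Azure documentation): it confirms TCP 445 reachability, asks the local Kerberos client for a service ticket for the share's SPN (cifs/<account>.<endpoint suffix>), mounts the share without passing any credential, and reports whether a ticket for that SPN is held. The account name, share name, drive letter and the Azure China endpoint suffix are placeholders.

```powershell
# Added example (not from the Azure docs): mount an Azure file share with the
# signed-in identity and confirm the session is backed by a Kerberos ticket for
# the file service, i.e. no storage account key was involved.
# Assumptions (placeholders): account "mystorageacct", share "profiles", and the
# endpoint suffix "file.core.chinacloudapi.cn" for Azure China; use
# "file.core.windows.net" for global Azure.

function Test-AzFilesKerberosAccess {
    param(
        [Parameter(Mandatory)][string]$StorageAccountName,
        [Parameter(Mandatory)][string]$ShareName,
        [string]$EndpointSuffix = 'file.core.chinacloudapi.cn',
        [string]$DriveLetter = 'Z'
    )
    $fqdn = "$StorageAccountName.$EndpointSuffix"
    $spn  = "cifs/$fqdn"

    # SMB needs TCP 445 to the storage endpoint. Kerberos itself needs reachability
    # to the identity source (domain controllers or Microsoft Entra), not to Azure Files.
    if (-not (Test-NetConnection -ComputerName $fqdn -Port 445 -InformationLevel Quiet)) {
        throw "TCP 445 to $fqdn is blocked; SMB cannot connect."
    }

    # Ask the local Kerberos client for a service ticket for the file service SPN.
    # If the identity source cannot issue one (wrong source, no sync, no line of sight
    # to a DC for AD DS), klist reports a failure and there is nothing to present.
    $out = & klist.exe get $spn 2>&1
    if ($LASTEXITCODE -ne 0 -or ($out -join "`n") -match 'klist failed') {
        throw "No Kerberos ticket for $spn; check the identity source configured on the account."
    }

    # Mount without -Credential: the logged-on identity's ticket is what Azure Files sees.
    New-PSDrive -Name $DriveLetter -PSProvider FileSystem -Root "\\$fqdn\$ShareName" `
        -Scope Global -ErrorAction Stop | Out-Null

    # Confirm the ticket cache now holds a ticket for the share's SPN.
    $ticket = (& klist.exe) | Select-String -Pattern "Server:\s+$([regex]::Escape($spn))"
    [pscustomobject]@{
        Share          = "\\$fqdn\$ShareName"
        KerberosTicket = [bool]$ticket
        Mounted        = Test-Path "$($DriveLetter):\"
    }
}

Test-AzFilesKerberosAccess -StorageAccountName 'mystorageacct' -ShareName 'profiles'
```

If the mount succeeds but no ticket for the cifs/ SPN appears, the client fell back to something other than Kerberos (for example, a cached storage account key credential in Credential Manager), which is exactly the situation the recommendation above warns against.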

Common use cases

  • Replace on-premises file servers: Enables seamless migration while retaining the same credentials and permissions for end users.

  • Lift-and-shift applications to Azure: Keeps the same authentication model for file share access when moving apps to the cloud.

  • Backup and DR: Use Azure file shares for backup/DR while preserving Windows DACLs and enabling proper access control at failover.

Choose an identity source (one per storage account; applies to all file shares in that account)

  • On-premises Active Directory Domain Services (AD DS)

    • The storage account must be registered with AD DS as a computer or service logon account (domain joined), and clients need unimpeded network connectivity to the domain controllers (either domain-joined machines or machines with network line of sight to AD DS).

    • On-premises AD DS must be synced to Microsoft Entra ID using Microsoft Entra Connect.

    • See prerequisites: https://docs.azure.cn/en-us/storage/files/storage-files-identity-ad-ds-overview#prerequisites

  • Microsoft Entra Kerberos

    • Uses Microsoft Entra ID to issue Kerberos tickets (supports hybrid identities). Allows access without network connectivity to domain controllers.

    • For hybrid identity authentication, a traditional AD DS deployment synced to Microsoft Entra ID is required; clients must be Microsoft Entra joined or hybrid joined.

  • Microsoft Entra Domain Services

    • Cloud-based VMs domain-joined to Microsoft Entra Domain Services can access shares with Microsoft Entra credentials.

    • The storage account identity is created automatically; user sync to the managed domain is handled by the platform.

Guidelines to choose an identity source

  • Use AD DS if you have on-prem AD and clients/VMs have unimpeded connectivity and you’re not ready to move identities to the cloud.

  • Use Microsoft Entra Kerberos if clients lack unimpeded AD connectivity or if you need Microsoft Entra joined VMs (e.g., FSLogix profiles).

  • Use Microsoft Entra Kerberos for hybrid scenarios where on-prem AD is synced to Microsoft Entra ID.

  • Use Microsoft Entra Domain Services if you already use that service.

Enabling each identity source

  • AD DS: Can host domain controllers on Azure VMs or on-premises; domain-join recommended. Read overview and enable guidance:

    • Overview: https://docs.azure.cn/en-us/storage/files/storage-files-identity-ad-ds-overview

    • Enable: https://docs.azure.cn/en-us/storage/files/storage-files-identity-ad-ds-enable

  • Microsoft Entra Kerberos: Enables Kerberos for Microsoft Entra/hybrid identities; see enable guide:

    • Enable: https://docs.azure.cn/en-us/storage/files/storage-files-identity-auth-hybrid-identities-enable

    • Note: This is the identity source used for FSLogix profile containers on Microsoft Entra joined VMs.

  • Microsoft Entra Domain Services: Requires enabling the managed domain and domain-joining VMs; requirements and enable guide:

    • Enable: https://docs.azure.cn/en-us/storage/files/storage-files-identity-auth-domain-services-enable

    • Access requirements: clients must be domain joined to the managed domain; non-Azure clients cannot be domain joined to it (they can use explicit credentials if they have unimpeded network connectivity).
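The choice and enablement steps above, as an added example (not code from the Azure documentation or the AzFilesHybrid module): the first function reports which identity source a storage account currently uses (the DirectoryServiceOptions value is None, AD, AADDS or AADKERB) together with whether shared-key access is still allowed; the second enables Microsoft Entra Kerberos or Microsoft Entra Domain Services with Set-AzStorageAccount. On-premises AD DS is deliberately not enabled here because it needs an AD object for the storage account, which Join-AzStorageAccount from the AzFilesHybrid module creates. The resource group, account name, domain name and domain GUID are placeholders; the Az.Accounts and Az.Storage modules and a prior Connect-AzAccount are assumed.

```powershell
# Added example (not from the Azure docs): inspect and enable the identity source
# used by Azure Files on a storage account. Assumes Az.Accounts and Az.Storage are
# installed and Connect-AzAccount has already been run. All names are placeholders.

function Get-AzFilesIdentitySource {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$StorageAccountName
    )
    $sa   = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName
    $auth = $sa.AzureFilesIdentityBasedAuth
    # DirectoryServiceOptions: "None", "AD" (on-premises AD DS),
    # "AADDS" (Microsoft Entra Domain Services) or "AADKERB" (Microsoft Entra Kerberos).
    [pscustomobject]@{
        StorageAccount   = $sa.StorageAccountName
        IdentitySource   = if ($auth) { $auth.DirectoryServiceOptions } else { 'None' }
        DomainName       = $auth.ActiveDirectoryProperties.DomainName
        DomainGuid       = $auth.ActiveDirectoryProperties.DomainGuid
        # $null means the property was never set, which is the default (shared key allowed).
        SharedKeyAllowed = if ($null -eq $sa.AllowSharedKeyAccess) { $true } else { $sa.AllowSharedKeyAccess }
    }
}

function Enable-AzFilesIdentitySource {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$StorageAccountName,
        [Parameter(Mandatory)][ValidateSet('AADKERB', 'AADDS')][string]$Source,
        [string]$DomainName,   # AADKERB with hybrid identities: on-premises AD DS DNS name
        [string]$DomainGuid    # AADKERB with hybrid identities: on-premises AD DS domain GUID
    )
    $current = Get-AzFilesIdentitySource -ResourceGroupName $ResourceGroupName -StorageAccountName $StorageAccountName
    if ($current.IdentitySource -notin @('None', $Source)) {
        # Only one identity source per storage account; switching requires disabling the old one first.
        throw "Account already uses $($current.IdentitySource); disable it before enabling $Source."
    }
    switch ($Source) {
        'AADKERB' {
            $params = @{ EnableAzureActiveDirectoryKerberosForFile = $true }
            if ($DomainName -and $DomainGuid) {
                # Required when on-premises AD DS users (hybrid identities) will access the share;
                # omit both for cloud-only identities.
                $params['ActiveDirectoryDomainName'] = $DomainName
                $params['ActiveDirectoryDomainGuid'] = $DomainGuid
            }
            Set-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName @params
        }
        'AADDS' {
            Set-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName `
                -EnableAzureActiveDirectoryDomainServicesForFile $true
        }
    }
    Get-AzFilesIdentitySource -ResourceGroupName $ResourceGroupName -StorageAccountName $StorageAccountName
}

# Usage (placeholders): report the current state, then enable Microsoft Entra Kerberos
# for hybrid identities synced from the on-premises domain "corp.contoso.com".
Get-AzFilesIdentitySource -ResourceGroupName 'rg-files' -StorageAccountName 'mystorageacct'
Enable-AzFilesIdentitySource -ResourceGroupName 'rg-files' -StorageAccountName 'mystorageacct' `
    -Source 'AADKERB' -DomainName 'corp.contoso.com' -DomainGuid '00000000-0000-0000-0000-000000000000'
```

Enabling AADKERB is only the storage-side step: the enable guide linked above also requires granting admin consent to the Microsoft Entra application that is created for the storage account, and share-level permissions still have to be assigned through Azure RBAC before any user can connect.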

Related resources

  • Overview of Azure Files authorization and access control: https://docs.azure.cn/en-us/storage/files/storage-files-authorization-overview

  • Kerberos Authentication Overview: https://docs.azure.cn/en-us/windows-server/security/kerberos/kerberos-authentication-overview

Last updated: 12/23/2025
