Update Password for an AD DS Storage Account Identity

Summary: Update the password of your storage account identity in AD DS

Applies to: SMB Azure file shares

What this is about

  • When you domain-join a storage account to Active Directory Domain Services (AD DS), an AD principal (computer or service account) is created with a password. That password is one of the storage account's Kerberos keys.

  • If the AD principal's password expires (per your OU password policy) or is removed by cleanup scripts, Kerberos authentication to Azure file shares can fail.

  • You can either periodically rotate the AD principal password or place the AD principal into an OU that does not require password rotation.
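Before deciding whether to rotate, it helps to know which AD DS object backs the storage account and how old its password is. The following is an added example, not code from the original page or from the AzFilesHybrid module. It assumes the object carries the SPN cifs/<storage-account>.file.core.windows.net (the convention the domain-join cmdlets use; not stated on this page), and the function name and the 30-day threshold are our own choices.

```powershell
# Added example, not code from the original page. Assumes the SPN convention
# cifs/<storage-account>.file.core.windows.net and a caller-chosen rotation interval.
Import-Module ActiveDirectory

function Get-AzFilesAdObjectPasswordAge {
    param(
        [Parameter(Mandatory)] [string] $StorageAccountName,
        # Assumption: a password older than this is reported as due for rotation.
        [int] $MaxAgeDays = 30
    )

    # Assumption: the domain-join cmdlets register this SPN on the AD object.
    $spn = "cifs/$($StorageAccountName).file.core.windows.net"

    # The object may be a computer or a user (service logon) account, so look it up by SPN
    # rather than by class, and read the raw pwdLastSet attribute that both classes carry.
    $found = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName, pwdLastSet)

    if ($found.Count -eq 0) {
        throw "No AD DS object carries SPN '$spn'; the account may not be domain-joined or uses a different SPN."
    }
    if ($found.Count -gt 1) {
        throw "Duplicate SPN '$spn' on $($found.Count) objects; Kerberos cannot pick one. Fix that before rotating."
    }
    $obj = $found[0]

    # pwdLastSet is a Windows FILETIME; 0 means the password has never been set.
    $lastSet = $null
    if ([int64]$obj.pwdLastSet -gt 0) { $lastSet = [DateTime]::FromFileTimeUtc([int64]$obj.pwdLastSet) }
    $ageDays = if ($lastSet) { [int]((Get-Date).ToUniversalTime() - $lastSet).TotalDays } else { $null }

    [pscustomobject]@{
        StorageAccountName = $StorageAccountName
        SamAccountName     = $obj.sAMAccountName
        ObjectClass        = $obj.ObjectClass
        DistinguishedName  = $obj.DistinguishedName
        PasswordLastSetUtc = $lastSet
        PasswordAgeDays    = $ageDays
        # A never-set or over-age password needs attention before Kerberos authentication starts failing.
        RotationDue        = ($null -eq $ageDays) -or ($ageDays -ge $MaxAgeDays)
    }
}

# Usage (domain-joined client with the ActiveDirectory module installed):
# Get-AzFilesAdObjectPasswordAge -StorageAccountName "<your-storage-account-name>" -MaxAgeDays 30
```

The DistinguishedName in the output tells you which OU the object lives in, which is what you need when you choose the second option above and want to confirm the OU's password policy does not expire the password.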

General notes

  • Use only one method to trigger password rotation: either the AzFilesHybrid module or Active Directory PowerShell. Do not use both.

  • You need appropriate permissions:

    • Owner permission on the storage account.

    • AD DS permissions to change the AD principal password.

    • For the Active Directory PowerShell method, Windows PowerShell 5.1 with elevated privileges is required.

How to rotate the password

Option 1: Use AzFilesHybrid module

  • Use the Update-AzStorageAccountADObjectPassword cmdlet from the AzFilesHybrid module.

Requirements:

  • Run from a domain-joined client.

  • Owner permission on the storage account.

  • AD DS permissions to change the AD principal password.

Example command:

PowerShell
# Update the password of the AD DS account registered for the storage account
# You may use either kerb1 or kerb2
Update-AzStorageAccountADObjectPassword `
        -RotateToKerbKey kerb2 `
        -ResourceGroupName "<your-resource-group-name-here>" `
        -StorageAccountName "<your-storage-account-name-here>"

Recommendation:

  • After rotating to kerb2, wait several hours and run Update-AzStorageAccountADObjectPassword again with -RotateToKerbKey kerb1 so that both Kerberos keys are regenerated.

Option 2: Use Active Directory PowerShell

  • If you prefer not to download AzFilesHybrid, you can use the Windows Server Active Directory PowerShell cmdlets.

Important:

  • Run these cmdlets in Windows PowerShell 5.1 with elevated privileges.

Example (replace appropriately):

PowerShell
# Replace with your values
$ResourceGroupName = "<your-resource-group-name>"
$StorageAccountName = "<your-storage-account-name>"
$KeyName = "kerb1" # Could be either the first or second Kerberos key; this script refreshes the first

# Regenerate the chosen Kerberos key on the storage account (Az.Storage module).
# This invalidates the previous value of that key, so set the AD DS password immediately afterwards.
$KerbKeys = New-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $StorageAccountName -KeyName $KeyName
$KerbKey = $KerbKeys.keys | Where-Object {$_.KeyName -eq $KeyName} | Select-Object -ExpandProperty Value
$NewPassword = ConvertTo-SecureString -String $KerbKey -AsPlainText -Force

# Set the AD DS object's password to the new key value (ActiveDirectory module)
Import-Module ActiveDirectory
Set-ADAccountPassword -Identity "<domain-object-identity>" -Reset -NewPassword $NewPassword

Test that the AD DS account password matches a Kerberos key

  • After updating the AD DS account password by either method, confirm that it matches one of the storage account's Kerberos keys. This test cmdlet is part of the AzFilesHybrid module, so import that module even if you rotated the password with Active Directory PowerShell:

PowerShell
Test-AzStorageAccountADObjectPasswordIsKerbKey -ResourceGroupName "<your-resource-group-name>" -Name "<your-storage-account-name>" -Verbose
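Putting the AzFilesHybrid steps together, the following is an added example, not code from the original page or from the AzFilesHybrid module: it rotates one key and refuses to report success until the verification cmdlet confirms the AD DS password matches a Kerberos key. It assumes the AzFilesHybrid module is installed and Connect-AzAccount has already been run, treats the output of Test-AzStorageAccountADObjectPasswordIsKerbKey as a boolean (check the release you use), and the function name is ours.

```powershell
# Added example, not code from the original page. Assumes AzFilesHybrid is installed and
# Connect-AzAccount has been run; the wrapper function is our own.
Import-Module AzFilesHybrid

function Invoke-AzFilesKerbKeyRotation {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $StorageAccountName,
        [Parameter(Mandatory)] [ValidateSet("kerb1", "kerb2")] [string] $RotateToKerbKey
    )

    # Regenerates the chosen key and sets the AD DS object's password to its new value.
    Update-AzStorageAccountADObjectPassword `
        -RotateToKerbKey $RotateToKerbKey `
        -ResourceGroupName $ResourceGroupName `
        -StorageAccountName $StorageAccountName

    # Verify: the AD DS password must now match one of the storage account's Kerberos keys.
    # Assumption: the cmdlet returns $true/$false.
    $ok = Test-AzStorageAccountADObjectPasswordIsKerbKey `
        -ResourceGroupName $ResourceGroupName `
        -Name $StorageAccountName

    if (-not $ok) {
        throw "AD DS password for '$StorageAccountName' does not match a Kerberos key after rotating to $RotateToKerbKey. Check AD DS permissions and retry before clients lose Kerberos access."
    }

    [pscustomobject]@{
        StorageAccountName = $StorageAccountName
        RotatedTo          = $RotateToKerbKey
        Verified           = $true
        CompletedUtc       = (Get-Date).ToUniversalTime()
    }
}

# Phase 1 (now): move the AD DS password onto a freshly generated kerb2.
Invoke-AzFilesKerbKeyRotation -ResourceGroupName "<your-resource-group-name>" `
    -StorageAccountName "<your-storage-account-name>" -RotateToKerbKey kerb2

# Phase 2 (several hours later, as a separate run): move back to a freshly generated kerb1
# so that both keys are new.
# Invoke-AzFilesKerbKeyRotation -ResourceGroupName "<your-resource-group-name>" `
#     -StorageAccountName "<your-storage-account-name>" -RotateToKerbKey kerb1
```

Run the two phases from the same domain-joined client and with the same method; mixing this wrapper with the Active Directory PowerShell option between phases is exactly the "do not use both" case in the general notes.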

References

  • AzFilesHybrid module (https://github.com/Azure-Samples/azure-files-samples/releases)

  • Active Directory PowerShell (https://learn.microsoft.com/powershell/module/activedirectory)

Last updated: 12/09/2025
