Use Microsoft Entra Domain Services with Azure Files
Enable Microsoft Entra Domain Services authentication on Azure Files (summary)
Applies to: SMB Azure file shares
What this is
Azure Files supports identity-based SMB authentication using Kerberos via:
On-premises Active Directory Domain Services (AD DS)
Microsoft Entra Domain Services (MEDS)
Microsoft Entra Kerberos for hybrid user identities
This article explains enabling Microsoft Entra Domain Services (formerly Azure AD DS) for Azure Files SMB authentication. Microsoft Entra credentials and MEDS credentials are interchangeable in this scenario.
Recommended: use AES-256 Kerberos encryption.
Note: if MEDS is deployed with scoped synchronization, Azure Files honors Azure RBAC role assignments only for users and groups that are actually synchronized into MEDS; a role assigned to an unsynchronized principal grants no share access.
Prerequisites
Domain-join a VM with Microsoft Entra Domain Services
VMs that access the file share using MEDS credentials must be domain-joined to MEDS.
Supported clients: Windows VMs (OS newer than Windows 7 / Server 2008 R2) and Linux VMs (Ubuntu 18.04+ or equivalent RHEL/SLES).
Non-domain-joined VMs can use MEDS authentication only if they have unimpeded network connectivity to the MEDS domain controllers (usually via a site-to-site or point-to-site VPN).
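The prerequisites above reduce to three things a client must satisfy before a MEDS-authenticated mount can work: membership in (or reachability of) the managed domain, Kerberos/LDAP reachability to its domain controllers, and outbound SMB. The following pre-flight check is an added example for this summary, not code from the original article; the managed domain DNS name and storage account name are placeholders, and the DC addresses are assumed to be resolvable as A records of the domain name (standard AD DNS behaviour).

```powershell
# Added example (not from the original article): pre-flight checks on a client VM
# before mounting an Azure file share with MEDS credentials. Placeholders must be
# replaced with your managed domain DNS name and storage account name.
$managedDomain      = "<managed-domain-dns-name>"
$storageAccountName = "<storage-account-name>"
$fileEndpoint       = "$storageAccountName.file.core.windows.net"

# 1. Is this VM domain-joined, and to the MEDS domain rather than some other forest?
$cs = Get-CimInstance Win32_ComputerSystem
if (-not $cs.PartOfDomain -or $cs.Domain -ne $managedDomain) {
    Write-Warning ("Not joined to {0} (current domain: '{1}'). A non-joined VM needs VPN or peering " +
                   "reachability to the MEDS domain controllers.") -f $managedDomain, $cs.Domain
}

# 2. Can the client reach the MEDS domain controllers on Kerberos (TCP 88) and LDAP (TCP 389)?
#    Assumption: the domain name's A records point at the domain controllers (normal AD DNS).
$dcs = Resolve-DnsName -Name $managedDomain -Type A -ErrorAction Stop | Where-Object Type -eq 'A'
foreach ($dc in $dcs) {
    foreach ($port in 88, 389) {
        $r = Test-NetConnection -ComputerName $dc.IPAddress -Port $port -WarningAction SilentlyContinue
        "{0}:{1} reachable={2}" -f $dc.IPAddress, $port, $r.TcpTestSucceeded
    }
}

# 3. SMB to Azure Files needs outbound TCP 445, which ISPs and NSGs frequently block.
$smb = Test-NetConnection -ComputerName $fileEndpoint -Port 445 -WarningAction SilentlyContinue
if (-not $smb.TcpTestSucceeded) {
    Write-Warning "TCP 445 to $fileEndpoint is blocked; SMB mounts will fail regardless of authentication."
}
```

A failure in step 2 means the client cannot obtain Kerberos tickets at all, so the mount falls back to a credential prompt or fails outright; a failure in step 3 produces the same symptom for an unrelated reason, which is why the two are checked separately.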
Regional availability
MEDS authentication for Azure Files is available in all regions.
Overview of the workflow
The article includes an end-to-end workflow diagram (link to original image).
Enable MEDS authentication for a storage account
Enabling MEDS for Azure Files is done by setting a property on the storage account (portal, PowerShell, or Azure CLI). This implicitly "domain-joins" the storage account to the MEDS deployment and enables MEDS authentication for all file shares in the account.
You must have MEDS deployed before enabling this.
Portal (high level)
In the Azure portal: go to the storage account > Data storage > File shares > File share settings > Identity-based access: Not configured > Microsoft Entra Domain Services > Set up > enable checkbox > Save.
Screenshots are included in the original article.
PowerShell
Requirements: Az module 2.4+ or Az.Storage 1.5+. The original article shows how to create a new storage account with MEDS enabled and how to enable it on an existing account (both via the EnableAzureActiveDirectoryDomainServicesForFile property).
Azure CLI
Requirement: Azure CLI 2.0.70+. The original article shows the equivalent az storage account create and az storage account update commands with the --enable-files-aadds flag.
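Because a storage account can be bound to only one directory service, enabling MEDS on an account that is already configured for another option silently changes its authentication model. The following script is an added example for this summary (not the original article's code): it reads the current setting, refuses to overwrite an AD DS or Entra Kerberos configuration, enables MEDS, and verifies the result. It assumes an authenticated Az session (Connect-AzAccount) and uses placeholder resource names.

```powershell
# Added example (not from the original article): enable MEDS authentication on an
# existing storage account and verify the setting. Requires Az.Storage 1.5+ and an
# authenticated session (Connect-AzAccount). Resource names are placeholders.
$resourceGroupName  = "<resource-group-name>"
$storageAccountName = "<storage-account-name>"

# Read the current identity-based auth configuration before changing anything.
$account = Get-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName
$current = $account.AzureFilesIdentityBasedAuth.DirectoryServiceOptions
Write-Host "Current directory service option: $current"

# Only one directory service can be active per storage account. Do not silently
# replace an existing AD DS or Entra Kerberos configuration.
if ($current -and $current -notin @("None", "AADDS")) {
    throw "Storage account '$storageAccountName' is already configured for '$current'; disable it before switching to AADDS."
}

# Enable MEDS. The parameter name still uses the former "Azure Active Directory Domain Services" wording.
$account = Set-AzStorageAccount -ResourceGroupName $resourceGroupName `
    -Name $storageAccountName `
    -EnableAzureActiveDirectoryDomainServicesForFile $true

# Verify: DirectoryServiceOptions must now read 'AADDS'.
$after = $account.AzureFilesIdentityBasedAuth.DirectoryServiceOptions
if ($after -ne "AADDS") {
    throw "Expected DirectoryServiceOptions 'AADDS' but found '$after'."
}
Write-Host "MEDS authentication enabled on $storageAccountName for all file shares in the account."
```

For a new account, the same -EnableAzureActiveDirectoryDomainServicesForFile $true switch is accepted by New-AzStorageAccount, so the verification step at the end applies unchanged.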
Recommended: use AES-256 encryption
The article recommends configuring Kerberos AES-256 encryption for the storage account. This requires running the Windows Server Active Directory PowerShell cmdlets from a domain-joined client under Windows PowerShell 5.1 (PowerShell 7.x is not supported for these cmdlets).
You must have write access to the msDS-SupportedEncryptionTypes attribute of the object that represents the storage account in the managed domain; typically this means membership in the AAD DC Administrators group.
The original article lists the commands to run from the domain-joined client.
If the storage account previously used RC4 and you switch it to AES-256, run klist purge on each client and remount the file share so the client requests fresh AES-256 Kerberos tickets; cached RC4 service tickets are otherwise reused until they expire.
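The AES-256 procedure above, as an added example for this summary rather than the original article's own commands. It locates the managed-domain object that represents the storage account, sets it to AES256, confirms the raw msDS-SupportedEncryptionTypes value, then purges cached tickets, remounts, and checks the encryption type of the new service ticket. Assumptions: the storage account is represented by a user object whose name contains the storage account name (a search pattern, not a guaranteed naming rule), drive letter Z is free, and the placeholders are replaced. Run in Windows PowerShell 5.1 on a MEDS-joined client with the ActiveDirectory module, as a member of AAD DC Administrators.

```powershell
# Added example (not from the original article): move the MEDS object representing
# a storage account to AES-256 Kerberos, then re-acquire tickets on the client.
# Windows PowerShell 5.1, MEDS-joined client, ActiveDirectory module, AAD DC Administrators.
Import-Module ActiveDirectory

$storageAccountName = "<storage-account-name>"
$shareName          = "<share-name>"

# 1. Locate the object that represents the storage account in the managed domain.
#    Assumption: a user object whose name contains the storage account name.
#    Fail loudly on 0 or more than 1 match rather than modifying the wrong object.
$candidates = @(Get-ADUser -Filter "Name -like '*$storageAccountName*'")
if ($candidates.Count -ne 1) {
    throw "Expected exactly one AD object matching '$storageAccountName', found $($candidates.Count)."
}
$userObject = $candidates[0]

# 2. Restrict the object to AES-256. This writes msDS-SupportedEncryptionTypes.
Set-ADUser $userObject -KerberosEncryptionType AES256

# 3. Verify the raw attribute: RC4 = 0x4, AES128 = 0x8, AES256 = 0x10. Only 0x10 may remain.
$check = Get-ADUser $userObject -Properties KerberosEncryptionType, 'msDS-SupportedEncryptionTypes'
if ($check.'msDS-SupportedEncryptionTypes' -ne 0x10) {
    throw "Object still permits other encryption types: $($check.KerberosEncryptionType)"
}

# 4. Drop cached (possibly RC4) tickets and remount so the client requests new ones.
klist purge | Out-Null
$uncPath = "\\$storageAccountName.file.core.windows.net\$shareName"
if (Get-PSDrive -Name Z -ErrorAction SilentlyContinue) { Remove-PSDrive -Name Z }
New-PSDrive -Name Z -PSProvider FileSystem -Root $uncPath -Persist | Out-Null

# 5. Confirm the new service ticket for the file endpoint is AES-256:
#    the output should show "KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96".
klist get "cifs/$storageAccountName.file.core.windows.net"
```

Step 3 matters because Set-ADUser succeeds even when the caller's write actually landed on a different, similarly named object; checking the attribute on the object you intend to harden is the only confirmation that RC4 is really gone for that storage account.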
Next step
To grant users access, follow the article on assigning share-level permissions (link in original).
Additional resources / metadata
Last updated: 12/23/2025
(End of summary; links and images referenced above are from the original article.)