Azure Files AD Authentication Integration

Captions
Azure Files Active Directory: let's finally put those hands together. So in this video I want to talk about the new Active Directory Domain Services integration for Azure Files, something that I'm actually pretty excited about. So if we take a step back, I can think about: we have Azure Storage. So an Azure storage account is deployed to a region. It has a certain type: there's General Purpose v2, which is what we're going to commonly use; there's also things like blob and files for particular functionalities. If I think about just a regular storage account, I create that storage account, I'm now going to have a number of different types of storage with that storage account. I can think about blob: these could be block blob; this could be page blob, which we use for VHDs that managed disks sit on top of; we have append blob; we could have tables; we could have queues; and then we have files, and files is what I want to focus on in this session.

Now for files, I can kind of talk to this through SMB 2.1, SMB 3 kind of class, and obviously the REST API. And when I have files it's really broken down: I have a share, and then under that share I can create directories, i.e. containers, and then files, i.e. objects. Now when I access this, if it's SMB 2.1 I have to access it from something in the same region as the storage account. If I use SMB 3 then I can access it outside the region, I can access it from on-premises, because it's going to encrypt the connection. Same if we use that REST API. But the challenge is, historically, how do I do kind of more granular authorization? How do I do ACLing of this content? This storage account, the storage account has this all-powerful access key. Well, actually two of them; so we have two keys so we can alternate between them if we have to regenerate. And if I connect via that access key I can do anything: I can do any action, I can access any object. So not really very granular. Then we had the idea of these shared access signatures. A shared access signature enables me to set a certain set of actions I can perform on a set scope, so the scope could be a certain directory, could be certain files. Very granular, but the shared access signatures I could only use via REST. So the access key is great, I can use it, of course, for all of them; I could map to a share as the access key and I can do anything. But with this more granular shared access signature I had to use the REST API, so it's not very useful if I just want to map for general user content.

Now in addition to this, I can think about: great, we have Azure, and I can think about we have Azure Files, and under that I create a share. Meanwhile on-premises I have Windows-based shares as well, maybe I have many of them, and one of the great technologies we have is Azure File Sync. And what this enables me to do is I have server endpoints and I can have a cloud endpoint, and they're part of a sync group. So as I kind of write data to a file share it synchronizes up to the cloud and then will go and synchronize to all the other copies. So I have many, many Windows-based file servers, fantastic, they're going to synchronize to the cloud endpoint. I can even tier content, so above a certain quota of content I want to keep locally, but if it's not accessed in a certain amount of time I'll just store it in Azure Files, so I can pull it down if I need to. Now with this I could have ACLs on these file servers. When I set permissions on that content the ACL would replicate up and be stored and then would replicate back down to any copies. But if I as a user accessed the file share directly, those ACLs were enforced; they were maintained for that synchronization. But if I was here and I accessed it directly, those ACLs did not get enforced, I could access anything. But it was great synchronization. If there was an actual disaster, the solution would be, what I would do is spin up an IaaS VM, I would create a file share in there and add it to the sync group, and then I'd get the content, and then that would honor and enforce any ACLs. So I could do that.

So Azure Files, I think it's fantastic, but not enabling me to use the AD ACLs in the cloud. I still need IaaS virtual machines or VMs on-premises hosting the folders, I can't go serverless. So what we introduced is, if I can think about, okay, I have my Azure file share. Now on-premises, or it could be in IaaS virtual machines, I have Active Directory, great, and what we commonly do is we synchronize to Azure Active Directory, so we have Azure AD Connect and we synchronize that to Azure AD. And there was an integration for Azure Files and Active Directory through Azure AD Domain Services. So what Azure AD Domain Services is, and not a video on this, I can kind of think about, well, it uses this content to create this Azure AD Domain Services, which is really manifested as some managed domain controllers that get linked to a certain VNet. So in this model I could now actually have something domain joined. So if I'm a machine I would be joined to that domain, I could now access this, I could write ACLs, I could use Robocopy to copy the ACLs over, I could use icacls to set the ACLs, I couldn't use Explorer, but now I could actually have ACLs on Azure Files. This file share could not be part of Azure File Sync, that would not work, so it's completely isolated away from Azure File Sync, it was a separate file share. But now I could set ACLs on it, and for people on machines joined to Azure AD Domain Services I could now have ACLing based on the user objects that have been populated from Azure AD. But I had to have Azure AD Domain Services, I had to be joined to Azure AD Domain Services, it didn't work with Azure File Sync, and honestly a lot of people didn't really want to get into Azure AD Domain Services. But it did kind of open the world to the idea that, hey, my Azure file share, my storage account, would actually now kind of register and support Kerberos. So I would actually have an object in that Azure AD Domain Services that represented the storage account, so now I can actually authenticate using Kerberos: I would go and get a token for my storage account, it would use it. So we're getting close.

That's what I'm excited about, and the goal for this video is: now we have integration just with regular Active Directory Domain Services. I don't need the Azure AD Domain Services. So the idea now, here's great, I've got my regular AD. Now I always draw in green to show on-premises; doesn't have to be, these could be IaaS virtual machines. The point is this is regular Active Directory Domain Services, the role I have in Windows Server. Okay, we still have Azure obviously, we still have Azure AD, so I'm still synchronizing, I still need to populate Azure AD using Azure AD Connect. Now a big difference, and I should have pointed this out: for this to work with Azure AD Domain Services you have to send the password hashes. That was a requirement because it has to come populate this to enable the authentication to the same password. So with that you're actually sending the password hash into the cloud, not just the hash of the hash, the actual hash. I don't have to send the hashes here, I just have to have the objects replicated. Now what I'm going to have is, yep, I've got my Azure file share and I'm going to register that with my domain. Now when I do this, the machine I'm going to do this registration on has line of sight to my domain controllers. This doesn't have to have line of sight from a networking perspective, it's kind of an offline join, but it's going to be a machine that I'm going to use to perform the action. And what it's going to do is, once again, in my Active Directory it's going to create a computer account, it could be a service principal, that represents that storage account. So if that storage account was SA1, it's going to create a computer account SA1. It's going to create an access key in the storage account, kerb1, that it's then going to use for the password for that computer object. But essentially what we're doing is, once again, we're going to now support Kerberos for the storage account. So I have now registered this storage account into my Active Directory. So I have to have Azure AD populated with the objects, I don't need the password hash, the storage account is now registered, phenomenal.

Then at the share level, so on the share, there are some new roles, and I'll show this when I demo it, different levels of access that I will grant users in Azure AD, various permissions. I'm going to give them a certain role that could be, hey, you can connect to it but you can't change it, or you can connect, some fully managed. So in the Azure connection API, ARM, I'm setting permissions on the share, on who can access the share. It's the same AD, remember, the accounts got replicated over, but I'm setting it via Azure AD, that's why it has to be replicated. Now I'm a machine, let's say I'm a regular user, and this green user sitting at my machine, I can now connect to the share providing I've got permissions at the share level. So I could, just like normal, I could map a drive, and now using SMB I can set ACLs. This will be SMB 3 plus if I was outside the region, so it's an encrypted connection. I can now set the ACLs and it's completely transparent. I am now serverless: there is no Windows file share I have to have replicating content up, this could just be a pure file share. However, it could also be that it's part of Azure File Sync. Those ACLs that it's kind of replicating up will now be maintained, so that file share is up here in Azure Files and the ACLs were populated using Azure File Sync; that's okay, it will be maintained, I can now access Azure Files directly if I wanted to. So it's phenomenal. This is now just really transparent authentication and authorization, ACLs on Azure Files, just with regular Active Directory. The Active Directory could be housed on-premises, it could be hybrid with domain controllers in IaaS VMs, it could still be in Azure, doesn't matter, but now I can have a completely transparent experience for the end user.

Now I might build this scenario out end to end. You can imagine it's a storage account, yes, at the public endpoint; remember also we have Private Link. So I might have kind of a VNet, I might use Private Link to create an IP address in that virtual network, and then maybe I've got ExpressRoute connecting my on-prem network into that virtual network using private peering, and it uses the endpoint to get to the share. There's other things I can build on this. The key point now: Active Directory based ACLs on Azure Files. Don't need Azure AD Domain Services. Works with Azure File Sync. Now I cannot use both. I cannot use kind of the Active Directory integrated authentication and this hybrid Azure AD Domain Services option. I don't know why you'd want to; if I can do this, that's much better than using this option. So that's the idea.

Let's actually go in and see this in action. In this environment I have a storage account. There's nothing really special about it; the only special thing would be I created it in West Central because currently that's one of the regions where I can do this AD integrated authentication. And I created a file share, again nothing super interesting about this. So what I now need to do is tie in the storage account with my Active Directory. Now to do this there's actually a very easy little script that hooks into the various Az modules. Now you can go ahead and download this script from GitHub, and then once you've installed the script you can import the module and you literally run one command. So I'm doing the Join-AzStorageAccountForAuth. I give it the resource group of my storage account, the name of my storage account, the domain I want to join to, and then the distinguished name of my organizational unit. So I created a special OU, SPNs, in my domain just so I can kind of show that object. So I would execute this command. Now once I do that, that's it, I mean that's literally the setup I have to perform. If I was to go and look at my Active Directory you can see I now have under SPNs a computer account, because that's the default. I could, via a flag, set it to create a service principal instead. But here I can see, hey, there's a computer account that is the name of my storage account. What it also did is it went ahead and created a Kerberos key. So if I dump out all of my keys, including the Kerberos keys, I've got the regular storage access keys and I've got a kerb1 and I've got a kerb2, because I ran this a few different times as I was experimenting. You can also see, if I was to check my directory service options, you can see it's using Active Directory. You can always go and hook into the actual properties of that as well and see my actual domain, the domain GUID, the domain SID, etc., etc.

But once I have done that I could now go back to the file share and now I'll be able to access the access control. And I'll pretend I did that on purpose: I'm actually on the wrong storage account, which is why it's erroring; it's saying, hey, you've not done this. If I actually go to the correct storage account, always a useful thing to do, so I jump over to my storage accounts, I want the one in West Central, so there it is, West Central Files. Once again I can go to my Azure Files, my file shares, there's my file share, and this time I can do the access control because I've done that AD integration, and there are these three special roles available to me. So remember, access to the share I set here. So here, if I actually go into a particular share, so I'll go into my data share, here I can go to the access control, I can look at the role assignments I've done. So if we actually look: Storage File Data SMB Share Elevated Contributor. I've given that to myself, Clark Kent and Bruce Wayne. So the name kind of suggests I can read, write, delete, modify the NTFS permissions via SMB. Now there are also two other roles. So if I go and look for "my storage" you'll see there's also Storage File SMB Share Contributor, so I can do the read, write, delete access in Azure storage files over SMB but I can't change the NTFS permissions, and then there's also a Share Reader; as the name suggests, I can read stuff from it. So they're the different roles I could assign at the share to let me connect via SMB.

So in my case, as I showed, I gave a number of accounts that permission. So now just using regular net use I can connect to it. Remember, if I want to connect to it outside the region I need a client that supports SMB 3 plus so I can do that encrypted connection, which will let me connect outside the region. So if I jump over, I have made that connection. So for this machine I've connected to that storage account, to the data share, and from that point I can go and browse the files. Now notice if I right-click and do Properties I will be able to actually see the Security; I see all the various permissions. If I go to actual objects, so my Sir Oliver, for this file, well, only myself and the administrators, no authenticated users or regular users have any access, so only I should be able to access this file. Then there's a Superman picture. If I look at Superman's picture, oh, I can see, well, Clark Kent's the owner but other users can kind of access as well. So I should be able to read that based on the ACLs. Again, I'm on a machine that's joined to my regular Active Directory. If I look at whoami, I'm a member of that domain, I'm just John. I should also be able to look at the Sir Oliver picture because I am John and I have those permissions. And there's a picture of my dog, as some kind of general, little bit odd, I know. You can see I have that full SMB connection and I can set all of the ACLs, and these could be set directly, this could be part of Azure File Sync. So I'm going to connect as a different user. So now I'm connected as Clark. Again we can check that, whoami, yep, so I am Clark. Now remember, I was the owner of Superman, so sure enough I can look at a picture of myself. If I look at Sir Oliver, well, I don't have permissions to do that, so check permissions and try again. So I'm connected directly to Azure Files, I can access the ACLs just using my SMB connection and they are enforced; that's kind of the key point.

So again, this could be a pure serverless file share capability. And I should point out, it's not super important, I'm actually in a different region. So this client is in South Central, the file share was in West Central, so it is working across regions because it's SMB 3 plus. So it can be serverless or it could be part of Azure File Sync and I can still go ahead and access that share. So that was it, just kind of showing this in action. So I hope that was useful, I hope you think this is as cool as I do. Super easy to set up, as you saw. It's in preview, so only certain regions support it, but go and try it out. I think it's super cool and I'll see you at the next video soon. Please like, subscribe, share this video. Take care. [Music]
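The setup and verification steps the video walks through, as an added PowerShell example (it is not the video's own script nor the AzFilesHybrid project's code); resource group, account, share, domain, OU, subscription, user and file names are placeholders, and the cmdlet parameter names are the ones documented for the AzFilesHybrid and Az modules, so confirm them with Get-Help on the version you install.

```powershell
# Added example, not from the video. Placeholders are marked; adjust to your environment.
# Step 1: register the storage account with on-premises AD. Run on a domain-joined machine
# that has line of sight to a domain controller (the storage account itself needs none).
Import-Module -Name AzFilesHybrid          # module downloaded from the AzFilesHybrid GitHub release
Connect-AzAccount
Select-AzSubscription -SubscriptionId '<subscription-id>'   # placeholder

$rg     = 'rg-files'                                   # placeholder resource group
$sa     = 'westcentralfiles'                           # placeholder storage account name
$share  = 'data'                                       # placeholder file share
$ouDn   = 'OU=SPNs,DC=corp,DC=contoso,DC=local'        # placeholder OU distinguished name

# Creates computer account <sa> in the OU and a kerb1 key whose value becomes its password.
Join-AzStorageAccountForAuth -ResourceGroupName $rg -StorageAccountName $sa `
    -DomainAccountType ComputerAccount -OrganizationalUnitDistinguishedName $ouDn

# Step 2: verify the registration instead of trusting the script's exit.
$acct = Get-AzStorageAccount -ResourceGroupName $rg -Name $sa
$acct.AzureFilesIdentityBasedAuth.DirectoryServiceOptions     # expect AD, not AADDS or None
$acct.AzureFilesIdentityBasedAuth.ActiveDirectoryProperties   # domain name, GUID and SID
Get-AzStorageAccountKey -ResourceGroupName $rg -Name $sa -ListKerbKey |
    Where-Object KeyName -like 'kerb*' | Select-Object KeyName  # kerb1 (and kerb2 if rotated)

# Step 3: share-level access via the three built-in SMB roles, scoped to the one share only
# (assigning at the account level would grant every share in the account).
$scope = "/subscriptions/<subscription-id>/resourceGroups/$rg/providers/Microsoft.Storage" +
         "/storageAccounts/$sa/fileServices/default/fileshares/$share"
New-AzRoleAssignment -SignInName 'clark.kent@contoso.com' `                       # placeholder
    -RoleDefinitionName 'Storage File Data SMB Share Elevated Contributor' -Scope $scope
New-AzRoleAssignment -SignInName 'bruce.wayne@contoso.com' `                      # placeholder
    -RoleDefinitionName 'Storage File Data SMB Share Reader' -Scope $scope

# Step 4: on a domain-joined client, map the share with the user's Kerberos ticket. No account
# key appears on the command line, so nothing here grants more than the caller's own role.
net use Z: "\\$sa.file.core.windows.net\$share"

# NTFS ACLs are then set and read exactly as on any SMB share; the elevated-contributor role
# is required for the write, any role can read them back.
icacls 'Z:\SirOliver.jpg' /inheritance:r /grant:r 'CORP\john:(F)' 'BUILTIN\Administrators:(F)'
Get-Acl -Path 'Z:\SirOliver.jpg' | Format-List Owner, AccessToString
```

A DirectoryServiceOptions value other than AD, or no kerb key in the key list, means the share-level role assignments will still succeed but SMB logons with domain credentials will fail, which is the symptom the video shows on the un-registered account.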
Info
Channel: John Savill's Technical Training
Views: 30,704
Keywords: azure, azure files, active directory, acls, azure storage, storage account, ad integration
Id: LWKkva4ksdg
Length: 22min 35sec (1355 seconds)
Published: Thu Feb 27 2020