Azure Files SMB Access with Windows AD

Reddit Comments

I like this dude's videos but the thumbnails are awful

So can I use group policy/item level targeting now?

2 points, u/Jose083, May 02 2020

Thanks for the video. Been looking forward to this for a year now :)

1 point, u/boqs, May 02 2020

Can you set separate file permissions on Linux mount yet?

1 point, u/atticusfinch975, May 02 2020

So..this doesn't use AAD? I thought this required you to sync your AD domain to AAD?

1 point, u/mixduptransistor, May 03 2020

So I have a few questions as this is something we're looking at.

  1. How do you protect the data, back up, etc.?
  2. Does this support snapshots, such as: can I go to the Previous Versions tab of a file/folder and restore an earlier version of the file/folder?
  3. Is it possible to keep 1.5 yrs of snapshots?
  4. If your region for some reason goes down, can you use SR to sync the share to another region and run the share from that region in case of a DR situation?

1 point, u/Chrys6571, May 04 2020
Captions
In this video we enable Windows AD SMB access for Azure Files. Hello everyone. SMB access for Azure Files with Azure Active Directory Domain Services has been GA for a while, but only recently went into public preview with Windows Active Directory. Hold on a second: if that didn't make any sense to you, that's okay. Microsoft has three different directory services with Active Directory in the name. Check out my video on the differences between Azure AD, Windows AD and Azure AD Domain Services if you're unclear about the difference; I'll post a link above.

Moving on, one of the first challenges I ran into with Azure services was moving a large number of files into Azure Storage. This was years ago, and Azure Storage didn't have all the options that are available today. I figured, let's just copy the files to blob storage. That's when I started to truly learn the difference between traditional compute services and cloud services. Fast forward a couple of years, and now Azure Storage offers file services along with blob storage, table storage and static websites. I have another video that goes over Azure Storage if you're interested; again, the link will be above.

Azure file storage now offers the ability to use traditional NTFS-style permissions based on your on-premises Windows AD domain. This is an awesome addition because you can finally start to extend file services to Azure. I should point out that this is a preview feature at the time of this recording. This is part one of a two-part video. In this video we set up Azure Files for SMB access with Windows AD; the second part goes over how to extend that service to your on-premises network and secure it. Before we get started, please take a second to subscribe, click the bell icon, and if you enjoy these videos click the like button. Seeing the subscription count go up makes these days of social distancing just a little bit more pleasant.

I have a home lab connected to an Azure VNet with a VPN; this would be similar if using ExpressRoute. I also have a domain controller at each location. In the demo coming up we're going to add the storage account, add a file share to that account, and then enable SMB file security on that share. Adding a file share is not new to Azure Storage, but enabling NTFS-style permissions on it is. This provides access similar to file servers deployed in a Windows domain.

Let's review how this works, because you can't join a storage account to a domain like you could a server. I'm going to stick with just the Azure portion for now. Notice that both the VM client and the domain controller are in the same VNet, and note that the client VM is domain joined. We can extend this to the on-premises VMs, but for now we're sticking to the Azure VNet. Microsoft provides a script to enable SMB access for Azure Files. When we enable SMB access, the script adds a computer or user object that will represent the storage account in Windows AD. The storage account gets a Kerberos key used to validate tokens. When a user on the domain-joined client accesses the storage account, the request is sent to the domain controller to get a token. If the user is authenticated, a Kerberos token is returned and the user uses that to access the file share; the token is validated at the storage account.

You may have noticed that we can use either a computer or a user object to represent the storage account in Windows AD. Why use one over the other? I couldn't find much information on this; they both work equally well. The only difference I found is how passwords are treated. Because the Azure Files account is represented as a computer or user object in Windows AD, a password policy is likely to apply. If the password expires, authentication will fail. You could override this by using a user account and setting the password to never expire, or add the account to an OU that doesn't enforce a password policy. I'm not a security expert, but neither of those sounds like a good idea. The third option is to use the Update-AzStorageAccountADObjectPassword command that's part of the AzFilesHybrid module to create a new password before it expires. We'll step through that in the demo. It needs to run inside the domain and could easily be scheduled to automate the process. If you don't have automation in place, check out my series on Azure Automation; this could be scheduled on a hybrid worker that runs inside your domain. Task Scheduler would also work.

Although Azure Files with SMB permissions behaves like a traditional file share, there are differences. There are three different types of permissions used to control access to Azure Files. The first is at the share level. Unlike your on-premises file server, Azure Files uses RBAC roles at the share level. These identities must originate from Windows AD and replicate to Azure AD using AD Connect. This only applies to the share, not the directories or files in that share. Next is the root directory and file permissions in the share. These are protected with traditional NTFS access like your on-premises servers. After we set up the new file share, no NTFS permissions exist, so no one can access the share. Well, that would be the case if it wasn't for the super user access. This access uses the storage account key to mount the file share for the first time; then we can create root-level file access using NTFS. The share has to be mounted on a computer on the domain so we can add NTFS permissions to users on the domain. The process we follow in the demo is to create the share and set the permissions, mount the share with the storage account key, and set the root directory permissions. Once that's all done, mount the share as a normal user and use it.

Let's jump in and walk through this. In the demo we'll start by adding a new storage account and a share, then we work through the steps listed on the screen, and at the end we'll run the command to change the password.

Here I am at the Azure portal, and the first thing I'm going to do is create a storage account. To do that I'm going to go to Create a resource and type in storage. I'll select Storage account and Create. I'll create a new resource group and call it azurefilerg01. I'll give the storage account a name, cirfiletest01. I'll select a location; my location is Central US, you can select whatever you need. For performance I'm going to leave it as Standard; if this was production I may consider Premium, but for this test I'm just going to leave it as Standard. Leave the account kind as StorageV2, and I'll change the replication to locally redundant storage. Next I'll select Networking. We'll do more with this later, but for now I'm just going to leave it at public endpoints. Under Advanced I'm going to leave everything as default; notice there is the ability to add large file share support. I don't need that for now, so I'm just going to move on to Next, then Review and create, and Create. We'll give this a minute to finish. The deployment's complete; I'm going to go to the resource. Now that I'm in the storage account I'm going to create a file share, so I'll add a share. I'll call this smbtest, and I don't need any quota for it, so we'll do Create. That's the first part: creating the storage account and the share. Right now we have a share, but you can't access the share using SMB or NTFS-style permissions, so let's set that up.

To set up the SMB access I'm going to log in to a VM that's both on the VNet and joined to the domain. Let's open up ISE. I don't have code on this yet. I'm going to run this as administrator; as part of this I have to import some modules, so I need elevated permissions to do that. We're going to download and run a script that Microsoft provides that will give us the commands to join that storage account to the domain. The user running that script will need some permissions to be able to do this. The account used to run the script has to be replicated to Azure AD, so this is going to be an account that's sourced from Windows AD and replicated to Azure AD with AD Connect. It has to have rights to modify AD to add a user or computer object, and that account also has to have storage owner or contributor rights. The account I'm using I set up just for this; it's both a domain admin and a global admin, so that gives me all the permissions I need, but you can definitely scale that back in production if you don't want to give it full domain and global admin rights. Let me just clear that out.

Next let's download the script, so I'm going to go into IE. I'll include the link to this in the video. That's a GitHub repo that Microsoft has with the location of the script. There's a few versions of it; I'm going to download the most recent, which is version 0.12. We'll just save it and open the folder. I'm going to close this out too. So I'll extract the zip file; we can leave it right where it's at. You'll notice there's two files in here: one's a PowerShell script and the other one's a module file, and then there's a CopyToPSPath. The CopyToPSPath file just copies these two scripts to where they need to be.

So let's get this under way. The first thing I'm going to run is a command to set the execution policy to Unrestricted for the current user. Once that's done I'm going to run the CopyToPSPath script; to do that I need to get into the download directory, that's where it's located, then I can just run this. I'll make all these commands available on my blog if you want to follow along. Next I'm going to import the AzFilesHybrid module. That finished. The next thing I'm going to do is connect to my Azure account, and again, this account has global admin rights, but the account used has to have a minimum of storage account owner or contributor rights to that storage account. Now I'm connected to my Azure account, and the next thing we need to do is set up some variables. We're going to set up the subscription ID, resource group name and storage account name. So I'll add my resource group name and my storage account name, and don't forget to add your subscription ID. I already have that set as a variable; I'm going to leave that blank, it just makes editing later a little bit easier. Then let's make sure we're in the correct subscription; we'll do that with Select-AzSubscription and set it to the subscription ID. Okay, so I ran that and I'm on the right subscription.

Now that that's all set, let's run the command, and let me just go through what this is doing. The command is Join-AzStorageAccountForAuth. We've got the resource group name, and we already have that set in a variable; we have the storage account name set in a variable as well. DomainAccountType can either be a computer account or a service logon account. I'm going to set it to service logon account, and again, the only real difference with this is how passwords are treated, at least that's all I could find. Then we have two options for the organizational unit name. This is the OU that the computer or user object will be placed into. You can simply specify the name or you can give it a distinguished path. If you use the organizational unit name, let's say you have an OU called File Server and you wanted it to go there: if you only had one OU called File Server that would work fine, but if you had multiple OUs with the same name, it's just going to pick the first one. So I think I'd rather give it the distinguished name so it goes exactly where I expect it to. I'll just pull these out. It's all set; the last thing to do is to run it. So it looks like we got a confirmation here that it's enabled.

There's a couple of other commands we can run to verify it's working. First we'll get the storage account; that gets the storage account we created and adds it as a variable. Then if we go to the storage account properties, AzureFilesIdentityBasedAuth, DirectoryServiceOptions, we can see it's set to AD. The last command here is AzureFilesIdentityBasedAuth, ActiveDirectoryProperties, and there it is, so we can see it is part of my domain.

Let's also look at AD. Here I am in Active Directory Users and Computers. I'm going to go to my domain and go to the Azure file share OU; that's the OU I used. You can see I have two objects here. One is the cirfiletest01 user account that we just set up; I set up the one above it previously using the computer account. I'll just point out, if we go into Properties we have a small set of properties, the basics for any computer account. If I go into this one that we just created, it's a user, so we can go into Account, and one of the things I noticed is the password is set to never expire. So I'm not sure if this is something that's changed in the most recent version of the script, if that's supposed to be there or if it's not; anyway, just pointing that out, that is an option when you use the user account. Okay, but that is in AD now: the user account used to manage Kerberos information when a client accesses the resource.

Let's go back to the portal and add the RBAC roles to the file share. Here I am in the storage account. I'm going to go to File shares, pick the file share we just set up and go into Access control. I'm going to add some role assignments. First I'm going to select a role, and I want to point out a couple of roles down here. There's Storage File Data SMB Share Contributor; this has modify rights to the share. Then we have Storage File Data SMB Share Elevated Contributor; that has modify rights as well as rights to change the permissions. And then we have a Reader role. So I'm going to start with a reader and look for some groups that I had set up previously. So here's my AZ file reader group; you can see I have three groups here, one for elevated contributor and one for contributor. These groups are replicated from Windows AD. This access that I'm setting up only needs to be created once; then membership can be managed in the Windows domain by adding or removing users from these groups. Remember, by default Azure AD Connect synchronizes every 30 minutes, so if you make a change you either have to wait 30 minutes for that replication to take place or initiate an AD Connect synchronization. I'm going to add another, the elevated contributor this time, and then the third one. This is equivalent to adding share permissions on a folder.

Next we'll add NTFS permissions to the directory structure, and to do that we need to go back to the computer. To configure NTFS permissions we have to use the super user access, so I'm going to build out that command now. First I have to set a drive letter; this is a simple net use command, I'm just going to make this Y. Then we need the storage account name; I'll just pull that from up here. Also needed at the end of this command is the share name and the storage account key. I think I can remember smbtest; I'm going to grab the access key and just copy that to the clipboard. That is smbtest, and I'll paste in the key. Okay, but don't run it from here. I'm going to copy this. The reason I'm not going to run it from this PowerShell session is because I ran it with elevated permissions; I won't be able to see the drive path if I run it here. So I'm just going to open up the command prompt as a normal user and run it.

Now if I go back to File Explorer you can see I have the new drive mounted. I'm going to go to the Properties of this, go to Security and start modifying some of the security settings. So we'll go to Edit, and I'm going to add a reader role, the contributor role and an administrative role. So let's do the reader first; that has Read & execute, List and Read. Again, I'm using groups for this. We'll do a contributor next; I'm going to give this account Modify rights in addition to the read. I'm going to add a third one now; this will be the elevated contributor, and that's going to have Full control. It's going to tell me that if you're setting this at the folder it's going to change everything; that's fine, there's no subfolders, so I'll click OK and OK. Mounting this share with the storage key only needs to be done once. Now that I have the NTFS permissions, I can go in as one of the users in the full control group and modify permissions as I need to. Let's do net use Y: and we'll delete that.

So all the permissions are set and all the users are created; let's give it a try. Here I am logged in to a machine that's domain joined and on a VNet in Azure. I'm just going to open up PowerShell ISE; I'm using this as a normal user this time. Now I'm going to use the net use command to mount the share. Okay, that completed successfully. Now we can go into the N drive and we can create folders and files. Let's just set up a couple. I'm going to go into test3 and we can modify the properties, go into Security, disable inheritance and just add the user to give that one user full control. So as you can see, it works just like Windows file server permissions from this point on. Let's go into test2 and we'll create a new document. Okay, so that's all working.

Let's log in as a different user. I'm going to log in as a user with contributor rights. I'll log in to ISE again and I'll just run the net use command. There it is, and you can see our folders are there. If I try to go into test3, I don't have permissions. I can go into test2 and open up documents, and I can't go into test3; as I said, only test3 user 3 has full control to that folder. So let's try the third option; this is the user with read-only access. We can mount the directory, and we should see it in here. Again I can't go into test3. I can go in here, but if I try to edit it, I don't have permissions. So that all works as expected.

Let's go back to the admin account we started with, because we have one more thing to do. We're going to change the password on the account we used to enable Kerberos authentication. To do that we're going to use the Update-AzStorageAccountADObjectPassword command. For the resource group, because I still have the session running, I can just do $ResourceGroup, and the storage account name I already have set as a variable; if you don't, you can just add your resource group name and storage account name. Again, what I'm doing is something similar to a storage account key rotation. It's going to give me a warning and I'll do Yes to All. This will use the Kerberos keys to update the password on the Windows AD object. Remember, if the password expires on that object, users will not be able to authenticate to the file share.

I'm now on a server that's in my home lab connected to the VNet with a VPN, and I'm going to try to connect to that share. Notice it failed with a network path not found error. If I do an nslookup on that hostname I should be able to get a response, so it can find the IP address, but I'm still getting that network path not found. That's because, the way it's configured so far, this will only work on the VNet in Azure. In my next video I'll go over how to fix that so it can be used over a VPN or ExpressRoute. That's it for the video. Don't forget to like, subscribe and click the bell icon to get notifications when my next video comes out. Thanks for watching.
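The demo above, written out as one script so the whole sequence (domain join, share-level RBAC, one-time super-user NTFS setup, Kerberos password rotation) can be reviewed in one place. This is an added example, not the video's own commands or Microsoft's module code; the resource group, storage account, share, AD domain, OU and group names are assumptions, while the AzFilesHybrid cmdlets and the Storage File Data SMB Share roles are the ones the video names.

```powershell
# Added example, not the video's own script. Assumed names: resource group
# azurefilerg01, storage account cirfiletest01, share smbtest, AD domain
# CONTOSO (contoso.local), OU AzureFileShare, and synced AD groups
# azfilereader / azfilecontributor / azfileelevated. Run in elevated
# PowerShell on a domain-joined VM in the VNet, as an AD-synced account with
# Storage Account Contributor (or Owner) rights and rights to create objects in the OU.

# 1. Load the AzFilesHybrid module (unzipped from Microsoft's GitHub release)
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser
Set-Location "$env:USERPROFILE\Downloads\AzFilesHybrid"
.\CopyToPSPath.ps1
Import-Module -Name AzFilesHybrid
Connect-AzAccount

$SubscriptionId     = "<your-subscription-id>"   # placeholder, fill in
$ResourceGroupName  = "azurefilerg01"
$StorageAccountName = "cirfiletest01"
$ShareName          = "smbtest"
Select-AzSubscription -SubscriptionId $SubscriptionId

# 2. Create the AD object that represents the storage account.
# ServiceLogonAccount = user object, ComputerAccount = computer object; the
# distinguished name avoids picking the wrong OU when several share a name.
Join-AzStorageAccountForAuth `
    -ResourceGroupName $ResourceGroupName `
    -StorageAccountName $StorageAccountName `
    -DomainAccountType "ServiceLogonAccount" `
    -OrganizationalUnitDistinguishedName "OU=AzureFileShare,DC=contoso,DC=local"

# Verify: DirectoryServiceOptions should be "AD" and the domain details populated.
$sa = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName
$sa.AzureFilesIdentityBasedAuth.DirectoryServiceOptions
$sa.AzureFilesIdentityBasedAuth.ActiveDirectoryProperties

# 3. Share-level RBAC scoped to this one share, assigned to the synced AD groups
$shareScope = "$($sa.Id)/fileServices/default/fileshares/$ShareName"
$roles = @{
    "azfilereader"      = "Storage File Data SMB Share Reader"
    "azfilecontributor" = "Storage File Data SMB Share Contributor"
    "azfileelevated"    = "Storage File Data SMB Share Elevated Contributor"
}
foreach ($group in $roles.Keys) {
    $objectId = (Get-AzADGroup -DisplayName $group).Id
    New-AzRoleAssignment -ObjectId $objectId -RoleDefinitionName $roles[$group] -Scope $shareScope
}

# 4. One-time super-user mount with the account key to set the root NTFS ACLs.
# Run the net use lines from a non-elevated session so Explorer sees the drive.
$key = (Get-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $StorageAccountName)[0].Value
net use Y: "\\$StorageAccountName.file.core.windows.net\$ShareName" "/user:Azure\$StorageAccountName" $key
icacls Y:\ /grant "CONTOSO\azfilereader:(OI)(CI)RX"      # read & execute, list, read
icacls Y:\ /grant "CONTOSO\azfilecontributor:(OI)(CI)M"  # modify
icacls Y:\ /grant "CONTOSO\azfileelevated:(OI)(CI)F"     # full control
net use Y: /delete

# 5. Rotate the Kerberos password before the AD password policy expires it
# (schedule this inside the domain, e.g. Task Scheduler or a hybrid worker).
Update-AzStorageAccountADObjectPassword -RotateToKerbKey kerb2 `
    -ResourceGroupName $ResourceGroupName -StorageAccountName $StorageAccountName
```

After step 4, day-to-day access is via a plain `net use` as a domain user, and NTFS changes are made by members of the full-control group; the account key is only needed for that first mount.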
Info
Channel: Travis Roberts
Views: 30,572
Rating: 4.9926333 out of 5
Keywords: Azure, Azure AD, Windows AD, Active Directory, Azure AD Domain Services, SMB, NTFS, File Share, Root Directory, Service Account, Kerberos, token, Azure Files Security, File Server
Id: Vm5QXbRPoKI
Length: 25min 17sec (1517 seconds)
Published: Sat Apr 25 2020