If you are like most of us on your cloud journey, you may have some of those pesky Windows file servers still residing on premises in the wiring closet in the back. Admit it, it's alright! Let's face it, the SMB (Server Message Block) protocol and Windows file share technology have been around a long time. They are reliable and they work! However, more and more people are working from home these days. Employees may not have the ability to VPN into your network just to get some files off the company file server. Also, maybe you have some share-dependent applications that still need access to local file shares, and you still want to migrate them to the cloud via Azure Virtual Machines, but you are concerned about breaking the code everywhere it references an SMB file share on premises.
Well, I have some good news! Azure Files is your serverless file sharing answer. It now works with either Azure Active Directory Domain Services (AAD DS) or your on-premises Active Directory Domain Services (AD DS) as the authentication/identity provider.
To get started, create a storage account and head on over to the Azure Files Shares snap-in (serverless SMB file shares) illustrated below.
Once you click in, head into the left navigation blade and select the Configuration option, shown below. You will then see both options for authentication: Azure Active Directory Domain Services (AAD DS) or Active Directory (AD). There can be only one! (A storage account can have only one of the two enabled at a time.)
The Active Directory (AD) option shows you how to domain join your Azure storage account to your on-premises Active Directory domain. This is done by running the PowerShell cmdlet shown above in your on-premises environment, which creates the offline domain-joined connection between your on-premises AD and your Azure Storage account.
The Azure Active Directory Domain Services (AAD DS) option authenticates users to the Azure Files shares through your Azure Active Directory Domain Services instance. This is a managed service from Microsoft that connects directly to your Azure Active Directory.
Once you have picked an authentication scheme, you will want to create some file shares. You can do that in the wizard shown below.
Set the name of your Azure file share and set its initial storage quota accordingly. Finally, set up your IAM access policies granting high-level administrative access at the root of the share. That is done with the Access Control blade shown above. You can also set traditional NTFS-level access by mounting the Azure Files share on a test administrative machine and using Windows Explorer or PowerShell to grant specific users and groups permissions via NTFS. The code snippet below mounts the new share on your administrative machine:
After the NTFS permissions are set as above, an end user can map a drive to the Azure file share as shown below without the storage key, and should get prompted for their AD credentials.
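The whole mount-and-permission procedure from the two steps above, written out as an added PowerShell example (this is not the article's own snippet). The storage account, share, AD group names, subscription and resource group are placeholders; it also adds the share-level role assignment behind the Access Control blade and a TCP 445 reachability check, which the article does not show.

```powershell
# Added example, not the article's own code. Placeholder values to replace:
# storage account 'contosofiles', share 'finance', AD groups 'CONTOSO\FileShare-Admins'
# and 'CONTOSO\Finance-Users' (assumed synced to Azure AD under the same display names),
# <sub-id> and <rg>. Step 0 requires the Az PowerShell module and an Azure login.
$StorageAccount = 'contosofiles'
$ShareName      = 'finance'
$Fqdn           = "$StorageAccount.file.core.windows.net"
$UncPath        = "\\$Fqdn\$ShareName"

# 0. Share-level (IAM) permission, the PowerShell equivalent of the Access Control blade.
#    Elevated Contributor lets admins change NTFS ACLs with their identity, not the key.
$ShareScope = "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Storage" +
              "/storageAccounts/$StorageAccount/fileServices/default/fileshares/$ShareName"
New-AzRoleAssignment -ObjectId (Get-AzADGroup -DisplayName 'FileShare-Admins').Id `
    -RoleDefinitionName 'Storage File Data SMB Share Elevated Contributor' -Scope $ShareScope
New-AzRoleAssignment -ObjectId (Get-AzADGroup -DisplayName 'Finance-Users').Id `
    -RoleDefinitionName 'Storage File Data SMB Share Contributor' -Scope $ShareScope

# 1. Azure Files is SMB over TCP 445, which many ISPs and home routers block;
#    check reachability before chasing authentication errors.
if (-not (Test-NetConnection -ComputerName $Fqdn -Port 445).TcpTestSucceeded) {
    throw "TCP 445 to $Fqdn is blocked; the share cannot be mounted from here."
}

# 2. Admin-only step: mount once with the storage account key to seed the NTFS ACLs.
#    The key is full access to every share in the account, so prompt for it rather
#    than hard-coding it, and never use it on end-user machines.
$Key  = Read-Host -Prompt "Storage account key for $StorageAccount" -AsSecureString
$Cred = New-Object System.Management.Automation.PSCredential("Azure\$StorageAccount", $Key)
New-PSDrive -Name Z -PSProvider FileSystem -Root $UncPath -Credential $Cred | Out-Null

# 3. NTFS permissions on the share root, granted to AD groups rather than users.
#    (OI)(CI) = inherit to subfolders and files; F = Full control, M = Modify.
icacls Z:\ /grant 'CONTOSO\FileShare-Admins:(OI)(CI)F'
icacls Z:\ /grant 'CONTOSO\Finance-Users:(OI)(CI)M'
icacls Z:\ /remove:g 'Authenticated Users'   # drop the broad default grant on the root
icacls Z:\                                    # show the resulting ACL for review

# 4. Drop the key-based mapping; everything from here on is identity-based.
Remove-PSDrive -Name Z

# 5. End-user step on a domain-joined PC, logged on as a member of CONTOSO\Finance-Users:
#    no storage key; the user's Kerberos ticket from the AD logon authenticates to the share.
New-PSDrive -Name Z -PSProvider FileSystem -Root $UncPath -Persist
Get-ChildItem Z:\ | Select-Object -First 5
```

Steps 0 to 4 run once from the administrative machine; only step 5 belongs in an end-user logon script or documentation.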
That's it! I hope that helps you get started with a new twist on a tried-and-true on-premises technology, extending it to the cloud for your remote users. For more detailed and official information from Microsoft, check out the reference links below, which were used as general background for this article.
References List:
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-enable
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable