Microsoft have released Entra Kerberos for cloud-only identities into public preview, allowing Azure Files to be used without requiring domain controllers.
What is Azure Files?
Traditionally, many businesses have operated file servers on-premises, allowing folders to be created and shared over the network for employees to store documents and other files. Azure Files offers a similar capability that is cloud-based and accessed over the internet.
Azure Files is available in several tiers that affect the cost and performance of the shares, allowing customers to choose the most cost-effective option to meet their needs. It’s available in all Azure regions and supports zone redundancy (data is stored in different datacentre facilities) in regions that offer it. There are soft-delete and snapshot capabilities, and it integrates with Azure Backup for vaulted, long-term backups.
Azure Files Authentication – What You Need to Know
It’s important to understand how users authenticate when accessing the share. Windows file servers are accessed using the SMB protocol, which relies on Kerberos for authentication. Kerberos is a legacy technology, provided by Windows Active Directory (AD) running on domain controllers. It’s designed for on-premises environments that operate within a trusted network that is separated from the outside world by firewalls. It is not suitable for the cloud-based, zero-trust world in which we now operate – for that, we have Entra ID.
To remain compatible with Windows file servers, Azure Files also uses SMB and therefore relies on Kerberos; however, to be secure in the cloud, it also uses Entra ID. Historically this has meant Azure Files has required hybrid user identities – Windows AD users synced with Entra ID.
When configuring Azure Files there are three choices for authentication. The first is Entra Domain Services, which deploys Azure-managed domain controllers and syncs the users from Entra ID. The second is self-managed domain controllers that have Entra Connect deployed to sync the users from Windows AD to Entra ID. In both cases, users’ devices must have networking line-of-sight to the domain controllers, which is feasible for users in an office environment, but less so for users working remotely on public networks.
The third option, Entra Kerberos for hybrid identities, is the same as the second, but Entra is used as a go-between for the Kerberos authentication, removing the networking line-of-sight requirement and enabling access for remote users. While this is a more flexible option, it still requires Windows AD domain controllers to be deployed either on-premises or in Azure.
This makes Azure Files an easy choice if your customer has domain controllers and Entra Connect already. However, if your customer is cloud-only, creating new domain controllers, backfilling the users and configuring Entra Connect has required significant setup. That said, we have done this many times, so if it’s something your customer wants to do, and you need assistance, please get in touch with us.
Are Microsoft Working on a Solution?
Yes, Microsoft have recently announced that Entra Kerberos for cloud-only identities is now available in public preview. Entra can now handle the whole Kerberos authentication rather than passing it on to Windows AD. This new capability removes the need for your customers to run domain controllers and opens up use of Azure Files for all customers, both hybrid and cloud-only.
Granular permissions on an Azure Files share’s files and folders are configurable directly through the Azure Portal, removing the need to mount the share on a VM, which will simplify configuration tasks.
It’s important to remember that Entra Kerberos for cloud-only identities is currently in preview, which means it shouldn’t be used for production workloads. But you definitely should deploy this in a lab environment to learn how it works and be ready for General Availability. Until that time, I would recommend choosing Entra Kerberos for hybrid identities as the Microsoft-supported authentication method from the three options mentioned above.
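As an added example (not code from the original post or from Microsoft), here is the PowerShell a lab deployment might use to switch a storage account to Entra Kerberos, confirm which directory service option is actually configured, and grant share access to a single group rather than to everyone by default. It assumes the Az.Accounts and Az.Storage modules, placeholder resource names, and that the cloud-only preview accepts the same -EnableAzureActiveDirectoryKerberosForFile switch documented for hybrid identities; check Microsoft’s preview documentation for any extra parameters.

```powershell
# Added example, not from the original post. Placeholder names throughout.
# Assumption: the cloud-only identities preview uses the same switch as the
# hybrid-identity option; verify against Microsoft's preview documentation.
Connect-AzAccount | Out-Null

$rg      = 'rg-files-lab'                             # placeholder resource group
$sa      = 'stfileslab001'                            # placeholder storage account
$share   = 'profiles'                                 # placeholder file share
$groupId = '00000000-0000-0000-0000-000000000000'     # placeholder Entra group object ID

# 1. Enable Entra Kerberos authentication on the storage account.
Set-AzStorageAccount -ResourceGroupName $rg -Name $sa `
    -EnableAzureActiveDirectoryKerberosForFile $true | Out-Null

# 2. Make sure no identity gets access to every share by default (least privilege);
#    access is granted per share in step 4 instead.
Set-AzStorageAccount -ResourceGroupName $rg -Name $sa `
    -DefaultSharePermission None | Out-Null

# 3. Verify what the account is actually configured for. Expect AADKERB here;
#    AD = self-managed domain controllers, AADDS = Entra Domain Services,
#    None = storage account keys only (no identity-based auth at all).
$auth = (Get-AzStorageAccount -ResourceGroupName $rg -Name $sa).AzureFilesIdentityBasedAuth
"Directory service: $($auth.DirectoryServiceOptions); default share permission: $($auth.DefaultSharePermission)"

# 4. Grant share-level access to one group only, scoped to the single share.
$scope = "/subscriptions/$((Get-AzContext).Subscription.Id)/resourceGroups/$rg" +
         "/providers/Microsoft.Storage/storageAccounts/$sa/fileServices/default/fileshares/$share"
New-AzRoleAssignment -ObjectId $groupId `
    -RoleDefinitionName 'Storage File Data SMB Share Contributor' `
    -Scope $scope | Out-Null

# 5. Periodic check: list every principal holding an SMB share data role on this share.
Get-AzRoleAssignment -Scope $scope |
    Where-Object RoleDefinitionName -like 'Storage File Data SMB Share*' |
    Select-Object DisplayName, RoleDefinitionName, Scope
```

Step 5 also returns assignments inherited from the storage account, resource group or subscription, which is exactly where over-broad share access tends to hide.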
Azure Virtual Desktop
Azure Virtual Desktop (AVD) is often deployed using pooled hosts, where users logging on to their virtual desktop are allocated a session from a random host in the pool. When they log off, the session is returned to the pool and made available for use by another user. This is great for resource and cost optimisation, but requires a user profile management solution.
The Microsoft-supported solution is FSLogix, which stores the users’ profiles on a centralised file share that all hosts have access to. A common choice of file share is Azure Files. Because Azure Files authentication currently depends on hybrid identity, customers implementing AVD configured for pooled hosts also need domain controllers.
With the new Entra Kerberos for cloud-only identities authentication option, the requirement for domain controllers is eliminated, making AVD with pooled hosts a lot more viable for cloud-only customers. This is great news that I have been excitedly waiting for.
Are there alternative solutions to Azure Files?
Many end-customers have file servers or NAS devices and want to retire them. They are used to accessing the shares the way they do now and it’s easy to mount them as drive letters on users’ devices. For this reason, they are often looking for a like-for-like cloud-based replacement, and Azure Files can be a good solution, but alternative Microsoft solutions should also be considered.
Lots of end-customers already have Microsoft 365 subscriptions assigned to their users and often these include SharePoint Online and OneDrive. These are both file storage solutions that are designed for the cloud and offer a lot of benefits over a simple file share – automatic saving, versioning, search, granular cross-organisation sharing controls, and collaborative simultaneous editing of documents, to name a few. For these reasons we often recommend a migration to these solutions over using something like Azure Files.
That said, the included SharePoint storage capacity isn’t unlimited and depending on how much storage is needed, it may be cost prohibitive to expand it. If a customer has more data than will fit in their SharePoint capacity, there are a few options. Some good old spring cleaning is one of them, but businesses are typically reluctant to delete data in case it’s needed later. Purview could help here, but that’s another topic. A second option is to archive older data somewhere else, and Azure Files provides a cheaper storage option that, unlike Blob storage, has a nice, easy, familiar method to access, so a combined approach may be the most appropriate solution.
Conclusion
For customers that have domain controllers and Entra Connect deployed, Azure Files is a great cloud-based file share solution they can use today. For cloud-only customers that don’t have domain controllers and just use Entra ID, Microsoft have just released in preview a massive update that will let them easily adopt Azure Files and AVD. If you have questions about Azure Files, configuring hybrid identities, Azure Virtual Desktop, SharePoint, OneDrive, or anything else, please reach out to your Business Development Manager to request a call with our Professional Services team or email us at partners@infinigate.cloud.