This page contains Windows bias

About This Page

This page is part of the Azure documentation. It contains code examples and configuration instructions for working with Azure services.

Bias Analysis

Bias Types:
⚠️ powershell_heavy
⚠️ windows_first
⚠️ windows_tools
⚠️ missing_linux_example
Summary:
The documentation is heavily biased toward Windows environments. All examples and instructions use Windows PowerShell (specifically PowerShell 5.1), Windows-based tools (Active Directory PowerShell module, Setspn, etc.), and require a Windows domain-joined device. There are no examples or guidance for performing these tasks from Linux or cross-platform environments, nor any mention of Linux-based tools or methods for managing AD DS integration with Azure Files.
Recommendations:
  • Provide equivalent instructions and examples for Linux environments, including how to join Azure Files to AD DS using Linux-based tools (such as Samba's net ads join, Kerberos utilities, or LDAP tools).
  • Clarify whether the process is supported or unsupported from non-Windows systems, and if unsupported, explicitly state this early in the documentation.
  • If possible, offer Azure CLI or REST API alternatives for steps currently requiring PowerShell, to improve cross-platform accessibility.
  • Include troubleshooting and verification steps that can be performed from Linux clients, such as mounting Azure Files shares using Kerberos authentication from Linux.
  • Add a section discussing Linux support and any limitations, with links to relevant documentation for Linux-based AD DS integration.

Scan History

Date Scan ID Status Bias Status
2025-08-19 00:01 #85 completed ✅ Clean
2025-07-13 21:37 #48 completed ❌ Biased
2025-07-12 23:44 #41 in_progress ❌ Biased

Flagged Code Snippets

# Change the execution policy to unblock importing AzFilesHybrid.psm1 module
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser
# Navigate to where AzFilesHybrid is unzipped and stored and run to copy the files into your path
.\CopyToPSPath.ps1
# Import AzFilesHybrid module
Import-Module -Name AzFilesHybrid
# Login to Azure using a credential that has either storage account owner or contributor Azure role
# assignment. If you are logging into an Azure environment other than Public (ex. AzureUSGovernment)
# you will need to specify that.
# See https://learn.microsoft.com/azure/azure-government/documentation-government-get-started-connect-with-ps
# for more information.
Connect-AzAccount
# Define parameters
# $StorageAccountName is the name of an existing storage account that you want to join to AD
# $SamAccountName is the name of the to-be-created AD object, which is used by AD as the logon name
# for the object. It must be 15 characters or less and has certain character restrictions.
# Make sure that you provide the SamAccountName without the trailing '$' sign.
# See https://learn.microsoft.com/windows/win32/adschema/a-samaccountname for more information.
$SubscriptionId = "<your-subscription-id-here>"
$ResourceGroupName = "<resource-group-name-here>"
$StorageAccountName = "<storage-account-name-here>"
$SamAccountName = "<sam-account-name-here>"
$DomainAccountType = "<ComputerAccount|ServiceLogonAccount>" # Default is set as ComputerAccount
# If you don't provide the OU name as an input parameter, the AD identity that represents the
# storage account is created under the root directory.
$OuDistinguishedName = "<ou-distinguishedname-here>"
# Encryption method is AES-256 Kerberos.
# Select the target subscription for the current session
Select-AzSubscription -SubscriptionId $SubscriptionId
# Register the target storage account with your active directory environment under the target OU
# (for example: specify the OU with Name as "UserAccounts" or DistinguishedName as
# "OU=UserAccounts,DC=CONTOSO,DC=COM"). You can use this PowerShell cmdlet: Get-ADOrganizationalUnit
# to find the Name and DistinguishedName of your target OU. If you are using the OU Name, specify it
# with -OrganizationalUnitName as shown below. If you are using the OU DistinguishedName, you can set it
# with -OrganizationalUnitDistinguishedName. You can choose to provide one of the two names to specify
# the target OU. You can choose to create the identity that represents the storage account as either a
# Service Logon Account or Computer Account (default parameter value), depending on your AD permissions
# and preference. Run Get-Help Join-AzStorageAccountForAuth for more details on this cmdlet.
Join-AzStorageAccount `
    -ResourceGroupName $ResourceGroupName `
    -StorageAccountName $StorageAccountName `
    -SamAccountName $SamAccountName `
    -DomainAccountType $DomainAccountType `
    -OrganizationalUnitDistinguishedName $OuDistinguishedName
# You can run the Debug-AzStorageAccountAuth cmdlet to conduct a set of basic checks on your AD configuration
# with the logged on AD user. This cmdlet is supported on AzFilesHybrid v0.1.2+ version. For more details on
# the checks performed in this cmdlet, see Azure Files Windows troubleshooting guide.
Debug-AzStorageAccountAuth -StorageAccountName $StorageAccountName -ResourceGroupName $ResourceGroupName -Verbose

Setspn -S cifs/your-storage-account-name-here.file.core.windows.net <ADAccountName>

Set-ADUser -Identity $UserSamAccountName -UserPrincipalName cifs/<StorageAccountName>.file.core.windows.net@<DNSRoot>

Set-ADComputer -Identity <domain-object-identity> -Server <domain-name> -KerberosEncryptionType "AES256"

Debug-AzStorageAccountAuth -StorageAccountName $StorageAccountName -ResourceGroupName $ResourceGroupName -Verbose

DomainName:<yourDomainHere>
NetBiosDomainName:<yourNetBiosDomainNameHere>
ForestName:<yourForestNameHere>
DomainGuid:<yourGUIDHere>
DomainSid:<yourSIDHere>
AzureStorageID:<yourStorageSIDHere>

# Create the Kerberos key on the storage account and get the Kerb1 key as the password for the AD identity
# to represent the storage account
$ResourceGroupName = "<resource-group-name-here>"
$StorageAccountName = "<storage-account-name-here>"
New-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $StorageAccountName -KeyName kerb1
Get-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $StorageAccountName -ListKerbKey | Where-Object { $_.KeyName -contains "kerb1" }

Set-ADAccountPassword -Identity servername$ -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "kerb1_key_value_here" -Force)

# Set the feature flag on the target storage account and provide the required AD domain information
Set-AzStorageAccount `
    -ResourceGroupName "<your-resource-group-name>" `
    -Name "<your-storage-account-name>" `
    -EnableActiveDirectoryDomainServicesForFile $true `
    -ActiveDirectoryDomainName "<your-domain-dns-root>" `
    -ActiveDirectoryNetBiosDomainName "<your-domain-dns-root>" `
    -ActiveDirectoryForestName "<your-forest-name>" `
    -ActiveDirectoryDomainGuid "<your-guid>" `
    -ActiveDirectoryDomainsid "<your-domain-sid>" `
    -ActiveDirectoryAzureStorageSid "<your-storage-account-sid>" `
    -ActiveDirectorySamAccountName "<your-domain-object-sam-account-name>" `
    -ActiveDirectoryAccountType "<your-domain-object-account-type, the value could be 'Computer' or 'User'>"

Set-ADUser -Identity <domain-object-identity> -Server <domain-name> -KerberosEncryptionType "AES256"

$KeyName = "kerb1" # Could be either the first or second kerberos key, this script assumes we're refreshing the first
$KerbKeys = New-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $StorageAccountName -KeyName $KeyName
$KerbKey = $KerbKeys.keys | Where-Object {$_.KeyName -eq $KeyName} | Select-Object -ExpandProperty Value
$NewPassword = ConvertTo-SecureString -String $KerbKey -AsPlainText -Force
Set-ADAccountPassword -Identity <domain-object-identity> -Reset -NewPassword $NewPassword

# Get the target storage account
$storageaccount = Get-AzStorageAccount `
    -ResourceGroupName "<your-resource-group-name-here>" `
    -Name "<your-storage-account-name-here>"
# List the directory service of the selected service account
$storageAccount.AzureFilesIdentityBasedAuth.DirectoryServiceOptions
# List the directory domain information if the storage account has enabled AD DS authentication for file shares
$storageAccount.AzureFilesIdentityBasedAuth.ActiveDirectoryProperties