About This Page
This page is part of the Azure documentation. It contains code examples and configuration instructions for working with Azure services.
Bias Analysis
Bias Types:
- ⚠️ windows_first
- ⚠️ powershell_heavy
- ⚠️ windows_tools
- ⚠️ missing_linux_example
Summary:
The documentation is heavily biased towards Windows environments. All client and server instructions assume Windows OS, with explicit requirements for Windows 10/Server 2012 or higher. All command-line examples use PowerShell, and Windows-specific tools (e.g., Group Policy, Windows File Explorer, icacls, dsregcmd.exe) are referenced exclusively. There are no examples or guidance for Linux clients or non-Windows AD environments, nor is there mention of how (or if) Linux clients could participate in this scenario.
Recommendations:
- Clearly state at the beginning whether Linux clients are supported or not. If not, explain the limitation.
- If Linux clients can participate (e.g., via Samba, SSSD, or Kerberos tools), provide equivalent Linux instructions for mounting SMB shares, configuring Kerberos, and managing permissions.
- Include Linux command-line examples (e.g., using kinit, smbclient, mount.cifs, setfacl) where appropriate.
- Reference Linux tools and configuration files (e.g., /etc/krb5.conf, /etc/samba/smb.conf) alongside Windows tools.
- If certain features (like directory/file-level permissions or Kerberos ticket retrieval) are only possible on Windows, explicitly call this out and suggest workarounds or alternatives for Linux environments.
- Consider adding a dedicated section for cross-platform (Linux/macOS) support, or explicitly state that only Windows clients are supported if that is the case.
Flagged Code Snippets
Set-AzStorageAccount -ResourceGroupName <resourceGroupName> -StorageAccountName <storageAccountName> -EnableAzureActiveDirectoryKerberosForFile $true
$domain = "your on-premises domain name, for example contoso.com"
$domainCred = Get-Credential
$cloudUserName = "Azure AD user principal name, for example admin@contoso.onmicrosoft.com"
Set-AzureAdKerberosServer -Domain $domain `
-DomainCredential $domainCred `
-UserPrincipalName $cloudUserName -SetupCloudTrust `
-RotateServerKey
$domainInformation = Get-ADDomain
$domainGuid = $domainInformation.ObjectGUID.ToString()
$domainName = $domainInformation.DnsRoot
Set-AzStorageAccount -ResourceGroupName <resourceGroupName> -StorageAccountName <storageAccountName> -EnableAzureActiveDirectoryKerberosForFile $true -ActiveDirectoryDomainName $domainName -ActiveDirectoryDomainGuid $domainGuid
az storage account update --name <storageaccountname> --resource-group <resourcegroupname> --enable-files-aadkerb true
$domainInformation = Get-ADDomain
$domainGuid = $domainInformation.ObjectGUID.ToString()
$domainName = $domainInformation.DnsRoot
az storage account update --name <storageAccountName> --resource-group <resourceGroupName> --enable-files-aadkerb true --domain-name <domainName> --domain-guid <domainGuid>
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Install-PackageProvider -Name NuGet -Force
if (@(Get-PSRepository | ? {$_.Name -eq "PSGallery"}).Count -eq 0){
    Register-PSRepository -Default
    Set-PSRepository -Name "PSGallery" -InstallationPolicy Trusted
}
Install-Module -Name PowerShellGet -Force
Install-Module -Name AzureADHybridAuthenticationManagement -AllowClobber
Get-AzureAdKerberosServer -Domain $domain `
-DomainCredential $domainCred `
-UserPrincipalName $cloudUserName
ID : XXXXX
UserAccount : CN=krbtgt-AzureAD, CN=Users, DC=contoso, DC=com
ComputerAccount : CN=AzureADKerberos, OU=Domain Controllers, DC=contoso, DC=com
DisplayName : XXXXXX_XXXXX
DomainDnsName : contoso.com
KeyVersion : 53325
KeyUpdatedOn : 2/24/2024 9:03:15 AM
KeyUpdatedFrom : ds-aad-auth-dem.contoso.com
CloudDisplayName : XXXXXX_XXXXX
CloudDomainDnsName : contoso.com
CloudId : XXXXX
CloudKeyVersion : 53325
CloudKeyUpdatedOn : 2/24/2024 9:03:15 AM
CloudTrustDisplay :
Set-AzureADKerberosServer -Domain $domain -UserPrincipalName $cloudUserName -DomainCredential $domainCred -SetupCloudTrust
ID : XXXXX
UserAccount : CN=krbtgt-AzureAD, CN=Users, DC=contoso, DC=com
ComputerAccount : CN=AzureADKerberos, OU=Domain Controllers, DC=contoso, DC=com
DisplayName : XXXXXX_XXXXX
DomainDnsName : contoso.com
KeyVersion : 53325
KeyUpdatedOn : 2/24/2024 9:03:15 AM
KeyUpdatedFrom : ds-aad-auth-dem.contoso.com
CloudDisplayName : XXXXXX_XXXXX
CloudDomainDnsName : contoso.com
CloudId : XXXXX
CloudKeyVersion : 53325
CloudKeyUpdatedOn : 2/24/2024 9:03:15 AM
CloudTrustDisplay : Microsoft.AzureAD.Kdc.Service.TrustDisplay
Set-AzureAdKerberosServer -Domain $domain `
-DomainCredential $domainCred `
-UserPrincipalName $cloudUserName -SetupCloudTrust `
-RotateServerKey -Force
Remove-AzureADKerberosServerTrustedDomainObject -Domain $domain `
-DomainCredential $domainCred `
-UserPrincipalName $cloudUserName
Remove-AzureAdKerberosServer -Domain $domain `
-DomainCredential $domainCred `
-UserPrincipalName $cloudUserName