Document Details
Storage Files Identity Auth Hybrid Cloud Trust
This page contains Windows bias
About This Page
This page is part of the Azure documentation. It contains code examples and configuration instructions for working with Azure services.
Bias Analysis
Detected Bias Types
windows_first
powershell_heavy
windows_tools
missing_linux_example
Summary
The documentation is heavily biased towards Windows environments. All client and server instructions assume Windows OS, with explicit requirements for Windows 10/Server 2012 or higher. All command-line examples use PowerShell, and Windows-specific tools (e.g., Group Policy, Windows File Explorer, icacls, dsregcmd.exe) are referenced exclusively. There are no examples or guidance for Linux clients or non-Windows AD environments, nor is there mention of how (or if) Linux clients could participate in this scenario.
Recommendations
- Clearly state at the beginning whether Linux clients are supported or not. If not, explain the limitation.
- If Linux clients can participate (e.g., via Samba, SSSD, or Kerberos tools), provide equivalent Linux instructions for mounting SMB shares, configuring Kerberos, and managing permissions.
- Include Linux command-line examples (e.g., using kinit, smbclient, mount.cifs, setfacl) where appropriate.
- Reference Linux tools and configuration files (e.g., /etc/krb5.conf, /etc/samba/smb.conf) alongside Windows tools.
- If certain features (like directory/file-level permissions or Kerberos ticket retrieval) are only possible on Windows, explicitly call this out and suggest workarounds or alternatives for Linux environments.
- Consider adding a dedicated section for cross-platform (Linux/macOS) support, or explicitly state that only Windows clients are supported if that is the case.
Create Pull Request
Scan History
| Date | Scan | Status | Result |
|---|---|---|---|
| 2026-01-14 00:00 | #250 | in_progress |
 Clean
|
| 2026-01-13 00:00 | #246 | completed |
Biased
|
| 2026-01-11 00:00 | #240 | completed |
Biased
|
| 2026-01-10 00:00 | #237 | completed |
Biased
|
| 2026-01-09 00:34 | #234 | completed |
Biased
|
| 2026-01-08 00:53 | #231 | completed |
Clean
|
| 2025-08-20 00:01 | #86 | completed |
Clean
|
| 2025-08-19 00:01 | #85 | completed |
Clean
|
| 2025-07-13 21:37 | #48 | completed |
Biased
|
| 2025-07-12 23:44 | #41 | cancelled |
Biased
|
Flagged Code Snippets
Set-AzStorageAccount -ResourceGroupName <resourceGroupName> -StorageAccountName <storageAccountName> -EnableAzureActiveDirectoryKerberosForFile $true
$domain = "your on-premises domain name, for example contoso.com"
$domainCred = Get-Credential
$cloudUserName = "Azure AD user principal name, for example admin@contoso.onmicrosoft.com"
Set-AzureAdKerberosServer -Domain $domain ` -DomainCredential $domainCred ` -UserPrincipalName $cloudUserName -SetupCloudTrust ` -RotateServerKey
$domainInformation = Get-ADDomain $domainGuid = $domainInformation.ObjectGUID.ToString() $domainName = $domainInformation.DnsRoot
Set-AzStorageAccount -ResourceGroupName <resourceGroupName> -StorageAccountName <storageAccountName> -EnableAzureActiveDirectoryKerberosForFile $true -ActiveDirectoryDomainName $domainName -ActiveDirectoryDomainGuid $domainGuid
az storage account update --name <storageaccountname> --resource-group <resourcegroupname> --enable-files-aadkerb true
$domainInformation = Get-ADDomain $domainGuid = $domainInformation.ObjectGUID.ToString() $domainName = $domainInformation.DnsRoot
az storage account update --name <storageAccountName> --resource-group <resourceGroupName> --enable-files-aadkerb true --domain-name <domainName> --domain-guid <domainGuid>
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Install-PackageProvider -Name NuGet -Force
if (@(Get-PSRepository | ? {$_.Name -eq "PSGallery"}).Count -eq 0){
Register-PSRepository -DefaultSet-PSRepository -Name "PSGallery" -InstallationPolicy Trusted
}
Install-Module -Name PowerShellGet -Force
Install-Module -Name AzureADHybridAuthenticationManagement -AllowClobber
Get-AzureAdKerberosServer -Domain $domain `
-DomainCredential $domainCred `
-UserPrincipalName $cloudUserName
ID : XXXXX
UserAccount : CN=krbtgt-AzureAD, CN=Users, DC=contoso, DC=com
ComputerAccount : CN=AzureADKerberos, OU=Domain Controllers, DC=contoso, DC=com
DisplayName : XXXXXX_XXXXX
DomainDnsName : contoso.com
KeyVersion : 53325
KeyUpdatedOn : 2/24/2024 9:03:15 AM
KeyUpdatedFrom : ds-aad-auth-dem.contoso.com
CloudDisplayName : XXXXXX_XXXXX
CloudDomainDnsName : contoso.com
CloudId : XXXXX
CloudKeyVersion : 53325
CloudKeyUpdatedOn : 2/24/2024 9:03:15 AM
CloudTrustDisplay :
Set-AzureADKerberosServer -Domain $domain -UserPrincipalName $cloudUserName -DomainCredential $domainCred -SetupCloudTrust
ID : XXXXX
UserAccount : CN=krbtgt-AzureAD, CN=Users, DC=contoso, DC=com
ComputerAccount : CN=AzureADKerberos, OU=Domain Controllers, DC=contoso, DC=com
DisplayName : XXXXXX_XXXXX
DomainDnsName : contoso.com
KeyVersion : 53325
KeyUpdatedOn : 2/24/2024 9:03:15 AM
KeyUpdatedFrom : ds-aad-auth-dem.contoso.com
CloudDisplayName : XXXXXX_XXXXX
CloudDomainDnsName : contoso.com
CloudId : XXXXX
CloudKeyVersion : 53325
CloudKeyUpdatedOn : 2/24/2024 9:03:15 AM
CloudTrustDisplay : Microsoft.AzureAD.Kdc.Service.TrustDisplay
Set-AzureAdKerberosServer -Domain $domain ` -DomainCredential $domainCred ` -UserPrincipalName $cloudUserName -SetupCloudTrust ` -RotateServerKey -Force
Remove-AzureADKerberosServerTrustedDomainObject -Domain $domain ` -DomainCredential $domainCred ` -UserPrincipalName $cloudUserName
Remove-AzureAdKerberosServer -Domain $domain ` -DomainCredential $domainCred ` -UserPrincipalName $cloudUserName