Storage Files Identity Ad Ds Enable

Bias Analysis

Bias Types:

⚠️ powershell_heavy

⚠️ windows_first

⚠️ missing_linux_example

⚠️ windows_tools

Summary:

The documentation is heavily biased toward Windows environments. All examples and instructions use Windows PowerShell (specifically PowerShell 5.1), Windows-specific modules (AzFilesHybrid, Active Directory PowerShell), and Windows command-line tools (Setspn). There are no examples or guidance for performing these tasks from Linux or cross-platform environments, nor is there mention of Linux clients or tools. The documentation assumes the administrator is working from a Windows domain-joined machine and does not address Linux-based management or access scenarios.

Recommendations:

Provide equivalent instructions and examples for Linux environments, including how to join storage accounts to AD DS using cross-platform tools or Azure CLI.
Mention and document any limitations or requirements for Linux administrators, such as whether certain steps must be performed from Windows, and what alternatives exist.
Include examples for mounting Azure file shares from Linux clients using AD DS credentials, if supported.
Reference or link to documentation on managing Azure Files and AD DS integration from non-Windows platforms.
Clarify in prerequisites and throughout the guide which steps are Windows-only and offer Linux-compatible alternatives where possible.

Create pull request

Date	Scan ID	Status	Bias Status
2025-08-19 00:01	#85	completed	✅ Clean
2025-07-13 21:37	#48	completed	❌ Biased
2025-07-12 23:44	#41	in_progress	❌ Biased

Flagged Code Snippets

# Create the Kerberos key on the storage account and get the Kerb1 key as the password for the AD identity # to represent the storage account $ResourceGroupName = "<resource-group-name-here>" $StorageAccountName = "<storage-account-name-here>" New-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $StorageAccountName -KeyName kerb1 Get-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $StorageAccountName -ListKerbKey | where-object{$_.Keyname -contains "kerb1"}

# Change the execution policy to unblock importing AzFilesHybrid.psm1 module Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser # Navigate to where AzFilesHybrid is unzipped and stored and run to copy the files into your path .\CopyToPSPath.ps1 # Import AzFilesHybrid module Import-Module -Name AzFilesHybrid # Login to Azure using a credential that has either storage account owner or contributor Azure role # assignment. If you are logging into an Azure environment other than Public (ex. AzureUSGovernment) # you will need to specify that. # See https://learn.microsoft.com/azure/azure-government/documentation-government-get-started-connect-with-ps # for more information. Connect-AzAccount # Define parameters # $StorageAccountName is the name of an existing storage account that you want to join to AD # $SamAccountName is the name of the to-be-created AD object, which is used by AD as the logon name # for the object. It must be 15 characters or less and has certain character restrictions. # Make sure that you provide the SamAccountName without the trailing '$' sign. # See https://learn.microsoft.com/windows/win32/adschema/a-samaccountname for more information. $SubscriptionId = "<your-subscription-id-here>" $ResourceGroupName = "<resource-group-name-here>" $StorageAccountName = "<storage-account-name-here>" $SamAccountName = "<sam-account-name-here>" $DomainAccountType = "<ComputerAccount|ServiceLogonAccount>" # Default is set as ComputerAccount # If you don't provide the OU name as an input parameter, the AD identity that represents the # storage account is created under the root directory. $OuDistinguishedName = "<ou-distinguishedname-here>" # Encryption method is AES-256 Kerberos. # Select the target subscription for the current session Select-AzSubscription -SubscriptionId $SubscriptionId # Register the target storage account with your active directory environment under the target OU # (for example: specify the OU with Name as "UserAccounts" or DistinguishedName as # "OU=UserAccounts,DC=CONTOSO,DC=COM"). You can use this PowerShell cmdlet: Get-ADOrganizationalUnit # to find the Name and DistinguishedName of your target OU. If you are using the OU Name, specify it # with -OrganizationalUnitName as shown below. If you are using the OU DistinguishedName, you can set it # with -OrganizationalUnitDistinguishedName. You can choose to provide one of the two names to specify # the target OU. You can choose to create the identity that represents the storage account as either a # Service Logon Account or Computer Account (default parameter value), depending on your AD permissions # and preference. Run Get-Help Join-AzStorageAccountForAuth for more details on this cmdlet. Join-AzStorageAccount ` -ResourceGroupName $ResourceGroupName ` -StorageAccountName $StorageAccountName ` -SamAccountName $SamAccountName ` -DomainAccountType $DomainAccountType ` -OrganizationalUnitDistinguishedName $OuDistinguishedName # You can run the Debug-AzStorageAccountAuth cmdlet to conduct a set of basic checks on your AD configuration # with the logged on AD user. This cmdlet is supported on AzFilesHybrid v0.1.2+ version. For more details on # the checks performed in this cmdlet, see Azure Files Windows troubleshooting guide. Debug-AzStorageAccountAuth -StorageAccountName $StorageAccountName -ResourceGroupName $ResourceGroupName -Verbose

$KeyName = "kerb1" # Could be either the first or second kerberos key, this script assumes we're refreshing the first $KerbKeys = New-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $StorageAccountName -KeyName $KeyName $KerbKey = $KerbKeys.keys | Where-Object {$_.KeyName -eq $KeyName} | Select-Object -ExpandProperty Value $NewPassword = ConvertTo-SecureString -String $KerbKey -AsPlainText -Force Set-ADAccountPassword -Identity <domain-object-identity> -Reset -NewPassword $NewPassword

Document Details

About This Page

Bias Analysis

Scan History

Flagged Code Snippets