Create an Azure Files storage account and enabling Azure AD Domain Services authentication
Now it’s time to enable Azure AD Domain Services authentication over Server Message
Block (SMB). For more details on this process, see the Azure Storage Documentation.
First, navigate to the Microsoft Azure Portal, select All services from the sidebar, and
select Storage accounts.
Next, click Add to start the Create storage account wizard. Enter the following details:
Once the deployment has completed, proceed to the next step by selecting Go to
resource.
Select Configuration from the left pane, then enable Azure Active Directory
authentication for Azure Files (Preview) in the main pane. Confirm this change by
selecting Save.
Once saved, select Overview in the left pane, then Files in the main pane.
Select File share and enter the Name and Quota.
Copy and paste the following role definition into Notepad or another plain-text editor and save it as a JSON file:
{
"Name": "<Custom-Role-Name>",
"Id": null,
"IsCustom": true,
"Description": "Allows for read, write and delete access to Azure File Share over SMB",
"Actions": [
"*"
],
"NotActions": [
"Microsoft.Authorization/*/Delete",
"Microsoft.Authorization/*/Write",
"Microsoft.Authorization/elevateAccess/Action"
],
"DataActions": [
"*"
],
"AssignableScopes": [
"/subscriptions/<Subscription-ID>"
]
}
In PowerShell,
1. Execute the following command:
Login-AzureRmAccount
2. When prompted, sign in with an account that has Global administrator or Contributor rights.
3. If needed, select the desired subscription, then execute the following command:
New-AzureRmRoleDefinition -InputFile "C:\temp\CustomRole.json"
4. If prompted for -InputFile, enter the path to the JSON file you saved.
5. Assign the new role to all users that will be getting user profiles.
Here's an example:
$FileShareContributorRole = Get-AzureRmRoleDefinition "AADDCpreview"
# Compose the scope so that it targets only the file share:
$scope = "/subscriptions/1783ee2d-7d93-47ee-afc1-1ce9f7dc7678/resourceGroups/profiles/providers/Microsoft.Storage/storageAccounts/fsprofile2/fileServices/default/fileshare/share"
# Assign the custom role to the target user by UPN
New-AzureRmRoleAssignment -SignInName "adele.vance@airlift2020outlook.onmicrosoft.com" -RoleDefinitionName $FileShareContributorRole.Name -Scope $scope
6. Finally, navigate to the Microsoft Azure Portal, select Virtual machines from the sidebar,
select the desired VM, select Overview in the left pane, then Connect in the main pane to
sign in as an administrator and start a Remote Desktop (RDP) session.
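The role definition shown above grants "*" for both Actions and DataActions, so, apart from the three excluded authorization operations, a holder can manage every resource within the assignable scope, not just read and write files over SMB. The following script is an added example, not code from the original guide: it builds the custom role as an object instead of a JSON file, limits it to the three SMB data-plane rights that the built-in Storage File Data SMB Share Contributor role carries, assigns it on one share, and lists the resulting assignment. Every value in the variable block is a placeholder to replace, and the share-level scope is written with the fileshares segment as in the Azure RBAC scope format.

```powershell
# Added example (not from the original guide): least-privilege variant of the
# custom role, assigned at file-share scope. All values below are placeholders.
$SubscriptionId = "<Subscription-ID>"              # placeholder
$ResourceGroup  = "<resource-group-name>"          # placeholder
$StorageAccount = "<storage-account-name>"         # placeholder
$ShareName      = "<file-share-name>"              # placeholder
$RoleName       = "<Custom-Role-Name>"             # placeholder
$UserUpn        = "<user@contoso.onmicrosoft.com>" # placeholder UPN

Login-AzureRmAccount
Select-AzureRmSubscription -SubscriptionId $SubscriptionId

# Scope for the assignment: the single file share, not the whole subscription.
$shareScope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
              "/providers/Microsoft.Storage/storageAccounts/$StorageAccount" +
              "/fileServices/default/fileshares/$ShareName"

# Use a built-in role as a template object, then replace every field so the
# new role carries no management-plane Actions and only the SMB DataActions.
$role = Get-AzureRmRoleDefinition "Reader"
$role.Id = $null
$role.IsCustom = $true
$role.Name = $RoleName
$role.Description = "Read, write and delete files on an Azure Files share over SMB"
$role.Actions.Clear()
$role.NotActions.Clear()
$role.DataActions.Clear()
$role.DataActions.Add("Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read")
$role.DataActions.Add("Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write")
$role.DataActions.Add("Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete")
$role.AssignableScopes.Clear()
# The role can only ever be assigned inside the profiles resource group.
$role.AssignableScopes.Add("/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup")

New-AzureRmRoleDefinition -Role $role

# Assign the role to one user on one share.
New-AzureRmRoleAssignment -SignInName $UserUpn -RoleDefinitionName $RoleName -Scope $shareScope

# Verify: list every principal holding this role on the share.
Get-AzureRmRoleAssignment -Scope $shareScope -RoleDefinitionName $RoleName |
    Select-Object DisplayName, SignInName, RoleDefinitionName, Scope
```

If the assignment step reports that the role cannot be found, the new definition has not finished replicating yet; rerun the assignment after a short wait rather than widening the scope. The final Get-AzureRmRoleAssignment call is the check to keep in a runbook, since it shows exactly who can reach the share through this role.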
From the Microsoft Azure Portal sidebar, select Storage accounts. From the list of
storage accounts, select the account for which you enabled Azure AD Domain Services
and created the custom roles in steps above.
Under Settings, select Access keys and copy the key from key1.
Note: If the key contains the “/” symbol, hit the Refresh icon to generate a new key.
Navigate to the Virtual Machines tab and locate any VM that is going to be part of
your host pool.
Click on the name of the VM under Virtual Machines (adVM) and select Connect.
This will download an RDP file that allows you to connect to the VM via the credentials
specified during VM creation.
Execute the following command to grant full access to the Azure Files share: