MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

No mention of Azure Active Directory Domain Services #41286

Closed jgwinner closed 3 years ago

jgwinner commented 5 years ago

The page "Enable Azure Active Directory Domain Services authentication over SMB for Azure Files" implies that you need to set up Azure Active Directory midway through the above steps.

https://docs.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-enable

Is this required? Will ACLs be preserved between AAD DS joined machines and DS joined machines?

Thank you,

    == John ==


VikasPullagura-MSFT commented 5 years ago

@jgwinner Thanks for the feedback! We are currently investigating and will update you shortly.

jgwinner commented 5 years ago

I think I got a partial answer from another thread. The basic problem is this line:

Your domain-joined Windows virtual machines (VMs) can access Azure file shares by using Azure Active Directory (Azure AD) credentials.

but later on it says:

Azure AD DS authentication for SMB access and NTFS DACL persistence is not supported on Azure file shares managed by Azure File Sync.

So would Robocopy work? Otherwise, how do you get the blasted files into Azure securely (with permissions intact)?

I get you guys are in an uncomfortable situation. The product is only partially functional, especially if you're stuck with one leg in the cloud, and one leg outside the cloud. Still ... there needs to be some clarity here (or better yet, make AAD DS actually work with OnPrem domain joined machines AND Azure File Sync ... but my guess is, that won't happen until it's no longer useful).

I'm just asking for clear documentation of the proper use-case for the normal business.

wmgries commented 3 years ago

I think this doc has changed significantly between the time this issue was opened and now, so I apologize it has taken us a long time to address this issue. In general, you probably want to use AD DS, not Azure AD DS, with Azure Files. Azure AD DS is kind of a niche scenario where you don't have on-premises users that are trying to access the Azure file share.

With respect to AD DS, ACLs work the way you expect when migrating from an on-premises file server or using Azure File Sync, under the condition that you have domain joined the storage account to the same domain (or a trusted domain) as the original file share. Hope this helps. #please-close
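The condition stated in the reply above (domain-join the storage account to the same AD DS domain as the source file server, then migrate) can be carried out and checked from a domain-joined Windows machine. The following PowerShell is an added example, not code from this issue or from the azure-docs repository; the Az and AzFilesHybrid cmdlets it calls are real, while the resource group, storage account, share, OU, sign-in name and paths are assumed placeholders. It joins the account, verifies that AD DS (not Azure AD DS) is the configured directory service, grants the share-level RBAC role Robocopy needs to write ACLs, copies the share with DACLs intact, and spot-checks the security descriptors on the target.

```powershell
# Added example (not from the thread). Domain-join an Azure storage account to on-premises AD DS,
# verify the join, and migrate a share with Robocopy so NTFS DACLs survive the move.
# Assumptions: Az + AzFilesHybrid modules installed; run on a machine joined to the same AD DS
# domain as the source file server, as a user allowed to create computer objects in the target OU.
# All names and paths below are placeholders.

$ResourceGroup  = "rg-files-prod"                                   # assumption
$StorageAccount = "stfilesprod01"                                   # assumption
$ShareName      = "finance"                                         # assumption
$TargetOU       = "OU=StorageAccounts,DC=corp,DC=example,DC=com"    # assumption
$SourcePath     = "D:\Shares\Finance"                               # assumption: on-prem source
$MigrationUser  = "migration.admin@corp.example.com"                # assumption: synced AD user
$LogPath        = "C:\Logs\finance-migration.log"

Import-Module AzFilesHybrid
Connect-AzAccount | Out-Null

# 1. Register the storage account as a computer object in the SAME domain as the source server.
#    Only then do the domain SIDs already present in the files' DACLs remain resolvable.
Join-AzStorageAccount `
    -ResourceGroupName $ResourceGroup `
    -StorageAccountName $StorageAccount `
    -DomainAccountType "ComputerAccount" `
    -OrganizationalUnitDistinguishedName $TargetOU

# 2. Confirm the account reports AD DS, not Azure AD DS (AADDS), as its directory service.
$idAuth = (Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount).AzureFilesIdentityBasedAuth
if ($idAuth.DirectoryServiceOptions -ne "AD") {
    throw "Storage account is not AD DS joined: DirectoryServiceOptions = $($idAuth.DirectoryServiceOptions)"
}
"Joined to domain {0} (GUID {1})" -f $idAuth.ActiveDirectoryProperties.DomainName,
                                      $idAuth.ActiveDirectoryProperties.DomainGuid

# 3. Share-level permission. RBAC gates the SMB mount; NTFS DACLs still apply per file and folder.
#    Elevated Contributor is required because Robocopy /COPYALL rewrites ACLs on the target.
$SubscriptionId = (Get-AzContext).Subscription.Id
$ShareScope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
              "/providers/Microsoft.Storage/storageAccounts/$StorageAccount" +
              "/fileServices/default/fileshares/$ShareName"
New-AzRoleAssignment -SignInName $MigrationUser `
    -RoleDefinitionName "Storage File Data SMB Share Elevated Contributor" `
    -Scope $ShareScope | Out-Null

# 4. Copy with Kerberos (no storage account key on the wire).
#    /COPYALL = Data, Attributes, Timestamps, Security (DACL), Owner, aUditing (SACL).
#    Owner and SACL need SeRestorePrivilege/SeSecurityPrivilege; use /COPY:DATS if the
#    migration account lacks them, at the cost of owner and audit entries.
$Dest = "\\$StorageAccount.file.core.windows.net\$ShareName"
robocopy $SourcePath $Dest /MIR /COPYALL /DCOPY:DAT /R:3 /W:5 /MT:32 /NP /LOG:$LogPath
# Robocopy's exit code is a bitmask: 0-7 are success variants (1 copied, 2 extras, 4 mismatches);
# 8 and above mean at least one file or directory failed.
if ($LASTEXITCODE -ge 8) {
    throw "Robocopy reported failures (exit code $LASTEXITCODE); see $LogPath"
}

# 5. Spot-check that security descriptors survived on a sample of directories.
#    SDDL covers owner, group and DACL, so a differing owner shows up as a mismatch too.
$mismatches = Get-ChildItem -Path $SourcePath -Directory -Recurse |
    Select-Object -First 50 |
    ForEach-Object {
        $rel     = $_.FullName.Substring($SourcePath.Length)
        $srcSddl = (Get-Acl -Path $_.FullName).Sddl
        $dstSddl = (Get-Acl -Path (Join-Path $Dest $rel)).Sddl
        if ($srcSddl -ne $dstSddl) {
            [pscustomobject]@{ Path = $rel; Source = $srcSddl; Destination = $dstSddl }
        }
    }
if ($mismatches) {
    $mismatches | Format-List
    throw "$($mismatches.Count) sampled directories have differing security descriptors"
}
"ACL spot-check passed for sampled directories"
```

Two caveats for the check in step 5: SIDs from a domain the storage account is not joined to (or does not trust) are still copied into the target DACL, but they are orphaned entries that grant nobody access, and the SDDL comparison will not flag them; and the root of the Azure file share carries its own default inheritance, so comparing the top-level directory itself rather than its children can produce a false mismatch. Debug-AzStorageAccountAuth from the same module is the tool to run first if the mount in step 4 is refused.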