This is an awesome video. Would you happen to have a video on how to do this from strictly an Azure environment? Like, we no longer have an on-prem environment, and everything is Azure-based, with users remoting onto an Azure VM with the file share mapped to the VM using Entra ID authentication. But we are running into issues being able to edit the NTFS permissions.
Thanks for the content, very useful video.👍 Once the share and NTFS permissions have been set up by the admin, what is the best practice for setting the file share authentication method in Azure: leave it as "Access Key" or change it to "Microsoft Entra User account"? If the share and NTFS permissions are set up correctly, are there any implications to leaving the method as access key, for example?
As an Azure architect, I love your videos. I haven't had to run this in a long time, but I had to today and I'm getting an error. If I include the -OrganizationalUnitDistinguishedName $OuDistinguishedName switch, the command fails with "New-ADComputer: A required privilege is not held by the client.". If I remove just the OU switch, the command runs fine, but it puts the SA in an OU I don't want it in, and I don't have access to move it to the OU I want it in. I have a long distinguished name, but I have confirmed it is correct, so I am not sure why I am getting that error when the DN is correct? Any idea? Thanks!
@Travis, what if you create the file share but are not syncing with on-prem AD? Once you create the file share, would Robocopy not retain permissions when copied to the AFS? No Azure File Sync, not using on-prem AD, but did set up Entra Domain Services... What are my options then to copy and retain similar NTFS-style permissions?
NTFS permissions require Kerberos. Entra ID can read Kerberos tickets but not create them; that's why users need Windows AD or Entra DS. Also, Robocopy may copy permissions, but the GUID and user object in AD DS are different from those in Entra ID, even if the UPN is the same.
When I perform a 'Check Names' on a group that I'm trying to add, I get an NTLM-style prompt, which rejects my account, even though I am logged in as an enterprise admin. I've tried with different admin accounts but no success. Have you come across this?
The error disappeared a few days later, so I can look up users and groups, but when I try to apply, I get an error "Failed to enumerate objects in the container. Access is denied." The account I am using to manage permissions has the "SMB Elevated Contributor" role. Any ideas?
Azure File Shares NTFS-style permissions need Kerberos for authentication. Entra ID can read, but not create, Kerberos tickets. For now, users and groups need to be sourced from Windows AD.
Really good that you demo'd the NTFS failure before this is configured :)
Glad it was helpful!
Excellent Work! Thank you for your content!
Excellent video 🎉🎉🎉
Hi Travis, please make a video on the new Teams installation on a multi-session image. It would help a lot of AVD engineers. ❤❤❤
Is it possible to do it with Linux?
How to create the sync between the on-prem and Azure AD group? Any option to validate?
Azure Entra Connect is the service that syncs users and groups from on-prem to Entra ID.
Can this be done for a remote user with no VPN?
It requires line-of-sight to a DC, so no.
What if my system is added to Intune? How can I manage this permission?
The same account is added to the local DC as well, but the permission is not working.
Please do an "Azure Files Share with Entra ID per user/group permissions" ??
Cloud-only file share with cloud-only servers, clients & users.
@Ciraltos What if my systems are joined to Intune and my Azure file share is added to local AD (I have Azure AD Connect)? Will this still work?