On-Prem Storage To Azure Storage - Part-2

-

Technical Setup and Configuration Blueprint

First and foremost, before proceeding any further, the most critical step is to ensure that the underlying network is properly configured to establish seamless communication between the Azure and on-premises environments. Fortunately, the majority of the network configurations were already in place; however, there were still a few intricacies that needed to be addressed—such as configuring private endpoints, DNS entries, and Cloudflare traffic routing. 


Once networks and communication are configured, we can initiate building other elements as follows - 
The diagram below provides an overview of the Azure setup and illustrates how the environment is structured. I will try as much as possible to explain more thoroughly -




1. Azure Storage and Azure File Shares

  • Azure Storage and Azure Files Configuration 

We begin by creating the Azure Storage and Azure Files with the following configuration. Certain details have been blurred out for privacy and security reasons. Please review the configuration values for your own setup — these may vary depending on your specific requirements. In my case, the chosen configuration was the most suitable and cost-effective option based on the approved budget and ongoing recurring costs.

2. Authentication and Authorization

Connecting to Azure file shares mounted with an access token key has limitations. We used the access key to connect to the share, which gave us the right to modify the content, but we could not modify NTFS-style permissions. Therefore, we need to configure RBAC and Identity-based Authentication. 
  • Azure File RBAC Access
To maintain consistency and simplify access management, I adopted a group-based strategy instead of assigning permissions directly to individual users. This approach not only aligns with best practices but also makes administration and auditing far easier in the long run.

In my setup, I created three key groups—each representing a specific level of access and responsibility within the Azure Files environment. These groups are defined either in Active Directory (AD) or Microsoft Entra ID, depending on the environment setup. Each group contains nested admin/user members, allowing for scalable management as the organization grows or team structures change.

Storage File Data SMB Share Contributor  
AAD_AzureFileData_SMB_Share_Contributor

Storage File Data SMB Share Elevated Contributor
AAD_AzureFileData_SMB_Share_Elevated_Contributor

Storage File Data SMB Share Reader 
AAD_AzureFileData_SMB_Share_Reader

Please follow the video reference to add these RBAC roles to your Azure File Share and understand why we are doing these steps. 


Once RBAC was successfully configured, the next step was to implement Azure File Identity-based Access for Azure Files

  • Azure File Identity-based Authentication

Azure Files lets you store files in the cloud, and you can secure access using "identity-based authentication" over SMB (a protocol for sharing files). Just like Windows file servers, you can grant permissions to an identity at the share, directory, or file level.


Given that our environment heavily relies on Active Directory, selecting, Active Directory Domain Services (AD DS), is the most appropriate choice. ðŸ”— Azure Files identity-based authentication for SMB access


To set up ADDS identity authentication, you need to run PowerShell scripts from your domain controller or a member server. This process initiates the creation of an object in Active Directory, which will be used for communication and authentication with Azure Files. 

Be prepared, it will be a lot of reading...🤓

In simple terms, you’ll need to download the PowerShell scripts and run them in sequence from your Domain Controller using a domain admin account. Copy and extract these files in your DC.

Step-by-Step Instructions

Step 1:
Open PowerShell as an administrator and set the execution policy to unrestricted.

Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser

Step 2:
Install all Az* modules or update them if they’re already installed.

Install-Module Az.* or Install-Module Az -Force -AllowClobber
# or
Update-Module Az.*

Step 3:
Run the following script from the folder to copy the Az files to the PowerShell path.

.\CopyToPSPath.ps1

Step 4:
Import the AzFilesHybrid module.

Import-Module -Name AzFilesHybrid

Step 5:
Connect to your Azure tenant.
If you’re a Global Administrator, you shouldn’t face any permission issues.

Connect-AzAccount

Step 6:
You can either follow the method shown in the referenced video (YouTube link) or use the command below. 🔗 Configure Azure Files Share with Windows AD NTFS Permissions

In my case, I added an extra parameter -Domain "domain FQDN", which isn’t included in the original script. 

Join-AzStorageAccount `
  -ResourceGroupName "AFS-FisherFunds" `
  -StorageAccountName "ffazurefileshare01" `
  -Domain "internal.local" `
  -DomainAccountType ComputerAccount `
  -OrganizationalUnitName "AzureFileShareAccount"
or 

Join-AzStorageAccount -ResourceGroupName "Production-AVD" -StorageAccountName "mcdfslogix" -Domain "avd.local" -DomainAccountType ComputerAccount -OrganizationalUnitName "AzureFileShareAccount"


Verify the permissions and connection 
(Get-AzStorageAccount -ResourceGroupName Production-AVD -Name mcdfslogix).AzureFilesIdentityBasedAuth

If for some reason you have network or share permissions issues, there is tools that you can use to check the issue - https://github.com/Azure-Samples/azure-files-samples/tree/master/AzFileDiagnostics/Windows


Continuation PART -3 

Popular posts from this blog

On-Prem Storage To Azure Storage - Part-1

-
Image
Project requirements  Designed and implemented a cost-effective, end-to-end Azure-based storage solution, successfully migrating users and associated application dependencies with zero downtime . The project involved the seamless transfer of 10TB of data while preserving NTFS permissions and ACLs and ensuring that critical Excel macros remained fully functional.  This was particularly vital as Fisher Funds manages investments across bonds and equities via Bloomberg integrations. The resulting solution delivered modern security, enhanced reliability, and operational resilience, all while maintaining optimal cost efficiency. Challenges and Preparation 1. NTFS/ACL Enumeration and Access During the assessment phase, I identified that file share access across all departments was configured using direct user-based permissions rather than AD group-based access. I initiated a comprehensive access remediation project to align permissions with best practices. To achieve this, I ...
Read more

Secure Boot vCenter Deployment

-
Image
Fully automated PowerShell script to replace expiring Secure Boot certificates  across hundreds of Windows Server VMs — eliminating the need for manual EFI console interaction, FAT32 disks, or per-VM operator involvement.  If you need the full deployment files -  https://github.com/cloudmigrator/vMware 01 // The Problem Microsoft's Boot Certs Are Expiring Every Windows Server VM with Secure Boot enabled in our VMware environment trusts a set of cryptographic certificates that Microsoft issued back in 2011. On 24 June 2026 , those certificates begin to expire — and if we do nothing, those VMs silently fall out of Microsoft's Secure Boot servicing boundary forever. ⚡ Hard Deadline The Microsoft Corporation KEK CA 2011 and Microsoft UEFI CA 2011 both expire on 24 June 2026 . The Windows Production PCA 2011 — which signs the Windows bootloader itself — expires in October 2026 . The good news, per Microsoft's official documentation: machines will not immediately fail to boo...
Read more