Azure Docs

Authentication and Authorization for Azure Files

This document describes how to authenticate and authorize access to Azure Files shares. A share is only as secure as the credentials that can reach it, so choosing the right authentication method and protecting its secrets matters as much as the permissions set on the share itself.

Overview of Authentication Methods

Azure Files supports two primary methods for authenticating access to a share:

  • Azure Active Directory (Azure AD) Domain Services: Provides Kerberos authentication over SMB for domain-joined Windows clients, so users connect with their own domain identities and permissions can be assigned per user or group. NTLM is not supported for identity-based access to Azure Files.
  • Storage Account Key: Access is granted by proving possession of one of the two access keys associated with the storage account. A key grants full access to all data in the account with no per-user identity, so it is appropriate only for service-to-service scenarios where identity-based authentication is not available, and it must be rotated on a schedule and after any suspected exposure.

Using Azure AD Domain Services for File Shares

Leveraging Azure AD DS allows you to use familiar Windows authentication protocols. This method is ideal for scenarios requiring:

  • Lift-and-shift Windows applications.
  • Share management using standard Windows tools like File Explorer.
  • Integration with existing Active Directory Group Policies.

To enable this:

  1. Enable Azure AD DS authentication on the storage account. This is a one-time configuration on the account, not on each share.
  2. Grant share-level permissions by assigning one of the built-in Azure RBAC roles (Storage File Data SMB Share Reader, Storage File Data SMB Share Contributor, or Storage File Data SMB Share Elevated Contributor) to users or groups from your Azure AD DS domain. The share-level role is the gatekeeper: an identity without one is refused regardless of file permissions.
  3. Set directory- and file-level permissions with Windows ACLs (for example with icacls or the Security tab in File Explorer) from a domain-joined client, exactly as for an on-premises share. Effective access is the intersection of the share-level role and the Windows ACL.

Authentication with Storage Account Keys

Storage account keys provide direct access to your storage account and its resources. While convenient, they should be managed with care:

Security Note: Treat storage account access keys like passwords. Avoid hardcoding them in applications and use managed identities or Azure Key Vault for better security practices.

When using storage account keys with the REST API, each request carries an Authorization header of the form SharedKey <account>:<signature>. The signature is an HMAC-SHA256, computed with the Base64-decoded account key over a string-to-sign built from the request's method, selected headers and the canonicalized resource path, and then Base64-encoded. Over SMB the same key is used as the password for the user Azure\<storageaccountname>.

Generating a Shared Key Signature

The process involves constructing a string-to-sign from the request and computing an HMAC-SHA256 over it with the account key. For the File service (x-ms-version 2009-09-19 and later) the string-to-sign is the following fields joined by newlines, with an empty string for any header the request does not send:


    VERB
    Content-Encoding
    Content-Language
    Content-Length
    Content-MD5
    Content-Type
    Date
    If-Modified-Since
    If-Match
    If-None-Match
    If-Unmodified-Since
    Range
    CanonicalizedHeaders
    CanonicalizedResource


CanonicalizedHeaders is every x-ms-* header with its name lower-cased, sorted by name, one name:value line each. CanonicalizedResource is a slash, the account name, the URL path, and then one line per query parameter (name lower-cased, sorted) in the form name:value. If the request sends x-ms-date, the Date field is left empty, and from version 2015-02-21 on a Content-Length of 0 is signed as an empty string. The service rebuilds the same string from the request it receives and recomputes the HMAC; any difference (a header added by a proxy, a differently encoded path, a clock more than 15 minutes off) yields 403 AuthenticationFailed, which is why the exact headers and resource path matter.
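As an added example (not code from the original page and not Microsoft's SDK), the following Python builds the string-to-sign and the Authorization header for a File service request using the rules above. The account name, key, URL and headers are constructed placeholders: the key is the Base64 encoding of the bytes 0..63, not a real credential, and the x-ms-date value is a fixed timestamp so the output is reproducible.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Standard headers, in signing order, for the Blob/Queue/File Shared Key scheme
# (x-ms-version 2009-09-19 and later).
SIGNED_STANDARD_HEADERS = (
    "content-encoding", "content-language", "content-length", "content-md5",
    "content-type", "date", "if-modified-since", "if-match", "if-none-match",
    "if-unmodified-since", "range",
)


def canonicalized_headers(headers):
    """Every x-ms-* header as 'name:value\\n', names lower-cased and sorted by name."""
    items = sorted(
        (name.lower(), " ".join(str(value).split()))   # collapse internal whitespace
        for name, value in headers.items()
        if name.lower().startswith("x-ms-")
    )
    return "".join(f"{name}:{value}\n" for name, value in items)


def canonicalized_resource(account, url):
    """'/<account><path>' plus one '\\n<name>:<values>' line per query parameter."""
    parts = urlsplit(url)
    resource = f"/{account}{parts.path or '/'}"
    params = parse_qs(parts.query, keep_blank_values=True)
    for name in sorted(params, key=str.lower):          # parameter names lower-cased and sorted
        resource += f"\n{name.lower()}:{','.join(sorted(params[name]))}"
    return resource


def string_to_sign(method, url, headers, account):
    """Build the Shared Key string-to-sign exactly as the service will rebuild it."""
    lower = {k.lower(): str(v) for k, v in headers.items()}
    fields = [method.upper()]
    for name in SIGNED_STANDARD_HEADERS:
        value = lower.get(name, "")
        if name == "content-length" and value == "0":
            value = ""   # version 2015-02-21+: a zero Content-Length is signed as empty
        if name == "date" and "x-ms-date" in lower:
            value = ""   # x-ms-date is used instead and is signed via CanonicalizedHeaders
        fields.append(value)
    return ("\n".join(fields) + "\n"
            + canonicalized_headers(headers)
            + canonicalized_resource(account, url))


def shared_key_authorization(account, account_key_b64, method, url, headers):
    """Return the Authorization header value: 'SharedKey <account>:<Base64(HMAC-SHA256)>'."""
    key = base64.b64decode(account_key_b64)   # the portal shows the key Base64-encoded; HMAC uses the raw bytes
    digest = hmac.new(key, string_to_sign(method, url, headers, account).encode("utf-8"),
                      hashlib.sha256).digest()
    return f"SharedKey {account}:{base64.b64encode(digest).decode('ascii')}"


# Constructed sample request (placeholder account and key, not real): list a directory.
SAMPLE_ACCOUNT = "myaccount"
SAMPLE_KEY = base64.b64encode(bytes(range(64))).decode("ascii")   # placeholder 512-bit key
SAMPLE_URL = f"https://{SAMPLE_ACCOUNT}.file.core.windows.net/myshare/mydir?restype=directory&comp=list"
SAMPLE_HEADERS = {"x-ms-date": "Mon, 01 Jan 2024 00:00:00 GMT", "x-ms-version": "2020-10-02"}

if __name__ == "__main__":
    print(string_to_sign("GET", SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_ACCOUNT))
    print(shared_key_authorization(SAMPLE_ACCOUNT, SAMPLE_KEY, "GET", SAMPLE_URL, SAMPLE_HEADERS))
```

Running it prints the string-to-sign (the verb, eleven empty header slots, the two x-ms-* headers, and the canonicalized resource) followed by the header value. Two details trip up most hand-rolled implementations: the query parameters are signed lower-cased and sorted, not in request order, and the Base64-decoded key, not its Base64 text, is the HMAC key.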

Best Practices for Access Control

  • Principle of Least Privilege: Grant only the necessary permissions to users and applications. With identity-based authentication this means the least share-level role that suffices, narrowed further by Windows ACLs; a storage account key cannot be scoped at all.
  • Managed Identities: For Azure services accessing Azure Files, use managed identities to avoid managing credentials.
  • Azure Key Vault: Where a storage account key is unavoidable, store it in Azure Key Vault and retrieve it at runtime rather than placing it in configuration files or source control.
  • Key Rotation: Each storage account has two access keys so that one can be regenerated while clients move to the other. Rotate on a schedule and immediately after any suspected exposure.
  • Role-Based Access Control (RBAC): Use Azure RBAC for management-plane operations on storage accounts, including who holds the Microsoft.Storage/storageAccounts/listKeys/action permission that reveals the keys, and for share-level data access through the Storage File Data SMB Share roles.

Example: Mounting an Azure Files Share (Windows)

Mounting a share with Azure AD DS authentication is done from a domain-joined Windows client as the logged-on domain user. Kerberos supplies the credential, so no user name or password is placed on the command line:


    net use Z: \\yourstorageaccount.file.core.windows.net\yourshare


To connect as a different domain user, add /user:YourDomain\YourUser and put * in place of the password so that net use prompts for it, rather than typing it on the command line where it is recorded in the console history.

For authentication using a storage account key, you can use:


    net use Z: \\yourstorageaccount.file.core.windows.net\yourshare /user:Azure\yourstorageaccount YOUR_STORAGE_ACCOUNT_KEY
                    

Remember to replace placeholders with your actual account, share, domain, user, and key. Because the key is the account's master credential, prefer entering it at the prompt (put * in place of the key) instead of on the command line. If the mount fails before any authentication error appears, check that outbound TCP port 445 to the storage endpoint is reachable, for example with Test-NetConnection -ComputerName yourstorageaccount.file.core.windows.net -Port 445; many ISPs and corporate firewalls block it.