Azure Entra LSA, as this page uses the term, refers to Microsoft Entra Kerberos authentication for Azure Files: hybrid user accounts (on-premises AD DS accounts synced to Microsoft Entra ID) obtain Kerberos tickets for an Azure file share from Microsoft Entra ID and use them to authenticate over SMB, so the client doesn't need line of sight to an on-premises domain controller just to sign in.
With it, identity-based authentication to the file share is managed from the cloud. This removes the dependency on on-premises infrastructure for ticket issuance and reduces administrative burden, although the user accounts themselves must still originate in on-premises AD DS; cloud-only accounts aren't supported.
Because the tickets are issued by Microsoft Entra ID, sign-ins to the share appear in the Microsoft Entra sign-in logs and are subject to Conditional Access, with the restriction that the storage account's app must be excluded from MFA requirements (see Prerequisites and Setup).
Prerequisites and Setup
To set up Microsoft Entra Kerberos authentication for hybrid identities on Azure Files, the following prerequisites must be met:
- Your Azure storage account can't authenticate with both Microsoft Entra ID and a second method like AD DS or Microsoft Entra Domain Services. A storage account has exactly one Active Directory source at a time.
- This feature doesn't currently support user accounts that you create and manage solely in Microsoft Entra ID; the accounts must be hybrid identities synced from on-premises AD DS.
- This feature doesn't currently support cross-tenant access for B2B users or guest users.
- On each client, the WinHTTP Web Proxy Auto-Discovery Service (WinHttpAutoProxySvc) and IP Helper service (iphlpsvc) are required, and their state should be set to running.
- You must disable multifactor authentication (MFA) on the Microsoft Entra app representing the storage account, because the Kerberos ticket request has no interactive step in which an MFA challenge could be satisfied. For instructions, see Disable multifactor authentication on the storage account.
- With Microsoft Entra Kerberos, the Kerberos ticket encryption is always AES-256. SMB channel encryption is a separate setting on the storage account and isn't affected by this.
Kerberos Authentication
Kerberos authentication is the core of what this page calls Azure Entra LSA: hybrid user accounts get Kerberos tickets for the file share from Microsoft Entra ID instead of from an on-premises domain controller. To enable Microsoft Entra Kerberos authentication for hybrid user accounts on a storage account, you can use the Azure portal, Azure PowerShell, or Azure CLI.
Azure portal: sign in to the Azure portal, select the storage account, and then select File shares under Data storage. Next to Active Directory, select the configuration status, select Set up under Microsoft Entra Kerberos, and select the Microsoft Entra Kerberos checkbox. Optionally enter the domain name and domain GUID of your on-premises AD; these are needed if you want to manage file and folder permissions from Windows File Explorer, and both can be read from the domain with the Get-ADDomain cmdlet (its DnsRoot and ObjectGUID properties).
Azure PowerShell: the Set-AzStorageAccount cmdlet enables the feature on the account and accepts the same on-premises domain name and domain GUID; replace the placeholder values with your own.
Azure CLI: the az storage account update command does the same, with --enable-files-aadkerb true and the --domain-name and --domain-guid options.
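The Azure PowerShell path, as an added example that is not code from the original page or from Microsoft's documentation: it reads the domain name and GUID with Get-ADDomain, enables Microsoft Entra Kerberos on the account with Set-AzStorageAccount, and then verifies the resulting directory service option. The resource group name rg-files and storage account name stfileshybrid are assumed placeholders.

```powershell
# Added example (not from the original page): enable Microsoft Entra Kerberos
# on a storage account with Az PowerShell, supplying the on-premises domain
# name and GUID from Get-ADDomain, then verify the resulting configuration.
# Assumed values: resource group "rg-files", storage account "stfileshybrid".
# Requires the Az.Storage module and, on a domain-joined admin box, the
# ActiveDirectory RSAT module for Get-ADDomain.
$resourceGroup  = 'rg-files'
$storageAccount = 'stfileshybrid'

# Read the domain name and GUID from the on-premises AD. They are optional for
# authentication but required later to manage directory/file-level Windows
# ACLs from File Explorer.
$domain     = Get-ADDomain
$domainName = $domain.DnsRoot
$domainGuid = $domain.ObjectGUID.ToString()

# Enable Microsoft Entra Kerberos for Azure Files on the account. This also
# registers an app/service principal for the storage account in the tenant,
# which is the object that must be excluded from MFA (see Prerequisites).
Set-AzStorageAccount -ResourceGroupName $resourceGroup `
    -StorageAccountName $storageAccount `
    -EnableAzureActiveDirectoryKerberosForFile $true `
    -ActiveDirectoryDomainName $domainName `
    -ActiveDirectoryDomainGuid $domainGuid | Out-Null

# Verify: the directory service option must now be AADKERB. A storage account
# has exactly one source, so AD or AADDS here means the enable did not apply.
$auth = (Get-AzStorageAccount -ResourceGroupName $resourceGroup `
            -Name $storageAccount).AzureFilesIdentityBasedAuth
if ($auth.DirectoryServiceOptions -ne 'AADKERB') {
    throw "Expected AADKERB, got '$($auth.DirectoryServiceOptions)'"
}
Write-Output "Entra Kerberos enabled for $storageAccount (domain $domainName, GUID $domainGuid)"
```

The Azure CLI equivalent is az storage account update with --enable-files-aadkerb true and the --domain-name and --domain-guid options; the verification step is the same, reading the account's azureFilesIdentityBasedAuthentication property.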
Enabling the feature on the storage account is only half of the setup: each client must also be configured to retrieve the Microsoft Entra Kerberos ticket-granting ticket at logon. There are three methods, which all set the same policy: Intune (configure the Kerberos/CloudKerberosTicketRetrievalEnabled setting to 1), Group Policy (set Administrative Templates\System\Kerberos\Allow retrieving the Azure AD Kerberos Ticket Granting Ticket during logon to "Enabled"), or a registry value set from an elevated command prompt.
The Intune setting is currently not available in the Settings Catalog, so you need a custom device configuration profile for the policy setting CloudKerberosTicketRetrievalEnabled, with an Integer data type and a value of 0 (disable) or 1 (enable).
The Client Configuration section below covers these methods and the realm-mapping caveat that applies once the policy is in effect.
Client Configuration
Client Configuration is a required step in setting up Azure Entra LSA. You must enable the Microsoft Entra Kerberos functionality on every client machine that will be used to mount or access Azure file shares; the storage account setting alone doesn't change how Windows requests tickets.
There are three methods to configure this, all setting the same policy:
- Intune: configure the Kerberos/CloudKerberosTicketRetrievalEnabled policy setting to 1 (a custom device configuration profile with an Integer data type, since the setting isn't yet in the Settings Catalog).
- Group Policy: set Administrative Templates\System\Kerberos\Allow retrieving the Azure AD Kerberos Ticket Granting Ticket during logon to "Enabled".
- Registry Key: set the DWORD value CloudKerberosTicketRetrievalEnabled under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters to 1 from an elevated command prompt.
Changes are not instant and require a policy refresh or a reboot to take effect.
It's essential to note that once this change is applied, the client(s) won't be able to connect to storage accounts that are configured for on-premises AD DS integration without configuring Kerberos realm mappings, because the client now directs Kerberos requests for the file endpoint to the cloud realm. Plan the rollout so that clients that still depend on AD DS-integrated shares get the realm mappings in the same change.
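The client-side procedure end to end, as an added example that is not code from the original page: it checks the two services from the Prerequisites section, applies the registry form of the CloudKerberosTicketRetrievalEnabled policy, adds a realm mapping for an AD DS-integrated account so the caveat above doesn't break it, and then requests a service ticket for the file endpoint to confirm the setup. The storage account names stfileshybrid and stfilesadds, and the on-premises realm CONTOSO.COM, are assumed placeholders.

```powershell
# Added example (not from the original page): prepare a Windows client for
# Microsoft Entra Kerberos ticket retrieval and check the prerequisites.
# Run from an elevated PowerShell session. "stfileshybrid" (Entra Kerberos
# account), "stfilesadds" (on-premises AD DS account) and CONTOSO.COM (the
# on-premises Kerberos realm) are assumed placeholders. The registry changes
# take effect after a policy refresh or a reboot, as the article notes.
$storageAccount = 'stfileshybrid'
$fileEndpoint   = "$storageAccount.file.core.windows.net"

# 1. The two services the feature depends on must be running.
foreach ($svc in 'WinHttpAutoProxySvc', 'iphlpsvc') {
    $s = Get-Service -Name $svc -ErrorAction Stop
    if ($s.Status -ne 'Running') {
        Write-Warning "$svc is $($s.Status); starting it"
        Start-Service -Name $svc
    }
}

# 2. Allow the client to retrieve the Microsoft Entra Kerberos TGT at logon.
#    This is the registry form of the Group Policy / Intune setting
#    CloudKerberosTicketRetrievalEnabled (0 = disabled, 1 = enabled).
$kerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
New-Item -Path $kerbParams -Force | Out-Null
Set-ItemProperty -Path $kerbParams -Name 'CloudKerberosTicketRetrievalEnabled' `
    -Value 1 -Type DWord

# 3. Realm mapping for a storage account that still uses on-premises AD DS
#    integration: without it, this client can no longer reach that share once
#    step 2 is in effect. The mapping pins the endpoint to the on-prem realm.
$realmMap = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\domain_realm'
New-Item -Path $realmMap -Force | Out-Null
Set-ItemProperty -Path $realmMap -Name 'stfilesadds.file.core.windows.net' `
    -Value 'CONTOSO.COM' -Type String

# 4. After a reboot (or gpupdate /force), request a service ticket for the
#    file endpoint. klist prints the ticket, including its encryption type,
#    which for Entra Kerberos is always AES-256.
$ticket = & klist.exe get "cifs/$fileEndpoint" 2>&1
if ($LASTEXITCODE -ne 0 -or ($ticket -join "`n") -notmatch [regex]::Escape($fileEndpoint)) {
    throw "No Kerberos ticket obtained for cifs/$fileEndpoint`n$($ticket -join "`n")"
}
$ticket
```

Step 4 is the useful diagnostic when a mount fails: if no ticket comes back, the problem is on the identity side (the policy not yet applied, the user not a hybrid identity, or MFA still required on the storage account's app), not on the SMB side.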
Microsoft Entra Authentication
Microsoft Entra Authentication here means enabling Kerberos authentication for hybrid user accounts on Azure Files, which is done per storage account using the Azure portal, Azure PowerShell, or Azure CLI; the Kerberos Authentication section above gives the steps for each.
Whichever method you use, specify the domain name and domain GUID of your on-premises AD if you intend to manage file and folder permissions from Windows File Explorer; authentication itself works without them.
If you enabled Microsoft Entra Kerberos authentication through the manual limited-preview steps, the password on the storage account's service principal expires every six months; when it does, Kerberos ticket requests for the file share start failing.
The article section "Potential errors when enabling Microsoft Entra Kerberos authentication for hybrid users" covers the fix, which comes down to renewing the service principal's credential.
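A check for the expiry described above, as an added example that is not code from the original page: it locates the storage account's service principal and reports when each of its credentials expires. It assumes the service principal's display name has the form "[Storage Account] <account>.file.core.windows.net" and that the storage account is named stfileshybrid; both are assumptions, and Az.Resources with permission to read applications is required.

```powershell
# Added example (not from the original page): report when the password
# credential on the storage account's Microsoft Entra service principal
# expires. Assumes the display name format
# "[Storage Account] <account>.file.core.windows.net" and the assumed account
# name "stfileshybrid". Requires the Az.Resources module.
$storageAccount = 'stfileshybrid'
$displayName    = "[Storage Account] $storageAccount.file.core.windows.net"
$warnDays       = 30

$sp = Get-AzADServicePrincipal -DisplayName $displayName
if (-not $sp) { throw "No service principal named '$displayName' found" }

# Each credential carries its own EndDateTime; flag anything expired or
# within the warning window so it can be renewed before ticket requests fail.
$creds = Get-AzADSpCredential -ObjectId $sp.Id
if (-not $creds) { throw "Service principal '$displayName' has no credentials" }

foreach ($c in $creds) {
    $daysLeft = [int]($c.EndDateTime - (Get-Date)).TotalDays
    $state = if ($daysLeft -lt 0) { 'EXPIRED' }
             elseif ($daysLeft -le $warnDays) { 'EXPIRING' }
             else { 'ok' }
    Write-Output ('{0}  keyId={1}  expires={2:u}  ({3} days)  {4}' -f `
        $displayName, $c.KeyId, $c.EndDateTime, $daysLeft, $state)
}
```

Run this from the same scheduled job that watches other expiring secrets; a six-month rotation is easy to forget and the symptom (mount failures for every user at once) looks like an outage rather than a credential problem.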
To disable Microsoft Entra Kerberos authentication, you can use the Azure portal, Azure PowerShell, or Azure CLI. Disabling it removes the Active Directory configuration from the file shares in your storage account; identity-based access over SMB stops working until you enable one of the other Active Directory sources (on-premises AD DS or Microsoft Entra Domain Services), and only storage account key access remains in the meantime.
If you want to switch to another authentication method, disable Microsoft Entra Kerberos on the storage account first, then enable the new source; the two can't coexist on one account.
Windows File Share
To enable Azure AD Kerberos (now Microsoft Entra Kerberos) authentication on your Azure file share, configure Azure Files in the storage account by selecting the Active Directory source that contains the user accounts that will access a share in that storage account.
In the Azure portal, navigate to Storage accounts, select the storage account that should be enabled, open File shares, and select the configuration state next to Active Directory.
On the Active Directory page, select Set it up under Azure AD Kerberos. On the Azure AD Kerberos blade, configure the settings and click Save. Specify the optional domain name and domain GUID of the on-premises AD if you want to manage file and folder level permissions through Windows File Explorer; without them, authentication still works but the ACL editor can't resolve the on-premises identities.
Single sign-on to the Azure file share from Windows devices requires Windows 11 Enterprise single or multi-session, Windows 10 Enterprise single or multi-session version 2004 or later with the latest cumulative updates installed, or Windows Server 2022 with the latest cumulative updates installed.
Mapping a network drive to the Azure file share should then sign the user on without a credential prompt and make the share available like any other network mapping. To verify that the sign-on actually went through Microsoft Entra ID, check the Azure AD sign-in logs for the storage account's app; the entry shows which Conditional Access policies were applied.
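The mapping step on a configured client, as an added example that is not code from the original page: it checks that SMB (TCP 445) is reachable, maps the share without passing credentials so the Kerberos ticket is used, and confirms that a cifs ticket for the endpoint is in the cache rather than the session having fallen back to a password. The storage account name stfileshybrid, the share name profiles, and drive letter Z are assumed placeholders.

```powershell
# Added example (not from the original page): map an Azure file share on a
# client configured for Microsoft Entra Kerberos, without supplying any
# credentials. Assumed placeholders: storage account "stfileshybrid", share
# "profiles", drive letter Z.
$storageAccount = 'stfileshybrid'
$share          = 'profiles'
$fileEndpoint   = "$storageAccount.file.core.windows.net"

# SMB needs TCP 445 to the file endpoint; many networks and ISPs block it,
# and the resulting failure is easy to mistake for an authentication problem.
$conn = Test-NetConnection -ComputerName $fileEndpoint -Port 445 -WarningAction SilentlyContinue
if (-not $conn.TcpTestSucceeded) { throw "TCP 445 to $fileEndpoint is blocked" }

# No -Credential: the SMB client authenticates with the user's Kerberos ticket.
# -Persist makes it a real mapped drive; -Scope Global keeps it past the script.
New-PSDrive -Name Z -PSProvider FileSystem -Root "\\$fileEndpoint\$share" `
    -Persist -Scope Global -ErrorAction Stop | Out-Null

# Confirm the session is Kerberos-authenticated: the ticket cache should now
# hold a cifs ticket for the endpoint. If it doesn't, the mount succeeded some
# other way (for example cached credentials), which is not what we want.
$cached = & klist.exe 2>&1
if (($cached -join "`n") -notmatch "cifs/$([regex]::Escape($fileEndpoint))") {
    throw "Drive mapped but no cifs/$fileEndpoint ticket in the cache"
}
Get-ChildItem Z:\ | Select-Object -First 5
```

If the mapping prompts for a username and password, the client has not yet picked up the CloudKerberosTicketRetrievalEnabled policy or the user is not a hybrid identity; fix that rather than entering credentials, since a password-based mount bypasses the Conditional Access evaluation the sign-in logs are meant to show.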
Frequently Asked Questions
What is Entra ID in Azure?
Microsoft Entra ID is Microsoft's cloud identity and access management service. It manages the directory of users, groups and devices, controls access to applications, and protects identities with features such as Conditional Access; Azure resources, Microsoft 365 and third-party apps all authenticate against it.
What is the difference between Azure and Entra?
Azure AD (Azure Active Directory) is the former name of Microsoft Entra ID; the service was renamed in 2023 and its function did not change. Microsoft Entra is the broader product family that includes Entra ID alongside identity governance, permissions management and related products, so "Entra" is not a separate or more hybrid-oriented directory than Azure AD was. The hybrid piece described on this page comes from syncing on-premises AD DS accounts into Entra ID and letting Entra ID issue Kerberos tickets for them.
Sources
- https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-hybrid-identities-enable
- https://learn.microsoft.com/en-us/entra/identity/devices/device-sso-to-on-premises-resources
- https://petervanderwoude.nl/post/configuring-azure-ad-kerberos-authentication-on-azure-file-shares-for-windows-devices/
- https://duo-infernale.ch/azure-file-share-with-entra-id-cloud-identities-for-fslogix/
- https://awakecoding.com/posts/rdp-nla-with-azure-ad-the-pku2u-nightmare/