HomeNewsletterCommunityToolsArchiveBlogToday's NewsAboutQuick Links Subscribe free
← Back to Blog
Azure Azure FilesKerberosHybrid IdentityEntra IDIntuneAzure StorageSMB

Azure Files Kerberos Auth With Hybrid Identities — No More Storage Account Keys for Domain Users

IA
Imran Awan
9 July 2026

The Problem With Storage Account Keys

If your users are accessing Azure file shares today using a storage account key mounted as a drive letter, you already know the pain: the key is essentially a root password for the entire storage account, it never expires unless you rotate it manually, and there is no concept of per-user permissions at the storage layer. Everyone gets the same access. Windows ACLs on top do not help if the underlying connection is authenticated as the storage account itself.

The alternative — Microsoft Entra Kerberos authentication — lets hybrid domain users access Azure Files the same way they access on-premises file servers: with their Windows credentials, SSO at logon, and proper per-user Windows ACLs at the directory and file level. No key distribution. No shared password. No token management scripts.

This guide covers the full setup for hybrid identities (on-premises AD DS synced to Entra ID), configured via Intune, from storage account configuration through to client-side policy and proof it is working.

⚠ Critical — One Identity Source Per Storage Account

Azure Files supports only one identity source at a time per storage account. If you currently have on-premises AD DS authentication enabled and switch to Microsoft Entra Kerberos, the AD DS auth stops immediately. Plan your migration carefully — do not enable Entra Kerberos on a production storage account that has active AD DS mounts until you are ready to cut everything over.

Why This Works — The Kerberos Flow

When you enable Microsoft Entra Kerberos on a storage account, Azure registers an Entra ID service principal that represents that storage account. The service principal name follows the pattern [Storage Account] <storageaccountname>.file.core.windows.net.

When a client needs to mount the share, the flow is:

  1. The client sends a Ticket Granting Ticket (TGT) request to Microsoft Entra ID during logon — this is the step enabled by the CloudKerberosTicketRetrievalEnabled policy.
  2. Entra ID issues a cloud TGT backed by the user's Entra identity.
  3. When the client tries to access the Azure Files endpoint (<storageaccount>.file.core.windows.net), it presents the TGT to Entra ID and receives a service ticket for the storage account's service principal.
  4. The client presents that service ticket over SMB. Azure Files validates it against Entra ID and checks the user's Azure RBAC share-level permissions.
  5. If RBAC passes, Windows ACLs (NTFS permissions) on the share are evaluated to determine read/write/execute access at the file and directory level.

For hybrid identities, the user's Entra account is their synced on-premises AD account. Group memberships synced from AD are honoured in both the RBAC check and the NTFS ACL evaluation. The on-premises domain controller is only needed to configure NTFS ACLs — not for every mount operation.

Prerequisites Checklist

Before you start, confirm every item below. Missing any of these is the most common source of setup failures.

Requirement Detail
Entra Connect Sync or Cloud Sync Users and groups must be synced from on-premises AD DS to Entra ID. Accounts created only in AD (not synced) cannot be used.
Client OS Windows 11 24H2+ (with KB5079391), Windows 10 2004+ (with KB5007253), or Windows Server 2022+ (with KB5007254). Clients must be Entra joined or Hybrid Entra joined — not AD-only joined.
WinHttpAutoProxySvc running The WinHTTP Web Proxy Auto-Discovery service must be in the Running state. It handles KDC Proxy requests for Kerberos. Do not disable this service.
IP Helper service running The iphlpsvc service must be Running on all client devices.
Port 445 outbound Clients must reach <storageaccount>.file.core.windows.net on TCP 445. Check firewall rules and ISP restrictions — many residential ISPs block port 445.
No existing identity source on the storage account If AD DS auth is already enabled, disable it first. Only one identity source is supported at a time.
Application management policy exception If your tenant has policies blocking symmetric key addition on service principals, grant an exception for the Storage Resource Provider app (app ID: a6aa9161-5291-40bb-8c5c-923b567bee3b).

Verify the two required services on a client before you start:

Verify-AzFilesKerberosPrereqs.ps1 — run on a client device
# Check both required services are running before enabling Entra Kerberos auth

$services = @('WinHttpAutoProxySvc', 'iphlpsvc')
foreach ($svc in $services) {
    $s = Get-Service $svc -ErrorAction SilentlyContinue
    if ($s.Status -eq 'Running') {
        Write-Host "[OK]   $svc is Running" -ForegroundColor Green
    } else {
        Write-Host "[FAIL] $svc is $($s.Status) — this WILL block Entra Kerberos auth" -ForegroundColor Red
    }
}

# Check client join state — must be Entra joined or Hybrid Entra joined
$dsreg = (& dsregcmd /status) | Select-String 'AzureAdJoined|DomainJoined'
$dsreg | ForEach-Object { Write-Host $_.Line.Trim() }

# Check port 445 reachability (replace with your storage account name)
$storageAccount = 'mystorageaccount'
$test = Test-NetConnection "$storageAccount.file.core.windows.net" -Port 445
Write-Host "Port 445 reachable: $($test.TcpTestSucceeded)" -ForegroundColor (if ($test.TcpTestSucceeded) { 'Green' } else { 'Red' })

Step 1 — Enable Microsoft Entra Kerberos on the Storage Account

Run the following from Azure PowerShell. For hybrid identities you should also pass the domain name and GUID so that Windows File Explorer can be used to set directory and file-level ACLs (instead of icacls only).

Enable-AzFilesEntraKerberos.ps1 — run from a Hybrid Entra joined machine with AD DS access
# Get domain info from local AD (run on a domain-joined machine)
$domain     = Get-ADDomain
$domainName = $domain.DnsRoot        # e.g. contoso.com
$domainGuid = $domain.ObjectGUID.ToString()

Write-Host "Domain : $domainName"
Write-Host "GUID   : $domainGuid"

# Enable Entra Kerberos auth on the storage account
Connect-AzAccount
Set-AzStorageAccount `
    -ResourceGroupName 'rg-fileshares-prod' `
    -StorageAccountName 'mystorageaccount' `
    -EnableAzureActiveDirectoryKerberosForFile $true `
    -ActiveDirectoryDomainName $domainName `
    -ActiveDirectoryDomainGuid $domainGuid

# Confirm it is enabled
Get-AzStorageAccount -ResourceGroupName 'rg-fileshares-prod' -StorageAccountName 'mystorageaccount' |
    Select-Object -ExpandProperty AzureFilesIdentityBasedAuth

Expected output after enabling:

Azure PowerShell — AzureFilesIdentityBasedAuth property
DirectoryServiceOptions : AADKERB
ActiveDirectoryProperties
DomainName : contoso.com
DomainGuid : a1b2c3d4-e5f6-7890-abcd-ef1234567890
NetBiosDomainName : CONTOSO

Step 2 — Grant Admin Consent to the Auto-Created Entra App

When you enabled Entra Kerberos, Azure automatically registered a service principal in your tenant. You must grant admin consent to its API permissions before any user can authenticate. Without this step, Kerberos ticket requests will fail silently.

Microsoft Entra admin center — App registrations (simulated)
All applications › search: mystorageaccount
[Storage Account] mystorageaccount.file.core.windows.net
Auto-created when Entra Kerberos was enabled — do not modify other than granting consent
Open ›
API permissions ›
Microsoft Graph — openid, profile, User.Read Pending consent
Grant admin consent for Contoso Ltd
Click Yes in the confirmation dialog. All three permissions (openid, profile, User.Read) will show green status after consent.

Step 3 — Exclude the Storage Account App From MFA Conditional Access

Microsoft Entra Kerberos does not support MFA as part of the Kerberos ticket flow. If your tenant has a Conditional Access policy requiring MFA for all apps (or for all Azure resources), you must add an exclusion for the storage account's Entra app. This is not optional — without the exclusion, every mount attempt fails.

The app to exclude is named: [Storage Account] <your-storage-account-name>.file.core.windows.net

In Entra admin center: Protection › Conditional Access › [your MFA policy] › Users or workload identities › Exclude › Service principals › search for the storage account app name › Save

⚠ Gotcha — System Error 1327 Means MFA Is Blocking the Mount

If users get System error 1327: Account restrictions are preventing this user from signing in when running net use, the MFA Conditional Access policy is blocking the Kerberos ticket request for the storage account. The fix is always the same: find the CA policy with MFA enforcement and add the storage account's Entra app to the exclusion list. This error does not indicate a password or permission problem — it is a CA policy problem.

Step 4 — Assign Share-Level Permissions (Azure RBAC)

Share-level permissions are the first gate before NTFS ACLs are even evaluated. Assign one of the three built-in RBAC roles to users or synced groups at the file share scope.

RBAC Role What it allows Typical use
Storage File Data SMB Share Reader Read access to files and directories Read-only shares, reference data
Storage File Data SMB Share Contributor Read, write, and delete access Standard user home drives, project shares
Storage File Data SMB Share Elevated Contributor Read, write, delete, and modify NTFS ACLs Admins who need to set permissions on the share

Assign RBAC at the individual file share scope, not at the storage account scope. Assigning at storage account scope grants access to all shares in that account.

Assign-AzFilesShareRBAC.ps1
# Assign share-level RBAC — use the synced Entra group, not the on-prem AD group directly

$resourceGroup   = 'rg-fileshares-prod'
$storageAccount  = 'mystorageaccount'
$shareName       = 'profiles'
$groupName       = 'SG-AzFiles-Profiles-Contributor'  # synced from AD

# Get the file share resource ID
$shareId = (Get-AzStorageAccount -ResourceGroupName $resourceGroup -StorageAccountName $storageAccount |
    Get-AzStorageShare -Name $shareName).Id

# Get the Entra group object ID
$groupId = (Get-AzADGroup -DisplayName $groupName).Id

# Assign Contributor role
New-AzRoleAssignment `
    -ObjectId $groupId `
    -RoleDefinitionName 'Storage File Data SMB Share Contributor' `
    -Scope $shareId

Write-Host "RBAC assigned: $groupName → Contributor on $shareName" -ForegroundColor Green

Step 5 — Set NTFS Permissions on the Share

RBAC grants access to the share. NTFS ACLs control access within the share — which directories and files each user or group can read, write, or execute. For hybrid identities, you need a device with network connectivity to the on-premises domain controller to set NTFS ACLs, because the ACL editor needs to resolve AD group SIDs.

Mount the share using the storage account key first (to get elevated access to set ACLs), then use icacls to set the permissions:

Set-AzFilesNTFS.ps1 — run as admin from a domain-joined machine
# Mount with storage account key to get rights to set ACLs
$accountKey = '<storage-account-key>'
$sharePath  = '\\mystorageaccount.file.core.windows.net\profiles'

net use Z: $sharePath $accountKey /user:AZURE\mystorageaccount

# Set root permissions: Domain admins get Full Control; Users get Modify
$rootPath = 'Z:\'
icacls $rootPath /grant "CONTOSO\Domain Admins:(OI)(CI)(F)"
icacls $rootPath /grant "CONTOSO\SG-AzFiles-Profiles-Contributor:(OI)(CI)(M)"
icacls $rootPath /remove "Everyone"  # remove the Everyone default

# Verify ACLs
icacls $rootPath

# Disconnect the admin mount when done
net use Z: /delete

The icacls flags: (OI) = object inherit (files), (CI) = container inherit (subdirectories), (F) = Full Control, (M) = Modify.

Step 6 — Configure Clients via Intune to Retrieve Kerberos Tickets

This is the client-side step that enables the Kerberos TGT retrieval from Entra ID at logon. Without it, the client has no cloud TGT and cannot get a service ticket for the storage account, so the mount fails.

Deploy this via Intune Settings Catalog — not OMA-URI. The OMA-URI method does not work on Azure Virtual Desktop multisession devices, which is a common deployment scenario for Azure Files with Entra Kerberos.

Microsoft Intune admin center — Devices › Configuration › Create › Settings catalog (simulated)
🔍 Search settings: CloudKerberosTicketRetrievalEnabled
Cloud Kerberos Ticket Retrieval Enabled
Kerberos › Allows retrieving the Azure AD Kerberos Ticket Granting Ticket during logon
Value:
Enabled (1) Disabled (0)
Policy CSP path: ./Device/Vendor/MSFT/Policy/Config/Kerberos/CloudKerberosTicketRetrievalEnabled
Assign to: your Hybrid Entra joined device group. Reboot or gpupdate /force required for the setting to take effect.
✓ Use Settings Catalog, Not OMA-URI

Microsoft explicitly states that the OMA-URI method for CloudKerberosTicketRetrievalEnabled does not work on Azure Virtual Desktop multisession devices. If your deployment includes AVD (which is a common reason to set up Entra Kerberos + Azure Files for FSLogix profiles), use the Settings Catalog path. The Settings Catalog path works for both standard and multisession Windows.

Alternatively, for devices managed by registry or Group Policy:

Registry Editor — CloudKerberosTicketRetrievalEnabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
CloudKerberosTicketRetrievalEnabled REG_DWORD 0x00000001 (1 = Enabled)
Set via elevated cmd: reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters /v CloudKerberosTicketRetrievalEnabled /t REG_DWORD /d 1
ℹ Info — Service Principal Password Expiry

If you previously enabled Entra Kerberos authentication during the limited preview period, the storage account's service principal password expires every six months. Once it expires, users cannot get Kerberos tickets to the file share. For storage accounts enabled through the GA process described here, Microsoft manages the password rotation automatically. If you are on the old preview setup and experiencing periodic authentication failures every ~6 months, see the Microsoft Learn troubleshooting article (Error - Service principal password has expired in Microsoft Entra ID) for the remediation steps.

Step 7 — Coexistence With AD DS Storage Accounts

If your environment has some storage accounts using on-premises AD DS authentication and others using Entra Kerberos, you need Kerberos realm mappings on the clients. Without them, enabling CloudKerberosTicketRetrievalEnabled on clients will break access to AD DS-authenticated storage accounts.

For each AD DS-authenticated storage account, add a host-to-realm mapping via Intune Settings Catalog (Kerberos › HostToRealm), Group Policy (Admin Templates\System\Kerberos\Define host name-to-Kerberos realm mappings), or via command:

Add-KerberosRealmMapping.cmd — run elevated on client
:: Map the AD DS storage account hostname to the on-prem realm
:: Realm names are CASE SENSITIVE and must be UPPERCASE
ksetup /addhosttorealmmap adsstorageaccount.file.core.windows.net CONTOSO.LOCAL

:: Verify the mapping was added
ksetup

:: Or view the raw registry key
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\HostToRealm"

Step 8 — Proof It Is Working

After a reboot (or gpupdate /force + sign-out/sign-in), verify the Kerberos ticket is issued and the share mounts cleanly.

Test-AzFilesKerberos.ps1 — run as the target user (not admin)
# 1. Check Kerberos tickets — look for a ticket issued by Entra ID for the storage account
klist

# Look for a line like:
# Server: cifs/mystorageaccount.file.core.windows.net @ KERBEROS.MICROSOFTONLINE.COM
# KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96

# 2. Mount the share without a password — should use Kerberos silently
net use Z: \\mystorageaccount.file.core.windows.net\profiles

# Expected output (no password prompt):
# The command completed successfully.

# 3. Confirm who you are connecting as
net use  # check the listed username for Z: — should show your domain account

# 4. Verify NTFS permission is honoured
icacls Z:\  # shows the ACLs on the root — your account/group should appear

# 5. Run the Debug cmdlet if something is wrong (requires AzFilesHybrid module v0.3.0+)
Debug-AzStorageAccountAuth -StorageAccountName 'mystorageaccount' -ResourceGroupName 'rg-fileshares-prod' -Verbose

The klist output should include a ticket for cifs/<storageaccount>.file.core.windows.net with the Kerberos realm shown as KERBEROS.MICROSOFTONLINE.COM — that is the Entra ID Kerberos realm, confirming the cloud ticket flow is working rather than the on-premises AD DS flow.

Common Errors and Fixes

⚠ System error 1327 — Account restrictions are preventing this user from signing in
Cause: MFA Conditional Access policy is enforcing MFA for the storage account Entra app.
Fix: Exclude [Storage Account] <name>.file.core.windows.net from all MFA CA policies.
⚠ System error 5 — Access is denied
Cause: RBAC share-level permission not assigned, or NTFS ACL does not include the user/group.
Fix: Confirm RBAC role assignment at the file share scope (not storage account scope). Then confirm the user's AD group is synced to Entra ID and has the correct icacls entry on the share root.
⚠ System error 53 — Network path was not found
Cause: Port 445 outbound is blocked by the client's firewall, ISP, or network policy.
Fix: Run Test-NetConnection <storageaccount>.file.core.windows.net -Port 445. If TcpTestSucceeded is False, open port 445 outbound to the Azure Files endpoint at the firewall level. Many consumer ISPs block port 445 by default — this is a common issue for remote workers.
⚠ No Kerberos ticket in klist for the storage account
Cause: CloudKerberosTicketRetrievalEnabled is not set on the client, or the client has not rebooted since the setting was applied.
Fix: Confirm the registry value at HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\CloudKerberosTicketRetrievalEnabled is 1. If it is not present, the Intune policy has not applied yet — check the device's Intune sync status and wait for policy refresh, then reboot.

References

Share this post
LinkedIn X / Twitter Reddit Bluesky

More from EndpointWeekly

Intune
Get a PRT Fleet Health Report in 5 Minutes Using Graph Explorer
You have deployed the PRT detection script to Intune. Now how do you see the results…
Guides
Microsoft Intune Complete Roadmap: Beginner to Advanced (All 12…
A structured 12-chapter roadmap covering everything in Microsoft Intune — from…
Entra ID
Microsoft Entra ID Complete Overview: Identity, SSO, Conditional…
The complete foundational guide to Microsoft Entra ID — what it is, how authentication…