Going through your list of videos about Azure one by one, really getting knocked out by how great they are. Many thanks, please keep the ball rolling for the sake of learners around the world.
@michellegomez441
2 years ago
Loved the flow of this demo. You explained the theoretical and actual setup clearly.
@MoeinGhorshi
4 years ago
Finally, Files makes sense for Enterprise Use!
@Yuricsson01
A year ago
Exceptional overview. Many thanks for it. Now I can see how it works.
@Geekier3001
3 years ago
As usual, super clear explanation with the whiteboard, John. Excellent job!
@NTFAQGuy
3 years ago
Glad you liked it!
@notoriousft
2 years ago
Beautifully explained. That's what I need at work right now.
@phoenixlevi270
3 years ago
So well explained as usual, John!
@projectironman3597
2 years ago
Thanks for the very informative video, John. Well explained. Keep up the great work.
@NTFAQGuy
2 years ago
Thank you
@richardwaldron1684
4 years ago
Thanks for this video, it complements your Pluralsight video on Azure Files very nicely.
@NTFAQGuy
4 years ago
Thank you.
@mikewillodea
4 years ago
It's a fantastic feature. Now if only I could get it working for my environment. My on-premises Active Directory is synced to Azure but all users log in to Azure (Windows 10 Azure AD join) with a UPN enabled through Domains and Trusts. We require each user to give another credential for the primary domain to map drives to the file share. Surely logging in via a UPN should give you permission to the primary domain resource!! Aggghh
@rajismiley8937
4 years ago
What I was really hoping to watch was how you can make the network share automatically point to the correct endpoint between an on-prem File Sync share and the serverless cloud endpoint seamlessly, like DFS does with namespaces. That would make Azure Files AMAZING.
@markdoyle3252
3 years ago
Brilliant video, very clear explanation.
@NTFAQGuy
3 years ago
Thank you
@markdoyle3252
3 years ago
@@NTFAQGuy Do you need line of sight to a domain controller when integrating AD DS? Is there a way to authenticate without having it?
@NTFAQGuy
3 years ago
@@markdoyle3252 The client using it does, yes, to get the Kerberos ticket. No, you can't do without AD as it's AD authentication. The storage account does NOT need line of sight.
@markdoyle3252
3 years ago
@@NTFAQGuy Great, thanks for getting back to me. And with AAD DS the client devices have to be joined to the AAD DS domain. So the only option for users accessing Azure Files from a remote location without VPN is using the access keys?
@Timmy-Hi5
4 years ago
/me thinks John is very very very excited about this new Azure service, looks very interesting.
@NTFAQGuy
4 years ago
lol
@NTFAQGuy
4 years ago
been waiting a LONG time for this!
@Timmy-Hi5
4 years ago
@@NTFAQGuy yes :) let us see if customers will adopt it, the USA region could be more cooperative. As you know the UK is quite conservative when it comes to anything new.... "don't touch it if it works" :) :) :) one of the everyday conversations I have with my boss, nightmare
@thomasodellbalkestahl1956
4 years ago
Any scenario where this can be used without the 'classic' AD and only an AAD?
@NTFAQGuy
4 years ago
You would use the hybrid where it creates an AAD DS instance based on AAD. AD is always in the picture somewhere :)
@TheMowgus
4 years ago
Great content! Will be watching more of your videos. Our laptops are Intune Azure AD joined but users are on-prem AD joined and synced to Azure AD. I would think this should work (as the user principal remains the same) but do you see gotchas? The machines never talk to the domain controllers (and are in fact offsite).
@NTFAQGuy
4 years ago
No, that won't work, as if they don't talk to domain controllers then they won't talk Kerberos. You would need to use the Azure AD integrated option for integration. Good luck.
@tony6626
3 years ago
Great video as always John. Can I confirm, for customers with cloud-only solutions (using Azure AD for identities), does this mean we would have to set up Azure AD DS (i.e. could we use the Azure AD already in place)?
@NTFAQGuy
3 years ago
You don't need AAD DS unless you have some requirement on legacy auth like Kerberos or NTLM by an app. If you are all modern then just have AAD.
@tony6626
3 years ago
@@NTFAQGuy Many thanks John. I think this is where my confusion lies, all the MS documents point towards having to have AAD DS for the tenant (or on-prem AD DS). I can't find anything that states/shows how you achieve ACLs on a file share with Azure AD.
@NTFAQGuy
3 years ago
Sorry. I didn't put the comment with the video :) OK, if you want Azure Files ACLs then yes, you either need AAD DS or regular AD DS, sorry. There are two flavors available. If you don't have AD DS today then AAD DS would be the way to go.
@NTFAQGuy
3 years ago
The way KZitem shows comments on the dashboard I didn't map the question to the video. My bad :)
@tony6626
3 years ago
@@NTFAQGuy Thanks John - keep up the great work on the videos, awesome stuff.
@alexnassar
4 years ago
Great video! Wondering if this is possible without AD Connect to Azure AD? With just Azure AD and Azure Active Directory Services?
@NTFAQGuy
4 years ago
Yes, that is the Azure AD integrated option. You can integrate either with AD or Azure AD with AAD DS.
@DP-fr1yw
3 years ago
Hi John, I'm a bit stuck on a POC deployment for a customer here. Hope you can help me with it. I set up an AD DS with AD Connect on it for the AD auth. Created a storage account with a file share on it, enabled AD auth in the correct way. Synced some security groups so I can decide the share-level permissions through RBAC. So all of the above worked correctly and I can map the file share as a network drive on domain-joined laptops etc. I mapped the file share with superuser permissions on my test AD and tried to modify the NTFS rights to get it how we wish. So I made a user a member of the SMB Contributor group, and I made a security group in AD called ReadOnly where I also made the same user a member. I put the ReadOnly security group on a folder in the share, so I expected for the user I just made a member of the SG & SMB Contributor group that the most restrictive permissions would win. But they actually don't, the user can still edit everything. Is there something that I missed maybe?
@NTFAQGuy
3 years ago
In ARM the permissions are cumulative. If you give someone read and then in another assignment give them write, they will have write. If you are saying on a folder in NTFS directly you set the user with read-only permissions, then yes, in that folder they should only be able to read if it's set up correctly.
@Stateoftheheart
4 years ago
Thank you John, stoked the functionality has finally arrived to use on-prem AD! Interested to know how old your Pluralsight training for AZ-103 is & if it's still relevant for studying towards AZ-104? According to Pluralsight's website it was updated June 23 2020, which doesn't make sense as this update on KZitem is from Feb.
@NTFAQGuy
4 years ago
The KZitem and Pluralsight are completely separate. The date on Pluralsight would be accurate.
@NTFAQGuy
4 years ago
There are some changes going on right now re courses so not sure when it will be updated. Sorry
@Stateoftheheart
4 years ago
@@NTFAQGuy Thanks John, sorry I got confused as I watched the Azure AD authentication PS video and just realized there is another for AD DS.
@nathanpinotti
4 years ago
Hey, nice video! So am I going to be able to use the nested group strategy as I do on my on-premises env?
@NTFAQGuy
4 years ago
Same Kerberos token so things will work the same :-)
@nidi2234
4 years ago
Hi John. A little confused with this. Considering we have all users synced from different domains, should all users be able to authenticate to the file share that is domain joined to an Azure VM? Does the VM need to be domain joined to the on-premises domain?
@bazookaman3
4 years ago
Great video, thank you John! I have a question though. The best practice for on-prem file shares was to grant Everyone Full Control access at the "Share" level and then use ACLs at the folder/file level to secure your share. This way you only need to worry about one set of permissions. Can we still do something similar with this integration? Or will I have to manage two sets of permissions (Azure RBAC roles, and ACLs for folders/files)?
@NTFAQGuy
4 years ago
You can still do the same thing. RBAC using AAD at the share and then the ACLs on the file/folder can be more restrictive.
@bazookaman3
4 years ago
@@NTFAQGuy Thanks. So would I just assign everyone the SMB Elevated Contributor role in RBAC, would that be the same as the old "Full Control" share permission? One area where I'm getting hung up is the root folder NTFS permissions. Am I able to change that with an Azure file share? For instance, assign NTFS read-only permissions at the root folder level, to stop people from creating top-level folders.
@NTFAQGuy
4 years ago
BazookaMan3 Right, that would be equivalent to Full Control on the share. Read docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-enable which goes through the root permissions.
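Editor's added example (not code from the video or from John's repo) covering the two threads above: the "most restrictive wins" question about a ReadOnly group on a folder, and the "Everyone: Full Control at the share, ACLs on folders, read-only root" pattern. Everything named here is assumed for illustration: resource group rg-files, storage account contosofiles, share dept, AD domain CONTOSO with groups FileShareUsers, ReadOnly and FileAdmins already synced to Azure AD by AAD Connect, and the Az PowerShell module on a domain-joined admin machine.

```powershell
# Added example, not from the video. Assumed names: rg-files / contosofiles / dept,
# domain CONTOSO with groups FileShareUsers, ReadOnly, FileAdmins (synced to AAD).
$sub   = (Get-AzContext).Subscription.Id
$rg    = "rg-files"
$sa    = "contosofiles"
$share = "dept"

# 1. Share level: one broad RBAC assignment is the equivalent of the old
#    "Everyone: Full Control" share permission. Elevated Contributor also lets
#    members change NTFS ACLs, so reserve it for the admin group and give
#    ordinary users Contributor (read/write/delete, no ACL changes).
#    Share roles: Storage File Data SMB Share Reader / Contributor / Elevated Contributor.
$scope = "/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.Storage" +
         "/storageAccounts/$sa/fileServices/default/fileshares/$share"
$users  = Get-AzADGroup -DisplayName "FileShareUsers"
$admins = Get-AzADGroup -DisplayName "FileAdmins"
New-AzRoleAssignment -ObjectId $users.Id  -RoleDefinitionName "Storage File Data SMB Share Contributor"          -Scope $scope
New-AzRoleAssignment -ObjectId $admins.Id -RoleDefinitionName "Storage File Data SMB Share Elevated Contributor" -Scope $scope

# 2. Mount once with the storage account key (the "superuser" mount) so the
#    NTFS ACLs can be set without waiting for RBAC propagation.
$key = (Get-AzStorageAccountKey -ResourceGroupName $rg -Name $sa)[0].Value
net use Z: "\\$sa.file.core.windows.net\$share" "/user:Azure\$sa" $key

# 3. Root folder: read + list only for ordinary users and NOT inherited by
#    children, so nobody can create top-level folders. Run "icacls Z:\" first
#    and remove the broad default entry (Authenticated Users) if it is present.
icacls Z:\ /remove:g "NT AUTHORITY\Authenticated Users"
icacls Z:\ /grant "CONTOSO\FileShareUsers:(RX)"
icacls Z:\ /grant "CONTOSO\FileAdmins:(OI)(CI)(F)"

# 4. Folder ACLs are where "most restrictive wins" actually happens. Inheritance
#    is cut on Archive, so a user who is a share-level Contributor AND a member
#    of CONTOSO\FileShareUsers (M on Projects) AND of CONTOSO\ReadOnly gets only
#    read there: RBAC opened the share, NTFS decides per folder.
New-Item -ItemType Directory -Path Z:\Projects, Z:\Projects\Archive -Force | Out-Null
icacls Z:\Projects         /grant "CONTOSO\FileShareUsers:(OI)(CI)(M)"
icacls Z:\Projects\Archive /inheritance:r `
    /grant "CONTOSO\ReadOnly:(OI)(CI)(RX)" "CONTOSO\FileAdmins:(OI)(CI)(F)" "NT AUTHORITY\SYSTEM:(OI)(CI)(F)"

# 5. Review the whole tree, then drop the key-based mount; users reconnect with Kerberos.
icacls Z:\ /t /c
net use Z: /delete
```

Two caveats when testing this: group membership travels inside the Kerberos ticket, so a user added to ReadOnly keeps the old access until they log off and on (or `klist purge` and remount), and an inherited Modify entry from a parent folder will silently override the intent of a read-only group unless inheritance is cut on that folder, as step 4 does. RBAC role assignments also take a few minutes to become effective at the share.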
@JohnBevan
4 years ago
Hey John, thank you for this video; it really helped me crack some issues that we were having with AD-based permissions on Azure Files / get my head around how things fitted together. One question: do you know if Access Based Enumeration (i.e. the ability to hide content to which the user does not have access) exists in Azure Files? Thank you in advance.
@NTFAQGuy
4 years ago
No ABE today.
@deepakrajput0071
4 years ago
Amazing stuff. As an alternative, can't we use SharePoint Online? SharePoint will take care of the required permissions and also provide ways to map your drive with a document library (I believe it uses WebDAV for that).
@NTFAQGuy
4 years ago
Certainly you can use SharePoint/OneDrive for Business as another mechanism and even sync o4b to the desktop.
@Stateoftheheart
4 years ago
Hi John, many companies are using SharePoint Online to store documents. I would like to know what the difference is between storing files in SharePoint Online vs Azure Files & the pros & cons of each. I'm battling to find anything online that explains this well.
@NTFAQGuy
4 years ago
Azure Files is just an SMB share ultimately, whereas SharePoint is a complete collaboration platform with rights management, co-authoring and much more.
@NTFAQGuy
4 years ago
Also think about sharing. I can external share with SharePoint Online etc.
@Stateoftheheart
4 years ago
@@NTFAQGuy Thanks John, that is helpful!
3 years ago
For tiny companies (
@NTFAQGuy
3 years ago
many companies bigger than that as well :-)
@megaa1c
4 years ago
thanks John
@alexpetrenko5952
3 years ago
Hi, a very useful feature. Probably I missed that, but does it require that the user account is synchronized to Azure AD to get access?
@NTFAQGuy
3 years ago
Yes for share IAM
@bproducer
4 years ago
Hi John, great video. Can an on-premises end user connect SMB 3.0 over the internet to the public endpoint of the Azure file share or does it require a private endpoint with ExpressRoute/VPN? Thanks
@NTFAQGuy
4 years ago
With SMB 3 yes, as it has encryption, but it does require corp firewalls to allow it, which is not likely, hence VPN etc. likely required.
@MoeinGhorshi
4 years ago
When I search a mounted share, where does the search happen? If your local site goes down does the authentication still happen across Azure for remote users?
@NTFAQGuy
4 years ago
Do you mean if AD is unavailable? If AD is unavailable you won't be able to get a Kerberos ticket so won't have permissions on files/folders.
@robb1267
4 years ago
This is great for remote workers on their domain-joined machines so they don't have to VPN in to get access to a file server. But for on-prem users, isn't using Azure File Sync (with recent data cached locally) still a more efficient method? Otherwise, all on-prem users have to traverse the WAN to Azure to access the files.
@jansalisbury1189
4 years ago
I believe that they do still have to VPN into the on-prem AD for authentication. So for me, it's not quite the game-changer we're looking for. Don't get me wrong, turning file servers off is a big step forward, but what we really need is for this to work without a VPN. That would be the game-changer for me. What do you think John?
@kauffmann101
4 years ago
Or with adopting Azure AD Domain Services, so it is able to use AFS without VPN
@jamesgannon8427
4 years ago
If you were to remove the on-prem AD would this model still work for AAD Joined Win10 PCs?
@NTFAQGuy
4 years ago
No, but you could use the AAD integration Azure Files model.
@midnightwatchman1
3 years ago
Is the word "acls" a thing? I thought it was ACLs. I was wondering initially when I first heard it
@NTFAQGuy
3 years ago
Same
@rohanofelvenpower5566
2 years ago
cheers
@sateg
3 years ago
Hello John, thanks for the great video! I have file servers & AD DS on-premises, and would like to migrate some file servers into Azure Files. Will it be enough to extend AD DS into Azure by installing an IaaS VM DC (and replicating with on-prem DCs) + use the trick with the computer account as you described? I am asking whether I really need to configure AAD Connect and synchronize objects from AD DS to AAD. What will we lose if there is no AD Connect?
@NTFAQGuy
3 years ago
No, you have to have AAD syncing from AD so AAD has the objects, or you have no way to give RBAC to the share for a user.
@sateg
3 years ago
@@NTFAQGuy thanks a lot, you are right
@benp89bp
3 years ago
When you use net use to connect to the share in this instance do you need to authenticate with your AD account or with the storage account key like you do natively?
@NTFAQGuy
3 years ago
AD account. That is the whole point of this setup.
@bk6141
4 years ago
Hi John, great video! I set up a file share and added it to File Sync with on-prem, however files/folders created directly on the storage account do not sync to the on-prem share. Is this normal? Is it possible to have a two-way sync? Any advice is highly appreciated. Thank you again.
@NTFAQGuy
4 years ago
Give it time, they should sync but it takes a while for the files to be seen by the engine.
@BusinessITSolutions
3 years ago
Hi John, I have a customer with 600 Windows 10 laptops. All users log in to the Windows 10 machine using the Azure AD (M365) login. All devices are also managed by Intune and Azure AD joined. They have never had onsite AD, everything is serverless. We spun up Azure Files but can't get Azure AD DS to authenticate. All Microsoft documentation keeps talking about computers needing to be domain joined. Am I doing something wrong here, and if we take a step back, how do I use Azure Files with 600 Windows 10 devices that are Azure AD domain joined and managed by Intune?
@NTFAQGuy
3 years ago
This is for AD domain joined, which you are not, so this won't work. Azure AD is not the same as AD. There is an Azure AD joined alternative which may work, or if you are all modern something like OneDrive and SharePoint may be a better fit.
@BusinessITSolutions
3 years ago
@@NTFAQGuy Thank you John, we are currently on OneDrive/SharePoint but this is a large non-tech-savvy workforce and OneDrive is not an option. So many issues between files not syncing, file upload fails, having to reset OneDrive, they forget to check that OneDrive is actually syncing etc.
@NTFAQGuy
3 years ago
@@BusinessITSolutions Hmmm, well there is an Azure AD Azure Files integration but it's not as friendly as the AD integration, but may be your only choice.
@donniejohnson6511
4 years ago
Can an Azure file share be a DFS target? I know Azure File Sync is an option but I was wondering if we could point the DFS link directly to the Azure share.
@NTFAQGuy
4 years ago
I don't see why not, however if you use AD sites for proximity that wouldn't work. I'd have to test that :)
@Rybek
3 years ago
In relation to roles in IAM, I understand that you need for example "Storage File Data SMB Share Contributor" to manage NTFS permissions, but for normal user access that just reads, is the normal "Contributor" enough if he will not be editing permissions but creating new folders etc.?
@NTFAQGuy
3 years ago
IAM for Azure Files is about share access only; NTFS drives what you can do on the actual file system.
@Rybek
3 years ago
@@NTFAQGuy I understand, but if the users don't need to right-click on files and edit permissions but just access them, from what I understand they don't need to use this "Storage File Data SMB Share Contributor". Is this group only required for admins and managers that do operations on files? Or do they actually need to be in this group to be able to create and delete folders and files, because in the end those are SMB operations?
@NTFAQGuy
3 years ago
@@Rybek there are multiple share roles based on what the user needs at share level. Suggest you read the docs.
@Danijam2
3 years ago
Hi John, is there an option I'm missing where we can authenticate to the share using SMB and just AAD? I.e. we don't have AAD DS or on-premises domain controllers. For example, say I just have an AAD registered device (not domain joined) and an AAD user cloud-only account. Could that user and device mount the share without needing to use the access keys?
@NTFAQGuy
3 years ago
Not with file-level ACLs. It has to integrate with AD for file/folder ACLs.
@Danijam2
3 years ago
@@NTFAQGuy Thanks John!
@toffitomek
3 years ago
Do you know if there is any chance to allow Azure AD joined devices to authenticate to Azure Files...? That would be the perfect serverless option, fully in the cloud ;)
@NTFAQGuy
3 years ago
You have to have AD in there somewhere, either AAD DS or AD DS.
@Rybek
3 years ago
Hi John. Thanks for the great video, but can you clarify something for me please. If we are using File Sync replication to Azure and we want to use replicated enforced ACLs in Azure from on-premises (go serverless) in a scenario where on-premises is not available, do we need to replicate all groups that are related to the ACLs to the cloud (locally users are added to groups and based on that they have access to certain folders), or are user accounts with password synchronisation enough? Is the local computer account needed if there is password hash synchronisation enabled? What we want to have is replication of local shares to the cloud and to be able to access those shares with the same ACLs and uninterrupted authentication to all subdirectories in a DR scenario when on-premises is not available.
@NTFAQGuy
3 years ago
It has to access AD to enforce the ACLs. If on-premises was not available you'll need DCs somewhere the clients can get to for a token.
@Rybek
3 years ago
@@NTFAQGuy So ACLs are only enforced when on-premises is available O_o? I thought that they are replicated and when you have password hash replication for users that are synchronised, with maybe group synchronisation, Azure AD would take control of authentication and authorisation to shares and local AD is not taking any part. So I'm still dependent on on-premises if I want to use the same ACLs, in short? There is no way to do a replica via Azure File Sync and access without disruption by mapping to the cloud when on-premises is offline, with the same ACLs working?
@NTFAQGuy
3 years ago
@@Rybek put DCs in the cloud and enable user access to them. It's AD integrated auth, you need AD to give the token as I said.
@Rybek
3 years ago
@@NTFAQGuy OK, thanks for all the info :)
@Rybek
3 years ago
@@NTFAQGuy I'm trying right now to map a resource that was replicated to Azure File Shares (storage account) via Azure File Sync to a computer added to local AD with ACL enforcement from ADDS. I want to be able to map those resources with ACL enforcement but not rely on local on-prem authentication. This is for a DR scenario. I deployed Azure Active Directory Domain Services, enabled "Identity-based access for file shares", added users synced via Azure AD Connect to the Storage File Data SMB Share Contributor role. All security groups from local AD that are responsible for access to specific directories are also synced. Mapping is working with ACL enforcement on a computer added to ADDS but not working for a computer added to local AD. I suspect that this computer needs to have access to the ADDS subnet to utilise Kerberos and LDAP so I'm considering a VPN to Azure. I'm guessing that the subnet and vnet that the computer will have allocated will also need to have a route to the ADDS subnet. Am I missing something? Will that be enough? I want to avoid rejoining the computer from local on-prem Active Directory to AADDS and I understand that I don't need to add the Azure storage account to on-prem because in this situation authentication will be done by local AD, and in a situation when it is not available ACL enforcement will not work, so we don't want this step in the process, right?
@fabriciomattos16
4 years ago
I want to unjoin a storage account I joined to my local Active Directory. Whenever I attempt it, I receive the following message: "An operation is currently performing on this storage account that requires exclusive access." What should I do???
@NTFAQGuy
4 years ago
Not seen that error. Make sure you are owner or contributor on the storage account.
@cpgixxer
4 years ago
Hey John, great vid. Can you post the link to the ps1 download in the comments so we know where the script is? Thanks
@NTFAQGuy
4 years ago
This is probably the best link for the code: docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-enable. Good luck!
@cpgixxer
4 years ago
@@NTFAQGuy thank you so much, working on this tomorrow!
@@cpgixxer If you want my script it's on my repo at github.com/johnthebrit/RandomStuff/tree/master/AzureFilesADIntegration but the MS docs have the full command set and are what I used to create my mini version.
@cpgixxer
4 years ago
@@NTFAQGuy I'm home free now, I ran it and it created the account in AD - thanks for all the help!
@msobhy95
3 years ago
Hi John, very nice video. Could you please copy the script to join the AzStorageAccount to AD here?
@NTFAQGuy
3 years ago
The code was all based on the MS KB article to set that up.
@papixmedia8107
4 years ago
Just in case someone is trying it on general-purpose storage v2, it will not work on that. Use a general-purpose v1 storage account.
@NTFAQGuy
4 years ago
I used storage v2. It should work with v2, not sure what error you got. Please post.
@nrohyarts
4 years ago
Nice video... question though. I set this up in a lab and despite all my efforts am getting an error "The password is invalid for \\file.core.windows.net\". I have triple-checked settings, verified accounts have synced, run the diags, and all looks OK. But logging in to an AD computer with a user with RBAC roles and NTFS permissions set and trying to mount a drive to the share, I get this error. Any pointers?
@NTFAQGuy
4 years ago
And you have used RBAC on Azure Files as well, right? Try passing the username via net use as well.
@nrohyarts
4 years ago
John Savill I think RBAC changes take a while - after about an hour this magically started to work. The only thing I can attribute it to is something on the Azure backplane settling.
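Editor's added example, not from the video, for the two client-side questions in this thread (net use with the AD account rather than the key, and the "password is invalid" mount failure). It separates the three layers that can fail: network path, Kerberos ticket from AD, and share-level RBAC plus NTFS. Assumed for illustration: storage account contosofiles, share dept, domain CONTOSO, user CONTOSO\alice, run on the AD-joined client as that user.

```powershell
# Added example, not from the video. Assumed names: contosofiles / dept / CONTOSO\alice.
$sa    = "contosofiles"
$share = "dept"
$unc   = "\\$sa.file.core.windows.net\$share"

# 1. Network path: SMB needs TCP 445 outbound (often blocked by ISPs and corp
#    firewalls) and Kerberos needs a reachable DC for CONTOSO.
Test-NetConnection -ComputerName "$sa.file.core.windows.net" -Port 445 |
    Select-Object ComputerName, TcpTestSucceeded
nltest /dsgetdc:CONTOSO 2>&1 | Select-String "DC:|Address"

# 2. Kerberos: ask the KDC for a service ticket for the share's SPN. If this
#    fails, the problem is in AD (computer object, SPN, or its password being
#    out of sync with the storage account's Kerberos key), not in Azure RBAC.
klist purge | Out-Null
klist get "cifs/$sa.file.core.windows.net"
klist | Select-String "cifs/$sa"

# 3. Mount with the logged-on AD identity, no storage key at all. Passing the
#    user explicitly (the suggestion above) forces credentials for that account.
net use Z: $unc
if ($LASTEXITCODE -ne 0) {
    net use Z: $unc "/user:CONTOSO\alice"
}

# 4. Authorization: what you get is the intersection of the share-level RBAC
#    role and the NTFS ACL on the folder. A mount that succeeds but denies the
#    write below usually means a Reader share role or a read-only folder ACL.
#    New RBAC assignments can take a while to propagate, so retry before
#    changing anything.
if ($LASTEXITCODE -eq 0) {
    icacls Z:\ | Select-String "CONTOSO\\"
    try {
        "probe" | Set-Content -Path Z:\write-probe.txt -ErrorAction Stop
        Remove-Item Z:\write-probe.txt
        "write: OK"
    }
    catch { "write: denied ($($_.Exception.Message))" }
}
```

Reading the results: step 2 failing with an RC4/AES message points at the encryption type chosen when the account was joined; step 2 succeeding while step 3 still reports an invalid password points at the share side (RBAC not yet propagated, or no role at all for that user); step 3 succeeding with the write denied is an NTFS or share-role question, not an authentication one.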
Comments: 119