Azure File Shares Remote Access with MyWorkDrive


Azure File Shares Overview

Microsoft Azure File Shares (AFS) are SMB-accessible file shares hosted by Azure. By using Azure File Shares, companies are relieved of the responsibility of maintaining Windows file server based file shares. Azure Files offers fully managed file shares in the cloud that are accessible via the industry-standard SMB protocol.

Mapping drives remotely to Azure File Shares requires connecting to ports 445 and 139 over the SMB protocol, which are only accessible from the same local area network or via VPN. Businesses need to maintain VPN tunnels from Azure to each location (and pay for usage and bandwidth) as well as VPN gateways for users to access files on the go.

As an alternative to VPN, MyWorkDrive can be deployed in Azure as a virtual machine to provide secure Azure File Share access over port 443 (SSL) from any web browser, our mapped drive client or our mobile clients.

Instead of using VPNs, end users can access their files from a web browser and can even edit documents in Office 365 online while saving them back to Azure File Shares.

Azure File Share MyWorkDrive Integration Methods

Azure File Shares (AFS) support authentication using Azure AD flowing to Active Directory, or using Azure File Share Sync. John Savill provides a very good Azure File Share authentication overview video here. In this article we present our preferred MyWorkDrive AFS deployment options.

Active Directory Authentication

Azure Files Active Directory integration, using an Active Directory domain owned and managed by the customer, is available in preview in all regions. Read more about the benefits of Azure Files Active Directory integration and follow this step-by-step guidance to get started. MyWorkDrive has fully tested and supports this method for accessing Azure File Shares.

Users can log in to Azure File Shares using their existing usernames and passwords in Active Directory, or using their Azure AD credentials via our MyWorkDrive Azure AD SAML/Single Sign-on integration.

Customers may also run and manage their own Active Directory servers in Azure as a virtual machine or connect an Azure network to on-premise using a VPN tunnel or Azure ExpressRoute.

By hosting Active Directory servers as virtual machines, organizations have the benefits of redundancy and outsourcing the management of hardware infrastructure while retaining ownership and management of their AD domains. Microsoft has detailed important considerations when deploying Active Directory Domain Controllers as virtual machines.

MyWorkDrive has updated our Azure MyWorkDrive image in the marketplace so that it can easily join an existing Windows Active Directory domain, which further simplifies the process.

Azure File Share Active Directory MyWorkDrive Setup Steps

Prerequisites
  • Active Directory must be synced to Azure AD (for setting share permissions).
  • Set up a new Active Directory DC in Azure (VPN or ExpressRoute to on-premise), with a new AD site in the domain for local AD authentication (AD Sites and Services).
  • Azure-hosted 2019 Server with RSAT tools, joined to the domain (use this server to manage Azure File Shares, join them to the domain and set permissions).
  • Azure Storage Account in the same region and resource group, with Azure Active Directory synced from Active Directory.

Create Storage Account

Create a storage account in a resource group in the same Azure Account that hosts your Azure AD.  Select the required redundancy and performance options.

Create File Share

Add a file share to your storage account setting share name and quota.

Create a Private Endpoint

Create a Private Endpoint to the storage account on the same virtual network as the Azure File Share and your virtual machines. This secures the Azure File Share so that SMB port 445 is not exposed to the internet. To enable SMB drive mapping internally, add the private endpoint's internal host name to internal Active Directory DNS so that it resolves internally to the private endpoint address.

Join Azure Storage Account to Active Directory

Before you start, map a drive using the storage account key from your Windows 2019 server in Azure to ensure you have SMB file share connectivity: “net use desired-drive-letter: \\storage-account-name.file.core.windows.net\share-name storage-account-key /user:Azure\storage-account-name”.

Enable Azure File Share Active Directory Integration

Enable Azure File Share Active Directory Integration using the steps outlined here. Note: the scripts run best using the PowerShell shipped with Server 2019, as they require specific components to be installed as part of the process.

Assign Share Permissions

Even though we will be assigning and using NTFS permissions, Azure File Shares currently require that permissions also be set at the share level using user accounts or groups synced to Azure AD. Assign identity share permissions, for example “Storage File Data SMB Share Elevated Contributor”, which allows read, write, delete and modify NTFS permissions in Azure Storage file shares over SMB. Note: AD distribution groups synced from the local domain can be used (default domain local groups do not sync to Azure AD).

Assign NTFS Permissions

Using the same drive mapped earlier, add AD users or groups to the mapped drive at the share level. Test the new share NTFS permissions by mapping a drive to the private endpoint address, e.g. \\azure-file-share.file.core.windows.net\share.
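The following PowerShell script is an added example, not MyWorkDrive's own tooling: run from the domain-joined 2019 server, it checks that the storage FQDN resolves to the private endpoint rather than a public address, that TCP 445 is reachable, that the share mounts with the logged-on AD identity (no storage key), and lists the NTFS ACL at the share root. The storage account and share names are placeholders.

```powershell
# Added example (not MyWorkDrive's code): validate the private-endpoint and
# AD-integrated permission setup from the domain-joined Windows 2019 server.
$StorageAccount = 'storage-account-name'   # placeholder, replace with yours
$ShareName      = 'share-name'             # placeholder, replace with yours
$DriveLetter    = 'Z'
$Fqdn           = "$StorageAccount.file.core.windows.net"

# 1. DNS: the storage FQDN must resolve to the private endpoint (RFC 1918
#    address), otherwise SMB traffic would try to leave the VNet.
$ip = (Resolve-DnsName -Name $Fqdn -Type A -ErrorAction Stop |
       Where-Object Type -eq 'A' | Select-Object -First 1).IPAddress
if ($ip -notmatch '^(10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.)') {
    throw "$Fqdn resolved to $ip, not a private endpoint address. Check internal AD DNS."
}

# 2. Reachability: SMB needs TCP 445 from this server to the private endpoint.
$tcp = Test-NetConnection -ComputerName $Fqdn -Port 445 -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    throw "TCP 445 to $Fqdn ($ip) failed. Check NSG rules and the private endpoint."
}

# 3. Mount with the logged-on AD identity (no storage account key). This only
#    succeeds if the share-level RBAC role and the NTFS ACLs allow the account.
New-PSDrive -Name $DriveLetter -PSProvider FileSystem -Root "\\$Fqdn\$ShareName" `
            -Scope Script -ErrorAction Stop | Out-Null

# 4. List the NTFS ACL at the share root so it can be compared with the
#    intended AD groups; overly broad principals are flagged for review.
$acl = Get-Acl -Path "${DriveLetter}:\"
foreach ($ace in $acl.Access) {
    $flag = if ($ace.IdentityReference -match 'Everyone|Authenticated Users') { ' <-- review' } else { '' }
    '{0,-40} {1,-30} {2}{3}' -f $ace.IdentityReference, $ace.FileSystemRights, $ace.AccessControlType, $flag
}

# 5. Write/delete round-trip under the AD identity, then unmount.
$probe = "${DriveLetter}:\afs-access-probe-$([guid]::NewGuid()).txt"
Set-Content -Path $probe -Value 'probe' -ErrorAction Stop
Remove-Item -Path $probe -ErrorAction Stop
Remove-PSDrive -Name $DriveLetter
"OK: $Fqdn -> $ip (private), TCP 445 open, AD-identity mount and NTFS write verified."
```

If step 3 fails while the storage-key mapping from the earlier step works, the cause is the share-level role assignment or the NTFS ACL rather than networking.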

Install MyWorkDrive Server

Using a new server or the 2019 Server already joined to Active Directory in Azure, set up MyWorkDrive Server just as you would any MyWorkDrive Server. When adding your first share, use your new Azure File Share UNC path as the file share path, e.g. \\azure-file-share.file.core.windows.net\share.

Optionally enable MyWorkDrive Azure AD Single Sign-On

Users can log in using their Azure AD credentials via our MyWorkDrive Azure AD SAML/Single Sign-on integration.

File Share Sync

With Azure File Share Sync, multiple locations can be synced from on-premise to AFS and to remote locations. Using Azure File Share Sync is another way to connect AFS to the customer's own Active Directory, since NTFS ACLs are synced in addition to files and folders. In addition, Azure Files supports preserving, inheriting and enforcing Microsoft file system NTFS ACLs on all folders and files in a file share.