Azure Files Remote Access with MyWorkDrive
Azure Files Overview
Microsoft Azure file shares are SMB accessible file shares hosted by Azure. By utilizing Azure Files, companies are relieved of the responsibility of maintaining Windows file server-based file shares. Azure Files offers fully managed file shares in the cloud that are accessible via the industry standard SMB protocol.
Mapping drives remotely to Azure file shares requires connecting to port 445 over the SMB protocol, which many internet providers block, so the shares are often reachable only from the same local area network or over a VPN. Businesses then need to maintain VPN tunnels from Azure to each location, as well as VPN gateways for users who access files on the go.
Use MyWorkDrive to easily connect to your Azure file shares without a VPN from any device.
- Connect through a web-based file manager with your AD credentials from any device (PCs do not need to be joined to the domain).
- Connect using iPhone or Android Apps.
- Use the MyWorkDrive mapped drive client that works over HTTPS (no VPN needed).
Use Azure Files with MyWorkDrive to get the elasticity and ease of management of cloud storage.
- Durable and highly available cloud storage fully managed by Microsoft.
- Pay as you go storage. Only pay for what you use. Up to 100TB per share.
- Connect multiple shares to MyWorkDrive.
- Files are encrypted in transit and at rest.
- Snapshot management from Azure Backup.
- Azure File Sync:
  - Bi-directional sync between on-premise and Azure file shares.
  - Local caching and cloud tiering: the performance of on-premise storage with the scale and elasticity of the cloud.
  - Multi-site sync to keep a cache at each branch office with centralized cloud storage.
The combination of MyWorkDrive and Azure Files is a great match!
Option 1: Directly Connect Azure Files with MyWorkDrive
Azure file shares support authentication using Active Directory or using Azure File Sync. John Savill provides a detailed overview of Azure Files authentication here. In this article, we present our preferred MyWorkDrive Azure file shares deployment option, which is to directly connect Azure file shares with MyWorkDrive hosted in Azure, using Active Directory authentication.
Active Directory Authentication
Azure Files Active Directory integration is fully supported in Azure, either with your own Active Directory domains managed by you or with Azure AD Domain Services. Read more about the benefits of Azure Files Active Directory integration and follow this step-by-step guidance to get started with integrating Azure file shares with Azure AD Domain Services. To integrate Azure file share authentication with on-premise Active Directory, follow these steps.
With this method, users can login to Azure file shares using their existing AD DS username/passwords stored in Active Directory or synced from Azure AD to Azure AD Domain Services hosted by Azure. Users may also use their Azure AD credentials when synced from AD DS and coupled with MyWorkDrive’s Azure AD SAML/Single Sign-on integration.
For On-premise Active Directory, customers may run and manage their own Active Directory servers in Azure as a virtual machine, or connect an Azure network to on-premise using a VPN tunnel or Azure ExpressRoute. For fastest authentication, we recommend placing a Domain Controller in Azure on the same network as the MyWorkDrive server or using Azure AD Domain Services.
MyWorkDrive has updated our Azure MyWorkDrive Image in the marketplace to allow it to easily join an existing Windows Active Directory domain. This further accelerates the deployment process.
Azure file shares Active Directory MyWorkDrive Setup Steps
- Active Directory must be synced to Azure AD (for setting share permissions).
- Network connectivity from Azure to an AD DC (either a DC running in Azure or an ExpressRoute/VPN connection to a DC on-prem), or use of Azure AD Domain Services.
- Azure-hosted Windows Server 2019 with RSAT tools, joined to Active Directory (use this server to manage Azure file shares, add them to your domain and set permissions).
- Accelerated Networking enabled on the Azure virtual machine (not available with all machine sizes; typically requires a D series with 2 or more vCPUs).
- Proximity Placement Groups deployed to ensure compute resources are physically located together for optimal performance.
- SMB Multichannel enabled on Azure Files, if your performance tier supports it.
- Azure Storage Account Name must not exceed 15 characters (Active Directory Computer Name Requirement).
Create Storage Account
Create a storage account in a resource group in the same Azure Account that hosts your Azure AD. Select the required redundancy and performance options.
Create File Share
Add a file share to your storage account, setting the share name and quota.
Join Azure Storage Account to Active Directory
Before you start, map a drive using the storage account key from your Windows Server 2019 machine in Azure to confirm that you have SMB file share connectivity. The identity is always Azure\<storage-account-name> and the storage account key is the password:
net use <desired-drive-letter>: \\<storage-account-name>.file.core.windows.net\<share-name> <storage-account-key> /user:Azure\<storage-account-name>
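The same pre-flight check as a script, added here as an example rather than taken from the article or from MyWorkDrive: it first proves that TCP 445 is actually reachable from the VM (the usual reason a later net use fails), then maps the share with the account key and performs a throw-away write. The storage account name contosofiles, share name finance and drive letter Z are assumed placeholders; the key is read from an environment variable so it is not left in the script or the shell history.

```powershell
# Added example, not from the original article. Assumed names: storage account
# "contosofiles", share "finance", drive letter Z. Set AZURE_STORAGE_KEY before running.
$StorageAccount = 'contosofiles'
$ShareName      = 'finance'
$DriveLetter    = 'Z'
$Endpoint       = "$StorageAccount.file.core.windows.net"
$UncPath        = "\\$Endpoint\$ShareName"

# 1. Is TCP/445 reachable from this VM? ISPs and restrictive NSGs block it,
#    which surfaces later as 'System error 53' or 'System error 67' from net use.
$probe = Test-NetConnection -ComputerName $Endpoint -Port 445 -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) {
    throw "TCP 445 to $Endpoint is blocked; fix routing/NSG rules before continuing."
}

# 2. Map the share with the storage account key. The identity is always
#    AZURE\<storage-account-name>; the key is the password.
$key = $env:AZURE_STORAGE_KEY
if ([string]::IsNullOrEmpty($key)) { throw 'Set the AZURE_STORAGE_KEY environment variable first.' }
$cred = New-Object System.Management.Automation.PSCredential(
    "AZURE\$StorageAccount",
    (ConvertTo-SecureString $key -AsPlainText -Force))
New-PSDrive -Name $DriveLetter -PSProvider FileSystem -Root $UncPath -Credential $cred -Scope Global | Out-Null

# 3. Report the negotiated SMB dialect (Azure Files requires SMB 3.x with
#    encryption from outside the region) and prove the share is writable.
$dialect = (Get-SmbConnection -ServerName $Endpoint | Select-Object -First 1).Dialect
$testFile = Join-Path "${DriveLetter}:\" 'mwd-connectivity-check.txt'
"ok $(Get-Date -Format o)" | Set-Content -Path $testFile
$written = Test-Path $testFile
Remove-Item $testFile -ErrorAction SilentlyContinue

Write-Host "Share $UncPath mapped as ${DriveLetter}: using SMB dialect $dialect; write test succeeded: $written"
```

If step 1 fails, nothing further in this article will work until port 445 is open from the VM's subnet to the storage endpoint; if step 1 passes but the mapping fails, the problem is the key or the share name rather than the network.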
Enable Azure Files Active Directory Integration
For on-premise Active Directory, enable Azure Files Active Directory authentication using the steps outlined here. Note: the scripts run best using the PowerShell shipped with Server 2019, as they require specific components to be installed as part of the process. The Azure Storage account will be added to Active Directory as a computer account.
For Azure AD Domain Services follow these steps to Enable Azure Files Authentication with Active Directory Domain Services. In this case the Azure Storage Account will be added to Active Directory as a User Account.
If you are using Azure AD Domain Services, make sure that the user account created in Active Directory for the storage account is set so that its password does not expire. If the password expires, users will no longer be able to access the Azure Files shares with their AD credentials and will receive errors when logging in to MyWorkDrive (see item 1 in the section "Unable to mount Azure Files with AD credentials" of Microsoft's Azure Files connection troubleshooting guide). You will then need to reset the password and re-sync the Kerberos keys.
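An added check for that failure mode (this is example code, not part of the article or of MyWorkDrive's tooling): it locates the AD object that represents the storage account, whether it is the user object created with Azure AD Domain Services or the computer object created with on-premise AD, confirms the cifs/ service principal name that Kerberos needs, and, for the user-object case, sets the password to never expire if it is not already. It assumes the ActiveDirectory RSAT module is installed, that the session has rights to read and modify the object, and that the storage account is named contosofiles (a placeholder).

```powershell
# Added example, not from the original article. Assumed: ActiveDirectory RSAT module
# installed; storage account named "contosofiles".
Import-Module ActiveDirectory
$StorageAccount = 'contosofiles'

# With Azure AD Domain Services the storage account is a user object; with
# on-premise AD it is a computer object. Look for either.
$adObject = Get-ADUser -Filter "sAMAccountName -eq '$StorageAccount'" `
    -Properties PasswordNeverExpires, PasswordLastSet, Enabled, ServicePrincipalNames
if (-not $adObject) {
    $adObject = Get-ADComputer -Filter "Name -eq '$StorageAccount'" `
        -Properties PasswordLastSet, Enabled, ServicePrincipalNames
}
if (-not $adObject) { throw "No AD object found for storage account $StorageAccount" }

# Kerberos can only issue tickets for the SMB endpoint if this SPN is registered.
$expectedSpn = "cifs/$StorageAccount.file.core.windows.net"
$spnPresent  = $adObject.ServicePrincipalNames -contains $expectedSpn

# The domain maximum password age tells you when a user object would break.
$maxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge

[pscustomobject]@{
    Name                 = $adObject.Name
    ObjectClass          = $adObject.ObjectClass
    Enabled              = $adObject.Enabled
    SpnPresent           = $spnPresent
    PasswordLastSet      = $adObject.PasswordLastSet
    PasswordNeverExpires = $adObject.PasswordNeverExpires   # $null for computer objects
    DomainMaxPasswordAge = $maxAge
} | Format-List

# Remediate the Azure AD DS case: a user object subject to the domain maximum
# age will break every MyWorkDrive login the day the password expires.
if ($adObject.ObjectClass -eq 'user' -and -not $adObject.PasswordNeverExpires) {
    Set-ADUser -Identity $adObject -PasswordNeverExpires $true
    Write-Host "Set PasswordNeverExpires on user $($adObject.Name)."
}
```

Run it once after enabling Active Directory authentication and again whenever users start failing to log in to MyWorkDrive with AD credentials; a false SpnPresent or a PasswordLastSet older than DomainMaxPasswordAge on a user object points at the cause described above, and the remedy is the password reset and Kerberos key re-sync the article mentions.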
Assign Share Permissions
Even though we will be assigning and using Active Directory NTFS permissions, Azure file shares currently require that permissions also be set at the share level using user accounts or groups synced to Azure AD. Assign identity share permissions; for example, "Storage File Data SMB Share Elevated Contributor" allows read, write, delete and modify.
There are three Azure built-in roles for granting share-level permissions to users:
- Storage File Data SMB Share Reader allows read access in Azure Storage file shares over SMB.
- Storage File Data SMB Share Contributor allows read, write, and delete access in Azure Storage file shares over SMB.
- Storage File Data SMB Share Elevated Contributor allows read, write, delete, and modify Windows ACLs in Azure Storage file shares over SMB.
One of these share-level roles needs to be assigned in addition to Active Directory NTFS permissions, regardless of any other Azure roles already in place (e.g. Owner). Active Directory groups synced from the local domain can be used, but note that Azure AD Connect excludes built-in security groups from directory synchronization.
Microsoft has also enabled a way to assign share-level permissions for all users instead of assigning them on a user-by-user basis. Details are available in this updated Microsoft documentation.
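An added example of assigning the three share-level roles by least privilege with the Az PowerShell module (example code, not from the article or from MyWorkDrive): each synced AD group gets exactly the role it needs, the assignment is scoped to the single file share rather than the whole storage account, and the script finishes by listing who holds any SMB share role at that scope, since Elevated Contributor lets its members rewrite the NTFS ACLs the next section sets. It assumes Connect-AzAccount has already been run and that the resource group rg-files, storage account contosofiles, share finance and the three group names are placeholders you replace with your own.

```powershell
# Added example, not from the original article. Assumed: Az module installed and
# Connect-AzAccount already run; resource group, account, share and group names
# below are placeholders.
$Sub   = (Get-AzContext).Subscription.Id
$Rg    = 'rg-files'
$Acct  = 'contosofiles'
$Share = 'finance'

# Scope the assignment to the one share, not the storage account or subscription.
$Scope = "/subscriptions/$Sub/resourceGroups/$Rg/providers/Microsoft.Storage/storageAccounts/$Acct/fileServices/default/fileshares/$Share"

# Least privilege: readers cannot write, editors cannot touch ACLs, and only the
# admin group gets the role that can modify Windows ACLs over SMB.
$assignments = @{
    'Finance-Readers' = 'Storage File Data SMB Share Reader'
    'Finance-Editors' = 'Storage File Data SMB Share Contributor'
    'Finance-Admins'  = 'Storage File Data SMB Share Elevated Contributor'
}

foreach ($entry in $assignments.GetEnumerator()) {
    # The group must exist in Azure AD, i.e. be synced by Azure AD Connect.
    $group = Get-AzADGroup -DisplayName $entry.Key
    if (-not $group) {
        Write-Warning "Group '$($entry.Key)' not found in Azure AD (not synced?); skipping."
        continue
    }
    $existing = Get-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $entry.Value -Scope $Scope
    if ($existing) {
        Write-Host "$($entry.Key) already holds '$($entry.Value)' on $Share."
    } else {
        New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $entry.Value -Scope $Scope | Out-Null
        Write-Host "Assigned '$($entry.Value)' to $($entry.Key) on $Share."
    }
}

# Audit: every SMB share role effective at this scope, including ones inherited
# from the storage account, resource group or subscription.
Get-AzRoleAssignment -Scope $Scope |
    Where-Object { $_.RoleDefinitionName -like 'Storage File Data SMB Share*' } |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope |
    Format-Table -AutoSize
```

The audit output is worth keeping: an Elevated Contributor assignment inherited from a broad scope such as the subscription gives far more than the NTFS ACLs suggest, because it can change those ACLs.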
Assign NTFS Permissions
Using the same drive mapped earlier with your storage account key, add NTFS permissions for Active Directory users or groups to the mapped drive at the share or desired directory levels. Test the new NTFS permissions by mapping a drive to the private endpoint address with an AD user's credentials, e.g. \\azure-file-share.file.core.windows.net\share.
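The NTFS step and its verification as a script, added here as an example and not taken from the article or from MyWorkDrive: it grants an AD group Modify (rather than Full Control, which would let members change the ACL itself) on a folder of the key-mapped drive with inheritance to children, shows the explicit entries that result, and then re-maps the share with an AD user's credentials to confirm the Kerberos path works end to end. Windows allows only one set of credentials per server from a session, so the key-mapped drive is disconnected before the AD-credential mapping; otherwise you get system error 1219. The drive letter Z, folder Finance, domain CONTOSO, group Finance-Editors and storage account contosofiles are assumed placeholders.

```powershell
# Added example, not from the original article. Assumed: share still mapped as Z: with
# the storage account key (previous step); CONTOSO\Finance-Editors is an AD group
# synced to Azure AD; account/share names are placeholders.
$Folder  = 'Z:\Finance'
$Group   = 'CONTOSO\Finance-Editors'
$UncPath = '\\contosofiles.file.core.windows.net\finance'

New-Item -ItemType Directory -Path $Folder -Force | Out-Null

# Grant Modify, not Full Control: members can create, change and delete files
# but cannot rewrite permissions. Inherit to all child folders and files.
$acl  = Get-Acl -Path $Folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Group,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.SetAccessRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Show only the entries set explicitly on this folder, not inherited ones.
(Get-Acl -Path $Folder).Access |
    Where-Object { -not $_.IsInherited } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags -AutoSize

# Verify with a real AD identity rather than the account key. Windows permits one
# credential per server per session, so drop the key-based mapping first.
net use Z: /delete | Out-Null
$adCred = Get-Credential -Message 'AD user who is a member of the group'
New-PSDrive -Name Y -PSProvider FileSystem -Root $UncPath -Credential $adCred | Out-Null

$probe = Join-Path 'Y:\Finance' 'acl-check.txt'
'written via AD credentials' | Set-Content -Path $probe
Write-Host "Write as $($adCred.UserName) succeeded: $(Test-Path $probe)"
Remove-Item $probe -ErrorAction SilentlyContinue
Remove-PSDrive -Name Y
```

If the AD-credential mapping fails while the key mapping worked, the share-level role from the previous section is missing for that user or their group, or the storage account's AD object is not healthy; if the mapping succeeds but the write fails, the NTFS ACL is the problem.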
Install MyWorkDrive Server
Using a new server or the Server 2019 machine already joined to Active Directory in Azure, set up MyWorkDrive Server just as you would any MyWorkDrive Server. When adding your first share, use your new Azure file share UNC path as the file share path, e.g. \\azure-file-share.file.core.windows.net\share.
Optionally enable MyWorkDrive Azure AD Single Sign-On
If users are synced from Active Directory (AD DS) to Azure AD, they can log in with single sign-on using their Azure AD credentials through our MyWorkDrive Azure AD SAML/Single Sign-on integration, after allowing delegation of the Azure file share computer object in Active Directory (when Azure file shares are added to Active Directory, a corresponding computer account object is created).
Option 2: Connect Azure File Sync with MyWorkDrive On-Premise
With Azure File Sync, multiple locations can be synced from on-premise to Azure Files and to remote locations. Using Azure File Sync is another alternative for connecting your Active Directory, since NTFS ACLs are synced in addition to files and folders. Furthermore, Azure File Sync supports preserving, inheriting, and enforcing Microsoft file system NTFS ACLs on all folders and files in a file share.
To connect MyWorkDrive to Azure file shares, simply point them to the local server hosting the sync copy of your Azure file shares. From a MyWorkDrive perspective, nothing has changed – NTFS permissions and file locks are honored.
Azure File Sync extends file services from on-premise to Cloud Storage on Azure file shares and across Windows Servers in multiple locations. Microsoft engineers interviewed customers and confirmed that Windows File Shares are still in use for a multitude of reasons. The customer pain points identified include speed of access, control of data and large storage capacities. Azure File Sync addresses these concerns.
Azure File Sync Key Features
- Bi-Directional Sync – from Windows Server to Azure Cloud Storage with write back capabilities
- Multi-Site Sync – Sync a share across multiple Windows Servers through Azure file shares to Cloud Storage with the ability to cache and edit data in real time at each site.
- Backup of Azure file shares to Azure Backup
- Tiering of data – set the maximum data storage capacities for each Windows Server and only replicate the most recent data to each server with the balance stored in Azure file Shares in the cloud.
Using MyWorkDrive, Windows file shares can be accessed from any location worldwide over HTTPS (port 443) from any Web Browser, the MyWorkDrive mapped drive client or mobile clients.