Windows 10 Azure AD domain joined & SMB share


Solution 1

I have encountered this question before. Essentially you are expecting to be able to get rid of your on-premises domain controller (DC) because you can join your laptops and workstations to Azure.

That is an incorrect understanding of Azure.

You still need a DC (a virtual machine (VM) in the cloud or a physical server).

That DC has Azure Active Directory (AAD) Connect installed and configured on it. That creates an account in AD that synchronizes accounts and passwords with AAD.

When a computer joined to AAD logs in it sends the login request to AAD. AAD then validates that authentication request against the information synchronized from AD.

So if you have workstations and laptops joined to AAD and they try to access a share on a server that is in a different domain than what AAD synchronizes with you are going to need to provide credentials that exist in the server which hosts the resources you are trying to access.

There are a few right ways to do this and I will give you two.

  1. If the clients are in a single location and will always be in the same location as the DC then join them to the domain regularly. For clients that will be used in other locations join those computers to AAD and install AAD Connect in the DC.
  2. If you want to move all of the servers out of your office spin up a VM for your DC in Azure and deploy a cloud firewall in front of your VM. Create a Site-to-Site Virtual Private Network (VPN) between the cloud firewall and your office firewall. Now join computers that will always be in the office to the domain like normal, join computers that are going to be used remotely to AAD, and install AAD Connect on the DC.

Solution 2

After much research and testing, here's the solution that worked for me! This is how to connect to a local network resource (such as an SMB share, local server, etc.) from an Azure AD connected Windows 10 Pro computer, logged in as the end user:

1) Search 'cred' and open Credential Manager

2) Choose Windows Credentials

3) Click 'Add a Windows credential'

  • Internet or network address: enter the network location, such as a LAN IP address or network share
  • User name: domain\User
  • Password: enter user's password

Example:

  • Internet or network address: \\fileserver\share
  • User name: example.local\Administrator
  • Password: admin password

With the above in place, Windows will check the credentials against the local domain server (in this case example.local) and grant or deny access to the network share.
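The same three steps can be scripted instead of clicked through. The PowerShell script below is an added example, not part of the original answer: it stores the credential for the on-premises file server in Credential Manager with `cmdkey`, then maps the share with `net use` so the stored entry is actually exercised. The server, share, domain and account names are assumed placeholders, and it uses a dedicated share account rather than the `Administrator` account from the answer's example, since whatever is stored here is usable by anything running in that user's profile.

```powershell
# Added example (not from the original answer): store a credential for an on-premises
# file server in Credential Manager and map the share, mirroring Solution 2's GUI steps.
# Assumed placeholders: fileserver, share, example.local, shareuser, Z:.
param(
    [string]$Server = 'fileserver',      # assumed host name of the SMB server
    [string]$Share  = 'share',           # assumed share name on that server
    [string]$Domain = 'example.local',   # on-premises domain, as in the answer's example
    [string]$User   = 'shareuser',       # assumed least-privilege account, not Administrator
    [string]$Drive  = 'Z:'               # assumed drive letter to map
)

$unc = "\\$Server\$Share"

# Prompt for the password instead of embedding it in the script or leaving it in shell history.
$secure = Read-Host -Prompt "Password for $Domain\$User" -AsSecureString
$cred   = New-Object System.Management.Automation.PSCredential("$Domain\$User", $secure)

# Step 3 of the answer via cmdkey. The target is the server name, so the entry applies to
# every share on that host; Credential Manager protects it with DPAPI for this user profile.
$plain = $cred.GetNetworkCredential().Password
cmdkey /add:$Server /user:"$Domain\$User" /pass:"$plain" | Out-Null
Remove-Variable plain

# Confirm the entry exists (cmdkey lists the target and user name, never the password).
cmdkey /list:$Server

# The "Network folder is mapped using a different user" message from the comment thread comes
# from an existing SMB session to the same server under other credentials; drop it first.
net use $unc /delete 2>$null | Out-Null

# Map the drive. Windows now resolves the stored credential for $Server on its own.
net use $Drive $unc /persistent:yes
if ($LASTEXITCODE -ne 0) {
    Write-Error "Mapping $unc failed; inspect the stored entry with: cmdkey /list:$Server"
    exit 1
}

# Show that the share is readable under the mapped drive.
Get-ChildItem -Path "$Drive\" | Select-Object -First 5
```

Run it in the signed-in user's own PowerShell session, not an elevated one: Credential Manager entries are per user, and a credential stored under an administrator's profile will not be seen when the end user opens the share. If the mapping still fails, `cmdkey /list` shows whether the entry landed under the expected target name, which must match the host name used in the UNC path.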


Author: user3129787
Updated on September 18, 2022

Comments

  • user3129787, almost 2 years

    I have a number of Windows 10 clients domain joined to Azure AD. I still have a local Windows 2012 R2 server onsite with a number of shares I wish to map to from the Windows 10 clients. But if I try accessing the UNC path from a client I get "you do not have permissions to access the server", even if I add the credentials into Credential Manager. If I try to use the drive map wizard it shows "Network folder is mapped using a different user" even though there are no other connections to the server.

    • Appleoddity, over 6 years
      Are the machines also domain joined locally? Is the 2012 server also Azure AD joined?
    • user3129787, over 6 years
      The Windows 10 machines are joined to Azure AD; the 2012 server is a domain controller, although I can demote it to standalone as no clients are using that domain anymore.
    • Appleoddity, over 6 years
      Is there a reason you don't have the machines joined to the domain anymore? I know you can run all cloud, but if you are running an on-premise server and domain controller / file server, the computers can be connected to both the on-premise domain and Azure AD in hybrid. The only way I can think of otherwise to do this is to join the file server to the Azure domain. Even then I'm not familiar with access control using only AAD, sorry.
    • Appleoddity, over 6 years
      Well you can access local resources, but if you're going to have any form of authentication there has to be a central directory of some sort. Typically that is a domain controller. Otherwise there need to be individual accounts created on the server, or NAS or whatever it is. You'll need to see what access control you can use on a Windows file server with AAD.
    • user3129787, over 6 years
      If I add credentials to Credential Manager and type the UNC path in, it says I don't have access; if I try to map it, it says it already exists. If it was not using a cloud account and not domain joined it would connect using this method. Connecting to a server is not the issue, it just seems to not work if logged in using a cloud account. The problem is I can't access local resources.
    • Kenneth Bess, over 6 years
      Are the users logging on to the Azure Domain Joined PC synched from your on-prem domain? If yes, there should not be any problems accessing SMB shares on your server. Br,
    • user3129787, over 6 years
      No, they are not synced. I expected Windows to ask for credentials if it can't access the shared drive; it doesn't, so I have no way of mapping a drive. The domain will be going soon so I'm not adding any more devices to this domain. I believe Windows 10, when Azure joined, should act like any older OS and ask for username and password when accessing a share, whether the share is in a domain or not.
  • bogdanbujdea, about 3 years
    I managed to connect to Samba from an Azure joined computer by using the command line: net use * \\server\path thewindev.net/…