Azure File Shares do not behave the same as an SMB share hosted on a Windows Server, and there are extra challenges when you connect from non-domain-joined computers. In this blog I’ll go over the lessons I learned implementing them.

Feel free to shoot me a message on LinkedIn if you need help with any of these steps!

DFS Namespaces – Important!

DFS-N is vital for a good experience. Azure File Shares do not have a \\server\IPC$ root share: access to it is blocked, and Office applications and Explorer do not like this, resulting in a regular hang of roughly 30 seconds. Explorer is slow, and Office documents take a long time to load. Fronting the share with a DFS namespace gives clients a normal domain-hosted namespace root to talk to, so the blocked root share is never touched. You can verify this behavior with Process Explorer.

Follow this doc to implement it: https://learn.microsoft.com/en-us/azure/storage/files/files-manage-namespaces?tabs=azure-portal
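To show what the linked doc boils down to, here is an added PowerShell example (not from the original post) that creates a domain-based DFS namespace and a folder whose target is the Azure file share. It assumes the DFS Namespaces role service and its DFSN PowerShell module are installed on the namespace server you run it on, that you are a domain admin, and that the domain, server, share and storage account names are placeholders.

```powershell
# Added example, not the post's own code. Creates \\corp.example.com\files\docs
# as a DFS-N folder that points at the Azure file share, so clients browse the
# namespace instead of touching the storage account root directly.
# Placeholders: $Domain, $NamespaceHost, $ShareName, $StorageAccount.
$Domain         = 'corp.example.com'        # AD domain (placeholder)
$NamespaceHost  = 'FS01'                    # namespace server running this script (placeholder)
$NamespaceName  = 'files'
$ShareName      = 'docs'
$StorageAccount = 'storageaccount'          # placeholder
$AzurePath      = "\\$StorageAccount.file.core.windows.net\$ShareName"
$RootPath       = "\\$Domain\$NamespaceName"

# A DomainV2 (Windows Server 2008 mode) root is backed by a share on the
# namespace server; create the folder and share if they do not exist yet.
$LocalRoot = "C:\DFSRoots\$NamespaceName"
if (-not (Test-Path $LocalRoot)) {
    New-Item -ItemType Directory -Path $LocalRoot | Out-Null
}
if (-not (Get-SmbShare -Name $NamespaceName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $NamespaceName -Path $LocalRoot -ReadAccess 'Everyone' | Out-Null
}

# Create the namespace root unless it already exists
if (-not (Get-DfsnRoot -Path $RootPath -ErrorAction SilentlyContinue)) {
    New-DfsnRoot -Path $RootPath -TargetPath "\\$NamespaceHost\$NamespaceName" -Type DomainV2 | Out-Null
}

# Add a folder whose single target is the Azure file share; if the folder is
# already there, just add the Azure share as a target.
$FolderPath = "$RootPath\$ShareName"
if (-not (Get-DfsnFolder -Path $FolderPath -ErrorAction SilentlyContinue)) {
    New-DfsnFolder -Path $FolderPath -TargetPath $AzurePath | Out-Null
} else {
    New-DfsnFolderTarget -Path $FolderPath -TargetPath $AzurePath | Out-Null
}

# Check: the folder target should be the storage account endpoint and be online
Get-DfsnFolderTarget -Path $FolderPath | Select-Object Path, TargetPath, State
```

Clients then map \\corp.example.com\files\docs (or the G: drive in the script further down) and the DFS referral sends them to the storage account only for the folder itself.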

Azure Defender for Storage Accounts

I like the idea of an extra AV layer on the Storage Account, but performance was impacted negatively; I recommend turning this function off and securing the endpoint properly.

Private Endpoints

If possible, use private endpoints to secure network access and limit exposure to the internet, so the share is only reachable from your VNet or over VPN.
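As an added example (not from the original post), the following Az PowerShell script puts the file service of the storage account behind a private endpoint, creates the matching private DNS zone so the storage name resolves to the private IP inside the VNet, and then closes the public endpoint. It assumes the Az.Accounts, Az.Storage, Az.Network and Az.PrivateDns modules are installed, Connect-AzAccount has been run, and the resource group, account, VNet and subnet names are placeholders.

```powershell
# Added example, not the post's own code. Private endpoint for Azure Files plus
# public-endpoint lockdown. Placeholders: $rg, $saName, $vnetName, $subnetName.
$rg         = 'rg-files'                 # placeholder
$saName     = 'storageaccount'           # placeholder
$vnetName   = 'vnet-hub'                 # placeholder
$subnetName = 'snet-privateendpoints'    # placeholder
$zoneName   = 'privatelink.file.core.windows.net'   # fixed zone name for Azure Files

$sa     = Get-AzStorageAccount -ResourceGroupName $rg -Name $saName
$vnet   = Get-AzVirtualNetwork  -ResourceGroupName $rg -Name $vnetName
$subnet = $vnet.Subnets | Where-Object { $_.Name -eq $subnetName }

# 1. Private endpoint for the "file" sub-resource of the storage account
$conn = New-AzPrivateLinkServiceConnection -Name "$saName-file" `
            -PrivateLinkServiceId $sa.Id -GroupId 'file'
$pe = New-AzPrivateEndpoint -ResourceGroupName $rg -Name "pe-$saName-file" `
            -Location $sa.Location -Subnet $subnet -PrivateLinkServiceConnection $conn

# 2. Private DNS zone linked to the VNet; clients outside the VNet need a
#    conditional forwarder for this zone (see the DNS notes under Domain Authentication)
try   { $zone = Get-AzPrivateDnsZone -ResourceGroupName $rg -Name $zoneName -ErrorAction Stop }
catch { $zone = New-AzPrivateDnsZone -ResourceGroupName $rg -Name $zoneName }
try   { Get-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $zoneName -Name "$vnetName-link" -ErrorAction Stop | Out-Null }
catch {
    New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $zoneName `
        -Name "$vnetName-link" -VirtualNetworkId $vnet.Id | Out-Null
}
$zoneConfig = New-AzPrivateDnsZoneConfig -Name 'privatelink-file' -PrivateDnsZoneId $zone.ResourceId
New-AzPrivateDnsZoneGroup -ResourceGroupName $rg -PrivateEndpointName $pe.Name `
    -Name 'default' -PrivateDnsZoneConfig $zoneConfig | Out-Null

# 3. Close the public endpoint: deny by default, allow only trusted Azure services
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $saName `
    -DefaultAction Deny -Bypass AzureServices | Out-Null

# Check: the private link connection is approved and the public default action is Deny
Get-AzPrivateEndpoint -ResourceGroupName $rg -Name $pe.Name |
    Select-Object -ExpandProperty PrivateLinkServiceConnections |
    Select-Object Name, @{ n = 'Status'; e = { $_.PrivateLinkServiceConnectionState.Status } }
(Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $saName).DefaultAction
```

With the public endpoint denied, a client that still resolves the storage name to a public IP (missing forwarder, wrong DNS server) will fail on the network path rather than on authentication, which is worth remembering when troubleshooting the steps below.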

Domain Authentication

Authentication works great from devices joined to Microsoft Entra Domain Services or to regular on-premises AD DS, but it is a bit tricky from Entra ID-joined or non-domain-joined devices.

  1. For all devices:
    • You need DNS resolution from the client to both the domain and the storage account endpoint.
      • Verify with nslookup <domain> and nslookup <storageaccount>.file.core.windows.net.
      • Configure conditional forwarders to your domain if you are connecting from a different location (for example a branch or VPN client that uses another DNS server).
  2. For non-domain-joined devices:
    • From a non-domain-joined computer you can only connect with a net use command. The password has to be provided on the same line (there is no password prompt).
      • Authenticate with: net use \\storageaccount\share /U:username@fqdndomain.com password
      • fqdndomain.com must be the AD domain name, not the user’s UPN domain or e-mail domain.
      • Caveat: the password then sits in the console history and in the process command line while net use runs, so prompt for it in a script rather than hard-coding it.
    • You’ll have to disable “Secure transfer required” in the storage account configuration. Be aware that this lets the account accept SMB sessions without encryption, so combine it with private endpoints or VPN so unencrypted SMB never crosses the internet.
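The checks and the net use call from the steps above, put together as an added PowerShell example for a non-domain-joined (for example Entra ID-joined) Windows client. This is not code from the original post; the AD domain, storage account and share names are placeholders, and it assumes the client can reach the storage account over VPN or the VNet.

```powershell
# Added example, not the post's own code. Pre-flight DNS and port checks, then the
# net use connection with the user given as user@<AD domain>.
# Placeholders: $AdDomain, $StorageAccount, $ShareName.
$AdDomain       = 'fqdndomain.com'      # AD domain name, NOT the UPN / e-mail domain
$StorageAccount = 'storageaccount'      # placeholder
$ShareName      = 'share'               # placeholder
$Endpoint       = "$StorageAccount.file.core.windows.net"
$UncPath        = "\\$Endpoint\$ShareName"

# 1. Both names must resolve from this client (the nslookup checks from the post).
#    With a private endpoint the storage name should come back as a private IP.
foreach ($name in @($AdDomain, $Endpoint)) {
    try {
        $ips = (Resolve-DnsName -Name $name -Type A -ErrorAction Stop).IPAddress
        Write-Host ("{0,-45} -> {1}" -f $name, ($ips -join ', '))
    } catch {
        Write-Warning "Cannot resolve $name - fix DNS / conditional forwarders first"
        return
    }
}

# 2. SMB needs TCP 445; many ISPs and guest networks block it, so test this
#    before blaming authentication.
$smb = Test-NetConnection -ComputerName $Endpoint -Port 445 -WarningAction SilentlyContinue
if (-not $smb.TcpTestSucceeded) {
    Write-Warning "TCP 445 to $Endpoint is blocked - connect to the VPN or fix the network path"
    return
}

# 3. Collect the credential without echoing the password, then hand it to net use,
#    which needs the password on the same line when the client is not domain joined.
$cred  = Get-Credential -Message "Password for your $AdDomain account" -UserName "$env:USERNAME@$AdDomain"
$plain = $cred.GetNetworkCredential().Password
# Caveat: the password is visible in the net.exe command line while it runs.
net use $UncPath /USER:$($cred.UserName) $plain
$plain = $null
if ($LASTEXITCODE -ne 0) {
    Write-Warning "net use failed (exit $LASTEXITCODE): check the user@$AdDomain form and the password"
    return
}

# 4. Check: the session is listed and the share is browsable
net use | Select-String -SimpleMatch $Endpoint
Get-ChildItem $UncPath | Select-Object -First 5 Name, LastWriteTime
```

If step 1 succeeds but step 2 fails from a home network, the usual cause is the ISP blocking port 445, which is exactly where the VPN or private endpoint path comes in.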

User connections are tricky from non-domain-joined devices. The best option is a script that prompts the user for username and password and then connects to the DFS and Storage Account paths. The batch script below assumes the device is Entra ID joined, so whoami /upn returns the user’s UPN to pre-fill the username.

@ECHO OFF
setlocal enableextensions disabledelayedexpansion

:start
echo ...
echo ...

echo Welcome to the drive mapper.
echo You need to launch this every time you can't access your drive.
echo ...
echo ...

FOR /F "tokens=1 delims=@" %%i in ('whoami /upn') do (
set ptsusername=%%i
)

echo Your detected username is: %ptsusername%
set /p ptsusername=Press enter to continue or enter a different username:


rem Call the subroutine to get the password    
    call :getPassword password 

rem Echo what the function returns
    if defined password (
        echo Connecting to drives...
    ) else (
        echo You have typed nothing
        goto start
    )

rem Map the DFS namespace and authenticate to the storage account directly.
rem domain.com is the AD domain name (see above), not the user's UPN or e-mail domain.
rem Each net use is checked on its own; a single check after both calls would
rem miss a failed DFS mapping.
net use G: \\DFS.fqdn.com\SHARE /U:%ptsusername%@domain.com %password%
if %ERRORLEVEL% neq 0 goto ProcessError
net use \\storageaccount.file.core.windows.net\shares\script_auth /U:%ptsusername%@domain.com %password%
if %ERRORLEVEL% neq 0 goto ProcessError

rem The password is no longer needed once the sessions exist; drop it from the environment
set "password="

echo ...
echo ...

REM echo Connection successful, you now have a G: mapping.
REM pause
explorer G:\
exit /b 0

:ProcessError
rem Clear the password before looping back to the prompt
set "password="
echo Connection unsuccessful. Please check your username and password, internet/VPN connection, or contact support.
echo ...
echo email: 
echo phone:
pause

goto start

rem Subroutine to get the password
:getPassword returnVar
    setlocal enableextensions disabledelayedexpansion
    set "_password="

    rem We need a backspace to handle character removal
    for /f %%a in ('"prompt;$H&for %%b in (0) do rem"') do set "BS=%%a"

    rem Prompt the user 
    set /p "=password ?:" <nul 

:keyLoop
    rem retrieve a keypress
    set "key="
    for /f "delims=" %%a in ('xcopy /l /w "%~f0" "%~f0" 2^>nul') do if not defined key set "key=%%a"
    set "key=%key:~-1%"

    rem handle the keypress 
    rem     if No keypress (enter), then exit
    rem     if backspace, remove character from password and console
    rem     else add character to password and go ask for next one
    if defined key (
        if "%key%"=="%BS%" (
            if defined _password (
                set "_password=%_password:~0,-1%"
                setlocal enabledelayedexpansion & set /p "=!BS! !BS!"<nul & endlocal
            )
        ) else (
            set "_password=%_password%%key%"
            set /p "=*"<nul
        )
        goto :keyLoop
    )
    echo(
    rem return password to caller
    if defined _password ( set "exitCode=0" ) else ( set "exitCode=1" )
    endlocal & set "%~1=%_password%" & exit /b %exitCode%
