Azure File Shares do not behave the same as a SMB share hosted on a Windows Server and there are challenges when you connect from non-domain joined computers. In this blog I’ll go over the lessons I learned implementing them.
Feel free to shoot me a message on LinkedIn if you need help with any of these steps!
DFS Namespaces – Important!
DFS-N is vital for a good experience. Azure File Shares no not have an \\server\IPC$ root share, access is blocked and Office applications and Explorer do not like this resulting in a regularly +- 30 seconds hang. Explorer is slow, and Office documents take a long time to load. You can verify this behavior with process explorer.
Follow this doc to implement: https://learn.microsoft.com/en-us/azure/storage/files/files-manage-namespaces?tabs=azure-portal
Azure Defender for Storage Accounts
I like the idea of an extra AV on the Storage Account, but the performance was impacted negatively, I recommend to turn this function off and secure the endpoint properly.
Private Endpoints
If possible, use private endpoints to secure network access and limit exposure from internet.
Domain Authentication
Authentication works great from Entra ADDS or regular DS joined devices, but it’s a bit tricky from EntraID or non-domain joined devices.
- For all devices:
- You need dns resolution from the client to the storage account and the domain.
- Verify your access with nslookup domain & nslookup storage account endpoint
- Configure conditional forwarders to your domain if you’re connecting form a different location.
- You need dns resolution from the client to the storage account and the domain.
- For non-domain joined devices:
- If you authenticate from an non domain joined computer, you can only connect with a net use command. The password needs to be provided on the same line (there’s no password prompt).
- authenticate with: net use \\storageaccount\share /U:[email protected] password
- fqdndomain.com should be the domain name, not the user UPN domain or user Email domain.
- You’ll have to disable “Secure transfer required” in the storage account configuration.
- If you authenticate from an non domain joined computer, you can only connect with a net use command. The password needs to be provided on the same line (there’s no password prompt).
User connections are tricky from non-domain joined devices. Best is to leverage a script prompting the user for username and password, and connect to the DFS and Storage Account paths. The script below assumes your EntraID joined.
@ECHO OFF
setlocal enableextensions disabledelayedexpansion
:start
echo ...
echo ...
echo Welcome to the drive mapper.
echo You need to launch this every time you can't access your drive.
echo ...
echo ...
FOR /F "tokens=1 delims=@" %%i in ('whoami /upn') do (
set ptsusername=%%i
)
echo Your detected username is: %ptsusername%
set /p ptsusername=Press enter to continue or enter a different username:
rem Call the subroutine to get the password
call :getPassword password
rem Echo what the function returns
if defined password (
echo Connecting to drives...
) else (
echo You have typed nothing
goto start
)
net use G: \\DFS.fqdn.com\SHARE /U:%ptsusername%@domain.com %password%
net use \\storageaccount.file.core.windows.net\shares\script_auth /U:%ptsusername%@domain.com %password%
echo ...
echo ...
if %ERRORLEVEL% neq 0 goto ProcessError
REM echo Connection successfull, you now have a G: mapping.
REM pause
explorer G:\
exit /b 0
:ProcessError
echo Connecting unsuccessfull. Please check your username and password, internet/vpn connection, or contact support.
echo ...
echo email:
echo phone:
pause
goto start
rem Subroutine to get the password
:getPassword returnVar
setlocal enableextensions disabledelayedexpansion
set "_password="
rem We need a backspace to handle character removal
for /f %%a in ('"prompt;$H&for %%b in (0) do rem"') do set "BS=%%a"
rem Prompt the user
set /p "=password ?:" <nul
:keyLoop
rem retrieve a keypress
set "key="
for /f "delims=" %%a in ('xcopy /l /w "%~f0" "%~f0" 2^>nul') do if not defined key set "key=%%a"
set "key=%key:~-1%"
rem handle the keypress
rem if No keypress (enter), then exit
rem if backspace, remove character from password and console
rem else add character to password and go ask for next one
if defined key (
if "%key%"=="%BS%" (
if defined _password (
set "_password=%_password:~0,-1%"
setlocal enabledelayedexpansion & set /p "=!BS! !BS!"<nul & endlocal
)
) else (
set "_password=%_password%%key%"
set /p "=*"<nul
)
goto :keyLoop
)
echo(
rem return password to caller
if defined _password ( set "exitCode=0" ) else ( set "exitCode=1" )
endlocal & set "%~1=%_password%" & exit /b %exitCode%
No responses yet