- The article explains how to access on-premises file shares from Azure AD joined devices using different solutions, such as passwordless security key sign-in, Windows Hello for Business, or certificates.
- The article also answers some frequently asked questions about the benefits, prerequisites, and troubleshooting of accessing on-premises file shares from Azure AD joined devices.
- The article concludes by stating that accessing on-premises file shares from Azure AD joined devices is a common scenario for hybrid environments, but it requires some configuration and planning to ensure a secure and seamless experience for users.
If you have a hybrid environment with both Azure Active Directory (Azure AD) and on-premises Active Directory Domain Services (AD DS), you may want to enable your users to access on-premises file shares from their Azure AD joined devices. However, this is not a straightforward task, as Azure AD joined devices are not aware of your on-premises AD DS domain and cannot authenticate with it by default. In this article, we will explain the challenges and solutions for accessing on-premises file shares from Azure AD joined devices. We will also answer some frequently asked questions about this topic.
Table of Contents
- The Challenges of Accessing On-Premises File Shares from Azure AD Joined Devices
- The Solutions for Accessing On-Premises File Shares from Azure AD Joined Devices
- Solution 1: Enable Passwordless Security Key Sign-In to On-Premises Resources with Azure AD
- Solution 2: Configure Microsoft Entra Joined Devices for On-Premises Single Sign-On using Windows Hello for Business
- Solution 3: Use Certificates for AADJ On-Premises Single Sign-On
- Frequently Asked Questions About Accessing On-Premises File Shares from Azure AD Joined Devices
- Conclusion
The Challenges of Accessing On-Premises File Shares from Azure AD Joined Devices
On-premises file shares are typically secured by NTFS permissions that rely on AD DS user accounts and groups. To access these file shares, users need to provide their AD DS credentials, which are usually the same as their Windows logon credentials. However, Azure AD joined devices use Azure AD credentials for Windows logon, which are different from AD DS credentials. Therefore, users cannot access on-premises file shares from Azure AD joined devices using their Windows logon credentials.
There are some workarounds for this issue, such as:
- Mapping the file share as a network drive and providing the AD DS credentials manually. However, this is not a secure or convenient solution, as users have to remember and enter their AD DS credentials every time they access the file share.
- Using the same username and password for both Azure AD and AD DS accounts. However, this is not a recommended practice, as it can create security risks and synchronization issues.
- Using Microsoft Entra Connect or Microsoft Entra Connect cloud sync to synchronize user attributes between Azure AD and AD DS. However, this requires additional configuration and licensing, and it does not provide a seamless single sign-on (SSO) experience for users.
The Solutions for Accessing On-Premises File Shares from Azure AD Joined Devices
To enable users to access on-premises file shares from Azure AD joined devices without compromising security or convenience, you need to implement one of the following solutions:
- Enable passwordless security key sign-in to on-premises resources with Azure AD
- Configure Microsoft Entra joined devices for on-premises single sign-on using Windows Hello for Business
- Use certificates for AADJ on-premises single sign-on
We will explain each solution in detail below.
Solution 1: Enable Passwordless Security Key Sign-In to On-Premises Resources with Azure AD
This solution allows users to sign in to their Azure AD joined devices using a FIDO2 security key, such as a USB key or an NFC card. The security key acts as a smart card that can authenticate both with Azure AD and with on-premises AD DS domain controllers. This way, users can access on-premises file shares from their Azure AD joined devices using their security key, without entering any passwords.
To enable this solution, you need to:
- Register your security keys with Azure AD
- Configure your on-premises domain controllers to trust Azure AD
- Configure your on-premises file servers to accept smart card authentication
- Configure your Azure AD joined devices to use security keys for Windows logon
Solution 2: Configure Microsoft Entra Joined Devices for On-Premises Single Sign-On using Windows Hello for Business
This solution allows users to sign in to their Azure AD joined devices using Windows Hello for Business, which is a biometric or PIN-based authentication method that replaces passwords. Windows Hello for Business creates a cryptographic key pair that is bound to the device and the user identity in both Azure AD and AD DS. This way, users can access on-premises file shares from their Azure AD joined devices using Windows Hello for Business, without entering any passwords.
To enable this solution, you need to:
- Configure hybrid key trust or hybrid certificate trust deployment of Windows Hello for Business
- Configure your on-premises domain controllers to trust Azure AD
- Configure your on-premises file servers to accept Kerberos authentication
- Configure your Azure AD joined devices to use Windows Hello for Business for Windows logon
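The "configure your on-premises domain controllers to trust Azure AD" step that appears in both Solution 1 and Solution 2 comes down to creating an Azure AD Kerberos server object in the on-premises domain, so that Azure AD can issue partial Kerberos tickets the device exchanges with a domain controller. The following PowerShell is an added example, not from the original article; it assumes Microsoft's AzureADHybridAuthenticationManagement module, a domain-joined admin workstation with internet access, Global Administrator and Domain Admin credentials, and a placeholder domain name.

```powershell
# Added example (not from the original article): create and verify the
# Azure AD Kerberos server object for the on-premises domain.
# Assumptions: run on a domain-joined Windows admin workstation with internet
# access; the caller can supply Global Administrator (Azure AD) and Domain
# Admin (AD DS) credentials. The domain name is a placeholder.

$domain = "corp.example.com"   # placeholder: replace with your AD DS DNS name

# Microsoft's module from the PowerShell Gallery.
Install-Module -Name AzureADHybridAuthenticationManagement -AllowClobber -Scope CurrentUser

# Prompt for each credential separately; never embed either in a script.
$cloudCred  = Get-Credential -Message "Azure AD Global Administrator (UPN)"
$domainCred = Get-Credential -Message "AD DS Domain Administrator (DOMAIN\user)"

# Creates the AzureADKerberos computer object and the krbtgt_AzureAD account
# in the on-premises domain and registers the matching object in Azure AD.
Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred

# Verify both halves exist and agree: the on-premises KeyVersion and the
# CloudKeyVersion in the output should match.
Get-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred

# krbtgt_AzureAD is a domain-wide trust key; rotate it on the same schedule
# as your other krbtgt keys with the -RotateServerKey switch:
# Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred `
#     -DomainCredential $domainCred -RotateServerKey

# On an Azure AD joined client, after a security-key or Windows Hello for
# Business sign-in and with line of sight to a domain controller, confirm the
# device received both tickets:
#   dsregcmd /status   # SSO State should show "OnPremTgt : YES" and "CloudTgt : YES"
#   klist              # lists a krbtgt/CORP.EXAMPLE.COM ticket
```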
Solution 3: Use Certificates for AADJ On-Premises Single Sign-On
This solution allows users to sign in to their Azure AD joined devices using certificates that are issued by an enterprise certification authority (CA). The certificates are enrolled and managed by Microsoft Intune and can authenticate both with Azure AD and with on-premises AD DS domain controllers. This way, users can access on-premises file shares from their Azure AD joined devices using certificates, without entering any passwords.
To enable this solution, you need to:
- Configure an enterprise CA and a certificate template for user authentication
- Configure Microsoft Intune to deploy certificates to Azure AD joined devices
- Configure your on-premises domain controllers to trust the enterprise CA
- Configure your on-premises file servers to accept certificate authentication
- Configure your Azure AD joined devices to use certificates for Windows logon
Frequently Asked Questions About Accessing On-Premises File Shares from Azure AD Joined Devices
Here are some common questions and answers about accessing on-premises file shares from Azure AD joined devices:
Question: What are the benefits of accessing on-premises file shares from Azure AD joined devices?
Answer: Accessing on-premises file shares from Azure AD joined devices can provide the following benefits:
- Enhanced security: Users can access on-premises file shares without using passwords, which can reduce the risk of phishing, credential theft, and brute-force attacks.
- Improved user experience: Users can access on-premises file shares with SSO, which can save time and eliminate the hassle of remembering and entering multiple credentials.
- Simplified management: Administrators can manage user identities and devices in a single place, which can reduce complexity and overhead.
Question: What are the prerequisites for accessing on-premises file shares from Azure AD joined devices?
Answer: To access on-premises file shares from Azure AD joined devices, you need to have:
- An Azure AD tenant with a valid subscription
- An on-premises AD DS domain with Windows Server 2016 or later domain controllers
- An on-premises file server with Windows Server 2016 or later
- A VPN or other network infrastructure to connect Azure AD joined devices to the on-premises network
- A FIDO2 security key, Windows Hello for Business, or a certificate for user authentication
Question: How can I troubleshoot issues with accessing on-premises file shares from Azure AD joined devices?
Answer: If you encounter any issues with accessing on-premises file shares from Azure AD joined devices, you can try the following steps:
- Check the network connectivity between the device and the file server
- Check the device registration status in Azure AD
- Check the user authentication method and credentials
- Check the NTFS permissions and share permissions on the file server
- Check the event logs on the device, the domain controller, and the file server
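The five troubleshooting steps above can be run from the Azure AD joined client in one pass. The function below is an added example, not from the original article; the file server, share and domain names are placeholders, and reading some event logs may require an elevated prompt. It only reads state and changes nothing.

```powershell
# Added example (not from the original article): run the troubleshooting
# checks from the Azure AD joined client. Server, share and domain names are
# placeholders. Nothing here changes configuration.
function Test-OnPremShareAccess {
    param(
        [Parameter(Mandatory)] [string] $FileServer,  # e.g. fs01.corp.example.com
        [Parameter(Mandatory)] [string] $Share,       # e.g. Finance
        [Parameter(Mandatory)] [string] $Domain       # e.g. corp.example.com
    )
    # 1. Network connectivity: SMB is TCP 445 to the file server, and Kerberos
    #    needs a reachable domain controller (located here via nltest).
    $smb = Test-NetConnection -ComputerName $FileServer -Port 445 -WarningAction SilentlyContinue
    $null = nltest "/dsgetdc:$Domain" 2>&1
    $dcFound = ($LASTEXITCODE -eq 0)
    # 2. Device registration and SSO state. In the SSO State block of dsregcmd,
    #    AzureAdPrt, OnPremTgt and CloudTgt should all be YES for passwordless
    #    access to on-premises resources to work.
    $status    = dsregcmd /status
    $joined    = [bool]($status | Select-String 'AzureAdJoined\s*:\s*YES')
    $prt       = [bool]($status | Select-String 'AzureAdPrt\s*:\s*YES')
    $onPremTgt = [bool]($status | Select-String 'OnPremTgt\s*:\s*YES')
    # 3. Authentication method: the logon session should hold a Kerberos TGT
    #    for the on-premises realm (krbtgt/<REALM> in klist output).
    $hasTgt = [bool](klist 2>&1 | Select-String ("krbtgt/" + $Domain.ToUpper()))
    # 4. Permissions: open the share with the current credentials. A logon
    #    failure points at Kerberos; an access-denied error points at share or
    #    NTFS permissions on the server (Get-SmbShareAccess / Get-Acl there).
    try { $null = Get-Item -LiteralPath "\\$FileServer\$Share" -ErrorAction Stop; $shareError = $null }
    catch { $shareError = $_.Exception.Message }
    # 5. Event logs: recent errors from the client's Azure AD plug-in. Pair
    #    with Security events 4768/4771 on the domain controller (TGT requests)
    #    and 4624/4625 on the file server (logon success/failure).
    $aadErrors = Get-WinEvent -LogName 'Microsoft-Windows-AAD/Operational' -MaxEvents 50 -ErrorAction SilentlyContinue |
        Where-Object { $_.Level -eq 2 } | Select-Object -First 5 TimeCreated, Id, Message
    [pscustomobject]@{
        SmbPort445Open        = $smb.TcpTestSucceeded
        DomainControllerFound = $dcFound
        AzureAdJoined         = $joined
        HasPrt                = $prt
        HasOnPremTgt          = $onPremTgt
        HasKerberosTgt        = $hasTgt
        ShareError            = $shareError   # $null means the share opened
        RecentAadErrors       = $aadErrors
    }
}

Test-OnPremShareAccess -FileServer 'fs01.corp.example.com' -Share 'Finance' -Domain 'corp.example.com'
```

A result with SmbPort445Open true but HasOnPremTgt false usually means the device signed in without line of sight to a domain controller; reconnect the VPN, lock and unlock, and rerun.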
Conclusion
Accessing on-premises file shares from Azure AD joined devices is a common scenario for hybrid environments. However, it requires some configuration and planning to ensure a secure and seamless experience for users. In this article, we have explained the challenges and solutions for accessing on-premises file shares from Azure AD joined devices. We have also answered some frequently asked questions about this topic.
We hope this article was helpful for you. If you have any questions or feedback, please leave a comment below.
Disclaimer: This article is for informational purposes only and does not constitute professional advice. We are not affiliated with any of the products or services mentioned in this article. We recommend that you consult with a qualified network technician before making any changes to your network settings.