Enable Microsoft Entra Kerberos Authentication and Map Azure File Shares with Intune


Enable Microsoft Entra Kerberos Authentication for Hybrid User Accounts and Map Azure File Shares with Intune

Organizations moving file services to the cloud often adopt Azure Files. The challenge: how do you let users on Intune-managed devices access these shares securely, without relying on storage account keys or SAS tokens?

The answer is Microsoft Entra Kerberos authentication for hybrid user accounts. This feature allows hybrid users (on-prem synced to Entra ID) to access Azure File Shares with Kerberos tickets — the same way they’d access on-premises SMB shares.

In this post, we’ll cover:

  • What Entra Kerberos authentication is.
  • How to enable it for Azure Files.
  • How to configure hybrid clients.
  • How to deploy mapped drives with Intune.
  • Common issues and troubleshooting tips.

🔑 Why Use Entra Kerberos for Azure Files?

  • No storage keys or SAS tokens → users authenticate with their domain account.
  • Centralized access control → permissions managed via Azure RBAC, not distributed secrets.
  • Seamless experience → users map drives as they would on a traditional file server.

⚠️ Limitation: Only hybrid users (on-prem AD + synced to Entra ID) are supported today. Pure cloud-only users cannot use Kerberos authentication for Azure Files.


✅ Prerequisites

  1. Hybrid identity
    • Users must exist in on-premises Active Directory and be synced to Entra ID via Microsoft Entra Connect (formerly Azure AD Connect). Only these hybrid users can obtain Kerberos tickets for Azure Files.
  2. Azure Storage account
    • Must be General Purpose v2 (standard) or FileStorage (premium).
    • File share created.
  3. Permissions
    • Admin: Storage File Data SMB Share Elevated Contributor role (needed to set Windows ACLs on directories and files).
    • Users: Storage File Data SMB Share Contributor or Reader role, scoped to the share.
    • Share-level RBAC is only the first gate: Windows (NTFS-style) ACLs on directories and files still apply on top of it.
  4. Entra ID
    • Enabling the feature creates an app registration for the storage account; an administrator must grant it admin consent, otherwise clients cannot obtain a ticket for the share.
  5. Client requirements
    • Windows 10 2004+ or Windows 11, with current cumulative updates installed.
    • Device must be Microsoft Entra joined or Microsoft Entra hybrid joined.

🔧 Step 1: Enable Entra Kerberos on the Storage Account

Run Azure CLI:

az storage account update \
  --name <StorageAccountName> \
  --resource-group <ResourceGroupName> \
  --enable-files-aadkerb true

The command also accepts --domain-name and --domain-guid for your on-premises AD domain. They are not required for authentication itself, but are used when you configure directory- and file-level Windows ACLs with icacls.

Verify in the Azure Portal under:
Storage Account > File shares > Identity-based access → should show Microsoft Entra Kerberos as the configured source.

Then grant admin consent. Enabling the feature registers an application named [Storage Account] <StorageAccountName>.file.core.windows.net in your tenant. In Entra ID > App registrations, open it, go to API permissions and grant admin consent for the directory. Until this is done, clients will not receive a ticket for the share even though the storage account reports Kerberos as enabled.


🔧 Step 2: Assign RBAC Permissions

Example (Contributor role, assigned to a single user; in production assign the role to an Entra group instead, passing the group's object ID as --assignee):

az role assignment create \
  --assignee <UserUPN> \
  --role "Storage File Data SMB Share Contributor" \
  --scope "/subscriptions/<SubID>/resourceGroups/<RGName>/providers/Microsoft.Storage/storageAccounts/<StorageAccountName>/fileServices/default/shares/<ShareName>"
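The same two steps (enable the feature, assign share-level RBAC) with the Az PowerShell module, plus a check for the app registration that still needs admin consent. This is an added example, not code from the original post; the subscription ID, resource group, storage account, share, group object ID and on-premises domain values are placeholders you replace with your own.

```powershell
#Requires -Modules Az.Accounts, Az.Storage, Az.Resources
# Added example: enable Entra Kerberos on a storage account, assign share-level
# RBAC to an Entra group, and locate the auto-created app registration that
# still needs admin consent. All names below are placeholders (assumptions).

param(
    [string]$SubscriptionId = "00000000-0000-0000-0000-000000000000",  # assumed
    [string]$ResourceGroup  = "rg-files",                              # assumed
    [string]$StorageAccount = "stfilesdemo01",                         # assumed
    [string]$ShareName      = "teamshare",                             # assumed
    [string]$UserGroupId    = "11111111-1111-1111-1111-111111111111",  # Entra group object ID (assumed)
    [string]$AdDomainName   = "corp.contoso.local",                    # on-prem AD DNS name (assumed)
    [string]$AdDomainGuid   = "22222222-2222-2222-2222-222222222222"   # on-prem AD domain GUID (assumed)
)

$ErrorActionPreference = 'Stop'
Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# 1. Turn on Entra Kerberos for SMB. Domain name and GUID are optional for
#    authentication but are used when setting Windows ACLs with icacls.
Set-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount `
    -EnableAzureActiveDirectoryKerberosForFile $true `
    -ActiveDirectoryDomainName $AdDomainName `
    -ActiveDirectoryDomainGuid $AdDomainGuid | Out-Null

# 2. Share-level RBAC, scoped to a single share and assigned to a group
#    (per-user assignments do not scale and are easy to forget to revoke).
$shareScope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
              "/providers/Microsoft.Storage/storageAccounts/$StorageAccount" +
              "/fileServices/default/shares/$ShareName"
$role = 'Storage File Data SMB Share Contributor'
$existing = Get-AzRoleAssignment -ObjectId $UserGroupId -Scope $shareScope `
    -RoleDefinitionName $role -ErrorAction SilentlyContinue
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $UserGroupId -RoleDefinitionName $role -Scope $shareScope | Out-Null
}

# 3. Enabling the feature creates an app registration that must receive admin
#    consent before clients can get tickets. Surface it so the step is not skipped.
$appName = "[Storage Account] $StorageAccount.file.core.windows.net"
$app = Get-AzADApplication -DisplayName $appName
if ($app) {
    Write-Host "Grant admin consent in Entra ID > App registrations > '$appName' (AppId $($app.AppId))."
} else {
    Write-Warning "App registration '$appName' not found yet; it can take a few minutes to appear."
}
```

Admin consent itself is deliberately left to the portal: it is a tenant-wide grant and is best performed and audited by an identity administrator rather than baked into an automation script.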

🔧 Step 3: Configure Clients for Cloud Kerberos Ticket Retrieval

On Windows 10/11 devices, enable ticket retrieval:

New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters" `
 -Name CloudKerberosTicketRetrievalEnabled `
 -Value 1 `
 -PropertyType DWord `
 -Force

You can deploy this via:

  • Intune Settings Catalog → Administrative Templates > System > Kerberos > "Allow retrieving the Azure AD Kerberos Ticket Granting Ticket during logon", set to Enabled.
  • Custom configuration profile (OMA-URI) → ./Device/Vendor/MSFT/Policy/Config/Kerberos/CloudKerberosTicketRetrievalEnabled, data type Integer, value 1.
  • PowerShell script → as a remediation (detection plus remediation script) running as SYSTEM, since the value lives under HKLM.

The setting takes effect at the next sign-in, because the cloud TGT is fetched during logon: users who were already signed in when the value was set must sign out and back in before tickets appear.
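If you choose the remediation route, Intune wants two scripts: a detection script that exits 0 when compliant and 1 otherwise, and a remediation script that fixes the setting. The following added example (not from the original post) keeps both in one file as functions so they share the registry path; save it twice and uncomment the matching call at the bottom. It assumes the scripts run as SYSTEM, which is the Intune default.

```powershell
# Added example (not from the original post): Intune remediation pair for the
# CloudKerberosTicketRetrievalEnabled value. Use Test-CloudKerberosTicketRetrieval
# as the detection script and Set-CloudKerberosTicketRetrieval as the remediation
# script; both run as SYSTEM because the value lives under HKLM.

$script:KerbParamsPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$script:ValueName      = 'CloudKerberosTicketRetrievalEnabled'

function Get-CloudKerberosTicketRetrievalState {
    # Returns $null when the value is absent (Windows default: disabled), else the DWORD.
    $props = Get-ItemProperty -Path $script:KerbParamsPath -Name $script:ValueName -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return [int]$props.($script:ValueName)
}

function Test-CloudKerberosTicketRetrieval {
    # Detection: exit 0 = compliant, exit 1 = remediation needed. Intune shows the output.
    $state = Get-CloudKerberosTicketRetrievalState
    if ($state -eq 1) {
        Write-Output "$($script:ValueName)=1 (compliant)"
        exit 0
    }
    $shown = if ($null -eq $state) { 'missing' } else { $state }
    Write-Output "$($script:ValueName)=$shown (non-compliant)"
    exit 1
}

function Set-CloudKerberosTicketRetrieval {
    # Remediation: create the key path if needed, set the value, then re-read it
    # so the reported result proves the write took effect.
    if (-not (Test-Path $script:KerbParamsPath)) {
        New-Item -Path $script:KerbParamsPath -Force | Out-Null
    }
    New-ItemProperty -Path $script:KerbParamsPath -Name $script:ValueName `
        -Value 1 -PropertyType DWord -Force | Out-Null
    if ((Get-CloudKerberosTicketRetrievalState) -ne 1) {
        Write-Error "Failed to set $($script:ValueName)"
        exit 1
    }
    Write-Output "$($script:ValueName) set to 1; effective at the user's next sign-in"
    exit 0
}

# Uncomment exactly one line depending on which Intune script this file becomes:
# Test-CloudKerberosTicketRetrieval
# Set-CloudKerberosTicketRetrieval
```

Re-reading the value after writing it matters more than it looks: a remediation that reports success without verifying is the kind of silent failure that surfaces weeks later as "drives don't map for some users".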

🔧 Step 4: Test Kerberos Access

On a test device, signed in as a hybrid user and from the same non-elevated session the user will map drives in, first confirm that the cloud TGT was obtained at sign-in, then request a service ticket for the share:

klist get krbtgt/KERBEROS.MICROSOFTONLINE.COM
klist get cifs/<StorageAccountName>.file.core.windows.net

If the first command fails, the client setting from Step 3 is missing or the user has not signed in since it was applied. If only the second fails, look at admin consent on the storage account's app registration and at Conditional Access. If both succeed, try accessing:

\\<StorageAccountName>.file.core.windows.net\<ShareName>

🔧 Step 5: Deploy Drive Mapping with Intune

Once authentication works manually, automate it for users with Intune.

Option 1: PowerShell Script

$DriveLetter = "Z"
$UNCPath = "\\<StorageAccountName>.file.core.windows.net\<ShareName>"

# Remove an existing mapping on this letter if present
if (Get-PSDrive -Name $DriveLetter -ErrorAction SilentlyContinue) {
    Remove-PSDrive -Name $DriveLetter -Force
}

# Map the drive persistently. -Scope Global is needed inside a script: without it
# the mapping is removed when the script's scope ends, even with -Persist.
New-PSDrive -Name $DriveLetter -PSProvider FileSystem -Root $UNCPath -Persist -Scope Global

Deploy as:

  • PowerShell script → with "Run this script using the logged on credentials" set to Yes, so it runs in the user's context and can use the user's tickets.
  • Or package as a Win32 app with detection rules, likewise installed in the user context.

Option 2: ADMX Drive Maps in Intune

  • Windows ships no built-in ADMX for mapped drives (on-premises, drive maps are Group Policy Preferences, which Intune does not support), so this option depends on a custom or community-provided ADMX.
  • Import that ADMX into Intune (Devices > Configuration > Import ADMX).
  • Configure mapped drives via Administrative Templates.
  • Assign to user groups.
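Putting Steps 3 to 5 together on the client: an Intune-deployable, user-context mapping script that refuses to run as SYSTEM, verifies the cloud TGT and the CIFS ticket with klist before touching the drive letter, and logs what it did. This is an added example and not the original post's script; the storage account name, share name, drive letter and log file location are assumptions.

```powershell
# Added example (not part of the original post): user-context drive mapping that
# verifies Entra Kerberos tickets before mapping. Deploy via Intune as a PowerShell
# script or remediation with "Run this script using the logged on credentials" = Yes.
param(
    [string]$StorageAccount = 'stfilesdemo01',   # assumed name
    [string]$ShareName      = 'teamshare',       # assumed name
    [string]$DriveLetter    = 'Z'                # assumed letter, without colon
)

$fqdn    = "$StorageAccount.file.core.windows.net"
$uncPath = "\\$fqdn\$ShareName"
$logPath = Join-Path $env:LOCALAPPDATA 'AzureFilesMap.log'   # user-writable; assumed location

function Write-Log([string]$Message) {
    "$(Get-Date -Format o) $Message" | Add-Content -Path $logPath
}

function Invoke-Klist([string]$Spn) {
    # Asks the LSA for a ticket in the caller's logon session. Success is taken only
    # when klist confirms it in its output; the output is kept in the log on failure.
    $out = & klist.exe get $Spn 2>&1 | Out-String
    $ok  = ($LASTEXITCODE -eq 0) -and ($out -match 'retrieved successfully')
    if (-not $ok) { Write-Log "klist get $Spn failed: $($out.Trim())" }
    return $ok
}

function Test-CloudKerberosReady {
    # The cloud TGT is obtained at sign-in (needs CloudKerberosTicketRetrievalEnabled);
    # the cifs ticket additionally needs admin consent on the storage account's app
    # and a Conditional Access policy that does not demand MFA for it.
    return (Invoke-Klist 'krbtgt/KERBEROS.MICROSOFTONLINE.COM') -and (Invoke-Klist "cifs/$fqdn")
}

function Set-AzureFilesDrive {
    $current = Get-PSDrive -Name $DriveLetter -ErrorAction SilentlyContinue
    if ($current -and $current.DisplayRoot -eq $uncPath) {
        Write-Log "$DriveLetter`: already mapped to $uncPath"
        return $true
    }
    if ($current) {
        # The letter points somewhere else: remove it rather than silently skipping.
        Remove-PSDrive -Name $DriveLetter -Force -ErrorAction SilentlyContinue
    }
    try {
        # -Persist creates a normal Windows mapped drive; -Scope Global keeps it after
        # this script's scope ends (without it the mapping disappears on exit).
        New-PSDrive -Name $DriveLetter -PSProvider FileSystem -Root $uncPath `
            -Persist -Scope Global -ErrorAction Stop | Out-Null
    } catch {
        Write-Log "New-PSDrive failed: $($_.Exception.Message)"
        return $false
    }
    return (Test-Path "$DriveLetter`:\")
}

# SYSTEM runs as the device identity and holds none of the user's tickets: fail fast
# with a message that tells the admin what to change in the Intune assignment.
if ([Security.Principal.WindowsIdentity]::GetCurrent().IsSystem) {
    Write-Log 'Running as SYSTEM; deploy with "Run this script using the logged on credentials" = Yes.'
    exit 1
}
if (-not (Test-CloudKerberosReady)) {
    Write-Log 'Kerberos not ready: check CloudKerberosTicketRetrievalEnabled, admin consent and CA exclusion.'
    exit 1
}
if (Set-AzureFilesDrive) {
    Write-Log "Mapped $DriveLetter`: -> $uncPath"
    exit 0
}
exit 1
```

Because the script exits non-zero on every failure path, Intune reports the device as failed instead of "succeeded" with no drive, and the log in the user's profile tells you which of the three preconditions (client setting, consent, Conditional Access) was not met.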

⚠️ Common Pitfalls

  • MFA and Conditional Access
    • Kerberos cannot complete an MFA challenge. Exclude the storage account's application ([Storage Account] <StorageAccountName>.file.core.windows.net) from Conditional Access policies that require MFA; otherwise the ticket request fails.
  • Windows Hello for Business
    • If devices sign in with PIN/key trust, SMB access may fail. Ensure CloudKerberosTicketRetrievalEnabled is set and that the user has signed in since it was applied.
  • Running scripts in SYSTEM context
    • SYSTEM runs as the device identity and holds none of the user's Kerberos tickets, so mapping scripts (and any test) must run in the user's context.

🔍 Troubleshooting

  • klist → list cached tickets; you should see krbtgt/KERBEROS.MICROSOFTONLINE.COM and, after accessing the share, cifs/<StorageAccountName>.file.core.windows.net. After fixing consent or the client setting, run klist purge (or sign out) so fresh tickets are issued; RBAC changes can take a few minutes to propagate.
  • Event Viewer → Microsoft-Windows-SMBClient/Connectivity and Microsoft-Windows-SMBClient/Security logs.
  • Test manually with the UNC path before rolling out via Intune. "Access denied" with a valid ticket usually means missing share-level RBAC or Windows ACLs; no ticket at all points to the client setting, admin consent, or Conditional Access.

✅ Best Practices

  1. Pilot with a small group before broad rollout.
  2. Use RBAC roles to manage access instead of distributing storage account keys.
  3. Automate via Intune using PowerShell or ADMX policies.
  4. Consider OneDrive/SharePoint for cloud-only users (since they can’t use Kerberos with Azure Files).

Conclusion

By enabling Microsoft Entra Kerberos authentication and deploying drive mappings with Intune, you can give hybrid users seamless access to Azure File Shares without exposing storage keys.

This setup brings the simplicity of traditional mapped drives into a cloud-first Intune environment — with centralized identity, secure access, and Intune-driven automation.

