How to Map Azure File Shares on Intune-Managed Devices with Entra Kerberos Authentication


Mapping Azure File Shares to Intune-Joined Devices: A Complete Guide to Authentication and Deployment

File shares remain a backbone for many organizations, even as cloud collaboration tools like OneDrive and SharePoint grow in use. For companies adopting Microsoft Intune and managing Azure AD-joined (Entra ID-joined) devices, a common question arises:

“How do I map Azure File Shares as network drives for users, and how does authentication work in this setup?”

This guide covers the challenges, the supported authentication model, configuration requirements, and different methods to deploy drive mappings with Intune.


Why Azure Files and Intune?

  • Azure Files provides SMB-accessible shares hosted in Azure Storage, allowing you to lift and shift file-based workloads into the cloud.
  • Intune manages modern, cloud-first Windows 10/11 devices without requiring on-premises AD or GPOs.
  • Combining the two seems natural — but authentication is not straightforward when devices are purely Azure AD joined.

The Authentication Challenge

On-premises, users access file shares with Kerberos authentication against Active Directory. GPOs push drive mappings, and everything works seamlessly.

With Azure Files, admins often find:

  • Storage account keys or SAS tokens can mount shares, but distributing and rotating them securely is a nightmare.
  • Azure AD (Entra ID) authentication doesn’t work for cloud-only users. Drive mapping fails with prompts for credentials or “Access Denied.”
  • Scripts run via Intune sometimes succeed locally but fail when deployed, often because of context and ticket issues.

The issue boils down to this:
👉 Azure Files only supports identity-based authentication for hybrid identities using Azure AD Kerberos.


Microsoft’s Supported Model: Azure AD Kerberos Authentication

Microsoft allows Azure Files access using Kerberos tickets from Entra ID (Azure AD), but only in hybrid identity environments.

Requirements

  1. Hybrid identities
    • Users must be synchronized from on-prem AD to Azure AD (via Azure AD Connect).
    • Cloud-only Entra ID accounts cannot use Kerberos authentication with Azure Files.
  2. Storage account configuration
    • Enable Azure AD Kerberos for SMB on the storage account.
    • Ensure no conflicting identity source is enabled.
  3. Client requirements
    • Devices must be Azure AD joined or hybrid joined.
    • Registry / policy: set CloudKerberosTicketRetrievalEnabled = 1.
    • Services such as WinHTTP Web Proxy Auto Discovery Service and IP Helper must be running.
  4. Conditional Access
    • Exclude the Azure Storage service principal from MFA policies.
    • Kerberos does not support MFA during file share authentication.

Once configured, Azure Files behaves like a normal SMB share — the UNC path (\\storageaccount.file.core.windows.net\sharename) can be mapped using Kerberos tickets issued via Entra ID.


Verifying Kerberos Authentication

On a test machine:

  1. Sign in with a hybrid identity account.
  2. Run klist get cifs/storageaccount.file.core.windows.net to check for a Kerberos ticket.
  3. Attempt to access the UNC path in File Explorer.
  4. If access is denied:
    • Check Event Viewer logs under Microsoft-Windows-SMBClient/Security.
    • Ensure the registry key for CloudKerberosTicketRetrievalEnabled is applied.
    • Confirm that Conditional Access is not blocking storage.
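As an added example (not from the original post), a PowerShell preflight script that runs the checks above in one pass on the test machine: registry value, required services, execution context, a klist ticket request, SMB reachability, and the SMB client security log. The storage account and share names are placeholders, and the registry location and service names (WinHttpAutoProxySvc, iphlpsvc) are the standard Windows ones rather than values taken from the post.

```powershell
# Added example: preflight check for Entra Kerberos access to an Azure Files share.
# Storage account and share names are placeholders; replace them with your own.
$StorageAccount = "storageaccount"
$ShareName      = "sharename"
$Fqdn    = "$StorageAccount.file.core.windows.net"
$UncPath = "\\$Fqdn\$ShareName"
$Spn     = "cifs/$Fqdn"

function Test-AzureFilesKerberos {
    $results = [ordered]@{}

    # 1. Cloud Kerberos ticket retrieval must be enabled (set by Intune policy or directly).
    $regPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters"
    $reg = Get-ItemProperty -Path $regPath -Name CloudKerberosTicketRetrievalEnabled -ErrorAction SilentlyContinue
    $results["CloudKerberosTicketRetrievalEnabled = 1"] = ($reg.CloudKerberosTicketRetrievalEnabled -eq 1)

    # 2. Required services: WinHTTP Web Proxy Auto-Discovery and IP Helper.
    foreach ($name in "WinHttpAutoProxySvc", "iphlpsvc") {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $results["Service $name"] = if ($svc) { "$($svc.Status) / $($svc.StartType)" } else { "not found" }
    }

    # 3. Kerberos tickets belong to the signed-in user; SYSTEM (S-1-5-18) has none.
    $sid = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $results["Running in user context"] = ($sid -ne "S-1-5-18")

    # 4. Ask for a service ticket for the share; success echoes the SPN in the ticket listing.
    $klist = & klist get $Spn 2>&1 | Out-String
    $results["Service ticket for $Spn"] = ($klist -match [regex]::Escape($Spn)) -and ($klist -notmatch "klist failed")

    # 5. Can the share itself be reached over SMB with that ticket?
    $results["UNC path $UncPath reachable"] = Test-Path -Path $UncPath

    # 6. Recent SMB client security events usually explain an "Access Denied".
    $filter = @{ LogName = "Microsoft-Windows-SMBClient/Security"; StartTime = (Get-Date).AddMinutes(-15) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $results["SMBClient security events (last 15 min)"] = @($events).Count

    return $results
}

$report = Test-AzureFilesKerberos
$report.GetEnumerator() | Format-Table -Property Name, Value -AutoSize

# When the share is unreachable, show the latest SMB client security events for troubleshooting.
if (-not $report["UNC path $UncPath reachable"]) {
    Get-WinEvent -FilterHashtable @{ LogName = "Microsoft-Windows-SMBClient/Security" } -MaxEvents 3 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message | Format-List
}
```

Run it from an interactive PowerShell session as the hybrid test user, not from an elevated SYSTEM shell, or the ticket and context checks will fail by design.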

Deployment Methods with Intune

Once authentication works manually, the next step is to deploy mapped drives via Intune. Since Intune does not provide a built-in “map network drive” setting, admins use scripts or custom ADMX templates.

1. PowerShell Script Deployment

Example script:

$DriveLetter = "Z:"
$DriveName   = $DriveLetter.TrimEnd(":")   # New-PSDrive/Remove-PSDrive take the letter without the colon
$UNCPath     = "\\storageaccount.file.core.windows.net\sharename"

# Remove existing mapping if present
if (Test-Path $DriveLetter) {
    Remove-PSDrive -Name $DriveName -Force
}

# Map drive persistently. -Persist creates a real Windows mapped drive (visible in File Explorer);
# -Scope Global keeps the mapping from being removed when the script's scope ends.
# The Kerberos ticket belongs to the signed-in user, so this must run in user context.
New-PSDrive -Name $DriveName -PSProvider FileSystem -Root $UNCPath -Persist -Scope Global

Deploy with Intune:

  • Package as a Win32 app or use the script deployment option.
  • Configure to run in user context, not system context (Kerberos tickets are user-specific).

Pros:

  • Simple and flexible.
  • Can include logic for specific groups or conditions.

Cons:

  • If deployed in the wrong context, authentication fails.
  • Drive mappings may not survive all logon scenarios.

2. ADMX-Backed Policy in Intune

  • Import the Drive Maps ADMX/ADML templates into Intune.
  • Configure mapped drive policies directly in the Intune Settings Catalog.

Pros:

  • Policy-based, consistent, and manageable at scale.
  • Behaves similarly to traditional GPOs.

Cons:

  • Initial setup is more complex.
  • Less flexible than scripting.

3. Manual Access as a Test

Before deploying, test that users can access the share directly via:

\\storageaccount.file.core.windows.net\sharename

If authentication works here, you can confidently proceed with Intune automation.


Common Pitfalls and Fixes

  • Windows Hello for Business
    • PIN or key-trust logins sometimes fail to pass Kerberos credentials to SMB.
    • Ensure devices support Cloud Kerberos TGT retrieval.
  • Running scripts as SYSTEM
    • SYSTEM has no Kerberos tickets.
    • Always run mapping scripts in user context.
  • Conditional Access Policies
    • MFA requirements for Azure Storage will break Kerberos auth.
    • Create targeted exclusions for the Azure Files service principal.

Best Practices

  1. Test authentication manually before rolling out Intune policies.
  2. Use hybrid identities if you must support Azure Files for SMB.
  3. Run scripts in user context to leverage Kerberos tickets.
  4. Monitor Kerberos tickets with klist and Event Viewer for troubleshooting.
  5. Evaluate alternatives — for cloud-only organizations, consider OneDrive for Business or SharePoint Online for file storage instead of Azure Files.

Conclusion

Mapping Azure File Shares to Intune-joined devices is possible, but it requires the right identity architecture and Kerberos configuration. Pure cloud-only users will face limitations, while hybrid users with Entra Kerberos enabled can enjoy a seamless experience.

For deployment, Intune PowerShell scripts and custom ADMX policies are the go-to options. With proper planning, you can extend familiar mapped drives into your modern, Intune-managed environment.

