Enable Microsoft Entra Kerberos authentication for hybrid and cloud-only identities (preview) on Azure Files

Applies to: ✔️ SMB file shares

This article explains how to enable and configure Microsoft Entra ID (formerly Azure AD) for authenticating hybrid or cloud-only identities (preview).

Hybrid identities are on-premises Active Directory Domain Services (AD DS) identities that are synced to Microsoft Entra ID by using either Microsoft Entra Connect Sync or Microsoft Entra Cloud Sync.
Cloud-only identities are created and managed only in Microsoft Entra ID.

When you enable Microsoft Entra Kerberos authentication, users can access Azure file shares by using Kerberos authentication. Microsoft Entra ID issues the necessary Kerberos tickets to access the file share by using the SMB protocol. For cloud-only users, this authentication method means that Azure file shares no longer need a domain controller for authorization or authentication (preview). However, for hybrid identities, configuring Windows access control lists (ACLs) and directory and file-level permissions for a user or group requires unimpeded network connectivity to the on-premises domain controller.

For more information, see Overview of Azure Files identity-based authentication options for SMB access and this deep dive.

Important

You can only enable one identity source on your storage account for identity-based authentication with Azure Files. If Microsoft Entra Kerberos authentication doesn't fit your requirements, you might be able to use on-premises Active Directory Domain Service (AD DS) or Microsoft Entra Domain Services instead. The configuration steps and supported scenarios are different for each method.

Prerequisites

Before you enable Microsoft Entra Kerberos authentication over SMB for Azure file shares, make sure you complete the following prerequisites.

Minimum prerequisites

You need the following minimum prerequisites. Without these prerequisites, you can't authenticate by using Microsoft Entra ID.

Your Azure storage account can't authenticate with both Entra ID and a second method like AD DS or Microsoft Entra Domain Services. If you already chose another identity source for your storage account, you must disable it before enabling Microsoft Entra Kerberos.
If you want to authenticate hybrid identities, you also need AD DS and either Microsoft Entra Connect Sync or Microsoft Entra Cloud Sync. You must create these accounts in Active Directory and sync them to Entra ID. To assign Azure Role-Based Access Control (RBAC) permissions for the Azure file share to a user group, you must create the group in Active Directory and sync it to Entra ID. This requirement doesn't apply to cloud-only identities.
The WinHTTP Web Proxy Auto-Discovery Service (WinHttpAutoProxySvc) is required, and must be in the running state. For security reasons, you can optionally disable Web Proxy Auto-Discovery (WPAD) via registry keys. However, you shouldn't disable the entire WinHttpAutoProxySvc service, as it is responsible for a host of other functionalities, including Kerberos Key Distribution Center Proxy (KDC Proxy) requests.
The IP Helper service (iphlpsvc) is required, and must be in the running state.
You must disable multifactor authentication (MFA) on the Entra app representing the storage account. For instructions, see Disable multifactor authentication on the storage account.
This feature currently doesn't support cross-tenant access for B2B users or guest users. Users from an Entra tenant other than the one configured won't be able to access the file share.
With Microsoft Entra Kerberos, the Kerberos ticket encryption is always AES-256. But you can set the SMB channel encryption that best fits your needs.
Azure Files SMB support for external identities is currently limited to FSLogix scenarios running on Azure Virtual Desktop. This support applies to external users invited to a Microsoft Entra ID tenant in the public cloud, with the exception of cross-cloud users (those invited into the tenant from Azure Government or Azure operated by 21Vianet). Government cloud scenarios aren't supported. Scenarios not involving Azure Virtual Desktop aren't supported for business-to-business guest users or users from other Entra tenants.

Important

Cloud-only identities support (preview) is only available by using a default share-level permission.

Operating system and domain prerequisites

The standard Microsoft Entra Kerberos authentication flow described in this article requires the following prerequisites. If some or all of your client machines don't meet these prerequisites, you can still enable Microsoft Entra Kerberos authentication for SMB file shares, but you need to configure a cloud trust to allow these clients to access file shares.

To use Entra Kerberos authentication for cloud-only identities (preview), use one of the following operating systems:

Windows 11 Enterprise/Pro single or multi-session.
Windows Server 2025 with the latest cumulative updates installed.

To use Entra Kerberos authentication for hybrid identities, use one of the following operating systems:

Windows 11 Enterprise/Pro single or multi-session.
Windows 10 Enterprise/Pro single or multi-session, versions 2004 or later with the latest cumulative updates installed, especially the KB5007253 - 2021-11 Cumulative Update Preview for Windows 10.
Windows Server 2025 with the latest cumulative updates installed.
Windows Server 2022 with the latest cumulative updates installed, especially the KB5007254 - 2021-11 Cumulative Update Preview for Microsoft server operating system version 21H2.

For information about how to create and configure a Windows VM and sign in by using Entra ID-based authentication, see Sign in to Windows virtual machine in Azure using Microsoft Entra ID and Azure Role Based Access Control.

Clients must be Microsoft Entra joined or Microsoft Entra hybrid joined. They can't be joined to Microsoft Entra Domain Services or joined to AD only.

Regional availability

Support for hybrid identities is available in the Azure Public, Azure US Gov, and Azure China 21Vianet clouds.

Support for cloud-only identities (preview) is available only in the Azure Public clouds and is limited to using a default share-level permission for all authenticated identities.

Enable Microsoft Entra Kerberos authentication

You can enable Microsoft Entra Kerberos authentication on Azure Files by using the Azure portal, PowerShell, or Azure CLI.

To enable Microsoft Entra Kerberos authentication by using the Azure portal, follow these steps.

Sign in to the Azure portal and select the storage account you want to enable Microsoft Entra Kerberos authentication for.
Under Data storage, select File shares.
Next to Identity-based access, select the configuration status, such as Not configured.
Under Microsoft Entra Kerberos, select Set up.
Select the Microsoft Entra Kerberos checkbox.
Optional: If you're authenticating hybrid identities and want to configure directory and file-level permissions through Windows File Explorer, specify the domain name and domain GUID for your on-premises AD. You can get this information from your domain admin or by running the following Active Directory PowerShell cmdlet from an on-premises AD-joined client: Get-ADDomain. Your domain name appears in the output under DNSRoot and your domain GUID appears under ObjectGUID. If you'd prefer to configure directory and file-level permissions by using icacls, you can skip this step. However, if you want to use icacls, the client needs unimpeded network connectivity to the on-premises AD. Configuring directory and file-level permissions by using Windows File Explorer isn't currently supported for cloud-only identities (preview).
Select Save.

To enable Microsoft Entra Kerberos by using Azure PowerShell, run the following command. Replace placeholder values, including brackets, with your values.

Set-AzStorageAccount -ResourceGroupName <resourceGroupName> -StorageAccountName <storageAccountName> -EnableAzureActiveDirectoryKerberosForFile $true

Optional: If you're authenticating hybrid identities and you want to configure directory and file-level permissions through File Explorer, you also need to specify the domain name and domain GUID for your on-premises AD. If you'd prefer to configure directory and file-level permissions by using icacls, you can skip this step. However, if you want to use icacls, the client needs unimpeded network connectivity to the on-premises AD. Configuring directory and file-level permissions by using File Explorer isn't currently supported for cloud-only identities (preview).

You can get this information from your domain admin or by running the following Active Directory PowerShell cmdlets from an on-premises AD-joined client:

$domainInformation = Get-ADDomain
$domainGuid = $domainInformation.ObjectGUID.ToString()
$domainName = $domainInformation.DnsRoot

To specify the domain name and domain GUID for your on-premises AD, run the following Azure PowerShell command. Replace placeholder values, including brackets, with your values.

Set-AzStorageAccount -ResourceGroupName <resourceGroupName> -StorageAccountName <storageAccountName> -EnableAzureActiveDirectoryKerberosForFile $true -ActiveDirectoryDomainName $domainName -ActiveDirectoryDomainGuid $domainGuid

To enable Microsoft Entra Kerberos by using Azure CLI, run the following command. Replace placeholder values, including brackets, with your values.

az storage account update --name <storageaccountname> --resource-group <resourcegroupname> --enable-files-aadkerb true

You can get this information from your domain admin or by running the following Active Directory PowerShell cmdlets from an on-premises AD-joined client:

$domainInformation = Get-ADDomain
$domainGuid = $domainInformation.ObjectGUID.ToString()
$domainName = $domainInformation.DnsRoot

To specify the domain name and domain GUID for your on-premises Active Directory, run the following command. Replace placeholder values, including brackets, with your values.

az storage account update --name <storageAccountName> --resource-group <resourceGroupName> --enable-files-aadkerb true --domain-name <domainName> --domain-guid <domainGuid>

Warning

If you previously enabled Microsoft Entra Kerberos authentication through manual limited preview steps to store FSLogix profiles on Azure Files for Entra-joined VMs, the password for the storage account's service principal expires every six months. Once the password expires, users can't get Kerberos tickets to the file share. To mitigate this, see Error - Service principal password has expired in Microsoft Entra ID.

After enabling Microsoft Entra Kerberos authentication, grant admin consent to the new Entra application registered in your Entra tenant. This service principal is autogenerated and isn't used for authorization to the file share, so don't make any edits to the service principal other than those documented here. If you do, you might get an error.

You can configure the API permissions from the Azure portal by following these steps:

Open Microsoft Entra ID.
In the service menu, under Manage, select App registrations.
Select All Applications.
Select the application with the name matching [Storage Account] <your-storage-account-name>.file.core.windows.net.
In the service menu, under Manage, select API permissions.
Select Grant admin consent for [Directory Name] to grant consent for the three requested API permissions (openid, profile, and User.Read) for all accounts in the directory.
Select Yes to confirm.

If you're connecting to a storage account through a private endpoint or private link by using Microsoft Entra Kerberos authentication, add the private link FQDN to the storage account's Microsoft Entra application. For instructions, see the troubleshooting guide.

Enable cloud-only groups support (mandatory for cloud-only identities)

Kerberos tickets can include a maximum of 1,010 Security Identifiers (SIDs) for groups. Now that Microsoft Entra Kerberos supports Entra-only identities (preview), tickets must include both on-premises group SIDs and cloud group SIDs. If the combined group SIDs exceed 1,010, the Kerberos ticket can't be issued.

If you're using Microsoft Entra Kerberos to authenticate cloud-only identities, update the Tags in your application manifest file, or authentication fails.

Follow these instructions to update the tag in your application manifest.

Disable multifactor authentication on the storage account

Microsoft Entra Kerberos doesn't support using MFA to access Azure file shares configured with Microsoft Entra Kerberos. You must exclude the Microsoft Entra app representing your storage account from your MFA conditional access policies if they apply to all apps.

The storage account app should have the same name as the storage account in the conditional access exclusion list. When searching for the storage account app in the conditional access exclusion list, search for: [Storage Account] <your-storage-account-name>.file.core.windows.net

Replace <your-storage-account-name> with the proper value.

Important

If you don't exclude MFA policies from the storage account app, you can't access the file share. Trying to map the file share by using net use results in an error message that says "System error 1327: Account restrictions are preventing this user from signing in. For example: blank passwords aren't allowed, sign-in times are limited, or a policy restriction has been enforced."

For guidance on disabling MFA, see the following articles:

When you enable identity-based access, for each share you must assign which users and groups have access to that particular share. Once a user or group is allowed access to a share, Windows ACLs (also called NTFS permissions) on individual files and directories take over. This permission system allows for fine-grained control over permissions, similar to an SMB share on a Windows Server.

To set share-level permissions, follow the instructions in Assign share-level permissions to an identity. Cloud-only identities can only be assigned a default share-level permission that applies to all authenticated identities.

Configure directory and file-level permissions

Once share-level permissions are in place, you can assign Windows ACLs (directory and file-level permissions) to the user or group. For hybrid identities, this assignment requires using a device with unimpeded network connectivity to an Active Directory.

To configure directory and file-level permissions, follow the instructions in Configure directory and file-level permissions over SMB.

Configure the clients to retrieve Kerberos tickets

Enable the Entra Kerberos functionality on the client machines you want to use to mount Azure Files shares. You must enable this functionality on every client that uses Azure Files.

Use one of the following three methods:

Configure this Intune Policy CSP and apply it to the client(s): Kerberos/CloudKerberosTicketRetrievalEnabled, set to 1

Note

When configuring CloudKerberosTicketRetrievalEnabled through Intune, use the Settings Catalog instead of the OMA-URI method. The OMA-URI method doesn't work on Azure Virtual Desktop multisession devices. Azure Virtual Desktop multisession is a common deployment scenario for Entra Kerberos with hybrid identities, including configurations involving Entra ID Join, FSLogix, and Azure Files.

Configure this group policy on the clients to "Enabled": Administrative Templates\System\Kerberos\Allow retrieving the Azure AD Kerberos Ticket Granting Ticket during logon

On older versions of Windows, this setting appears as: Administrative Templates\System\Kerberos\Allow retrieving the cloud Kerberos ticket during the logon

This setting allows the client to retrieve a cloud-based Kerberos Ticket Granting Ticket (TGT) during user logon.

Set the following registry value on the clients by running this command from an elevated command prompt:

reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters /v CloudKerberosTicketRetrievalEnabled /t REG_DWORD /d 1

Changes aren't instant, and require a policy refresh or a reboot to take effect.

Important

After you apply this change, the clients can't connect to storage accounts that are configured for on-premises AD DS integration without configuring Kerberos realm mappings. If you want the clients to connect to storage accounts configured for AD DS as well as storage accounts configured for Microsoft Entra Kerberos, follow the steps in Configure coexistence with storage accounts using on-premises AD DS.

Configure coexistence with storage accounts using on-premises AD DS

To enable client machines to connect to storage accounts that are configured for AD DS as well as storage accounts configured for Microsoft Entra Kerberos, follow these steps. If you're only using Microsoft Entra Kerberos, skip this section.

Add an entry for each storage account that uses on-premises AD DS integration. Use one of the following three methods to configure Kerberos realm mappings. Changes aren't instant, and require a policy refresh or a reboot to take effect.

Configure this Intune Policy CSP and apply it to the clients: Kerberos/HostToRealm

Configure this Group Policy on the clients: Administrative Templates\System\Kerberos\Define host name-to-Kerberos realm mappings

Set the policy to Enabled.
Select the Show... button to define the list of host name-to-realm mappings. For each storage account configured for AD DS, add an entry where:
- Value is the AD DS-enabled storage account's host name, such as <your storage account name>.file.core.windows.net
- Value name is the AD DS realm name

Run the following ksetup Windows command on the clients:

ksetup /addhosttorealmmap <hostname> <REALMNAME>

For example, if your realm is CONTOSO.LOCAL, run ksetup /addhosttorealmmap <your storage account name>.file.core.windows.net CONTOSO.LOCAL

Important

In Kerberos, realm names are case sensitive and uppercase. Your Kerberos realm name is usually the same as your domain name, in uppercase letters.

Undo the client configuration to retrieve Kerberos tickets

If you no longer want to use a client machine for Microsoft Entra Kerberos authentication, you can disable the Microsoft Entra Kerberos functionality on that machine. Use one of the following three methods, depending on how you enabled the functionality:

Configure this Intune Policy CSP and apply it to the clients: Kerberos/CloudKerberosTicketRetrievalEnabled, set to 0

Set the following registry value on the clients by running this command from an elevated command prompt:

reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters /v CloudKerberosTicketRetrievalEnabled /t REG_DWORD /d 0

Changes aren't instant, and require a policy refresh or a reboot to take effect.

If you followed the steps in Configure coexistence with storage accounts using on-premises AD DS, you can optionally remove all host name to Kerberos realm mappings from the client machine. Use one of the following three methods:

Configure this Intune Policy CSP and apply it to the clients: Kerberos/HostToRealm

Run the following ksetup Windows command on the clients:

ksetup /delhosttorealmmap <hostname> <realmname>

For example, if your realm is CONTOSO.LOCAL, run ksetup /delhosttorealmmap <your storage account name>.file.core.windows.net CONTOSO.LOCAL.

You can view the list of current host name to Kerberos realm mappings by inspecting the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\HostToRealm.

Changes aren't instant, and require a policy refresh or a reboot to take effect.

Important

After you apply this change, the clients can't connect to storage accounts that are configured for Microsoft Entra Kerberos authentication. However, they can connect to storage accounts configured to AD DS, without any additional configuration.

Disable Microsoft Entra authentication on your storage account

If you want to use another authentication method, you can disable Microsoft Entra authentication on your storage account by using the Azure portal, Azure PowerShell, or Azure CLI.

Note

If you disable this feature, there won't be any identity-based access for file shares in your storage account until you enable and configure one of the other identity sources.

To disable Microsoft Entra Kerberos authentication on your storage account by using the Azure portal, follow these steps.

Sign in to the Azure portal and select the storage account you want to disable Microsoft Entra Kerberos authentication for.
Under Data storage, select File shares.
Next to Identity-based access, select the configuration status.
Under Microsoft Entra Kerberos, select Configure.
Uncheck the Microsoft Entra Kerberos checkbox.
Select Save.

To disable Microsoft Entra Kerberos authentication on your storage account by using Azure PowerShell, run the following command. Remember to replace placeholder values, including brackets, with your values.

Set-AzStorageAccount -ResourceGroupName <resourceGroupName> -StorageAccountName <storageAccountName> -EnableAzureActiveDirectoryKerberosForFile $false

To disable Microsoft Entra Kerberos authentication on your storage account by using Azure CLI, run the following command. Remember to replace placeholder values, including brackets, with your values.

az storage account update --name <storageaccountname> --resource-group <resourcegroupname> --enable-files-aadkerb false

Debugging

If needed, run the Debug-AzStorageAccountAuth cmdlet to conduct a set of basic checks on your Microsoft Entra ID configuration with the signed in Entra ID user. The Entra checks that are part of this cmdlet are supported on the AzFilesHybrid PowerShell module beginning with version 0.3.0+. This cmdlet works for Microsoft Entra Kerberos and AD DS authentication but doesn't work for Microsoft Entra Domain Services enabled storage accounts. For more information on the checks performed in this cmdlet, see Unable to mount Azure file shares with Microsoft Entra Kerberos.

Next steps

Feedback

Was this page helpful?

Last updated on 2026-03-04

Share via

Enable Microsoft Entra Kerberos authentication for hybrid and cloud-only identities (preview) on Azure Files

Prerequisites

Minimum prerequisites

Operating system and domain prerequisites

Regional availability

Enable Microsoft Entra Kerberos authentication

Grant admin consent to the new service principal

Enable cloud-only groups support (mandatory for cloud-only identities)

Disable multifactor authentication on the storage account

Assign share-level permissions

Configure directory and file-level permissions

Configure the clients to retrieve Kerberos tickets

Configure coexistence with storage accounts using on-premises AD DS

Undo the client configuration to retrieve Kerberos tickets

Disable Microsoft Entra authentication on your storage account

Debugging

Next steps

Feedback

Additional resources