WEBVTT

0:00:02.580000 --> 0:00:08.320000
Hi. All right. Full disclosure before I go into this video, I am not a

0:00:08.320000 --> 0:00:14.700000
huge fan of the file service component of Azure Storage accounts.

0:00:14.700000 --> 0:00:19.280000
I think that the current implementation that I'm going to go through is

0:00:19.280000 --> 0:00:23.000000
unnecessarily complex, so they'll understand why.

0:00:23.000000 --> 0:00:26.860000
So just before I warn about that, this will be a relatively short topic,

0:00:26.860000 --> 0:00:32.280000
and I will try to be as engaging as possible, if not necessarily totally

0:00:32.280000 --> 0:00:35.720000
enthusiastic. So let's go ahead and let's take a look.

0:00:35.720000 --> 0:00:40.020000
We're going to talk about Azure AD Domain Services authentication for

0:00:40.020000 --> 0:00:46.340000
Azure Files. Now, the topics that we're going to cover, we're going to

0:00:46.340000 --> 0:00:51.140000
talk about big picture file service access and authorization, and how

0:00:51.140000 --> 0:00:54.460000
Azure ADDS comes into play now with that.

0:00:54.460000 --> 0:01:00.560000
Then I'm going to just go through some points about Azure ADDS and file

0:01:00.560000 --> 0:01:05.040000
service. Let's go ahead and let's jump right into this.

0:01:05.040000 --> 0:01:12.180000
Now, file service and Azure authorization in general.

0:01:12.180000 --> 0:01:26.380000
I've got a story that is similar to stories I've told in other videos.

0:01:26.380000 --> 0:01:37.060000
All right, we have an Azure subscription, a resource group, and we have

0:01:37.060000 --> 0:01:42.540000
a storage account, and that storage account has keys for access.

0:01:42.540000 --> 0:01:56.980000
Right, and we have some user that wants access, an interesting little

0:01:56.980000 --> 0:02:01.020000
smile there. It's important that the user have a hat.

0:02:01.020000 --> 0:02:06.180000
Okay, I've got a user that wants access specifically, they want access

0:02:06.180000 --> 0:02:14.040000
to that file. Well, there are a couple of ways that we can go about giving

0:02:14.040000 --> 0:02:16.840000
the user access to that file.

0:02:16.840000 --> 0:02:26.920000
The first thing that we can do is we can use the HTTPS protocol and API.

0:02:26.920000 --> 0:02:34.660000
Okay, and if I use HTTPS, then I'm going to go either using the key, which

0:02:34.660000 --> 0:02:41.720000
is going to give me direct access or, or I should say the user is, we

0:02:41.720000 --> 0:02:50.300000
can assign a secure access, excuse me, shared access signature, and give

0:02:50.300000 --> 0:02:52.740000
the user rights that are granular.

0:02:52.740000 --> 0:02:58.520000
Again, this is going through the HTTPS API, the interface if you will,

0:02:58.520000 --> 0:03:01.700000
but I will kind of say that if you're going to do that, you might as well

0:03:01.700000 --> 0:03:05.160000
use blob storage because there are some better things about blob storage

0:03:05.160000 --> 0:03:09.600000
for that kind of access, and get more options, et cetera.

0:03:09.600000 --> 0:03:13.760000
Okay, including the integration, full integration of Azure AD.

0:03:13.760000 --> 0:03:24.680000
Now, as an alternative to the HTTP access, in addition to that, we have,

0:03:24.680000 --> 0:03:32.240000
I'm going to take these guys away, there, all right, so in addition to

0:03:32.240000 --> 0:03:44.380000
HTTP access, we have SMB access at the file share, this is a file share.

0:03:44.380000 --> 0:03:49.460000
As well, label these things, this of course is a file, and you do have

0:03:49.460000 --> 0:03:52.720000
a folder structure available, okay?

0:03:52.720000 --> 0:03:59.180000
Now again, really the only reason that you would use a file share over

0:03:59.180000 --> 0:04:03.480000
blob storage is that a file share supports SMB, okay?

0:04:03.480000 --> 0:04:08.560000
Now traditionally, the way that you would work with SMB is you would authenticate

0:04:08.560000 --> 0:04:17.100000
using the key, and of course, if you authenticate using the key, then

0:04:17.100000 --> 0:04:19.480000
you've got full access to everything.

0:04:19.480000 --> 0:04:25.060000
And now, typically ideally, you're not having the user, oops, I completely

0:04:25.060000 --> 0:04:28.340000
hit the wrong button there.

0:04:28.340000 --> 0:04:33.840000
Sorry about that, I'll draw this out a little bit.

0:04:33.840000 --> 0:04:37.060000
Not going to label it.

0:04:37.060000 --> 0:04:40.020000
There's my file share, there's my file, right?

0:04:40.020000 --> 0:04:51.860000
And then we have our user.

0:04:51.860000 --> 0:04:57.700000
Okay, so the SMB, we know that in order to access the SMB traditionally,

0:04:57.700000 --> 0:05:03.040000
you have to have the storage key, which gives you absolute full access,

0:05:03.040000 --> 0:05:06.540000
right? And generally, you don't want the user accessing that directly,

0:05:06.540000 --> 0:05:09.340000
setting up a share from their own desktop.

0:05:09.340000 --> 0:05:13.540000
Usually you're going to have a server, the server is going to set up

0:05:13.540000 --> 0:05:19.020000
a share, and then expose that out, right?

0:05:19.020000 --> 0:05:20.700000
And so that's fine.

0:05:20.700000 --> 0:05:30.420000
Okay, now however, what we have is we have Azure ADDS authentication for

0:05:30.420000 --> 0:05:33.260000
file shares, okay?

0:05:33.260000 --> 0:05:42.460000
And essentially, what that's going to do is it's going to put an authentication

0:05:42.460000 --> 0:05:51.500000
layer on top of really the entire structure.

0:05:51.500000 --> 0:06:02.160000
Now, with AADDS, AADDS, there we go, there's two additional components

0:06:02.160000 --> 0:06:13.660000
that you have. You have an Azure AD domain, or well, I should say, Azure

0:06:13.660000 --> 0:06:20.940000
AD tenant directory.

0:06:20.940000 --> 0:06:30.360000
And you also have an Azure managed domain controller.

0:06:30.360000 --> 0:06:36.300000
Okay, and so really, I set up AADDS, and then this would probably be a

0:06:36.300000 --> 0:06:46.340000
member, then an actual B there, or close to it, okay?

0:06:46.340000 --> 0:06:51.620000
Member server, and then SMB is going to play in this playground, frankly,

0:06:51.620000 --> 0:06:53.040000
like it would on premises.

0:06:53.040000 --> 0:06:59.880000
Okay, for me, fine, I will tell you my issue with this, and it's not an

0:06:59.880000 --> 0:07:05.620000
issue per se, but it would be what keeps me from doing it, is that it's

0:07:05.620000 --> 0:07:07.480000
a lot of complication, right?

0:07:07.480000 --> 0:07:09.440000
There's a lot of moving parts with this.

0:07:09.440000 --> 0:07:14.360000
And it's not that hard to spin up a virtual machine, and use that virtual

0:07:14.360000 --> 0:07:16.160000
machine as a file server.

0:07:16.160000 --> 0:07:20.140000
You're not really, okay, you have to pay for a virtual machine, but you

0:07:20.140000 --> 0:07:23.580000
gotta pay for Azure ADDS as well.

0:07:23.580000 --> 0:07:28.820000
So keep that in mind, again, I hate to talk about something that I'm not

0:07:28.820000 --> 0:07:32.140000
fully behind, but that's just what it is.

0:07:32.140000 --> 0:07:34.780000
A lot of moving parts, if it seems like there's a lot of moving parts,

0:07:34.780000 --> 0:07:36.020000
it does to me too.

0:07:36.020000 --> 0:07:38.880000
I'm gonna tell you, I was gonna demonstrate this, but then as I was going

0:07:38.880000 --> 0:07:42.300000
through it, this is not a good demonstration.

0:07:42.300000 --> 0:07:46.980000
It would take too long, be too complex, and frankly, put everyone to sleep.

0:07:46.980000 --> 0:07:51.400000
So just be aware of that, okay, this is the process.

0:07:51.400000 --> 0:07:55.180000
I do wanna go ahead, now that I've hyped it up so much, I do wanna go

0:07:55.180000 --> 0:08:02.680000
ahead and take a quick look at Azure ADDS for file services, all right?

0:08:02.680000 --> 0:08:06.640000
Some of the things this integrates with Azure ADDS, and it does integrate

0:08:06.640000 --> 0:08:12.820000
directly with Active Directory on premises, however, on premises in preview.

0:08:12.820000 --> 0:08:17.400000
I could see when that comes out into general availability that would be

0:08:17.400000 --> 0:08:18.620000
potentially useful.

0:08:18.620000 --> 0:08:23.520000
You do have very granular permissions, and they go apply to SMB.

0:08:23.520000 --> 0:08:27.760000
However, you do still have the storage account key, and the storage account

0:08:27.760000 --> 0:08:31.520000
key is still going to give you super user access, in other words, if I

0:08:31.520000 --> 0:08:34.020000
have the storage account key, I have access to everything; permissions

0:08:34.020000 --> 0:08:36.260000
don't matter, okay?

0:08:36.260000 --> 0:08:39.240000
As far as setting it up, once you've got it set up, once you're connected

0:08:39.240000 --> 0:08:41.440000
to it, it's gonna act just like a share.

0:08:41.440000 --> 0:08:47.520000
You can set permissions through Windows Explorer, through icacls, or through

0:08:47.520000 --> 0:08:55.080000
Set-Acl, okay? And permissions are preserved on file copies, so File Sync,

0:08:55.080000 --> 0:08:57.660000
any movement to tools like Robocopy.

0:08:57.660000 --> 0:09:01.380000
Those are all things that, you know, good to know about it.

0:09:01.380000 --> 0:09:06.480000
Again, not necessarily my favorite topic, but it does exist, and it may

0:09:06.480000 --> 0:09:09.780000
be something that you have a use case for.