We have an SMB share set up in Azure.
Our infrastructure has an on-prem AD which synchronises with Azure AD and then there is an AADDS domain within Azure which has a copy of the user accounts.
If I log onto a computer within the AADDS domain as a user who has IAM read/write access to the SMB share, then it can be opened. If I try to access it from a computer in the on-prem domain as that same user, then it gives access denied. I can be logged onto my computer from the on-prem domain and access it as myself, so I was assuming it would work for others, but this doesn't seem to be the case.
On the AADDS domain I ran a script like the one below in order to create an account in the Active Directory. I suspect it could be because the account doesn't exist on-prem? The thing is, how would I go about getting both domains to be able to access the SMB share without affecting what is already in place on AADDS?
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser
Import-Module -Name AzFilesHybrid
Connect-AzAccount
$subscriptionId = "<SUBID>"
$resourceGroupName = "<RESOURCEGROUP>"
$storageAccountName = "<STORAGEACCT>"
Select-AzSubscription $subscriptionId
# Creates (or overwrites) the AD object for the storage account in the given OU and
# enables AD DS authentication on the storage account
Join-AzStorageAccountForAuth -ResourceGroupName $resourceGroupName -StorageAccountName $storageAccountName -DomainAccountType ServiceLogonAccount -OrganizationalUnitDistinguishedName "<OU_DN>" -OverwriteExistingADObject
BACKGROUND:
After more testing, it seems that there isn't a way to have authentication work on two domains simultaneously against the same storage account. The reason why we require this is that the WVD app references a mapped drive. The users need to be able to transfer files to the same mapping from their local on-prem AD-joined computers.
I looked into ways around this, such as seeing if there is a way to publish File Explorer as an app, but can't seem to do that. If there were a file browser utility that came with the RD Client, it would be perfect.
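An added diagnostic (not part of the original post, and not Microsoft's own tooling) that reads which directory service the storage account is joined to and compares it with the domain of the current Windows session, which is the check that explains the "works from AADDS, access denied from on-prem" symptom above. The resource group and storage account names are placeholders; `Get-AzStorageAccount` and its `AzureFilesIdentityBasedAuth` property are from the Az.Storage module, and `Debug-AzStorageAccountAuth` is from AzFilesHybrid.

```powershell
# Constructed placeholders, replace with your own values
$resourceGroupName  = "<RESOURCEGROUP>"
$storageAccountName = "<STORAGEACCT>"

Import-Module Az.Storage
Import-Module AzFilesHybrid
Connect-AzAccount | Out-Null

function Get-ShareDomainMismatch {
    param([string]$ResourceGroupName, [string]$StorageAccountName)

    $sa   = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName
    $auth = $sa.AzureFilesIdentityBasedAuth

    # A storage account is joined to exactly one directory service:
    # None, AADDS or AD. There is no setting that lists two domains.
    $joinedService = [string]$auth.DirectoryServiceOptions
    $joinedDomain  = if ($joinedService -eq 'AD') { $auth.ActiveDirectoryProperties.DomainName } else { $joinedService }

    # Domain that issued the Kerberos identity of this interactive session
    $sessionDomain = $env:USERDNSDOMAIN

    # The share only accepts Kerberos tickets from the directory it is joined to,
    # so a session from any other domain is refused before share ACLs are evaluated.
    [pscustomobject]@{
        JoinedService  = $joinedService
        JoinedDomain   = $joinedDomain
        SessionDomain  = $sessionDomain
        LikelyMismatch = ($joinedService -eq 'AD' -and $sessionDomain -ne $joinedDomain) -or
                         ($joinedService -ne 'AD')
    }
}

$result = Get-ShareDomainMismatch -ResourceGroupName $resourceGroupName -StorageAccountName $storageAccountName
$result | Format-List

if ($result.LikelyMismatch) {
    Write-Warning "This session's domain ($($result.SessionDomain)) is not the directory the share is joined to ($($result.JoinedDomain)); expect access denied over SMB."
}

# Microsoft's own checker from AzFilesHybrid: confirms port 445 reachability, the
# account's AD object, and whether a Kerberos ticket for the share can be obtained.
Debug-AzStorageAccountAuth -StorageAccountName $storageAccountName -ResourceGroupName $resourceGroupName -Verbose
```

Run it once on an AADDS-joined machine and once on an on-prem-joined machine with the same user; the two `SessionDomain` values against the single `JoinedDomain` show why only one of them is accepted.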
0 Answers