
Azure Files Entra-Only identities: Advancing cloud-native identity and security

We’re thrilled to announce that Entra-Only identities for Azure Files SMB are now generally available. Azure Files SMB now supports native Microsoft Entra ID authentication, so organisations can grant secure, identity-based access to SMB file shares using only cloud-native identities, with no on-premises directory in the path.

This new approach means there’s no need for Active Directory, hybrid sync, or managed domain controllers. It dramatically simplifies architecture and lowers ongoing management and maintenance costs. By adopting Entra-Only identities, Azure Files provides a seamless, modern identity experience, establishing a best-in-class standard for secure and comprehensive cloud-native access.

Many businesses moving to Azure Files have been blocked by their dependence on on-premises Active Directory for authentication. Entra-Only identities remove this barrier: users and devices authenticate directly with Microsoft Entra ID. This shift helps modernise storage, compute, and identity management together, in line with Zero Trust principles.

Entra-Only identities also enable straightforward profile management for virtual desktop infrastructure (VDI) on Azure Files while maintaining modern security standards. Within Azure Virtual Desktop (AVD), built-in B2B support lets external partners use their existing identities with FSLogix profiles, with no duplicate accounts to create or manage.

For general-purpose workloads, this enables the migration of on-premises Windows-based workloads to a fully cloud-native platform, preserving native SMB compatibility while providing an integrated identity, security, and management experience. Users can access files from anywhere without domain setup, VPNs, or complicated networking configurations, provided the client can reach the share over TCP port 445 (SMB 3.x with encryption in transit). Altogether, these capabilities simplify operations and strengthen security.

Why choose Entra-Only identities with Azure Files?

  • Modern, cloud-native identity with simplified operations. Secure access to Azure Files through native Entra ID authentication, integrated with client-side Intune capabilities, simplifies identity lifecycle and compliance management.
  • Co-existence with hybrid identities. Organisations can use this feature alongside both hybrid and cloud-native identities as they phase out their Active Directory.
  • Secure access from anywhere. Users can access file shares from Entra-joined clients, supporting remote work without duplicating identities.
  • Extended support for macOS clients (currently in limited preview). Secure access is now available for modern macOS clients that are Entra-joined via Platform SSO, making it easier for creative teams to integrate with Azure Files using Entra-based identity.

What’s new with Entra-Only identities

  • Portal-based NTFS permissions management: Manage granular file and directory ACLs directly in the Azure portal for Entra-Only (and hybrid) users and groups, without domain-joined clients or legacy tools. This feature is now available to all users in every region.
  • Expanded RBAC support for secure authorisation: Share-level RBAC assignments to specific users and groups are now available for Entra-Only users and groups in selected regions. See the documentation for regional availability.

How Entra-Only identities work with Azure Files

Entra-Only identities use Microsoft Entra ID as the Kerberos Key Distribution Center (KDC) for SMB authentication. Clients obtain Kerberos tickets for cloud identities directly from Microsoft Entra ID, so no Active Directory domain controller or Entra Connect sync is required. The SMB protocol itself is unchanged for compatibility; Entra ID handles ticket issuance and identity validation.

Here’s how it works:

  1. When a user accesses a file share, the client requests a Kerberos service ticket for Azure Files from Entra ID.
  2. The ticket, which carries the cloud-based security identifiers (SIDs) used to evaluate permissions, is presented during SMB session setup.
  3. Azure Files validates the ticket and establishes the session. Authorisation is then enforced in two layers: share-level permissions (Azure RBAC) and file- and directory-level NTFS ACLs, both of which now cover Entra-Only users and groups. NTFS permissions can be managed directly in the Azure portal, with no dependence on domain-joined clients or legacy tools.

This method maintains Kerberos security while transferring identity control entirely to Entra, paving the way for smooth cloud-native file access.
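The "cloud-based SIDs" carried in the ticket are what end up in the NTFS ACLs, so a practitioner auditing a share needs to map them back to Entra objects. Entra ID issues SIDs under identifier authority 12 with sub-authority 1 (S-1-12-1-...), followed by the object ID's 16 bytes (in .NET Guid byte order) read as four little-endian 32-bit integers; on a client that cannot resolve them, tools such as icacls print them raw with a leading asterisk. The following is an added example, not code from the original announcement or from Microsoft. The ACL dump it parses is constructed for illustration, and the object IDs in it are made up:

```python
"""
Map Microsoft Entra cloud SIDs (S-1-12-1-...) to and from Entra object IDs and
classify the principals found in an NTFS ACL dump.

Added example, not part of the original announcement. It assumes the standard
cloud-SID layout: authority 12 (Microsoft Entra ID), sub-authority 1, then the
object ID's 16 bytes in .NET Guid byte order read as four little-endian uint32s.
"""
import re
import uuid

CLOUD_SID_PREFIX = "S-1-12-1-"
# On-premises AD domain SIDs: S-1-5-21-<domain triplet>-<RID>
ONPREM_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")

# Constructed sample in icacls continuation-line style (path prefix stripped).
# The object ID and AD domain SID are made up for this example.
SAMPLE_ACL_DUMP = """\
*S-1-12-1-1943430372-1241909382-712879273-3584398351:(OI)(CI)(M)
*S-1-5-21-1004336348-1177238915-682003330-1112:(OI)(CI)(RX)
BUILTIN\\Administrators:(OI)(CI)(F)
NT AUTHORITY\\SYSTEM:(OI)(CI)(F)
"""


def object_id_to_sid(object_id: str) -> str:
    """Convert an Entra object ID (GUID string) to its cloud SID."""
    b = uuid.UUID(object_id).bytes_le  # same byte order as .NET Guid.ToByteArray()
    subs = [int.from_bytes(b[i:i + 4], "little") for i in range(0, 16, 4)]
    return CLOUD_SID_PREFIX + "-".join(str(s) for s in subs)


def sid_to_object_id(sid: str) -> str:
    """Convert a cloud SID back to the Entra object ID it encodes."""
    if not sid.startswith(CLOUD_SID_PREFIX):
        raise ValueError(f"not a Microsoft Entra cloud SID: {sid}")
    parts = sid[len(CLOUD_SID_PREFIX):].split("-")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"cloud SID must end in four numeric sub-authorities: {sid}")
    b = b"".join(int(p).to_bytes(4, "little") for p in parts)
    return str(uuid.UUID(bytes_le=b))


def classify_principal(principal: str) -> str:
    """Label an ACE principal: Entra cloud SID, on-prem AD SID, other SID, or a resolved name."""
    sid = principal.lstrip("*")  # icacls prefixes unresolved SIDs with '*'
    if sid.startswith(CLOUD_SID_PREFIX):
        return "entra"
    if ONPREM_SID_RE.match(sid):
        return "ad"
    if sid.startswith("S-1-"):
        return "well-known"
    return "name"


def summarize_acl(dump: str) -> list[dict]:
    """Parse 'PRINCIPAL:(perms)' lines and resolve Entra SIDs to object IDs for lookup."""
    entries = []
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or ":(" not in line:
            continue
        principal, perms = line.split(":(", 1)
        kind = classify_principal(principal)
        entry = {"principal": principal, "kind": kind, "perms": "(" + perms, "object_id": None}
        if kind == "entra":
            # This object ID is what you look up in Entra ID to name the user or group.
            entry["object_id"] = sid_to_object_id(principal.lstrip("*"))
        entries.append(entry)
    return entries


if __name__ == "__main__":
    for e in summarize_acl(SAMPLE_ACL_DUMP):
        target = e["object_id"] or e["principal"]
        print(f"{e['kind']:<10} {e['perms']:<14} {target}")
```

The "ad" classification is the check worth running during a hybrid-to-Entra-Only migration: any S-1-5-21 ACE left on a share still depends on an on-premises SID and will stop resolving once Active Directory is retired, while S-1-12-1 ACEs remain valid because they encode the Entra object ID directly.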

Hero workloads modernised with Entra-Only identities

Re-imagining VDI deployments with Azure Files and Entra-Only identities

Entra-Only identities simplify and modernise VDI deployments with Azure Files by creating a fully cloud-native identity and storage system for user profile management. Within Azure Virtual Desktop (AVD), FSLogix profile containers can be stored on Azure Files Premium and accessed by Microsoft Entra-based users through Kerberos, ensuring secure and seamless SMB access.

Why does this matter?

  • It removes reliance on hybrid identity infrastructure.
  • It simplifies deployments.
  • It reduces operational overhead, especially for remote or distributed teams.

With Entra ID acting as the authentication authority, users can easily log in to virtual desktops and access profiles using cloud-native identities, enabling a complete single sign-on experience without any need for on-premises systems.

By implementing Entra-Only identity access with Azure Files, WTW has successfully delivered insurance applications to clients on AVD using their existing Entra identities. FSLogix profile containers, stored on Azure File Shares, guarantee that users experience a consistent profile across any AVD host. This solution eliminates the dependency on outdated domain controllers and file share infrastructure, creating a fully Entra-joined environment supported by AVD hosts and Azure File Shares—resulting in a more secure and streamlined architecture.

Gordon Griffin, Technical Director, Willis Towers Watson

B2B identities further broaden VDI scenarios by allowing external users to access desktops and load their profiles securely with existing identities. This combination provides organisations a consistent, scalable, and secure VDI experience while accelerating their transition to a fully cloud-native framework.

Entra-Only identities with Azure Files represent a significant advancement in simplifying and securing modern desktop and application environments. By enabling Kerberos-based access for Entra users, we deliver a genuinely cloud-native experience, with identity, computation, and storage all within Azure, while retaining seamless SMB compatibility. This significantly reduces deployment complexity and enables organisations to implement secure, scalable VDI and file access solutions more rapidly than ever.

Chuck Mikuzis, Product Manager, Nerdio

Simplifying file sharing for the modern workforce

Entra-Only identities enhance general file sharing and information worker collaboration. Access to shared folders is managed directly through Entra ID, allowing consistent, identity-driven access for distributed teams without requiring domain-joined devices or connections to on-premises systems.

This approach simplifies both onboarding and daily usage—new users can gain access via Entra groups, ensuring that permissions are uniformly enforced across different locations. Coupled with NTFS ACL portal support, organisations can maintain traditional file-level security while modernising their access strategies.

The outcomes are:

  • Faster onboarding timelines.
  • Reduced helpdesk demands.
  • Effortless collaboration across different regions.

Seamless cloud-native access for remote and distributed energy workforces

Entra-Only identities empower oil and gas companies to securely access vital data from remote locations without the complexities of a multi-domain/multi-forest Active Directory setup or hybrid systems. Engineers and geoscientists working in offshore rigs or exploration sites can authenticate directly with Entra ID and gain access to Azure Files, removing reliance on VPNs and enhancing reliability in areas with poor connectivity.

This strategy simplifies deployment and operations while sustaining enterprise-level security and compliance. In conjunction with support for thin clients and remote access, teams can collaborate in real-time on large datasets without managing scattered infrastructure.

Continued investments in Azure Files identity

Secure Entra-native application access with Managed Identities (GA)

Managed Identities integration brings Entra-native application access to Azure Files, eliminating the need for shared keys or secrets. Applications, virtual machines, and Azure services use Managed Identities with Entra-issued OAuth tokens to establish secure SMB sessions, reducing credential management headaches and simplifying access. This enhancement aids in streamlining DevOps operations and facilitates broader integration across Azure Kubernetes Service (AKS) and enterprise applications.

Bringing secure, cloud-native access to macOS workloads (limited preview)

Azure Files now supports secure access for macOS clients, enabling creative teams and educational institutions to work across operating systems. Designers and media professionals can authenticate directly with Entra ID and access SMB file shares, aligning Mac workflows with the enterprise-grade identity used organisation-wide.

What’s on the horizon for Azure Files Entra-Only Identities

Native NTFS ACL editing experience

We’re committed to enhancing the permissions management experience by enabling native editing of NTFS ACLs through familiar client functionalities. This closes a crucial gap between cloud and traditional file server environments, allowing administrators and users to manage detailed file and directory permissions using the same tools they currently rely on.

Adding support for sovereign cloud environments

We are working towards extending Entra-Only identities for Azure Files to sovereign cloud regions, allowing organisations in highly regulated sectors to embrace cloud-native identity solutions for SMB workloads. This opens up the benefits of SMB Kerberos-based authentication and centralised identity management while adhering to compliance and enterprise-grade regulatory standards.

Get started with Entra-Only identities and other Azure Files investments

Entra-Only identities for Azure Files SMB are now available on both HDD and SSD shares and under all billing models, at no extra cost. See our documentation for detailed guidance on preparing your workload.

For macOS platform questions, please register here. For other queries, feel free to contact us at [email protected].
