Identity-based access continually reverts to "Unconfigured" in Azure Files. Why?

MRH JSolis 0 Reputation points
2026-04-20T17:34:08.5766667+00:00

I have an Azure Storage account and in that account I have a File Share where I'm trying to enable "Identity-based access" using Entra Domain Services. However, every time I enable Entra DS on the File Share the setting shows "Configured" for a few minutes and then switches back to "Unconfigured". There are no errors. It just flips back to "Unconfigured". I have checked my Entra DS configuration in Entra ID and everything looks good there. I'm just not sure why setting this seems to work, but then it reverts back after a few minutes. Anyone seen this who can offer some advice?

Here are screenshots of the procedure:

First, as you can see, "Identity-based access" is not configured.

I click on where it says "Not configured", then choose "Entra Domain Services", check the "Enable Microsoft Entra Domain Services..." checkbox and click "Save".

Back at the 'Overview' screen for my Azure File Share I now see that it shows "Configured". That is great and should allow me to mount that file share to a Windows Server VM that I have in this environment and set file/folder level permissions.

Except that within a few minutes, it switches back to "Unconfigured". No error messages. No clues as to why it switched back.

1 answer

  1. Ganesh Patapati 11,990 Reputation points Microsoft External Staff Moderator
    2026-04-23T19:21:03.07+00:00

    Hello MRH JSolis,

    Check the Activity Log for a failed join operation.

    • Go to your storage account’s Monitoring → Activity log and filter on the “Enable identity-based access” operation.
    • Look for any failed entries (even ones without a portal error) – they often include an HTTP status or error code that will tell you exactly what went wrong.

    Microsoft Entra Domain Services: Cloud-based VMs that are joined to Microsoft Entra Domain Services can access Azure file shares with Microsoft Entra credentials. In this solution, Microsoft Entra ID runs a traditional Windows Server AD domain that is a child of the customer's Microsoft Entra tenant. See the prerequisites.

    You need the following minimum prerequisites. Without these prerequisites, you can't authenticate by using Microsoft Entra ID.

    Your Azure storage account can't authenticate with both Entra ID and a second method like AD DS or Microsoft Entra Domain Services. If you already chose another identity source for your storage account, you must disable it before enabling Microsoft Entra Kerberos.

    If you want to authenticate hybrid identities, you also need AD DS and either Microsoft Entra Connect Sync or Microsoft Entra Cloud Sync. You must create these accounts in Active Directory and sync them to Entra ID. To assign Azure Role-Based Access Control (RBAC) permissions for the Azure file share to a user group, you must create the group in Active Directory and sync it to Entra ID. This requirement doesn't apply to cloud-only identities.

    • The WinHTTP Web Proxy Auto-Discovery Service (WinHttpAutoProxySvc) is required, and must be in the running state. For security reasons, you can optionally disable Web Proxy Auto-Discovery (WPAD) via registry keys. However, you shouldn't disable the entire WinHttpAutoProxySvc service, as it is responsible for a host of other functionalities, including Kerberos Key Distribution Center Proxy (KDC Proxy) requests.
    • The IP Helper service (iphlpsvc) is required, and must be in the running state.
    • The Entra Domain Services directory must have password hash synchronization enabled.
    • You must disable multifactor authentication (MFA) on the Entra app representing the storage account. For instructions, see Disable multifactor authentication on the storage account.

    If you have application management policies that block symmetric key addition on service principals, or that restrict service principal symmetric key lifetime to a value less than 366 days, you will need to adjust the policy or grant an exception for the "Storage Resource Provider" service (app ID a6aa9161-5291-40bb-8c5c-923b567bee3b). If using the Entra Admin Center, these policies are defined in the "Block password addition" and "Restrict max password lifetime" settings. If using the Graph API, these policies are defined in symmetricKeyAddition and symmetricKeyLifetime restrictions on servicePrincipalRestrictions.passwordCredentials.

    This feature currently doesn't support cross-tenant access for B2B users or guest users. Users from an Entra tenant other than the one configured won't be able to access the file share.

    With Microsoft Entra Kerberos, the Kerberos ticket encryption is always AES-256. But you can set the SMB channel encryption that best fits your needs.

    Azure Files SMB support for external identities is currently limited to FSLogix scenarios running on Azure Virtual Desktop. This support applies to external users invited to a Microsoft Entra ID tenant in the public cloud, with the exception of cross-cloud users (those invited into the tenant from Azure Government or Azure operated by 21Vianet). Government cloud scenarios aren't supported. Scenarios not involving Azure Virtual Desktop aren't supported for business-to-business guest users or users from other Entra tenants.

    I hope this has been helpful!

    If the above is unclear or you are unsure about something, please add a comment below.
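The Activity Log check suggested in the answer, scripted with Az PowerShell as an added example (not code from the question, the answer, or Microsoft). It assumes the Az.Accounts, Az.Storage and Az.Monitor modules are installed, that Connect-AzAccount has been run, and that the resource group and storage account names are supplied as parameters; the "Enable identity-based access" operation name is taken from the answer above.

```powershell
# Added diagnostic script: shows the current identity-based auth state of the
# storage account and lists Activity Log entries for it, failed ones first.
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,   # placeholder: your RG
    [Parameter(Mandatory)] [string] $StorageAccountName,  # placeholder: your account
    [int] $LookbackHours = 24
)

# 1. Current state of what the portal shows as "Identity-based access".
#    DirectoryServiceOptions is AADDS for Entra Domain Services, AD for AD DS,
#    AADKERB for Entra Kerberos, or None/empty when unconfigured.
$sa   = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName
$opts = $sa.AzureFilesIdentityBasedAuth.DirectoryServiceOptions
if ([string]::IsNullOrEmpty($opts)) { $opts = 'None' }
Write-Host "Identity-based access on $($sa.StorageAccountName): $opts"

# 2. Activity Log for this resource. Every control-plane change to the account,
#    including a revert the portal does not explain, lands here with a caller
#    and an HTTP status; Properties.Content carries the code/message.
$start  = (Get-Date).AddHours(-$LookbackHours)
$events = Get-AzActivityLog -ResourceId $sa.Id -StartTime $start -EndTime (Get-Date)

$report = foreach ($e in $events) {
    $content = $e.Properties.Content
    [pscustomobject]@{
        Time       = $e.EventTimestamp
        Operation  = $e.OperationName.LocalizedValue   # e.g. "Enable identity-based access"
        OpValue    = $e.OperationName.Value            # e.g. Microsoft.Storage/storageAccounts/write
        Status     = $e.Status.Value                   # Started / Succeeded / Failed
        Caller     = $e.Caller                         # user, SP or Azure service that made the change
        HttpStatus = if ($content) { $content['statusCode'] }    else { $null }
        Message    = if ($content) { $content['statusMessage'] } else { $null }
    }
}

# Failed entries first; these usually carry the real error code.
$failed = $report | Where-Object Status -eq 'Failed'
if ($failed) {
    Write-Host "`nFailed operations in the last $LookbackHours h:"
    $failed | Format-List
} else {
    Write-Host "`nNo failed operations in the last $LookbackHours h."
}

# Then every write to the account, newest first, to see who changed the
# setting and when it flipped back.
Write-Host "`nWrites to the storage account (newest first):"
$report | Where-Object { $_.OpValue -like 'Microsoft.Storage/storageAccounts/*' } |
    Sort-Object Time -Descending |
    Format-Table Time, Operation, Status, Caller, HttpStatus -AutoSize
```

A write with a Caller you do not recognise, or a Succeeded write that follows your own change by a few minutes, points at whatever is reverting the setting (for example another deployment or policy remediation writing the account).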
