Mapping an Azure File Share as a Network Drive


Introduction

This article describes how to map a Microsoft Azure file share as a network drive on your local computer. To use this functionality, you must:

  • Be an organizational unit (OU) administrator or departmental IT administrator with the appropriate permissions across multiple services: Azure, Active Directory, PowerShell, etc.
  • Be joined to the Central Services domain or a domain with an appropriate trust relationship with the Central Services domain.
  • Have an Azure subscription associated with your Hokies account.
  • Be on the Virginia Tech network, either directly or through Virginia Tech’s virtual private network (VPN) using Pulse Secure.
  • Use your Hokies account. Local accounts cannot be used because they cannot authenticate against Virginia Tech’s Azure Active Directory (AAD). For technical details and supported scenarios, see https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-enable.

 

The steps below include instructions for these requirements. If you have questions or concerns about this process, it is recommended that you open a consultation using the Cloud Consultation Service Catalog entry.

Instructions

  1. If you do not have an Azure subscription, you must obtain one using the following Service Catalog entry: Access to AWS, Azure, or GCP.
  2. If your computer is not joined to the Central Services domain (cntrlsrvs) or to a domain that has a trust relationship with the VT Active Directory forest, follow the directions for adding your computer at Central Services Domain Organizational Units.
  3. If you are not on the Virginia Tech network (i.e., working remotely), use the instructions for accessing Virginia Tech's Virtual Private Network (VPN).
  4. Create an Azure storage account and file share using the instructions at https://learn.microsoft.com/en-us/azure/storage/files/storage-how-to-create-file-share?tabs=azure-portal
  5. Download the PowerShell script, Join-AzStorageAccount, located at https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-enable. The script has the following comment at the first line. Additional instructions and details can also be found at that same link.

    # Change the execution policy to unblock importing AzFilesHybrid.psm1 module

  6. Make the following edits to the variables in the script:
    • $SubscriptionID: target Azure subscription ID
    • $ResourceGroupName: target Azure resource group name
    • $StorageAccountName: target Azure storage account name
    • $SamAccountName: desired AD computer object name
    • $DomainAccountType: “ComputerAccount” is recommended for AES256 encryption support
    • $OuDistinguishedName: desired AD OU for computer object creation
    • $EncryptionType: “AES256” is recommended
  7. Make the following edit to the Join-AzStorageAccount function call in the script: explicitly pass the “Domain” parameter, set to the domain in which the AD computer object is to be created. For example (cntrlsrvs.w2k.vt.edu):

    Join-AzStorageAccount `
       -ResourceGroupName $ResourceGroupName `
       -StorageAccountName $StorageAccountName `
       -SamAccountName $SamAccountName `
       -DomainAccountType $DomainAccountType `
       -Domain "cntrlsrvs.w2k.vt.edu" `
       -OrganizationalUnitDistinguishedName $OuDistinguishedName `
       -EncryptionType $EncryptionType

  8. The script requires .NET Framework 4.7.2 and Azure PowerShell modules to be installed.  Download and extract a copy of the latest Azure Files PowerShell scripts from https://github.com/Azure-Samples/azure-files-samples/releases. The script and these modules must be in the same directory. The installation of the Azure PowerShell modules requires a local administrator account.
  9. Execute the script. The account being used to run the script needs permission to create a computer object in the target domain. For the Central Services domain, contact your organizational unit (OU) admin. For a trusted domain, contact that domain’s administrator.
  10. Provision user access to the Azure file share in the Azure portal.
  11. Map the network drive using the file share resource URL and valid Hokies credentials.
  12. Review Azure billing at https://learn.microsoft.com/en-us/azure/storage/files/understanding-billing?source=recommendations
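
The following PowerShell is an added example, not part of the original article or of Microsoft's script. It checks the result of steps 9 through 11: that the storage account reports the AD DS join, that the AD computer object advertises AES256, and that SMB is reachable before the drive is mapped. It assumes the Az.Storage and ActiveDirectory (RSAT) modules are installed, Connect-AzAccount has already been run, you are signed in to Windows with your Hokies account, and the public Azure endpoint suffix file.core.windows.net applies; $ShareName, $ExpectedDomain and $DriveLetter are hypothetical variables and all bracketed values are placeholders.

```powershell
# Added example: post-join checks for steps 9-11. Bracketed values are placeholders.
# Assumes Az.Storage + ActiveDirectory modules and an existing Connect-AzAccount session.
$ResourceGroupName  = '<resource-group>'
$StorageAccountName = '<storage-account>'
$SamAccountName     = '<ad-computer-object-name>'
$ShareName          = '<file-share>'            # hypothetical variable, not in the original script
$ExpectedDomain     = 'cntrlsrvs.w2k.vt.edu'    # domain passed to -Domain in step 7
$DriveLetter        = 'Z'                       # assumption: Z: is unused on this computer

# 1. The storage account should report AD DS as its identity source for Azure Files.
$account = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName
$auth    = $account.AzureFilesIdentityBasedAuth
if ($auth.DirectoryServiceOptions -ne 'AD') {
    throw "Storage account is not AD DS joined (DirectoryServiceOptions = '$($auth.DirectoryServiceOptions)')."
}
if ($auth.ActiveDirectoryProperties.DomainName -ne $ExpectedDomain) {
    throw "Joined to '$($auth.ActiveDirectoryProperties.DomainName)', expected '$ExpectedDomain'."
}

# 2. The AD computer object should advertise AES256 (bit 0x10); RC4 (bit 0x04) should be off.
$computer = Get-ADComputer -Identity $SamAccountName -Server $ExpectedDomain -Properties 'msDS-SupportedEncryptionTypes'
$encTypes = [int]$computer.'msDS-SupportedEncryptionTypes'   # an unset attribute becomes 0
if (-not ($encTypes -band 0x10)) { throw "AES256 is not enabled on $SamAccountName (value $encTypes)." }
if ($encTypes -band 0x04)        { Write-Warning "RC4 is still enabled on $SamAccountName (value $encTypes)." }

# 3. SMB (TCP 445) must be reachable from the campus network or VPN before mapping.
$fileHost = "$StorageAccountName.file.core.windows.net"
$probe    = Test-NetConnection -ComputerName $fileHost -Port 445 -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) { throw "Cannot reach ${fileHost}:445. Check the network or VPN connection." }

# 4. Map the share using the signed-in domain identity (Kerberos); no storage key is supplied.
New-PSDrive -Name $DriveLetter -PSProvider FileSystem -Root "\\$fileHost\$ShareName" -Persist -Scope Global
```

A failure in check 1 or 2 points back to the script edits in steps 6 and 7; a failure in check 3 points to the network requirement in step 3.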