SMB Single-Sign-On with Azure AD Domain Services
Cloud-Centric with On-Prem Performance
Global file availability at LAN speeds. Worldwide Active Directory services manageable from a single site. These are some of the main benefits of the following cloud migration strategy:
- Migrate legacy on-prem file storage to Morro Data Global File Services and
- Migrate authentication to Azure Active Directory Domain Services (AAD DS)
Additionally, with Morro Data’s Azure AD DS integration, users can enjoy the benefits of fast SMB access with the convenience of Single-Sign-On (SSO).
Domain Services for the Cloud Era
Azure AD is designed for the cloud and is not meant for accessing on-prem resources or legacy applications running in Windows VMs on Azure. On-prem file sharing in a LAN environment, however, uses the SMB protocol and requires domain authentication. Microsoft’s Azure AD Domain Services extends AD Domain Services to Azure AD and enables
- AD-based authentication for SMB applications
- Consolidation of multiple on-prem domain controllers to the cloud
Which Authentication Modes for SMB SSO?
Morro Data supports Active Directory as well as Azure AD for user authentication. In the context of CacheDrive share access, the following table shows the three different types of organizations:
-
Azure AD
- organization that uses Microsoft 365
- user must login separately when access CacheDrive
-
Active Directory
- organization that uses on-prem or cloud-based domain controller
- user can access CacheDrive from a domain-joined PC with SSO
-
Azure AD Domain Services
- organization that uses cloud-based domain services
- user can access CacheDrive from a domain-joined PC with SSO
As you can see, AD and AAD DS function exactly the same when it comes to SMB access authorization.
The following table gives more details:
| Method | Morro
Auth Mode |
Windows Login | SSO | Notes |
| Azure AD | Azure AD | Azure AD | Manual credential sync
Need password for access |
Simple setup |
| Active Directory | Active Directory
(*1) |
domain-joined PC | SSO for share access | (*2) |
| Azure AD DS | Active Directory
(*1) |
domain-joined PC | SSO for share access | (*2) |
| Non domain-joined PC | Automatic credential sync
Need password for access |
For BYOD (bring-your-own-device) |
(*1) When configuring the Morro authentication mode, “Active Directory” should be used for both AD and Azure AD DS setups.
(*2) For SMB access, Microsoft does not support SSO using WHFB (Windows Hello for Business) yet.
SSO Requires Domain-Joined PC
In an Azure AD DS environment, the CacheDrive becomes a trusted server when it joins the domain. When a user signs in to a domain-joined Windows PC, it also establishes a trust relation between the PC user and the domain. The combination of the above trust relations allow SSO access to the shares on the CacheDrive.
These diagrams illustrate the two Windows login scenarios with Azure AD DS.
Steps for Authentication with AAD DS
Enabling CacheDrive access using Azure AD DS with SSO involves the following steps:
- Set up the Azure AD Domain Services.
- AAD DS is created by syncing the directory from AAD to AAD DS.
- Join the Windows PC to the Azure AD Domain Services
- Join the Morro Data CacheDrive to the Azure AD Domain Services
For the details of the above steps, please see the Best Practice Guide.
Did You Know
Azure Active Directory
Azure Active Directory (Azure AD) is a cloud-based identity and access management service. With Azure AD, employees can access internal and external resources, including Microsoft 365, the Azure portal, and SaaS applications.
Azure Active Directory Domain Services
Azure Active Directory Domain Services (AAD DS) provides managed domain services. There is no need to deploy domain controllers in the cloud when users use domain join, group policy, LDAP, and Kerberos/NTLM authentication.