
Azure Files Entra-Only Authentication: What It Means for AVD and Cloud-Native Identity

  • Writer: Alex Durrant


Microsoft just made Entra-Only identities for Azure Files SMB generally available, and for anyone working in the Azure Virtual Desktop or cloud infrastructure space, this quietly removes a blocker you've probably worked around dozens of times.


What's Actually Changed?

For years, getting identity-based access to Azure Files meant maintaining legacy infrastructure:

  • On-premises Active Directory with domain controllers

  • Entra Domain Services (managed AD in Azure)

  • Entra Kerberos with hybrid identities synced via Entra Connect


Now? Azure Files authenticates SMB clients directly using cloud-only Entra ID identities. No domain controllers, no sync jobs, no managed domains. Just cloud identity talking to cloud storage over SMB.


How Entra-Only identities work with Azure Files

The protocol hasn't changed. It's still SMB. The difference is that Kerberos tickets now come from Entra ID rather than a traditional domain controller. Users mount file shares exactly as before, but your infrastructure just got considerably simpler.


Why This Matters for AVD

If you're running Azure Virtual Desktop, this is where it gets interesting.


FSLogix profiles, fully cloud-native:

  • Profile containers on Azure Files accessed with pure Entra identities

  • Session hosts can be Entra-joined only

  • Users can be cloud-only

  • Zero Windows Server infrastructure for profiles


We've been saying AVD is cloud-native for ages, but there's always been that asterisk. The profiles lived in Azure Files, but you still needed identity infrastructure that looked suspiciously like the old world. That asterisk just got considerably smaller.


B2B support has specific limitations. Azure Files SMB support for external identities is currently limited to FSLogix scenarios running on Azure Virtual Desktop, applying to external users invited to an Entra tenant in the public cloud (excluding cross-cloud users). Government cloud scenarios and non-AVD scenarios aren't currently supported for B2B guest users.


What It Looks Like in Practice

Permissions management:

  • Share-level permissions configured via Azure RBAC

  • File-level permissions use NTFS ACLs

  • For hybrid identities: configure directory and file-level permissions through Azure portal (requires domain name and GUID) or icacls

  • For cloud-only identities (preview): currently limited to default share-level permissions for all authenticated identities (Watch this space, Microsoft are looking to bring in functionality to update NTFS permissions within the portal itself!)
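The two-layer model above, worked through in Azure PowerShell and icacls as an added example (not code from the original post): the storage account is switched to Entra Kerberos, the share-level grant goes through Azure RBAC scoped to one share, and the file-level grant goes through NTFS ACLs after mounting. Resource group, account, share, group ID and the CONTOSO\AVD-Users principal are placeholders; the cmdlets and parameters are the public Az.Storage / Az.Resources ones.

```powershell
# Placeholders: replace with your own values.
$rg      = 'rg-avd-profiles'
$account = 'stavdprofiles01'
$share   = 'fslogix'
$groupId = '00000000-0000-0000-0000-000000000000'   # object ID of the Entra group holding AVD users

# 1. Enable Entra Kerberos on the storage account. Hybrid identities also need
#    -ActiveDirectoryDomainName and -ActiveDirectoryDomainGuid; cloud-only identities omit them.
Set-AzStorageAccount -ResourceGroupName $rg -Name $account `
    -EnableAzureActiveDirectoryKerberosForFile $true

# Verify: DirectoryServiceOptions should now read AADKERB.
(Get-AzStorageAccount -ResourceGroupName $rg -Name $account).AzureFilesIdentityBasedAuth

# 2. Share-level permission (first layer) via Azure RBAC. Scope the assignment to the
#    single share rather than the whole account so the grant stays least-privilege.
$sub   = (Get-AzContext).Subscription.Id
$scope = "/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.Storage" +
         "/storageAccounts/$account/fileServices/default/fileshares/$share"
New-AzRoleAssignment -ObjectId $groupId `
    -RoleDefinitionName 'Storage File Data SMB Share Contributor' -Scope $scope

# Cloud-only identities (preview) cannot yet be granted per-principal share permissions,
# so the default share-level permission for all authenticated identities is set on the
# account instead (commented out here; it applies to every identity that can authenticate):
# Set-AzStorageAccount -ResourceGroupName $rg -Name $account `
#     -DefaultSharePermission StorageFileDataSmbShareContributor

# 3. File-level permission (second layer) via NTFS ACLs, hybrid identities only today.
#    Mount from a session host that already holds a Kerberos ticket, strip inheritance,
#    then apply an FSLogix-style root ACL: users can create their own profile folder
#    (Modify, this folder only) and CREATOR OWNER gets Modify on what they create, so
#    users cannot read each other's containers.
New-PSDrive -Name Z -PSProvider FileSystem -Root "\\$account.file.core.windows.net\$share" -Persist
icacls Z:\ /inheritance:r
icacls Z:\ /grant 'CONTOSO\AVD-Users:(M)'            # placeholder domain group
icacls Z:\ /grant 'CREATOR OWNER:(OI)(CI)(IO)(M)'
icacls Z:\ /grant 'SYSTEM:(OI)(CI)(F)'
icacls Z:\ /grant 'BUILTIN\Administrators:(OI)(CI)(F)'

# Verify the resulting ACL before handing the share to production users.
icacls Z:\
```

If the RBAC layer is missing, the mount fails before any NTFS ACL is evaluated; if the NTFS layer is missing, RBAC alone will expose every user's folder to every other share contributor.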


Authentication methods:

  • Windows Hello for Business

  • FIDO2 security keys

  • Passwordless sign-in

  • MFA support (note: MFA must be excluded from the storage account app itself)


The Practical Side

Reality check:

  • Two-layer permissions model remains (Azure RBAC + NTFS ACLs)

  • Years of nested groups and inherited permissions won't untangle themselves

  • Cloud-only identities support is currently in preview and limited to default share-level permissions

  • Available in Azure Public (cloud-only identities in select regions only), and in Azure US Gov and Azure China clouds for hybrid identities

  • Check documentation for regional availability


Hybrid coexistence: Cloud-native and hybrid identities can run side by side. Run both models during your transition, then retire the legacy bits when ready. No forklift replacement required.


Where This Fits

Microsoft's been chipping away at Windows infrastructure dependencies: Entra join, Intune management, Windows 365, now this. Each piece is incremental, but together they're adding up to something genuinely different.


It's not revolutionary. It's one less reason to keep domain controllers around, one less sync job to monitor, one less piece of infrastructure between users and their files.


Getting Started

For new AVD deployments: You can now genuinely architect the whole thing without Windows Server. Session hosts, storage, identity - all native Azure services.


For existing hybrid environments: You've got a migration path that doesn't require ripping everything out. Test thoroughly around permission inheritance and nested groups first.

If you're planning Azure Files or AVD work and want to talk through whether Entra-only authentication makes sense for your setup, get in touch. We've been working with these authentication models long enough to know where the edge cases live.


Learn More About Virtual Desktop Solutions

If you're evaluating virtual desktop options for your organisation, check out our comprehensive comparison guide:


We cover the key differences between AVD and Windows 365, when each makes sense, and how they can work together. Whether you're planning a new deployment or looking to optimise an existing environment, this guide breaks down what matters.


For more on HybrIT's virtual desktop services and how we help organisations design, deploy, and manage AVD and Windows 365 environments, visit hybrit.co.uk/vdi

