I'm connecting to an Azure Storage Account from a device using Azure Active Directory with Single Sign-On through a Kerberos ticket, and it works seamlessly. However, whenever things are this easy, I wonder if I'm overlooking best practices. Normally, I'd access on-premises shares via VPN, requiring multi-factor authentication and a compliant device. How are you all managing access? Do you permit public access to Azure Files? Is it considered safe?
3 Answers
I personally don't allow any public access to Azure Files. We use private endpoints only, so access is strictly through Azure compute, which is secured through various measures, or from our campus network via VPN.
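An added example (not code from any poster in this thread): a small Python audit of the JSON that `az storage account show` returns, checking the private-endpoint-only posture described above, plus AAD Kerberos and TLS settings. The account JSON below is constructed and trimmed to the fields the audit reads; the private endpoint resource id is a placeholder.

```python
import json

# Constructed sample shaped like `az storage account show` output (only the
# fields the audit reads). Two settings are deliberately weak so the audit
# reports them: public network access is on and the default rule is Allow.
SAMPLE_ACCOUNT_JSON = """
{
  "name": "examplefiles001",
  "publicNetworkAccess": "Enabled",
  "minimumTlsVersion": "TLS1_2",
  "networkRuleSet": {"defaultAction": "Allow", "ipRules": [],
                     "virtualNetworkRules": [], "bypass": "AzureServices"},
  "privateEndpointConnections": [
    {"privateLinkServiceConnectionState": {"status": "Approved"},
     "privateEndpoint": {"id": "/subscriptions/<sub-id>/resourceGroups/rg-files/providers/Microsoft.Network/privateEndpoints/pe-files"}}
  ],
  "azureFilesIdentityBasedAuthentication": {"directoryServiceOptions": "AADKERB"}
}
"""


def audit_storage_account(account: dict) -> list[str]:
    """Return findings; an empty list means the account matches the posture
    'private endpoints only, AAD Kerberos for SMB, TLS 1.2 minimum'."""
    findings = []
    if account.get("publicNetworkAccess") != "Disabled":
        findings.append("publicNetworkAccess is not Disabled: SMB/445 is reachable from the internet")
    rules = account.get("networkRuleSet", {})
    if rules.get("defaultAction") != "Deny":
        findings.append("networkRuleSet.defaultAction is not Deny: firewall rules are not fail-closed")
    approved = [c for c in account.get("privateEndpointConnections", [])
                if c.get("privateLinkServiceConnectionState", {}).get("status") == "Approved"]
    if not approved:
        findings.append("no approved private endpoint connection: private-only access is impossible")
    if account.get("minimumTlsVersion") != "TLS1_2":
        findings.append("minimumTlsVersion is below TLS1_2")
    ds = account.get("azureFilesIdentityBasedAuthentication", {}).get("directoryServiceOptions")
    if ds != "AADKERB":
        findings.append(f"directoryServiceOptions is {ds!r}, not AADKERB: Entra Kerberos SSO is not configured")
    return findings


def audit_json(text: str) -> list[str]:
    """Convenience wrapper for raw CLI output (e.g. piped from `az storage account show`)."""
    return audit_storage_account(json.loads(text))


if __name__ == "__main__":
    for finding in audit_json(SAMPLE_ACCOUNT_JSON):
        print("FINDING:", finding)
```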
Are you connecting using SMB over QUIC (port 443 with certificates) and KDC Proxy, or just standard SMB (port 445)? I’ve had concerns about security with both methods, but QUIC seems to be Microsoft's approach for secure Azure File share access. We're still evaluating it for our VPN-less file share access to ensure we don't expose anything unnecessarily, especially with KDC Proxy risks and concerns about Kerberoasting that our CISO raised. I’m really hoping to gather more insights from this thread!
For now, I'm using straight SMB. I believe Microsoft's idea is that Kerberos tickets should only be issued from company-owned devices, meaning MFA is enforced when using Windows Hello for Business at logon.
You could always simplify things by configuring a conditional access policy that targets specific named locations.

Can you actually set up QUIC on a storage account?