Questions About Kerberos Authentication with Azure Files for Azure AD Joined Devices

Asked By CuriousCat42 On

I'm trying to set up Azure Files with Kerberos authentication using Intune, but it's not functioning as I hoped. My users are coming from an on-premises Active Directory and are synchronized to Microsoft Entra ID as hybrid users, while the devices are only Azure AD Joined (not domain joined). The goal is to access Azure Files without requiring users to input a username or password, relying on Kerberos Single Sign-On (SSO). However, when I attempt to map the file share, Windows prompts for credentials or shows system error 86, indicating that Kerberos might not be in use. I've found mixed information about the necessity of being Domain Joined or Hybrid Azure AD Joined. Microsoft documentation states that clients should be Microsoft Entra joined or hybrid joined, not just bound to Microsoft Entra Domain Services or Active Directory alone. I would like to know if, for hybrid users, Azure Files Kerberos specifically requires Hybrid Azure AD Joined devices, or if Azure AD Joined devices can successfully work in this scenario. Has anyone else achieved Azure Files Kerberos SSO with just Azure AD Joined devices?

1 Answer

Answered By TechGuru88 On

From what I've seen, you should not need to be domain joined to use Azure Files with Kerberos; Azure AD joined devices can work just fine. Azure AD is supposed to issue the Kerberos ticket, so there shouldn't be any requirement for an on-prem computer account. Just keep in mind that there could be other factors at play, so maybe check your logs for more details on the error you're experiencing.

NetworkNinja23 -

Yeah, without more details about the setup, it's hard to troubleshoot. Sometimes, basic configurations can have unexpected issues.
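One way to gather the details the replies above ask for, as an added example that is not part of the original thread: a read-only PowerShell check of the client state that Microsoft Entra Kerberos for Azure Files depends on. It assumes the public-cloud suffix `file.core.windows.net`, checks only the registry location documented for setting `CloudKerberosTicketRetrievalEnabled` by hand, and uses a placeholder storage account name.

```powershell
# Added example, not from the original thread. Read-only client-side checks.
function Test-AzureFilesKerberosClient {
    param(
        [Parameter(Mandatory)] [string] $StorageAccount,   # account name only (caller-supplied)
        [string[]] $DsRegLines = (dsregcmd.exe /status)    # or pass previously captured output
    )

    # Parse "Key : Value" lines from dsregcmd /status into a lookup table.
    $state = @{}
    foreach ($line in $DsRegLines) {
        if ($line -match '^\s*(\w+)\s*:\s*(\S.*?)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }

    $findings = [System.Collections.Generic.List[string]]::new()
    if ($state['AzureAdJoined'] -ne 'YES') { $findings.Add('Device does not report AzureAdJoined : YES.') }
    if ($state['AzureAdPrt'] -ne 'YES')    { $findings.Add('No Primary Refresh Token (AzureAdPrt) for this user session.') }
    # CloudTgt is only reported by newer Windows builds, so flag it only when present.
    if ($state.ContainsKey('CloudTgt') -and $state['CloudTgt'] -ne 'YES') {
        $findings.Add('No cloud TGT was obtained at sign-in (CloudTgt).')
    }

    # Registry location documented for enabling cloud TGT retrieval by hand;
    # a value delivered by policy may be stored under a different key.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    $prop = Get-ItemProperty -Path $key -Name CloudKerberosTicketRetrievalEnabled -ErrorAction SilentlyContinue
    if (-not $prop -or $prop.CloudKerberosTicketRetrievalEnabled -ne 1) {
        $findings.Add("CloudKerberosTicketRetrievalEnabled is not set to 1 under $key.")
    }

    # Request a service ticket for the share (public-cloud suffix assumed).
    $spn   = 'cifs/{0}.file.core.windows.net' -f $StorageAccount
    $klist = (klist.exe get $spn 2>&1 | Out-String)
    if ($klist -notmatch ('Server:\s+' + [regex]::Escape($spn))) {
        $findings.Add("No Kerberos service ticket returned for $spn. klist output:`n$klist")
    }

    if ($findings.Count -eq 0) { 'All client-side checks passed.' } else { $findings }
}

Test-AzureFilesKerberosClient -StorageAccount 'examplestorageacct'   # placeholder name
```

Run it as the affected user on the affected device; an empty findings list points the investigation at the storage account or identity configuration instead of the client.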
