Hi Eddie_d4,
Sumanth's answer is very close to correct - the subtlety that your point out is that you can use NTLMv2 to send AD credentials with Windows file server. In this particular scenario, this is not currently a supported scenario because Azure Files does not have
the ability to talk back to your domain controller as a Windows Server would.
I would strongly discourage you from pursuing this scenario simply because NTLMv2 is not a secure protocol. There are well documented attacks, such as "pass-the-hash" attacks, that NTLMv2 is vulnerable to. Kerberos is our recommended authentication
protocol for SMB.
In general, when I talk to customers who are exploring this, its because they're trying to prevent their clients from having two VPN connections: one to the on-premises network and one to Azure. Aside from customers who insist on using full tunnel VPNs, I have
yet to hear a satisfying explanation for why this is a goal. If you have one - I would seriously like to hear about it.
As a mitigation, one easy thing to consider is put a domain controller in an Azure VM. Doing this allows your client to have a single VPN connection to Azure, but still be able to talk to a domain controller.
I'm implicitly assuming you have at least one VPN connection to Azure, because you *should not* assume that because you are able to mount a file share over SMB from your office or with your ISP that all of your users will be able to. Most ISPs block port 445.
Unless your users are all accessing from a network you control, or you're all on the same ISP and working from somewhere else (a different home, from a hotel, etc.), you should not assume port 445 will be open.
Please don't hesitate to reach out if you have any further questions. You can reach us at AzureFiles@microsoft.com.
Thanks,
Will Gries
Program Manager, Azure Files
AD Authentication - Azure files over the Internet
