SMB SSO with Microsoft Entra (Azure AD) Domain Services
SMB Single-Sign-On with Microsoft Entra ID Domain Services (Azure AD Domain Services)
What Is Microsoft Entra Domain Services?
Microsoft Entra Domain Services (ME-ID DS), originally named Azure Active Directory (Azure AD), is a cloud-based identity and access management service. It empowers employees to access both internal and external resources seamlessly, including Microsoft 365, the Azure portal, and Software-as-a-Service (SaaS) applications.
In addition, Microsoft Entra Domain Services (ME-ID DS) offers managed domain services. This eliminates the necessity for deploying domain controllers in the cloud when users engage in domain join, utilize group policies, leverage LDAP, and employ Kerberos/NTLM authentication. ME-ID DS streamlines and simplifies domain-related functionalities, making it an efficient choice for organizations looking to manage their cloud-based and on-premises resources seamlessly.
Domain Services for the Cloud Era
Microsoft Entra Domain Services is designed for the cloud and is not meant for accessing on-prem resources or legacy applications running in Windows VMs on Azure. On-prem file sharing in a LAN environment, however, uses the SMB protocol and requires domain authentication. Microsoft Entra Domain Services (ME-ID DS) extends AD Domain Services to Microsoft Entra ID and enables
- AD-based authentication for SMB applications
- Consolidation of multiple on-prem domain controllers to the cloud
Cloud-Centric with On-Prem Performance
Global file availability at LAN speeds. Worldwide Active Directory services are manageable from a single site. These are some of the main benefits of the following cloud migration strategy:
- Migrate legacy on-prem file storage to Morro Data Global File Services: Seamlessly transition your legacy on-premises file storage to Morro Data Global File Services, ensuring that your files are accessible and perform at efficiency, regardless of location.
- Migrate authentication to Microsoft Entra Domain Services (ME-ID DS): By moving your authentication processes to Microsoft Entra Domain Services, you not only enhance security but also simplify user management on a global scale.
Additionally, with Morro Data’s Microsoft Entra Domain Services integration, users can enjoy the benefits of fast SMB access with the convenience of Single-Sign-On (SSO).
Which Authentication Modes for SMB SSO?
Morro Data supports Active Directory as well as Microsoft Entra ID for user authentication. In the context of CacheDrive share access, the following table shows the three different types of organizations:
-
Microsoft Entra ID (ME-ID)
- organization that uses Microsoft 365
- user must login separately when access CacheDrive
-
Active Directory
- organization that uses on-prem or cloud-based domain controller
- user can access CacheDrive from a domain-joined PC with SSO
-
Microsoft Entra Domain Services (ME-ID DS)
- organization that uses cloud-based domain services
- user can access CacheDrive from a domain-joined PC with SSO
As you can see, AD and ME-ID DS function exactly the same when it comes to SMB access authorization.
The following table gives more details:
| Method | Morro
Auth Mode |
Windows Login | SSO | Notes |
| ME-ID | ME-ID | ME-ID | Manual credential sync
Need password for access |
Simple setup |
| Active Directory | Active Directory
(*1) |
domain-joined PC | SSO for share access | (*2) |
| ME-ID DS | Active Directory
(*1) |
domain-joined PC | SSO for share access | (*2) |
| Non domain-joined PC | Automatic credential sync
Need password for access |
For BYOD (bring-your-own-device) |
(*1) When configuring the Morro authentication mode, “Active Directory” should be used for both AD and ME-ID DS setups.
(*2) For SMB access, Microsoft does not support SSO using WHFB (Windows Hello for Business) yet.
SSO Requires Domain-Joined PC
In a ME-ID DS environment, the CacheDrive becomes a trusted server when it joins the domain. When a user signs in to a domain-joined Windows PC, it also establishes a trust relation between the PC user and the domain. The combination of the above trust relations allow SSO access to the shares on the CacheDrive.
These diagrams illustrate the two Windows login scenarios with ME-ID DS.
Steps for Authentication with Microsoft Entra Domain Services
Enabling CacheDrive access using Microsoft Entra Domain Services with Single Sign-On (SSO) is a streamlined process that ensures secure and efficient authentication. Here are the steps involved in setting up this authentication method:
- Set up the Microsoft Entra Domain Services.
- ME-ID DS is created by syncing the directory from ME-ID to ME-ID DS.
- Join the Windows PC to the Microsoft Entra Domain Services
- Join the Morro Data CacheDrive to the Microsoft Entra Domain Services
For detailed instructions and best practices regarding each of these steps, refer to the Best Practice Guide. This guide offers configuration details and tips to ensure a smooth implementation of CacheDrive access using ME-ID DS with SSO.