What access is required for enabling Microsoft Entra Kerberos on storage account

Question

What access is required for enabling Microsoft Entra Kerberos on storage account

Ram 0

What access is needed for enabling Microsoft Entra Kerberos on storage account

Vinod Kumar Reddy Chilupuri 3,750 Reputation points Microsoft External Staff

2025-04-16T12:31:42.5866667+00:00
Hi Ram,

To enable Microsoft Entra Kerberos on an Azure storage account, you need to have appropriate access permissions. Specifically, you must have the "Storage Account Contributor" role or higher on the storage account. Additionally, ensure that your Azure Active Directory (AAD) is properly configured to support Kerberos authentication.

Azure Storage Account Permissions: You must have permissions to modify the Azure storage account settings.

Hybrid Identity Requirements: Microsoft Entra Kerberos authentication primarily supports hybrid identities (on-prem AD DS synced with Microsoft Entra ID). If the customer has cloud-only identities, this method may not be applicable.

Network Connectivity: The storage account must be able to communicate with domain controllers for Kerberos authentication, which may require VPN or ExpressRoute connectivity.

Key Rotation & Security: Organizations should set up Kerberos key rotation to ensure secure authentication and avoid expired keys disrupting access.

Admin Consent: After enabling Microsoft Entra Kerberos authentication, you need to grant admin consent to the new Microsoft Entra application registered in your Microsoft Entra tenant.

These permissions ensure that you can configure the necessary settings and grant the required access for the service principal associated with the storage account.

Enable Microsoft Entra Kerberos authentication for hybrid user accounts
Azure Files identity-based authentication overview
Hope the above suggestion helps! Please let us know do you have any further queries.

Please do consider to “Accepting the answer” wherever the information provided helps you, this can be beneficial to other community members.
Ram 0 Reputation points

2025-04-16T17:08:36.7+00:00

With Storage account contributor role Microsoft Entra Kerberos is getting failed. App registration is getting created
Vinod Kumar Reddy Chilupuri 3,750 Reputation points Microsoft External Staff

2025-04-17T11:53:31.0466667+00:00
Hi Ram,

To successfully enable Microsoft Entra Kerberos for an Azure Storage account, the following permissions are necessary

You need to ensure that the Azure AD Global Administrator or Privileged Role Administrator role is assigned to the user enabling the Kerberos feature. This is because enabling Kerberos involves registering a service principal in Azure AD, and this step requires higher permissions at the Azure AD level than the "Storage Account Contributor" role provides.
The "Storage Account Contributor" role provides sufficient permissions to manage storage account settings. However, it does not grant the necessary permissions to create or modify Azure AD applications (app registrations).

Ensure you also have permissions to perform actions related to Azure AD integration with the storage account (often requiring tenant-wide Azure AD roles).

Application Registration in Microsoft Entra ID:

When enabling Microsoft Entra Kerberos, a service principal (application registration) is automatically created in the Azure AD tenant to represent the storage account. If this process is failing, the user enabling Kerberos might lack the Application Administrator or Cloud Application Administrator role required to create app registrations.

Ensure the hybrid identity setup is properly configured.

On-prem AD is synced with Azure AD.

Domain controllers are accessible for Kerberos.

Confirm admin consent for the registered app.

In the Microsoft Entra portal, go to Enterprise Applications -> Select the newly registered app -> Grant admin consent.

Troubleshoot Azure Files identity-based authentication and authorization issues (SMB)

Hope the above suggestion helps! Please let us know do you have any further queries.
Vinay B 255 Reputation points Microsoft External Staff

2025-04-21T11:41:56.6833333+00:00
Hi Ram,

Since the Storage Account Contributor role wasn’t sufficient and the App Registration is getting created, but Kerberos enablement still fails.

Once the app registration is created, Kerberos relies on SPN Verify Kerberos SPN registration status by following the command mentioned below

az storage account show --name <storage-account-name> --resource-group <resource-group-name> --query "azureFilesIdentityBasedAuth.directoryServiceOptions"

This should provide the relevant output you're looking for or else SPN registration likely failed.

Try force registration if the app was created but not linked properly to the storage account

az storage account update --name <storage-account-name> --resource-group <resource-group-name> --enable-files-aadds false --enable-files-azure-active-directory-kernel-support true --enable-files-aad-kubernetes true

As Vinod Kumar Reddy Chilupuri suggested Storage account contributor role is not works for you so go for Global Administrator or any Privileged Role Admin as these roles has privilages to Can Register SPN and Can Enable Entra Kerberos along with Creating App Registration.

Please let us know if it was helpful, and feel free to reach out if you have any further queries.
Venkatesan S 1,625 Reputation points Microsoft External Staff

2025-04-22T11:08:52.8766667+00:00

Hi Ram,

Just checking to see if the suggestion provided helped you to solve your issue, please let us know if you have any further queries. If the above suggestion helps you to solve your issue, please Up-vote, this can be beneficial to other community members.
Venkatesan S 1,625 Reputation points Microsoft External Staff

2025-04-23T05:58:49.25+00:00

Hi Ram,
Just checking to see if the suggestion provided helped you to solve your issue, please let us know if you have any further queries. If the above suggestion helps you to solve your issue, please Up-vote, this can be beneficial to other community members.

1 answer

Your answer

Vinod Kumar Reddy Chilupuri 3,750 Reputation points Microsoft External Staff

2025-04-16T12:31:42.5866667+00:00

Hi Ram,

To enable Microsoft Entra Kerberos on an Azure storage account, you need to have appropriate access permissions. Specifically, you must have the "Storage Account Contributor" role or higher on the storage account. Additionally, ensure that your Azure Active Directory (AAD) is properly configured to support Kerberos authentication.

Azure Storage Account Permissions: You must have permissions to modify the Azure storage account settings.

Hybrid Identity Requirements: Microsoft Entra Kerberos authentication primarily supports hybrid identities (on-prem AD DS synced with Microsoft Entra ID). If the customer has cloud-only identities, this method may not be applicable.

Network Connectivity: The storage account must be able to communicate with domain controllers for Kerberos authentication, which may require VPN or ExpressRoute connectivity.

Key Rotation & Security: Organizations should set up Kerberos key rotation to ensure secure authentication and avoid expired keys disrupting access.

Admin Consent: After enabling Microsoft Entra Kerberos authentication, you need to grant admin consent to the new Microsoft Entra application registered in your Microsoft Entra tenant.

These permissions ensure that you can configure the necessary settings and grant the required access for the service principal associated with the storage account.

Enable Microsoft Entra Kerberos authentication for hybrid user accounts
Azure Files identity-based authentication overview
Hope the above suggestion helps! Please let us know do you have any further queries.

Please do consider to “Accepting the answer” wherever the information provided helps you, this can be beneficial to other community members.
Ram 0 Reputation points

2025-04-16T17:08:36.7+00:00

With Storage account contributor role Microsoft Entra Kerberos is getting failed. App registration is getting created
Vinod Kumar Reddy Chilupuri 3,750 Reputation points Microsoft External Staff

2025-04-17T11:53:31.0466667+00:00

Hi Ram,

To successfully enable Microsoft Entra Kerberos for an Azure Storage account, the following permissions are necessary

You need to ensure that the Azure AD Global Administrator or Privileged Role Administrator role is assigned to the user enabling the Kerberos feature. This is because enabling Kerberos involves registering a service principal in Azure AD, and this step requires higher permissions at the Azure AD level than the "Storage Account Contributor" role provides.
The "Storage Account Contributor" role provides sufficient permissions to manage storage account settings. However, it does not grant the necessary permissions to create or modify Azure AD applications (app registrations).

Ensure you also have permissions to perform actions related to Azure AD integration with the storage account (often requiring tenant-wide Azure AD roles).

Application Registration in Microsoft Entra ID:

When enabling Microsoft Entra Kerberos, a service principal (application registration) is automatically created in the Azure AD tenant to represent the storage account. If this process is failing, the user enabling Kerberos might lack the Application Administrator or Cloud Application Administrator role required to create app registrations.

Ensure the hybrid identity setup is properly configured.

On-prem AD is synced with Azure AD.

Domain controllers are accessible for Kerberos.

Confirm admin consent for the registered app.

In the Microsoft Entra portal, go to Enterprise Applications -> Select the newly registered app -> Grant admin consent.

Troubleshoot Azure Files identity-based authentication and authorization issues (SMB)

Hope the above suggestion helps! Please let us know do you have any further queries.
Vinay B 255 Reputation points Microsoft External Staff

2025-04-21T11:41:56.6833333+00:00

Hi Ram,

Since the Storage Account Contributor role wasn’t sufficient and the App Registration is getting created, but Kerberos enablement still fails.

Once the app registration is created, Kerberos relies on SPN Verify Kerberos SPN registration status by following the command mentioned below

az storage account show --name <storage-account-name> --resource-group <resource-group-name> --query "azureFilesIdentityBasedAuth.directoryServiceOptions"

This should provide the relevant output you're looking for or else SPN registration likely failed.

Try force registration if the app was created but not linked properly to the storage account

az storage account update --name <storage-account-name> --resource-group <resource-group-name> --enable-files-aadds false --enable-files-azure-active-directory-kernel-support true --enable-files-aad-kubernetes true

As Vinod Kumar Reddy Chilupuri suggested Storage account contributor role is not works for you so go for Global Administrator or any Privileged Role Admin as these roles has privilages to Can Register SPN and Can Enable Entra Kerberos along with Creating App Registration.

Please let us know if it was helpful, and feel free to reach out if you have any further queries.
Venkatesan S 1,625 Reputation points Microsoft External Staff

2025-04-22T11:08:52.8766667+00:00

Hi Ram,

Just checking to see if the suggestion provided helped you to solve your issue, please let us know if you have any further queries. If the above suggestion helps you to solve your issue, please Up-vote, this can be beneficial to other community members.
Venkatesan S 1,625 Reputation points Microsoft External Staff

2025-04-23T05:58:49.25+00:00

Hi Ram,
Just checking to see if the suggestion provided helped you to solve your issue, please let us know if you have any further queries. If the above suggestion helps you to solve your issue, please Up-vote, this can be beneficial to other community members.

Answer 1

Hi Ram,

Prerequisites

Before you enable Microsoft Entra Kerberos authentication over SMB for Azure file shares, make sure you've completed the following prerequisites.

Minimum prerequisites

The following prerequisites are mandatory. Without these, you can't authenticate using Microsoft Entra ID.

Your Azure storage account can't authenticate with both Microsoft Entra ID and a second method like AD DS or Microsoft Entra Domain Services. If you've already chosen another AD method for your storage account, you must disable it before enabling Microsoft Entra Kerberos.
This feature doesn't currently support user accounts that you create and manage solely in Microsoft Entra ID. User accounts must be hybrid user identities, which means you'll also need AD DS and either Microsoft Entra Connect or Microsoft Entra Connect cloud sync. You must create these accounts in Active Directory and sync them to Microsoft Entra ID. To assign Azure Role-Based Access Control (RBAC) permissions for the Azure file share to a user group, you must create the group in Active Directory and sync it to Microsoft Entra ID.
The WinHTTP Web Proxy Auto-Discovery Service (WinHttpAutoProxySvc) and IP Helper service (iphlpsvc) are required. Their state should be set to running.
You must disable multifactor authentication (MFA) on the Microsoft Entra app representing the storage account. For instructions, see Disable multifactor authentication on the storage account.
This feature doesn't currently support cross-tenant access for B2B users or guest users. Users from a Microsoft Entra tenant other than the one configured won't be able to access the file share.
With Microsoft Entra Kerberos, the Kerberos ticket encryption is always AES-256. But you can set the SMB channel encryption that best fits your needs.

Please follow the Microsoft documentation. Minimum prerequisites
Grant admin consent to the new service principal User's image Hope the above suggestion helps! Please let us know do you have any further queries.

Vinod Kumar Reddy Chilupuri 3,750 Reputation points Microsoft External Staff

2025-04-21T10:27:43.3966667+00:00

Hi Ram,

Just checking to see if the suggestion provided helped you to solve your issue, please let us know if you have any further queries. If the above suggestion helps you to solve your issue, please Up-vote, this can be beneficial to other community members.

Share via

What access is required for enabling Microsoft Entra Kerberos on storage account

1 answer

Your answer