
Azure File Share with Entra Kerberos Authentication: Seamless Access for Windows and macOS Devices


🔐 Secure, seamless, and passwordless—that’s the future of enterprise file access. With Azure Files and Entra Kerberos authentication, organizations can finally deliver a true single sign-on experience for both Windows and macOS devices, without relying on legacy Active Directory. This guide walks you through everything you need to know to make it happen.


🌍 Why This Matters

Traditional SMB access to file shares often depends on on-prem Active Directory and Kerberos tickets issued by domain controllers. In a cloud-first world, that model doesn’t scale. Azure Files combined with Entra Kerberos authentication solves this by:

  • Eliminating dependency on on-prem AD
  • Enabling passwordless access for cloud-only devices
  • Supporting Windows Hello for Business and macOS PSSO
  • Maintaining strong security and compliance

🧩 Understanding the Components

Before diving into configuration, let’s break down the key pieces:

  • Azure Files: Fully managed file shares in Azure Storage.
  • Entra Kerberos Authentication: Allows SMB access using Kerberos tickets issued by Entra ID.
  • Cloud Kerberos Trust: Bridges Hello for Business and Kerberos without on-prem DCs.
  • PSSO (Platform Single Sign-On): Enables macOS to acquire Kerberos tickets from Entra ID.

🛠 Prerequisites

To make this work, you need:

  • ✅ An Azure Storage Account with Azure Files enabled
  • Windows Entra-only devices with:
    • Windows Hello for Business enabled
    • Cloud Kerberos Trust enabled
  • macOS devices enrolled with PSSO
  • ✅ Conditional Access policies in Entra ID
  • ✅ Appropriate RBAC roles for users accessing the file share

💡 Tip: Cloud Kerberos Trust is critical—it ensures devices can request Kerberos tickets from Entra without on-prem infrastructure.


1️⃣ Create the Storage Account & File Share

Start by creating a new Storage Account:

  • Choose Premium for performance-sensitive workloads
  • Choose Azure Files
  • Configure networking to also allow access from public networks if necessary
  • Assign RBAC roles like Storage File Data SMB Share Contributor to users/groups

Then create your Azure File Share inside the Storage Account.


2️⃣ Enable Entra Kerberos Authentication

In the Storage Account settings:

  • Navigate to Azure Files Identity-based Access
  • Enable Entra Kerberos Authentication
  • Set the default share-level permission to Storage File Data SMB Share Reader (read-only default permission)

3️⃣ Adjust the App Registration

Grant admin consent to the new service principal.

For Kerberos to work correctly, edit the App Manifest:

  • Ensure the service principal for the Storage Account has:
    • the cifs service principal name written in lowercase (required for macOS)
    • the tag "kdc_enable_cloud_group_sids": true (this ensures proper SID handling for cloud groups)
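A quick way to verify these two manifest edits before rolling them out, as an added example that is not from the post: the script below loads a service-principal manifest exported as JSON and reports a cifs service principal name that is not lowercase and a missing "kdc_enable_cloud_group_sids": true entry. The manifest shape (a top-level servicePrincipalNames array; the tag is searched for anywhere in the document because the post does not say where it lives), the storage account name stgexample and the sample manifest are constructed assumptions.

```python
import json
from typing import Any

# Constructed sample: a trimmed service-principal manifest export (assumed shape,
# not an actual export from a tenant). The cifs entry is deliberately uppercase
# and the tag is missing so that the checker has something to report.
SAMPLE_MANIFEST = json.loads("""
{
  "displayName": "[Storage Account] rg-files.stgexample.file.core.windows.net",
  "servicePrincipalNames": [
    "CIFS/stgexample.file.core.windows.net",
    "http/stgexample.file.core.windows.net"
  ],
  "tags": []
}
""")

TAG_KEY = "kdc_enable_cloud_group_sids"


def _find_key(node: Any, key: str) -> Any:
    """Return the value of `key` wherever it first occurs in a nested JSON structure.

    The post does not state where the tag sits in the manifest, so the check
    accepts it at any nesting level instead of assuming one location.
    """
    if isinstance(node, dict):
        if key in node:
            return node[key]
        for value in node.values():
            found = _find_key(value, key)
            if found is not None:
                return found
    elif isinstance(node, list):
        for item in node:
            found = _find_key(item, key)
            if found is not None:
                return found
    return None


def check_manifest(manifest: dict) -> list:
    """Return a list of problems; an empty list means both manifest edits are in place."""
    problems = []
    spns = manifest.get("servicePrincipalNames", [])
    cifs = [s for s in spns if s.lower().startswith("cifs/")]
    if not cifs:
        problems.append("no cifs/ service principal name present")
    for spn in cifs:
        # macOS clients request the SPN in lowercase; an uppercase entry will not match.
        if spn != spn.lower():
            problems.append(f"SPN must be lowercase for macOS clients: {spn}")
    if _find_key(manifest, TAG_KEY) is not True:
        problems.append(f'tag "{TAG_KEY}": true is missing')
    return problems


if __name__ == "__main__":
    for problem in check_manifest(SAMPLE_MANIFEST):
        print("PROBLEM:", problem)
```

Run it against the JSON you export from the app registration; an empty result means the two edits from this step are present.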

4️⃣ Conditional Access Policies

To avoid MFA prompts during SMB access:

  • Exclude the Storage Account app from your MFA policy
  • Optional: Create a dedicated CA policy enforcing compliant devices for this app

5️⃣ Windows Configuration

On Windows Entra-only devices, ensure you have a Windows Hello for Business policy with CloudKerberosTrust enabled, and additionally set CloudKerberosTicketRetrievalEnabled so that a Kerberos ticket is already retrieved during Windows sign-in.

Custom CSP Policy:

  • Name: CloudKerberosTicketRetrievalEnabled
  • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Kerberos/CloudKerberosTicketRetrievalEnabled
  • Data type: Integer
  • Value: 1

6️⃣ macOS Configuration

Deploy a custom Kerberos SSO mobileconfig in addition to your already existing PSSO Policy:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>ExtensionData</key>
            <dict>
                <key>usePlatformSSOTGT</key>
                <true/>
                <key>performKerberosOnly</key>
                <true/>
                <key>preferredKDCs</key>
                <array>
                    <!-- replace the placeholder with your Entra tenant ID (GUID) -->
                    <string>kkdcp://login.microsoftonline.com/REPLACE-WITH-YOUR-TENANT-ID/kerberos</string>
                </array>
            </dict>
            <key>ExtensionIdentifier</key>
            <string>com.apple.AppSSOKerberos.KerberosExtension</string>
            <key>Hosts</key>
            <array>
                <string>windows.net</string>
                <string>.windows.net</string>
            </array>
            <key>Realm</key>
            <string>KERBEROS.MICROSOFTONLINE.COM</string>
            <key>PayloadDisplayName</key>
            <string>Single Sign-On Extensions Payload for Microsoft Entra ID Cloud Kerberos</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.extensiblesso.00aa00aa-bb11-cc22-dd33-44ee44ee44ee</string>
            <key>PayloadType</key>
            <string>com.apple.extensiblesso</string>
            <key>PayloadUUID</key>
            <string>00aa00aa-bb11-cc22-dd33-44ee44ee44ee</string>
            <key>TeamIdentifier</key>
            <string>apple</string>
            <key>Type</key>
            <string>Credential</string>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string></string>
    <key>PayloadDisplayName</key>
    <string>Kerberos SSO Extension for macOS for Microsoft Entra ID Cloud Kerberos</string>
    <key>PayloadEnabled</key>
    <true/>
    <key>PayloadIdentifier</key>
    <string>11bb11bb-cc22-dd33-ee44-55ff55ff55ff</string>
    <key>PayloadOrganization</key>
    <string>headsinthecloud.blog Entra Kerberos Config</string>
    <key>PayloadRemovalDisallowed</key>
    <true/>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>11bb11bb-cc22-dd33-ee44-55ff55ff55ff</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
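To catch the two mistakes this profile is most prone to, a tenant ID placeholder that was never replaced and a realm that is not exactly KERBEROS.MICROSOFTONLINE.COM, the following added example (my own code, not the post's mobileconfig) parses a profile with Python's plistlib and lists every deviation from the settings above. The embedded profile is a constructed copy of the one above with those two mistakes deliberately left in.

```python
import plistlib
import uuid

# Constructed sample profile (not the post's file): same structure as the
# mobileconfig above, but the tenant ID placeholder has been left in place
# and the realm is lowercase, so the checker has real findings to report.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>ExtensionData</key>
      <dict>
        <key>usePlatformSSOTGT</key><true/>
        <key>performKerberosOnly</key><true/>
        <key>preferredKDCs</key>
        <array><string>kkdcp://login.microsoftonline.com/REPLACE-WITH-YOUR-TENANT-ID/kerberos</string></array>
      </dict>
      <key>ExtensionIdentifier</key><string>com.apple.AppSSOKerberos.KerberosExtension</string>
      <key>Hosts</key><array><string>windows.net</string><string>.windows.net</string></array>
      <key>Realm</key><string>kerberos.microsoftonline.com</string>
      <key>PayloadType</key><string>com.apple.extensiblesso</string>
      <key>PayloadUUID</key><string>00aa00aa-bb11-cc22-dd33-44ee44ee44ee</string>
      <key>TeamIdentifier</key><string>apple</string>
      <key>Type</key><string>Credential</string>
    </dict>
  </array>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadUUID</key><string>11bb11bb-cc22-dd33-ee44-55ff55ff55ff</string>
  <key>PayloadScope</key><string>System</string>
  <key>PayloadVersion</key><integer>1</integer>
</dict>
</plist>
"""

EXPECTED_REALM = "KERBEROS.MICROSOFTONLINE.COM"
EXPECTED_EXTENSION = "com.apple.AppSSOKerberos.KerberosExtension"
KDC_PREFIX = "kkdcp://login.microsoftonline.com/"
KDC_SUFFIX = "/kerberos"


def _is_uuid(value) -> bool:
    """True if value parses as a GUID (also used to detect an unreplaced tenant placeholder)."""
    try:
        uuid.UUID(value)
        return True
    except (ValueError, TypeError):
        return False


def check_profile(data: bytes) -> list:
    """Parse a mobileconfig and return the deviations from the settings the post calls for."""
    root = plistlib.loads(data)
    problems = []
    if root.get("PayloadScope") != "System":
        problems.append("PayloadScope must be System")
    sso = [p for p in root.get("PayloadContent", []) if p.get("PayloadType") == "com.apple.extensiblesso"]
    if len(sso) != 1:
        return problems + ["exactly one com.apple.extensiblesso payload expected"]
    payload = sso[0]
    if payload.get("ExtensionIdentifier") != EXPECTED_EXTENSION:
        problems.append(f"ExtensionIdentifier must be {EXPECTED_EXTENSION}")
    if payload.get("Type") != "Credential" or payload.get("TeamIdentifier") != "apple":
        problems.append("Type must be Credential and TeamIdentifier must be apple")
    # Kerberos realm names are case-sensitive; the post's gotcha about realm settings.
    if payload.get("Realm") != EXPECTED_REALM:
        problems.append(f"Realm must be exactly {EXPECTED_REALM} (got {payload.get('Realm')!r})")
    ext = payload.get("ExtensionData", {})
    for flag in ("usePlatformSSOTGT", "performKerberosOnly"):
        if ext.get(flag) is not True:
            problems.append(f"ExtensionData.{flag} must be true")
    kdcs = ext.get("preferredKDCs", [])
    if len(kdcs) != 1:
        problems.append("preferredKDCs must contain exactly one KKDCP URL")
    for url in kdcs:
        well_formed = url.startswith(KDC_PREFIX) and url.endswith(KDC_SUFFIX)
        tenant = url[len(KDC_PREFIX):-len(KDC_SUFFIX)] if well_formed else ""
        if not _is_uuid(tenant):
            problems.append(f"preferredKDCs entry does not carry a tenant ID GUID: {url}")
    uuids = [root.get("PayloadUUID"), payload.get("PayloadUUID")]
    if not all(_is_uuid(u) for u in uuids) or len(set(uuids)) != len(uuids):
        problems.append("PayloadUUID values must be valid and distinct GUIDs")
    return problems


if __name__ == "__main__":
    for problem in check_profile(SAMPLE_PROFILE):
        print("PROBLEM:", problem)
```

Point it at the exported .mobileconfig before uploading it to your MDM; an empty list means the profile matches the settings above.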

✅ Testing & Validation

  • From Windows: net use \\<storageaccount>.file.core.windows.net\<share>
  • From macOS: Mount via Finder

Check Kerberos tickets using:

  • Windows: klist
  • macOS: klist
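An added example, not part of the post: the script below parses klist output from either platform and reports whether a TGT from KERBEROS.MICROSOFTONLINE.COM and a service ticket for cifs/<storageaccount>.file.core.windows.net are present, which is the check to run when a mount fails. The two klist outputs embedded in it are constructed samples in the shape of Windows and macOS (Heimdal) klist output, and stgexample is a placeholder storage account name.

```python
import re

# Constructed sample output (not captured from a real device): Windows klist
# after a mount succeeded, so both a TGT and a cifs service ticket are cached.
WINDOWS_KLIST = """\
Current LogonId is 0:0x3e7

Cached Tickets: (2)

#0>     Client: alice @ KERBEROS.MICROSOFTONLINE.COM
        Server: krbtgt/KERBEROS.MICROSOFTONLINE.COM @ KERBEROS.MICROSOFTONLINE.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Start Time: 1/15/2025 8:00:12 (local)
        End Time:   1/15/2025 18:00:12 (local)
        Kdc Called: login.microsoftonline.com

#1>     Client: alice @ KERBEROS.MICROSOFTONLINE.COM
        Server: cifs/stgexample.file.core.windows.net @ KERBEROS.MICROSOFTONLINE.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Start Time: 1/15/2025 8:01:02 (local)
        End Time:   1/15/2025 18:00:12 (local)
        Kdc Called: login.microsoftonline.com
"""

# Constructed sample output: macOS (Heimdal) klist with a TGT only, i.e. PSSO
# signed the user in but the share has not been mounted yet.
MACOS_KLIST = """\
Credentials cache: API:8F1C2D3E-0000-1111-2222-333344445555
        Principal: alice@KERBEROS.MICROSOFTONLINE.COM

  Issued                Expires               Principal
Jan 15 08:00:12 2025  Jan 15 18:00:12 2025  krbtgt/KERBEROS.MICROSOFTONLINE.COM@KERBEROS.MICROSOFTONLINE.COM
"""

ENTRA_REALM = "KERBEROS.MICROSOFTONLINE.COM"

# Windows prints "Server: service/host @ REALM"; macOS prints a dated row that
# ends in "service/host@REALM".
_WIN = re.compile(r"^\s*Server:\s*(\S+)\s*@\s*(\S+)\s*$", re.M)
_MAC = re.compile(r"^[A-Z][a-z]{2}\s+\d+\s+[\d:]+\s+\d{4}\s+.*?\s(\S+)@(\S+)\s*$", re.M)


def tickets(klist_output: str) -> list:
    """Return (service principal, realm) pairs from Windows or macOS klist output."""
    found = _WIN.findall(klist_output) or _MAC.findall(klist_output)
    return [(svc, realm) for svc, realm in found]


def check_smb_ticket(klist_output: str, storage_account: str) -> list:
    """List what is missing for SMB access to the given storage account."""
    spn = f"cifs/{storage_account}.file.core.windows.net"
    cached = tickets(klist_output)
    problems = []
    if not any(svc.startswith("krbtgt/") and realm == ENTRA_REALM for svc, realm in cached):
        problems.append(f"no TGT from {ENTRA_REALM}: Cloud Kerberos Trust / PSSO sign-in did not issue one")
    if not any(svc.lower() == spn for svc, realm in cached):
        problems.append(f"no service ticket for {spn}: the share has not been reached, or the cifs SPN is wrong")
    elif not any(svc.lower() == spn and realm == ENTRA_REALM for svc, realm in cached):
        problems.append(f"service ticket for {spn} came from another realm (on-prem AD?)")
    return problems


if __name__ == "__main__":
    for name, output in (("windows", WINDOWS_KLIST), ("macos", MACOS_KLIST)):
        print(name, check_smb_ticket(output, "stgexample") or "OK")
```

On a real device, pipe the output of klist into check_smb_ticket with your own storage account name; a missing TGT points at the Cloud Kerberos Trust or PSSO configuration, a missing cifs ticket at the SPN, Conditional Access or network path.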

⚠️ Best Practices & Gotchas

  • Conditional Access misconfigurations can block access
  • macOS requires correct realm settings in mobileconfig

✅ Key Takeaways

  • Entra Kerberos brings passwordless SMB access to Azure Files
  • Works for Windows Hello for Business and macOS PSSO
  • Requires Cloud Kerberos Trust, proper CA policies, and manifest tweaks
  • Delivers a modern, secure experience without legacy dependencies
