We are excited to announce the general availability (GA) of Entra-Only identities for Azure Files SMB. With native Microsoft Entra ID authentication, organizations can now grant secure, identity-based access to SMB file shares using cloud-only identities.
This eliminates the need for Active Directory, hybrid synchronization, or managed domain controllers—dramatically streamlining your architecture while cutting down on ongoing management and maintenance expenses. Entra-Only identities bring Azure Files a tightly integrated, modern identity experience—setting a top-tier industry benchmark for secure, smooth, and fully cloud-native access.
For customers planning to move to Azure Files, dependence on on-premises Active Directory authentication has often been a major obstacle to achieving a fully cloud-native setup. Entra-Only identity support for Azure Files SMB removes that barrier, allowing organizations to authenticate users and devices directly through Microsoft Entra ID—helping modernize storage, compute, and identity while staying aligned with Zero-Trust principles.
Entra-Only identities make virtual desktop infrastructure (VDI) profile management on Azure Files seamless while meeting today’s security standards. In Azure Virtual Desktop (AVD), built-in B2B support takes this even further, letting external partners use their own existing identities with FSLogix profiles—no duplicate accounts needed.
For general-purpose use cases, this opens the door to migrating on-premises Windows-based workloads to a fully cloud-native platform, keeping native SMB compatibility while delivering a deeply integrated identity, security, and management experience. Users can securely access files from any location without domain configuration, VPNs, or complex networking requirements. Altogether, these capabilities help organizations lower operational complexity while bolstering their security posture.
Why choose Entra-Only identities with Azure Files
- Modern, cloud-native identity with simplified operations. Azure Files access is protected by native Entra ID authentication, with client devices managed through Intune. There is no second directory whose identity lifecycle and compliance must be maintained, no VPN to operate, and no hybrid sync to keep healthy, which makes deployment easier and reduces ongoing management overhead.
- Coexistence with hybrid identity setups. Organizations running a mix of hybrid and cloud-native identities can use this feature side by side as they work toward retiring Active Directory.
- Secure access from anywhere. Users can reach file shares through Entra-joined clients, enabling smooth remote work without duplicating identities.
- Extended support for macOS clients (limited preview). Secure file share access now extends to modern macOS clients joined to Entra via Platform SSO, allowing creative and cross-platform workloads to connect with Azure Files using Entra-based identity.
What’s new with Entra-Only identities
- Portal-based NTFS permissions management: Granular file and directory ACLs for Entra-Only (and hybrid) users and groups can be set directly from the Azure portal, removing the need for domain-joined clients or legacy tools. This is now available to all users in every region.
- Expanded RBAC support for secure authorization: Share-level RBAC role assignments can now target Entra-only users and groups directly, in select regions. For regional availability, please check here.
How Entra-Only identities work with Azure Files
This feature modernizes SMB authentication by turning Microsoft Entra ID into the primary Kerberos Key Distribution Center (KDC). Clients authenticate directly with Microsoft Entra ID to obtain Kerberos tickets for cloud identities—no Active Directory or Entra Connect sync required. While the SMB protocol stays the same for compatibility, ticket issuance and identity validation are entirely handled by Entra.
How it works:
- When a user opens the file share, the client requests a Kerberos service ticket for the Azure Files endpoint from Entra ID.
- The ticket carries the user's cloud security identifiers (SIDs) and is presented during SMB session setup.
- Azure Files validates the ticket and establishes the session. Authorization then proceeds as before: share-level access is governed by Azure RBAC, and file and directory access by NTFS Access Control Lists (ACLs).
- NTFS ACLs can now include Entra-Only users and groups, and permissions can be managed directly through the Azure portal, eliminating the need for domain-joined clients or legacy tools.
This approach maintains Kerberos security and scalability while moving identity management fully to Entra, paving the way for a smooth shift to cloud-native file access.
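The following PowerShell walks the flow above end to end, covering both the share-level RBAC assignment mentioned under "What's new" and the Kerberos exchange described in this section: an administrator enables Entra Kerberos on the storage account and grants an Entra-only group share-level access, then a user on an Entra-joined Windows client mounts the share and checks that the SMB session was set up with a ticket issued by Entra ID rather than by a domain controller. This is an added example, not code from the original post or from Microsoft; the resource group, storage account, share, and group names are hypothetical placeholders, and the cmdlets used are the standard Az.Storage, Az.Resources, and built-in Windows ones.

```powershell
# Added example (not from the original post). All names below are hypothetical.
$rg    = "rg-files-demo"       # hypothetical resource group
$sa    = "stfilesdemo01"       # hypothetical storage account (must be globally unique)
$share = "profiles"            # hypothetical file share
$group = "AVD-Profile-Users"   # hypothetical Entra-only security group

# ---- Administrator side: requires Az.Accounts, Az.Storage, Az.Resources ----
Connect-AzAccount | Out-Null

# 1. Make Entra ID the Kerberos KDC for this account (no AD, no Entra Connect sync).
Set-AzStorageAccount -ResourceGroupName $rg -Name $sa `
    -EnableAzureActiveDirectoryKerberosForFile $true | Out-Null

# Check the result instead of assuming it: the directory service source must read AADKERB.
$auth = (Get-AzStorageAccount -ResourceGroupName $rg -Name $sa).AzureFilesIdentityBasedAuth
if ($auth.DirectoryServiceOptions -ne "AADKERB") {
    throw "Entra Kerberos is not enabled on $sa (got '$($auth.DirectoryServiceOptions)')"
}

# 2. Share-level authorization: a built-in data role scoped to the single share, assigned
#    to the Entra-only group. (Per the post, Entra-only RBAC targets are in select regions.)
$groupId = (Get-AzADGroup -DisplayName $group).Id
$scope   = "/subscriptions/$((Get-AzContext).Subscription.Id)/resourceGroups/$rg" +
           "/providers/Microsoft.Storage/storageAccounts/$sa/fileServices/default/fileshares/$share"
New-AzRoleAssignment -ObjectId $groupId `
    -RoleDefinitionName "Storage File Data SMB Share Contributor" -Scope $scope | Out-Null

# ---- Client side: Entra-joined Windows device, signed in as a member of $group ----
$fqdn = "$sa.file.core.windows.net"

# SMB still needs TCP 445 to the endpoint; the Kerberos ticket itself comes from Entra ID.
if (-not (Test-NetConnection -ComputerName $fqdn -Port 445 -InformationLevel Quiet)) {
    throw "TCP 445 to $fqdn is blocked; SMB cannot connect"
}

# 3. Mount with the signed-in identity: no stored credentials and no storage account key.
New-SmbMapping -LocalPath "Z:" -RemotePath "\\$fqdn\$share" -Persistent $true | Out-Null

# 4. Verify where the ticket came from. A service ticket for cifs/<fqdn> should be present and
#    its realm should be KERBEROS.MICROSOFTONLINE.COM, i.e. issued by Entra, not by an AD DC.
$tickets   = klist tickets
$hasCifs   = $tickets -match ("cifs/" + [regex]::Escape($fqdn))
$hasEntra  = $tickets -match "KERBEROS\.MICROSOFTONLINE\.COM"
if (-not ($hasCifs -and $hasEntra)) {
    Write-Warning "No Entra-issued cifs ticket for $fqdn; check the device's Entra join state and sign-in"
}

# 5. File/directory authorization is still NTFS. ACEs for cloud identities resolve to
#    AzureAD\<name> on an Entra-joined client, or show as S-1-12-1-* SIDs where unresolved.
icacls "Z:\"
```

Step 4 is the check worth keeping in any runbook: a successful mount on its own does not prove the cloud-native path was used, but a `cifs/` ticket in the `KERBEROS.MICROSOFTONLINE.COM` realm does. If the ticket instead comes from an on-premises realm, the client is still falling back to hybrid authentication.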
Key workloads upgraded with Entra-Only identities
Transforming VDI deployments using Azure Files and Entra-Only identities
Entra-Only identities make VDI deployments with Azure Files simpler and more modern by providing a fully cloud-native identity, compute, and storage stack for managing user profiles. In Azure Virtual Desktop (AVD), FSLogix profile containers can be stored on Azure Files Premium and accessed via Kerberos using Microsoft Entra-based users, ensuring secure and seamless SMB access.
Why this is important:
- It eliminates reliance on hybrid identity infrastructure.
- It streamlines deployments.
- It cuts down on operational overhead, particularly for distributed or remote teams.
With Entra ID as the authentication provider, users can log into their virtual desktops and access profiles using cloud-native identities, enabling end-to-end single sign-on without needing connectivity to on-premises systems.
By implementing Entra-Only identity access with Azure Files, WTW has been able to deliver insurance applications to customers on AVD using their existing Entra identities. FSLogix profile containers stored on Azure File Shares ensure users get a consistent profile experience regardless of which AVD host they connect to. This solution removes the need for legacy domain controllers and file share infrastructure, replacing it with a fully Entra-joined environment supported by AVD hosts and Azure File Shares—resulting in a more secure, streamlined, and less complex architecture.
—Gordon Griffin, Technical Director, Willis Towers Watson
B2B identity support further enhances VDI scenarios by allowing external users to access desktops and load their profiles securely using their existing identities. Together, these capabilities enable organizations to deliver a consistent, scalable, and secure VDI experience while speeding up their move to a fully cloud-native architecture.
Entra-Only identities with Azure Files represent a major leap forward in simplifying and securing modern desktop and application environments. By enabling Kerberos-based Entra user access, we can offer a truly cloud-native experience for our customers, with identity, compute, and storage all in Azure, while preserving seamless SMB compatibility. This greatly reduces deployment complexity and allows organizations to adopt secure, scalable VDI and file access solutions faster than ever before.
—Chuck Mikuzis, Product Manager, Nerdio
Making file sharing easier for today’s workforce
Entra-Only identities simplify general-purpose file sharing and collaboration for information workers. Access to shared folders is managed directly through Entra ID, providing consistent, identity-driven access across distributed teams without requiring domain-joined devices or connectivity to on-premises infrastructure.
This makes onboarding and daily operations smoother—new users can be granted access via Entra groups, and permissions are enforced uniformly across locations. Combined with NTFS ACL portal support, organizations can retain familiar file-level security while modernizing their access model.
The benefits:
- Quicker onboarding.
- Lower helpdesk workload.
- Smooth collaboration across regions.
Effortless cloud-native access for remote and distributed energy teams
Entra-Only identities allow oil and gas organizations to securely access critical datasets from remote and field locations without depending on complex multi-domain/multi-forest Active Directory setups or hybrid infrastructure. Engineers and geoscientists working across offshore rigs, exploration sites, and global offices can authenticate directly with Entra ID and access Azure Files, removing VPN dependencies and improving reliability in low-connectivity environments.
This approach simplifies deployment and operations while upholding enterprise-grade security and compliance. Combined with support for thin clients and remote access, teams can collaborate in real-time on large datasets without managing distributed infrastructure.
Ongoing investments in Azure Files identity
Secure Entra-native application access with Managed Identities (GA)
Managed Identities support introduces Entra-native application access to Azure Files, eliminating the need for shared keys or secrets. Applications, virtual machines, or Azure services use Managed Identities with Entra-issued OAuth tokens to establish secure SMB sessions, reducing credential sprawl and simplifying access. This helps streamline DevOps workflows and enables scalable integration across Azure Kubernetes Service (AKS) and enterprise applications.
Delivering secure, cloud-native access to macOS workloads (limited preview)
Secure Azure Files support for macOS clients allows creative design teams and educational institutions to work seamlessly across operating systems with uninterrupted access. Designers, media professionals, and higher education staff can authenticate directly with Entra ID and access SMB file shares, aligning Mac workflows with the same enterprise-grade identity used across the organization.
What’s next with Azure Files Entra-Only Identities
Native NTFS ACL editing experience
We are continuing to improve the permissions management experience by introducing native support for editing NTFS ACLs directly through familiar client workflows. This addresses a key gap between cloud and traditional
This feature brings Entra-Only identities to traditional file server setups, allowing both admins and end users to control access to files and folders with the same familiar tools and workflows they already use.
Expanding to sovereign cloud regions
We’re actively working to bring Entra-Only identities for Azure Files to sovereign cloud regions. This will allow organizations operating under strict regulatory requirements to use cloud-native identities for their SMB-based workloads. By doing so, they can take advantage of SMB Kerberos authentication and centralized identity management while still meeting compliance and enterprise-level regulatory standards.
Start using Entra-Only identities and explore more Azure Files features
Entra-Only identities for Azure Files SMB is now generally available. It works with both HDD and SSD storage tiers and all billing options, with no extra charge. Check out our documentation for detailed setup instructions and prepare your workloads for what’s ahead.
If you have questions about enabling this on macOS, please sign up here. For any other inquiries, contact us at azurefiles@microsoft.com.