Allow Azure AD Domain Services (AADDS) to authenticate access to storage account file shares for computers that are members of an external domain or are hybrid joined.
Currently, if a company decides to replicate its local file share resources to an Azure storage account via Azure File Sync and wants to keep the same NTFS ACLs, there are two options.
One is to select identity-based access for file shares and enable Azure Active Directory Domain Services (Azure AD DS); the other is to integrate on-premises Active Directory Domain Services (AD DS).
If a company decides to go with AADDS, then a device that wants to map a file share from the Azure storage account as a drive and use NTFS ACLs must be joined to AADDS. Here we have a problem, because you may want to connect to those resources from a locally (on-prem AD DS) joined device, and you don't want to, can't, or find it impractical to disconnect this device from your primary domain. There should probably be a possibility to access/map those drives using AADDS authentication from guest computers, perhaps over an Azure VPN with a link to the AADDS subnet.
Someone could say that in this scenario the second approach should be used and the Azure storage account should be joined to the local domain, but that is not a very good solution, for a few reasons.
In case of a disaster or loss of connectivity with on-prem, the ACLs will not be able to be enforced/verified because on-prem will not be available.
So you are forced to maintain a full Windows Server domain controller, with all the maintenance implications.
The best scenario for companies with many remote users (using VPN to connect to the on-prem office), who still heavily use on-prem network drives based on Windows Server file services and the SMB protocol, but who have Azure AD Connect synchronization enabled with writeback, SSO, users/security groups (responsible for NTFS access management) and Azure Active Directory Domain Services (AADDS) deployed, would be to replicate all local shares to the cloud and allow mapping with AADDS authentication in a hybrid deployment (where on-premises has site-to-site VPN connectivity with Azure but does not use local AD to authenticate Azure storage file access), and also when a computer user decides, or is forced by a DR situation (on-prem is not available), to connect to the Azure VPN and the AADDS network. Currently, from what I understand and from what Microsoft Support explained to me, this is not possible.
So we can't have a mix of traditional on-prem Windows file servers and Azure File Sync resources using ACLs/NTFS SMB permissions from a computer joined to the local domain, even if that computer can connect via Azure VPN to the network with AADDS.
I hope that there is some clever way to tell the local/on-prem Active Directory and DNS that, for the domains/IPs correlated with Azure storage account file authentication, all related Kerberos tickets etc. should be handled/redirected to AADDS, and that in the scenario where a computer not joined to AADDS has access via Azure VPN to the AADDS network, it can communicate with AADDS and authenticate access to the storage account file share based only on the user account.
I know that a modern company should actually keep its files in Microsoft 365/SharePoint/Teams and OneDrive, but not everyone is ready for this move yet.
I think it would be very beneficial to have an option that allows selecting everything from local shares, replicating it to an Azure storage account, and mapping those resources on any computer (not joined to AADDS) using the replicated permissions, as long as that computer can VPN to a network that has access to the AADDS network and the required protocols like DNS, LDAP and Kerberos, without on-prem involvement and without rejoining the computer to AADDS.