Created
September 9, 2022 04:38
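#------------------------------------------------------------
# Part A - Install necessary packages
#------------------------------------------------------------
# 1) Install .NET Framework 4.7.2 (required by the AzFilesHybrid module):
#    https://dotnet.microsoft.com/en-us/download/dotnet-framework/thank-you/net472-web-installer
# 2) Download the AzFilesHybrid module zip from the official release page only:
#    https://github.com/Azure-Samples/azure-files-samples/releases
#    The module is distributed as a zip from that repository rather than via
#    Install-Module, so nothing below verifies a publisher signature for it.
#    Check that the archive really came from that repository (compare its hash
#    with the release notes where one is published) before importing it - the
#    steps below execute it with the full privileges of the current user.
# 3) Extract the zip to c:\temp

# Stop on the first failing command instead of silently continuing with a
# half-configured environment (the original ran every step regardless).
$ErrorActionPreference = "Stop"

# Allow importing the unsigned AzFilesHybrid.psm1 for THIS process only.
# The original used "Unrestricted" for the CurrentUser scope, which persists
# after this session and disables script-signing checks for every script the
# user runs later. Process scope is discarded when the console closes.
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force

# Navigate to the extracted module and copy its files into a PSModulePath folder.
Set-Location -Path "c:\temp"
.\CopyToPSPath.ps1

# Import AzFilesHybrid module
Import-Module -Name AzFilesHybrid

# Active Directory PowerShell module (RSAT). Works on Windows Server 2016 and above.
Install-WindowsFeature -Name "RSAT-AD-PowerShell" -IncludeAllSubFeature

# PowerShell module for Azure AD.
# NOTE(review): Microsoft has announced deprecation of the AzureAD module in
# favour of Microsoft.Graph; confirm the AzFilesHybrid release you downloaded
# still depends on it before installing.
Install-Module -Name AzureAD

# Force TLS 1.2 for the PowerShell Gallery downloads below; older hosts default
# to TLS 1.0/1.1, which the gallery rejects.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Install-Module -Name PackageManagement
Install-Module -Name PowerShellGet

# Azure PowerShell (Az). RemoteSigned is the sensible long-term policy: locally
# authored scripts run, downloaded ones must be signed. It is scoped to the
# current user here; the original omitted -Scope, which targets LocalMachine
# and silently changes the policy for every account on the host.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
Install-Module -Name Az -Repository PSGallery -Force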
#------------------------------------------------------------
# Part B - Connect to Azure
#------------------------------------------------------------
# Sign in interactively with an Azure AD identity that holds the Owner or
# Contributor Azure role on the target storage account. For a sovereign cloud
# (for example AzureUSGovernment) the environment must be given explicitly via
# -Environment; see
# https://docs.microsoft.com/azure/azure-government/documentation-government-get-started-connect-with-ps
Connect-AzAccount
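#------------------------------------------------------------
# Part C - Declare variables
#------------------------------------------------------------
# $SubscriptionId     - subscription that owns the storage account
# $ResourceGroupName  - resource group of the storage account
# $StorageAccountName - existing storage account to join to AD
# $SamAccountName     - logon name of the AD object created for the account
#                       (https://docs.microsoft.com/en-us/windows/win32/adschema/a-samaccountname)
# These values are environment specific; replace them before reusing the script
# and keep real tenant identifiers out of shared copies.
$SubscriptionId = "ca81765e-b4ed-4f90-98fc-a426fb58bb64"
$ResourceGroupName = "rg-PASCAL"
$StorageAccountName = "pascalsharefsad"
$SamAccountName = "pascalsharefsad"

# "ComputerAccount" (the default) or "ServiceLogonAccount". Only ComputerAccount
# supports AES256 Kerberos encryption.
$DomainAccountType = "ComputerAccount"

# OU that will hold the AD object. If no OU is supplied the object is created
# under the domain root.
$OuDistinguishedName = "OU=fileshares,DC=pascal,DC=local"

# Kerberos encryption types enabled on the AD object. The original listed
# "AES256,RC4"; RC4 is dropped here because it is a weak legacy cipher, keeping
# it enabled lets a client negotiate it instead of AES, and Part F enables
# AES256 on the account anyway. Add ",RC4" back only if a client genuinely
# cannot negotiate AES, and note that AES256 requires a ComputerAccount.
$EncryptionType = "AES256"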
#------------------------------------------------------------
# Part D - Select Subscription
#------------------------------------------------------------
# Make $SubscriptionId the active subscription for the rest of this session so
# the resource group and storage account names resolve in the intended tenant.
Select-AzSubscription -SubscriptionId $SubscriptionId
#------------------------------------------------------------
# Part E - Enable Azure AD feature
#------------------------------------------------------------
# Create the AD object that represents the storage account and register the
# account with the domain. The target OU can be given by name
# (-OrganizationalUnitName "UserAccounts") or by distinguished name
# (-OrganizationalUnitDistinguishedName "OU=UserAccounts,DC=CONTOSO,DC=COM");
# Get-ADOrganizationalUnit lists both for your domain. Supply exactly one of
# the two. The object is created as a Computer Account (default) or a Service
# Logon Account depending on -DomainAccountType and on the AD permissions you
# hold; Service Logon Accounts cannot use AES256. Run
# Get-Help Join-AzStorageAccount for the full parameter list (some module
# versions and docs refer to this cmdlet as Join-AzStorageAccountForAuth).
Join-AzStorageAccount `
    -ResourceGroupName $ResourceGroupName `
    -StorageAccountName $StorageAccountName `
    -SamAccountName $SamAccountName `
    -DomainAccountType $DomainAccountType `
    -OrganizationalUnitDistinguishedName $OuDistinguishedName `
    -EncryptionType $EncryptionType
#------------------------------------------------------------
# Part F - Enable AES256
#-----------------------------------------------------------
# Switch the AD object to AES256 Kerberos encryption. Skip this only if you
# deliberately intend to stay on RC4. If $DomainAccountType was
# ServiceLogonAccount this cmdlet converts the object to a ComputerAccount,
# because Service Logon Accounts do not support AES256.
$aesParams = @{
    ResourceGroupName  = $ResourceGroupName
    StorageAccountName = $StorageAccountName
}
Update-AzStorageAccountAuthForAES256 @aesParams
#------------------------------------------------------------
# Part G - Add default permissions
#-----------------------------------------------------------
# Share-level permission granted to every authenticated AD identity that has no
# explicit Azure RBAC assignment on the account's shares.
# NOTE(review): StorageFileDataSmbShareElevatedContributor is the most
# permissive option - it lets any domain identity that can reach the account
# read, write, delete and modify NTFS permissions on every share, constrained
# only by the NTFS ACLs set later. Prefer StorageFileDataSmbShareReader or
# StorageFileDataSmbShareContributor (or "None" plus per-group RBAC
# assignments) unless NTFS ACLs are deliberately the sole control.
$defaultPermission = "StorageFileDataSmbShareElevatedContributor"
$account = Set-AzStorageAccount `
    -ResourceGroupName $ResourceGroupName `
    -AccountName $StorageAccountName `
    -DefaultSharePermission $defaultPermission
# Echo the identity-based-auth settings so the applied default can be confirmed.
$account.AzureFilesIdentityBasedAuth
| #------------------------------------------------------------ | |
# Part H - Finish configuration
| #----------------------------------------------------------- | |
# 1) Map the share once with the storage account key (full control, bypasses AD):
#    Right click "Computer" > "Map Network Drive"
#    Folder:   \\<storageaccount>.file.core.windows.net\<share>
#    Unselect "Reconnect at sign in"
#    Select "Connect using different credentials"
#    Account:  AZURE\<storageaccount>
#    Password: one of the account keys (portal: storage account > Access keys)
# 2) Assign the initial administrators' NTFS permissions on the share root.
# 3) Disconnect the drive.
# 4) Map the share normally, with AD (Kerberos) credentials.
# 5) Do not use the key for share access again. It was typed into a Windows
#    credential prompt and may have been saved by Credential Manager: check
#    "cmdkey /list" and remove any AZURE\<storageaccount> entry, then rotate the
#    key in the portal so the copy that was handed around stops working.