Permissions Required to Join Azure Files Share to a Domain
This article explains the permissions required for the domain user used to join an Azure Files share to an AD domain. If these permissions are not correct, you receive an error during the domain join step.
A Domain Admin account is sufficient to join the Azure Files share to your domain. However, if you are using a service account and delegating specific permissions to that account, the "Add/Remove computer accounts" permission won't be sufficient to add Azure Files shares.
Azure Files joins the domain as a service principal. In order for Nerdio Manager's automation to join Azure Files to the domain, you need to delegate permissions on the target OU that allows the service user to create & write user objects (including the advanced permissions of read & write serviceprincipalname).
Read/Write ServicePrincipalName permissions cannot be assigned via the AD Users & Computers (ADUC/dsa.msc) console. The only way to grant these permissions is connecting to AD via ADSI Edit (ADSI.msc). Once connected, navigate to the destination OU and delegate the Read/Write ServicePrincipalName permissions to your service account.
Download the ADSI Edit as part of the Remote Server Administration Tools here.
Comments (0 comments)