Nerdio Help Center

Permissions required to join Azure file share to domain


This article explains the permissions required for the domain user account that joins an Azure Files share to an AD domain. If these permissions are missing, the domain join step fails with an error.

A Domain Admin account is sufficient to join the Azure Files share to your domain. However, if you are using a service account with specific delegated permissions, the "Add/Remove computer accounts" permission alone is not sufficient to add Azure Files shares.

Azure Files joins the domain as a service principal. For Nerdio's automation to join Azure Files to the domain, you need to delegate permissions on the target OU that allow the service user to create and write user objects, including the advanced permissions Read servicePrincipalName and Write servicePrincipalName.

Read/Write servicePrincipalName permissions cannot be assigned from the AD Users & Computers (ADUC / dsa.msc) console. The only way to grant them is to connect to AD with ADSI Edit (adsiedit.msc). Once connected, navigate to the destination OU and delegate the Read/Write servicePrincipalName permissions to your service account.
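The same delegation can be scripted with the ActiveDirectory PowerShell module, which is useful when the OU ACL must be reproducible or audited. The following is an added example and is not Nerdio's code or part of the original article. The OU distinguished name and the service account name are placeholders; the schema GUIDs for the `user` class and the `servicePrincipalName` attribute are looked up from the schema partition at run time rather than hard-coded, and the script must be run by an account that is already allowed to change the OU's security descriptor.

```powershell
# Added example (not from the Nerdio article): delegate, on one OU, the rights the
# article lists for the Azure Files join account, then print the resulting ACEs.
Import-Module ActiveDirectory

$TargetOU       = "OU=AzureFiles,DC=corp,DC=example"   # placeholder OU DN
$ServiceAccount = "CORP\svc-azfiles-join"               # placeholder service account

# Resolve a schema object's schemaIDGUID by lDAPDisplayName instead of hard-coding it.
function Get-SchemaGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    return [guid]$obj.schemaIDGUID
}

$userClassGuid = Get-SchemaGuid -LdapDisplayName 'user'
$spnAttrGuid   = Get-SchemaGuid -LdapDisplayName 'servicePrincipalName'

$identity = [System.Security.Principal.NTAccount]$ServiceAccount
$allow    = [System.Security.AccessControl.AccessControlType]::Allow
$none     = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
$desc     = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$rules = @(
    # Create user objects directly in the OU (objectType = user class GUID).
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $identity,
        [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
        $allow, $userClassGuid, $none)

    # Write properties of user objects under the OU (inheritedObjectType = user class).
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $identity,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        $allow, [guid]::Empty, $desc, $userClassGuid)

    # The advanced rights the article calls out: read + write servicePrincipalName
    # on those same user objects.
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $identity,
        [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
        $allow, $spnAttrGuid, $desc, $userClassGuid)
)

# Read the OU's security descriptor from the AD: drive, add the ACEs, write it back.
$acl = Get-Acl -Path "AD:\$TargetOU"
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Verification: show every ACE on the OU that now names the service account.
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference.Value -eq $ServiceAccount } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

The rules are scoped to the one OU and to user objects beneath it (the `Descendents` inheritance value is spelled that way in the .NET enum), so the account does not gain rights elsewhere in the directory. The final `Get-Acl` listing is the check to keep: the ACE with `ObjectType` equal to the servicePrincipalName GUID is the one that ADUC cannot create and that the join step depends on.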

ADSI Edit is included in the Remote Server Administration Tools (RSAT).

