Enabling AD DS Authentication for Azure Files with Bicep: A Step-by-Step Guide
Having had the chance to work in hybrid-enabled environments, it was time to go a bit old school and explore a different kind of identity-based access on Azure Files.
If you ever come across the available options to enable identity-based access, you quickly notice that there are some steps involved for each identity-based type of access.
When you go for the AD DS option, Microsoft provides a PowerShell module called AzFilesHybrid. This module is meant to make configuring the AD DS option on the Azure Storage Account easy by using a single command named Join-AzStorageAccount.
However, the module has an odd prerequisite: it presumes you already have a Storage Account created in Azure.
This made me wonder, because it defeats the purpose of incremental (idempotent) deployments when using Bicep as my IaC tooling.
To explain it in a bit more detail, imagine the following: you’ve gone through the documentation and noticed that the following properties are required when you write your Bicep code:
azureFilesIdentityBasedAuthentication: {
  activeDirectoryProperties: {
    accountType: 'string'
    azureStorageSid: 'string'
    domainGuid: 'string'
    domainName: 'string'
    domainSid: 'string'
    forestName: 'string'
    netBiosDomainName: 'string'
    samAccountName: 'string'
  }
  defaultSharePermission: 'string'
  directoryServiceOptions: 'string'
}
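To show where that property block ends up, here is an added example (my own, not code from the original post) of a complete storage account resource that enables AD DS authentication for Azure Files. It assumes the AD DS values (domain GUID and SID, forest name, and the SID and sAMAccountName of the AD object representing the storage account) have already been gathered and are passed in as parameters; the parameter names are assumptions.

```bicep
// Added example: storage account with AD DS identity-based access for Azure Files.
// All AD DS values are assumed to be collected beforehand and supplied as parameters.
@description('Globally unique storage account name')
param storageAccountName string
param location string = resourceGroup().location

@description('DNS name of the AD DS domain (constructed sample: corp.contoso.com)')
param domainName string
param netBiosDomainName string
param forestName string
@description('GUID of the AD DS domain')
param domainGuid string
@description('SID of the AD DS domain')
param domainSid string
@description('SID of the AD object that represents the storage account')
param azureStorageSid string
@description('sAMAccountName of that AD object, e.g. the storage account name')
param samAccountName string

resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: location
  kind: 'StorageV2'
  sku: {
    name: 'Standard_LRS'
  }
  properties: {
    minimumTlsVersion: 'TLS1_2'
    supportsHttpsTrafficOnly: true
    allowBlobPublicAccess: false
    azureFilesIdentityBasedAuthentication: {
      // 'AD' selects on-premises AD DS (as opposed to 'AADDS' or 'AADKERB')
      directoryServiceOptions: 'AD'
      // 'None' grants no share-level access by default; assign share roles explicitly
      defaultSharePermission: 'None'
      activeDirectoryProperties: {
        // 'Computer' when the AD object is a computer account, 'User' for a service logon account
        accountType: 'Computer'
        azureStorageSid: azureStorageSid
        domainGuid: domainGuid
        domainName: domainName
        domainSid: domainSid
        forestName: forestName
        netBiosDomainName: netBiosDomainName
        samAccountName: samAccountName
      }
    }
  }
}
```

Keeping defaultSharePermission at 'None' and granting share-level roles per group is the least-privilege way to light this up; a broad default share permission applies to every authenticated domain identity.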