Microsoft just closed a long-standing operational gap: Azure Files SMB now supports Microsoft Entra–only identities in general availability. That means you can authenticate SMB clients to Azure Files using Entra identities without standing up AD Domain Services, trusts, or hybrid Kerberos plumbing. For cloud-first platform teams, it's a clean line: identity, governance, and conditional access live in Entra instead of being split across AD and Azure.
Why this matters
For a decade the Windows/SMB world forced one of two compromises: run AD infrastructure in-cloud (Azure AD Domain Services or AD DS) and keep NTLM/Kerberos patterns, or cobble together token-based flows and accept operational risk. Entra-only SMB finally gives a native path that aligns with modern identity stacks: Conditional Access, device signals, and the Microsoft Entra principal model become the primary controls for file access.
This is the right call. Azure's file shares are a natural fit for cloud-native apps and automation; making identity first-class in Entra removes a lot of brittle glue that has driven incident toil. But don't confuse "simpler" with "no work." The hard parts are where they always were: ACL modeling, legacy Windows behavior, and migration risk.
What it changes (practically)
- Access control and auditing: auth events, access tokens, and policy decisions are now visible through Microsoft Entra logs and Conditional Access signals. That centralizes governance but also changes where you look during an incident.
- Migration surface: greenfield shares and new apps can go straight to Entra-only. Existing shares tied to NTFS ACLs, integrated Windows authentication, or legacy apps will need mapping or a coexistence plan.
- Operational tooling: provisioning scripts, IaC templates, and onboarding playbooks that previously handled domain-join, GPOs, or AD service accounts need updates to provision Entra principals and assign share-level permissions.
Related identity moves this week
Azure SQL Database recently added support for Microsoft Entra server principals, which pairs with Entra-only Azure Files: Microsoft is expanding where Entra-native principals — rather than shadowed AD objects — are the canonical identity for platform resources. On the AI side, Microsoft Foundry added additional third-party models (including Anthropic and OpenAI options) to its catalog, signaling continued investment in model routing and enterprise-hosted inference. AKS had routine node image refreshes and security patches across supported Kubernetes versions; nothing breaking, but the usual upstream cadence you need in your node-image pipeline. For more on Azure's AI trajectory this month see June 2026: Azure AI Search GA (RAG), AKS Arc-enabled Fleet & Backup/Cosmos DB Updates.
What platform teams must stop pretending is "done"
If you're operating under the assumption that identity is a solved problem because you have AD integration, that's outdated. Entra-first file access changes incident post-mortems, least-privilege reviews, and template libraries. Specifically, you must resolve three things before rolling Entra-only into production at scale: how NTFS ACLs map to Entra subject types, how machine or service principals get delegated access without service-account passwords, and where your SREs will look for fast forensic signals during an outage.
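The ACL-mapping question above is the one most teams answer ad hoc during migration. The following is an added example, not Microsoft tooling or anything from this post: a small planning script that takes an NTFS ACL inventory in the shape icacls reports it, labels each share greenfield or legacy, and maps every principal to an Entra subject type (user, group, service principal, or "unmappable" for BUILTIN/NT AUTHORITY identities that have no Entra counterpart). The inventory, the directory lookup, and the rights-to-role mapping are all constructed assumptions for illustration; only the three role names are real Azure built-in roles.

```python
"""Plan NTFS ACL -> Entra subject mapping for an Entra-only Azure Files migration.

Added example, not part of the original post and not Microsoft's tooling.
The sample inventory, the directory lookup and the rights-to-role rule are
assumptions for illustration; adapt them to your own directory and policy.
"""
from __future__ import annotations
from dataclasses import dataclass

# Real Azure built-in roles for share-level SMB access.
ROLE_READER = "Storage File Data SMB Share Reader"
ROLE_CONTRIBUTOR = "Storage File Data SMB Share Contributor"
ROLE_ELEVATED = "Storage File Data SMB Share Elevated Contributor"

# Local / well-known authorities that have no Entra counterpart at all.
LOCAL_AUTHORITIES = ("BUILTIN\\", "NT AUTHORITY\\", "CREATOR OWNER", "Everyone")


@dataclass(frozen=True)
class Ace:
    principal: str  # as icacls prints it, e.g. "CORP\\fin-analysts"
    rights: str     # icacls-style flags, e.g. "(OI)(CI)(M)"


# Constructed sample inventory (not real data): share name -> ACEs.
SAMPLE_INVENTORY: dict[str, list[Ace]] = {
    "finance-reports": [
        Ace("CORP\\fin-analysts", "(OI)(CI)(M)"),
        Ace("CORP\\svc-reporting", "(OI)(CI)(RX)"),
        Ace("BUILTIN\\Administrators", "(OI)(CI)(F)"),
    ],
    "app-uploads": [],  # new share with no NTFS history
    "legacy-erp": [
        Ace("CORP\\jdoe", "(M)"),
        Ace("NT AUTHORITY\\SYSTEM", "(F)"),
        Ace("CREATOR OWNER", "(OI)(CI)(IO)(F)"),
    ],
}

# Constructed stand-in for an AD lookup: principal -> object kind.
SAMPLE_DIRECTORY: dict[str, str] = {
    "CORP\\fin-analysts": "group",
    "CORP\\svc-reporting": "service",
    "CORP\\jdoe": "user",
}


def parse_rights(rights: str) -> set[str]:
    """Split an icacls-style rights string such as "(OI)(CI)(M)" into flag tokens."""
    return {tok for tok in rights.replace(")", "").split("(") if tok}


def suggest_role(rights: str) -> str:
    """Assumed simplification: F -> elevated, M or W -> contributor, else reader."""
    flags = parse_rights(rights)
    if "F" in flags:
        return ROLE_ELEVATED
    if flags & {"M", "W"}:
        return ROLE_CONTRIBUTOR
    return ROLE_READER


def classify_principal(principal: str, directory: dict[str, str]) -> str:
    """Map an ACL principal to the Entra subject type it should become."""
    if principal.startswith(LOCAL_AUTHORITIES):  # startswith accepts a tuple
        return "unmappable"  # re-express via share-level RBAC or drop
    kind = directory.get(principal)
    if kind == "group":
        return "entra-group"
    if kind == "user":
        return "entra-user"
    if kind == "service":
        return "service-principal"  # app registration / managed identity, no password
    return "unknown"


def plan_share(aces: list[Ace], directory: dict[str, str]) -> dict:
    """Label a share and list the subject + role mapping each ACE needs."""
    if not aces:
        return {"label": "greenfield", "actions": [], "needs_review": False}
    actions = []
    for ace in aces:
        subject = classify_principal(ace.principal, directory)
        role = None if subject in ("unmappable", "unknown") else suggest_role(ace.rights)
        actions.append({"principal": ace.principal, "subject": subject, "role": role})
    needs_review = any(a["role"] is None for a in actions)
    return {"label": "legacy", "actions": actions, "needs_review": needs_review}


def build_plan(inventory: dict[str, list[Ace]], directory: dict[str, str]) -> dict:
    """Produce the per-share migration plan for the whole inventory."""
    return {share: plan_share(aces, directory) for share, aces in inventory.items()}


if __name__ == "__main__":
    for share, plan in build_plan(SAMPLE_INVENTORY, SAMPLE_DIRECTORY).items():
        print(share, plan["label"], "review" if plan["needs_review"] else "ok")
        for action in plan["actions"]:
            print("   ", action["principal"], "->", action["subject"], action["role"])
```

Every share whose ACL names a local authority comes out flagged for review, which is the point: those entries cannot be carried over by any mapping and must be re-expressed as share-level RBAC or removed, and that decision belongs in the coexistence plan rather than in a late-night migration window.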
A brief checklist to act on this week
- Inventory shares and label which ones are greenfield vs. legacy (NTFS-heavy).
- Update IaC to create Microsoft Entra service principals (app registrations) and role assignments as part of share provisioning.
- Add Entra audit/log ingestion to your SIEM and update runbooks to use Entra signals for file-access incidents.
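The third checklist item, updating runbooks to work from Entra signals, is easier to commit to once you have seen what a first-pass triage over those signals looks like. The following is an added example, not from the post or from Microsoft: it reads sign-in events in a subset of the shape the Microsoft Graph `signIn` resource uses, keeps only failed requests for the file-share resource, and summarizes who failed, from which addresses, and how many of those were Conditional Access blocks. The sample records are constructed, and the resource display name the Azure Files token request appears under is an assumption to verify against your own tenant's logs.

```python
"""Triage Entra sign-in records for a file-share access incident.

Added example, not part of the original post and not Microsoft code. Events
follow a subset of the Microsoft Graph `signIn` resource fields; the sample
records are constructed and the resource display name is an assumption.
"""
import json
from collections import Counter, defaultdict

# Assumption: Azure Files SMB token requests appear under this resource name.
# Confirm against your tenant's sign-in logs and adjust.
FILES_RESOURCE = "Azure Storage"


def _rec(ts, upn, ip, resource, ca_status, code):
    """Build one constructed sign-in record as a JSON line."""
    return json.dumps({
        "createdDateTime": ts,
        "userPrincipalName": upn,
        "ipAddress": ip,
        "resourceDisplayName": resource,
        "conditionalAccessStatus": ca_status,  # success | failure | notApplied
        "status": {"errorCode": code},         # 0 on success
    })


# Constructed sample export (newline-delimited JSON), not real tenant data.
SAMPLE_SIGNINS = "\n".join([
    _rec("2026-06-02T08:01:10Z", "alice@contoso.example", "203.0.113.10",
         FILES_RESOURCE, "success", 0),
    _rec("2026-06-02T08:04:32Z", "alice@contoso.example", "198.51.100.7",
         FILES_RESOURCE, "failure", 53003),      # blocked by Conditional Access
    _rec("2026-06-02T08:05:01Z", "alice@contoso.example", "203.0.113.10",
         FILES_RESOURCE, "notApplied", 50126),   # credential validation failed
    _rec("2026-06-02T08:06:45Z", "bob@contoso.example", "203.0.113.22",
         FILES_RESOURCE, "success", 0),
    _rec("2026-06-02T08:07:12Z", "bob@contoso.example", "203.0.113.22",
         "Microsoft Graph", "notApplied", 50126), # unrelated resource, excluded
])


def parse_signins(text: str) -> list:
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_failure(event: dict) -> bool:
    """Failed if the token request errored or Conditional Access blocked it."""
    code = event.get("status", {}).get("errorCode", 0)
    return code != 0 or event.get("conditionalAccessStatus") == "failure"


def file_access_failures(events: list, resource: str = FILES_RESOURCE) -> list:
    """Keep only failed sign-ins against the file-share resource."""
    return [e for e in events
            if e.get("resourceDisplayName") == resource and is_failure(e)]


def summarize(failures: list) -> dict:
    """Per-user failure counts, distinct source IPs, and CA block count."""
    by_user = Counter(e["userPrincipalName"] for e in failures)
    ips = defaultdict(set)
    for e in failures:
        ips[e["userPrincipalName"]].add(e["ipAddress"])
    ca_blocked = sum(1 for e in failures
                     if e.get("conditionalAccessStatus") == "failure")
    return {
        "failures_by_user": dict(by_user),
        "source_ips": {u: sorted(s) for u, s in ips.items()},
        "ca_blocked": ca_blocked,
    }


if __name__ == "__main__":
    summary = summarize(file_access_failures(parse_signins(SAMPLE_SIGNINS)))
    print(json.dumps(summary, indent=2))
```

Splitting "Conditional Access said no" from "the token request itself failed" matters for the runbook: the first is usually a policy or device-compliance question for the identity team, the second points at credentials or client configuration, and neither will show up in the NTFS-side tooling SREs used to reach for first.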
Final take
Microsoft moving SMB file auth into Entra is overdue and correct: identity should not be split between a cloud control plane and a legacy directory. Expect accelerated migrations for new workloads and a prolonged coexistence phase for Windows-dependent applications. If you ignore the migration surface (ACL semantics, toolchain changes, and logging), you will trade AD operational pain for a different kind of surprise during an outage. This change doesn't remove complexity; it relocates it into your identity model, which, if you manage Entra well, is an upgrade.