Change the identity source for Azure file shares

Applies to: ✔️ SMB file shares

Azure Files supports only one identity source per storage account for identity-based authentication over SMB. If you want to switch from one identity source to another, you must first disable the current identity source and then enable the new one.

For guidance on choosing the right identity source for your environment, see Overview of Azure Files identity-based authentication for SMB access.

Important

Disabling the current identity source removes identity-based access for all file shares in the storage account immediately. Users can't access shares using identity-based authentication until you enable and configure a new identity source.

Step 1: Verify the current identity source

First, verify the identity source that's currently enabled on your storage account. Supported identity sources for SMB Azure file shares are Active Directory Domain Services (AD DS), Microsoft Entra Domain Services, and Microsoft Entra Kerberos.

  1. Sign in to the Azure portal and select the storage account.

  2. From the service menu, under Data storage, select File shares.

  3. Next to Identity-based access, check the configuration status. If it shows Configured, proceed to the next step. If it shows Not configured, then no identity source is enabled on the storage account and you can proceed to Enable a new identity source.

    Screenshot of the file shares pane in your storage account, identity-based access configuration status is highlighted.

  4. Select Configured.

  5. The portal shows the identity source that's enabled on the storage account and its configuration status. Other identity sources are grayed out. In this example, Microsoft Entra Kerberos is enabled as the identity source for the storage account.

    Screenshot showing which identity source is enabled on the storage account.

Step 2: Disable the current identity source

Disable your current identity source by using the Azure portal, Azure PowerShell, or Azure CLI.

Active Directory Domain Services (AD DS)

To disable AD DS on the storage account, follow these steps.

  1. Under Active Directory Domain Services (AD DS), select Configure.
  2. Select the Disable Active Directory for this storage account checkbox.
  3. Select Save.

Important

After disabling AD DS authentication, consider deleting the AD DS computer account or service logon account that you created to represent the storage account in your on-premises AD. If you leave the identity in AD DS, it remains as an orphaned object.

Microsoft Entra Domain Services

To disable Microsoft Entra Domain Services on the storage account, follow these steps.

  1. Under Microsoft Entra Domain Services, select Configure.
  2. Uncheck the Enable Microsoft Entra Domain Services checkbox.
  3. Select Save.

Microsoft Entra Kerberos

To disable Microsoft Entra Kerberos on the storage account, follow these steps.

  1. Under Microsoft Entra Kerberos, select Configure.
  2. Uncheck the Microsoft Entra Kerberos checkbox.
  3. Select Save.
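Steps 1 and 2 can also be scripted with Azure CLI. The following is an added example, not part of the original page: it reads the identity source that's enabled on the storage account and then disables whichever one it finds. It assumes a signed-in Azure CLI; the function names are hypothetical, and you supply the resource group and storage account names. Because disabling takes effect immediately, the script only prints the command unless you pass `--apply`.

```shell
# Added example, not from the original page. Requires a signed-in Azure CLI.
# Function names are hypothetical; the caller passes resource group and account.

# Step 1: print the enabled identity source: AD, AADDS, AADKERB, or None.
current_identity_source() {   # args: <resource-group> <storage-account>
  local value
  value=$(az storage account show --resource-group "$1" --name "$2" \
    --query 'azureFilesIdentityBasedAuthentication.directoryServiceOptions' \
    --output tsv) || return 1
  printf '%s\n' "${value:-None}"   # an empty result means not configured
}

# Map the reported identity source to the az flag that switches it off.
disable_flag_for() {
  case "$1" in
    AD)      echo '--enable-files-adds' ;;     # Active Directory Domain Services
    AADDS)   echo '--enable-files-aadds' ;;    # Microsoft Entra Domain Services
    AADKERB) echo '--enable-files-aadkerb' ;;  # Microsoft Entra Kerberos
    *)       return 1 ;;                       # None or an unrecognized value
  esac
}

# Step 2: dry run by default; pass --apply to actually disable the source.
disable_identity_source() {   # args: <resource-group> <storage-account> [--apply]
  local rg="$1" account="$2" mode="${3:-}" src flag
  src=$(current_identity_source "$rg" "$account") || return 1
  if [ "$src" = None ]; then
    echo "No identity source is enabled on $account; nothing to disable."
    return 0
  fi
  flag=$(disable_flag_for "$src") || {
    echo "Unrecognized identity source '$src'; not changing anything." >&2
    return 1
  }
  if [ "$mode" = --apply ]; then
    az storage account update --resource-group "$rg" --name "$account" "$flag" false
  else
    echo "Would run: az storage account update --resource-group $rg --name $account $flag false"
  fi
}
```

Run `disable_identity_source <resource-group> <storage-account>` first to review the command, then repeat with `--apply` once users are prepared for the loss of identity-based access.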

Step 3: Enable a new identity source

After disabling the current identity source, follow the instructions for the new identity source you want to enable: