Azure File Share Creation - brian-anderson01/Capstone GitHub Wiki

Create the initial storage account

  • Sign into Azure and search for storage
  • Choose storage accounts
  • Click create
  • Choose your Azure subscription
  • Choose a resource group. If you don't have one, click the dropdown, choose create, then name it.
  • Name the storage account and choose your region
  • Choose your performance. In this case I'm not going to need super fast speeds, so I chose standard.
  • Finally, choose the redundancy option that suits your needs best.
  • Click "Next: Advanced"
  • Under Security, check "Default to Azure Active Directory authorization in the Azure portal". This must be enabled.
  • Scroll down further to Azure Files and check "Enable large file shares". This must be enabled.
  • The rest of the settings can be left as is for now
  • Click "Review + create" at the bottom
  • Wait for it to authorize the settings, then click create in the bottom left

Create the actual file share

  • Navigate to storage accounts again and select the one you created above
  • On the left under "data storage" click "file shares"
  • Click + File Share near the top
  • Name the file share and then choose your tier. I chose hot, so files are available but not needed super fast.
  • Click create
  • The share is now created. Next we need to map it to the computers.
  • First we need to implement Azure AD permissions on our shares. Back on the file shares page, click "Not configured" right next to Active Directory (see screenshot below)
  • Now click "set up" under Azure Active Directory Domain Services
  • Next, check the box then click save
  • Now we need to assign permissions so that users can access the new share
  • From the file share you just created, click "Access Control (IAM)" on the left
  • Choose role assignments near the top then click "Add" then "Add Role Assignment"
  • From the role dropdown select "Storage File Data SMB Share Contributor"
  • Search for users or groups below and add them, then click save at the bottom
  • Back at the file share overview, near the top click "connect"
  • Choose the drive letter and copy the script that was generated
  • Save this script as a .ps1 (PowerShell file) in a text editor
  • Now that we have the script we can move on to deploying it.
  • If you want to map the drive manually, run the script through PowerShell as an Azure AD user with access to the share.

Creating a private endpoint so users connected via VPN can access the file share (Only necessary if using VPN)

  • In the Azure Portal search for storage accounts and choose the one that your file share is under
  • Once in the storage account resource, scroll down on the left to "Security + networking" and choose "Networking"
  • From here click Private endpoint connections at the top
  • Now click + private endpoint near the top
  • Choose your existing subscription and resource group then name the endpoint, then click next
  • Click the Target sub-resource and choose file and click next
  • Choose a virtual network to have the private endpoint on (I chose my AADDS Vnet for this), then choose a subnet on that Vnet
  • If you would like the endpoint to have a DNS name, choose yes, then click next
  • Click next again, then review + create
  • Finally, click Create
  • Once created, the storage resource will have a private IP address on the subnet that you chose earlier. To find that IP, go to the network interface for the storage resource.

Mapping the shared drive using Intune (WIP)

  • Sign in to the Intune portal
  • Choose devices from the left, then scripts
  • Click add and choose Windows 10
  • Name the script. I named it "file share main".
  • Now we need to import the script that we saved in the previous step
  • Choose the script that you saved earlier after creating the share
  • Right under this is "Run this script using the logged on credential". Change this to "yes". This is very important.
  • Click next and assign the groups that should have access to the drive, then click next again
  • After reviewing, click add again.
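
The script below is an added example, not the script the Azure portal generates and not code from this wiki. It shows one way to write a mapping script for the manual and Intune steps above that is safe to re-run and, for VPN clients, checks that the storage name resolves to the private endpoint before mapping. The storage account name, share name and the $RequirePrivate switch are placeholders and assumptions.

```powershell
# Added example; every value below is a placeholder to replace with your own.
$StorageAccount = 'examplestorageacct'  # hypothetical storage account name
$ShareName      = 'exampleshare'        # hypothetical file share name
$DriveLetter    = 'Z'
$RequirePrivate = $false   # $true for VPN clients that must use the private endpoint

$HostName = "$StorageAccount.file.core.windows.net"
$Root     = "\\$HostName\$ShareName"

function Test-PrivateIPv4 {
    param([string]$Address)
    # Assumption: the private endpoint subnet uses RFC 1918 space
    # (10/8, 172.16/12 or 192.168/16).
    return $Address -match '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)'
}

# Safe to re-run: stop early if the drive already points at this share.
$existing = Get-PSDrive -Name $DriveLetter -ErrorAction SilentlyContinue
if ($existing -and $existing.DisplayRoot -eq $Root) { exit 0 }
if ($existing) {
    Write-Error "Drive ${DriveLetter}: is already mapped to $($existing.DisplayRoot)."
    exit 1
}

# On VPN the name must resolve to the private endpoint IP, not the public one.
$addresses = @(Resolve-DnsName -Name $HostName -Type A -ErrorAction Stop |
    Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
if ($RequirePrivate -and -not ($addresses | Where-Object { Test-PrivateIPv4 $_ })) {
    Write-Error "$HostName resolves to $($addresses -join ', '), which is not a private address."
    exit 1
}

# SMB uses TCP 445; fail with a clear message if the path is blocked.
$probe = Test-NetConnection -ComputerName $HostName -Port 445 -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) {
    Write-Error "Cannot reach $HostName on TCP 445 (SMB)."
    exit 1
}

# No storage account key is stored: the mapping uses the signed-in user's identity,
# so the script has to run as that user.
# -Scope Global keeps a -Persist mapping alive after the script exits.
New-PSDrive -Name $DriveLetter -PSProvider FileSystem -Root $Root `
    -Persist -Scope Global -ErrorAction Stop | Out-Null
```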

Resources:

https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-create-file-share?tabs=azure-portal
https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-use-files-windows