Does ONTAP support Azure AD with OAuth 2.0?
Applies to
ONTAP 9+
Answer
- Currently we don’t support Azure AD with OAuth 2.0 for CIFS.
- Currently we support:
  - Clients connecting to Azure NetApp Files (ANF) volumes do not need to join an on-premises AD domain. They only need to join Azure AD (now Entra ID) with a hybrid user (synced from on-premises Active Directory) using the Azure AD Connect application.
  - Access to SMB volumes from Microsoft Entra joined Windows virtual machines.
  - Clients that don’t have line of sight to on-premises AD.
  - ONTAP connects to Azure AD and obtains an OAuth token to connect to Azure Key Vault.
Additional Information
To enable SMB/CIFS access using Entra ID identities, you can use Microsoft Entra Domain Services (EDS), which provides domain join and Kerberos/NTLM support for cloud-only identities:
- Enable Microsoft Entra Domain Services:
  - Set up EDS in your Azure environment to provide domain services such as Kerberos and LDAP.
- Domain-Join Your VMs:
  - Ensure that the virtual machines accessing the NetApp volumes are joined to the EDS domain.
- Configure Azure NetApp Files:
  - Set up Azure NetApp Files to use EDS for authentication.
  - Assign appropriate permissions to the users and groups in Entra ID that need access to the shares.
- Hybrid Identity Support:
  - For hybrid users (synced from on-premises AD), use Microsoft Entra Connect to sync identities.
  - Ensure that these users are also part of the EDS domain or federated appropriately.
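As an added verification step (not part of this NetApp KB), the following PowerShell, run on a Windows VM after it has been joined to the EDS domain and the ANF SMB volume has been configured, confirms that the VM is joined to the expected domain, that its secure channel is healthy, and that the share is reached with a Kerberos ticket rather than an NTLM fallback; the domain name and share path are assumed placeholders.

```powershell
# Added check script, not from the NetApp KB. Run on the Windows VM that accesses the ANF share.
$EdsDomain = 'aaddscontoso.com'                       # assumed placeholder: your Entra Domain Services domain
$SharePath = '\\anf-smb-server.aaddscontoso.com\data'  # assumed placeholder: ANF SMB share UNC path

# 1. The VM must be joined to the EDS domain (Entra registration alone is not a domain join).
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain -or $cs.Domain -ne $EdsDomain) {
    throw "VM is not joined to $EdsDomain (current domain: '$($cs.Domain)', PartOfDomain=$($cs.PartOfDomain))"
}

# 2. The machine's secure channel to an EDS domain controller must be healthy.
if (-not (Test-ComputerSecureChannel)) {
    throw 'Secure channel to the EDS domain controller is broken'
}

# 3. Map the share non-persistently and look up the resulting SMB session.
New-SmbMapping -LocalPath 'Z:' -RemotePath $SharePath -Persistent $false | Out-Null
$ShareName = ($SharePath -split '\\')[-1]          # last path component, e.g. 'data'
$conn = Get-SmbConnection | Where-Object { $_.ShareName -eq $ShareName }
if (-not $conn) { throw "No SMB connection found to $SharePath" }
"Connected to \\$($conn.ServerName)\$($conn.ShareName) as $($conn.UserName) (SMB dialect $($conn.Dialect))"

# 4. klist lists the Kerberos tickets of the current logon session. A cifs/<server> service
#    ticket shows the share was authenticated with Kerberos; its absence suggests NTLM fallback.
$tickets = klist
$cifs = $tickets | Select-String -Pattern 'cifs/'
if ($cifs) {
    "Kerberos service ticket present for the SMB server:"
    $cifs
} else {
    Write-Warning 'No cifs/ Kerberos ticket found; the session may have fallen back to NTLM'
}
```

If the script throws at step 1 or 2, redo the domain join against the EDS domain before troubleshooting the share itself.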