
Entra ID Users Authenticate to AWS FSx Windows File Server

0

Hi all,

I’m hoping someone can help clarify a hybrid identity question!

Here’s my setup:

  • I have AWS FSx for Windows File Server and AWS Managed Active Directory (no on-premises AD).
  • My FSx file shares are joined to AWS Managed AD, and users can authenticate if they exist in AWS Managed AD.
  • I also have Microsoft Entra ID (Azure AD).
  • I set up Entra Connect/Azure AD Connect to sync users, but the default direction is from AWS Managed AD → Entra ID.

What I want: I want my Entra ID (Azure AD) users to be able to authenticate directly to the FSx file server—ideally using their Entra ID credentials, without having to manually recreate or sync every user into AWS Managed AD.

What I’ve tried/learned so far:

  • Entra Connect syncs users from AWS Managed AD up to Entra ID, but not the other way around.
  • Users created only in Entra ID do not appear in AWS Managed AD, and cannot authenticate to FSx.
  • There doesn’t seem to be a built-in or supported way to sync Entra ID (cloud-only) users down to AWS Managed AD.

Questions:

  • Is there any supported way (natively or with a tool/script) to allow Entra ID users to access AWS FSx for Windows File Server?
  • Are there any workarounds or third-party solutions for provisioning Entra ID users into AWS Managed AD automatically?
  • Has anyone made this scenario work, or is AD → Entra ID sync the only supported flow for AWS FSx?

Any advice or experience with this would be much appreciated!

Thanks in advance!

1 Answer
0

Based on the information available, there are a few approaches you could consider for enabling Entra ID users to access AWS FSx for Windows File Server:

  1. Trust Relationship: You can establish a one-way forest trust relationship between your AWS Managed Microsoft AD domain and your Entra ID Domain Services. In this setup, the AWS managed forest would trust the Entra ID domain forest, allowing accounts in your Entra ID domain to authenticate against resources in the AWS managed domain, including your FSx file system. This requires Entra ID Domain Services (not just Entra ID).

  2. Active Directory Connector: You could use AWS Directory Service's Active Directory Connector to connect to your Entra ID Domain Services. This would allow you to take advantage of your existing Active Directory forest for authentication needs. The AD Connector acts as a proxy to redirect directory requests to your Entra ID Domain Services.

  3. Resource Forest Isolation Model: Another approach is to use a resource forest isolation model, where you isolate resources (including Amazon FSx file systems) into a separate Active Directory forest. This can be useful if you want to maintain separation between your Entra ID environment and AWS resources.

It's important to note that Amazon FSx for Windows File Server requires Active Directory for authentication - it doesn't directly integrate with cloud-only Entra ID. You'll need Entra ID Domain Services (the Azure AD DS offering) to provide the necessary Active Directory infrastructure that FSx can integrate with.

For any of these approaches, you'll need to ensure proper network connectivity between your AWS environment and Azure, typically through IPSEC VPN tunnels, and configure the appropriate security groups and network ACLs to allow communication on the required ports.

As a best practice for identity management across AWS services, consider using AWS IAM Identity Center for centralized access management, which can connect to external identity providers including Microsoft Entra ID through SAML 2.0 and SCIM protocols.

Sources

  • Working with Microsoft Active Directory - Amazon FSx for Windows File Server
  • Using Amazon FSx with AWS Directory Service for Microsoft Active Directory - Amazon FSx for Windows File Server
  • Using AWS Directory Service for Entra ID Domain Services - AWS Transfer Family
  • Manage an external identity provider - AWS IAM Identity Center
  • Identity and access management for Amazon FSx for Windows File Server - Amazon FSx for Windows File Server

answered 10 months ago
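The trust-based approach in the answer above (option 1) only works if the trust direction, DNS forwarding and the firewall rules between the two environments are all right, and each of those fails silently from the FSx client's point of view (the user just gets "access denied"). The following script is an added example, not code from the answer's author, from AWS or from Microsoft: it runs the post-setup checks a practitioner would want from a domain-joined Windows host in the AWS Managed AD domain with the RSAT ActiveDirectory module installed. Every domain name, host name, NetBIOS name, user name, FSx DNS name and the port list are placeholders or assumptions that have to be replaced with your own values.

```powershell
# Added example (not from the answer above, AWS or Microsoft): verify a one-way forest
# trust in which the AWS Managed AD forest trusts the Entra ID Domain Services forest.
# Run on a domain-joined Windows host in the AWS domain with RSAT ActiveDirectory.
# All names below are placeholders; the port list is an assumption to adjust from the
# AWS Managed AD trust prerequisites for your deployment.

$AwsDomain      = 'corp.aws.example'                       # placeholder: AWS Managed AD DNS name
$EntraDsDomain  = 'aadds.azure.example'                    # placeholder: Entra DS managed domain
$EntraDsNetbios = 'AADDS'                                  # placeholder: its NetBIOS name
$EntraDsDc      = 'dc1.aadds.azure.example'                # placeholder: a DC reachable over the VPN
$FsxDnsName     = 'fs-0123456789abcdef0.corp.aws.example'  # placeholder: FSx file system DNS name
$TestUser       = 'jdoe'                                   # placeholder: user that exists only in Entra DS

Import-Module ActiveDirectory

# 1. Trust object: for "AWS forest trusts the Entra DS forest" the trust seen from the
#    AWS side is Inbound (accounts come in from the other forest) and forest-transitive.
$trust = Get-ADTrust -Filter "Target -eq '$EntraDsDomain'" -Server $AwsDomain
if (-not $trust) { throw "No trust to $EntraDsDomain is defined in $AwsDomain" }
"Trust {0}: Direction={1} ForestTransitive={2}" -f $trust.Name, $trust.Direction, $trust.ForestTransitive
if ($trust.Direction -notin 'Inbound', 'BiDirectional') {
    Write-Warning "Trust direction is $($trust.Direction); Entra DS users will not be accepted."
}

# 2. Name resolution: the AWS domain needs a conditional forwarder for the Entra DS
#    domain, otherwise the Kerberos referral for the trusted realm cannot be located.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$EntraDsDomain" -Type SRV -ErrorAction SilentlyContinue
if (-not $srv) { Write-Warning "Cannot resolve DC SRV records for $EntraDsDomain; check DNS forwarding." }
else { "Resolved {0} DC SRV record(s) for {1}" -f @($srv).Count, $EntraDsDomain }

# 3. Reachability of the ports a trust needs (assumed list; TCP only, since
#    Test-NetConnection does not probe UDP, so UDP 53/88/389 must be checked separately).
$TrustPorts = 53, 88, 135, 389, 445, 464, 636, 3268
foreach ($port in $TrustPorts) {
    $r = Test-NetConnection -ComputerName $EntraDsDc -Port $port -WarningAction SilentlyContinue
    '{0,5} {1}' -f $port, $(if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' })
}

# 4. Does the trust actually work end to end? Translating DOMAIN\user to a SID uses the
#    LSA lookup path through the trust, which is exactly what FSx relies on when it
#    evaluates share and NTFS ACLs for a user from the trusted forest.
try {
    $account = New-Object System.Security.Principal.NTAccount("$EntraDsNetbios\$TestUser")
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
    "{0}\{1} resolves to {2}" -f $EntraDsNetbios, $TestUser, $sid.Value
} catch {
    Write-Warning "Could not resolve $EntraDsNetbios\$TestUser through the trust: $($_.Exception.Message)"
}

# 5. Finally the client path: SMB (TCP 445) to the FSx endpoint itself.
$smb = Test-NetConnection -ComputerName $FsxDnsName -Port 445 -WarningAction SilentlyContinue
"SMB to {0}: {1}" -f $FsxDnsName, $(if ($smb.TcpTestSucceeded) { 'open' } else { 'BLOCKED' })
```

Step 4 is the one that matters most: if the SID translation fails while the trust object and the ports look fine, the problem is usually DNS (step 2) or a firewall that passes the fixed ports but not the RPC dynamic range, which the list above deliberately does not cover. Once the translation succeeds, FSx share and NTFS permissions can be granted to `AADDS\user` or, better, to a group in the trusted forest, without creating that user in AWS Managed AD.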
