matt4189

Add Azure AD Group to local Windows file Share

If you have an Azure-exclusive environment and want to include cloud users in a local file share, you can log in with each account separately and then add it to the local group from the command line:

net localgroup <group name> /add "AzureAD\<username>"

This works well for a small number of users, but using a group takes a bit of extra work.

  • First, log in to the Azure portal and create the group.

  • Next, create another Azure security group to hold the device that will host the share.

  • Click Properties and note the Object ID for the group.

  • Use Graph Explorer to get the group's SID.

  • Copy the security identifier; we will use it later.

  • Log in to the Intune management center and create a new device configuration policy.

  • Click Create

  • Choose "Windows 10 and later" for Platform

  • Select "Templates"

  • Select "Custom"

  • Click "Create"

  • Give your new policy a name

  • Under Configuration settings, OMA-URI Settings, click Add.

  • OMA-URI:

./Device/Vendor/MSFT/Policy/Config/RestrictedGroups/ConfigureGroupMembership

  • Data type: String

  • Value:

<groupmembership>
    <accessgroup desc="<Local Group Name>">
        <member name="<Security Identifier copied earlier>" />
    </accessgroup>
</groupmembership>

  • Add the group you created to hold the device.

  • Once the device syncs the policy, the SID should show up as a member of the local group.

  • You can now use that local group to assign permissions as you normally would.
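The two fiddly parts of this procedure are getting the SID for the Azure AD group and typing the XML value without a mistake. The Python below is an added example (not part of the original post, and not Microsoft tooling): it derives the SID from the group's Object ID using the rule Windows applies to Azure AD objects (the prefix S-1-12-1 followed by the 16 GUID bytes read as four little-endian 32-bit integers, the same byte order as .NET's Guid.ToByteArray()), so you can cross-check the value Graph Explorer gives you, and it builds and re-parses the ConfigureGroupMembership value so the XML you paste into Intune is well-formed. The Object ID and local group name in the script are constructed sample values.

```python
import re
import struct
import uuid
import xml.etree.ElementTree as ET

# Every SID Windows derives from an Azure AD (Entra ID) object ID starts with this authority.
AZURE_AD_SID_PREFIX = "S-1-12-1"

# Accepts any well-formed SID (S-1-<authority>-<sub authorities>), so local SIDs can be listed too.
SID_PATTERN = re.compile(r"S-1-\d+(?:-\d+)+")


def object_id_to_sid(object_id: str) -> str:
    """Derive the Windows SID for an Azure AD group or user from its Object ID (GUID)."""
    guid = uuid.UUID(object_id)              # raises ValueError on a malformed Object ID
    # bytes_le matches .NET Guid.ToByteArray(); read it as four little-endian uint32 values
    parts = struct.unpack("<4I", guid.bytes_le)
    return "-".join([AZURE_AD_SID_PREFIX, *map(str, parts)])


def sid_to_object_id(sid: str) -> str:
    """Reverse mapping: find out which Azure AD object a SID seen in a local group refers to."""
    m = re.fullmatch(r"S-1-12-1-(\d+)-(\d+)-(\d+)-(\d+)", sid)
    if m is None:
        raise ValueError(f"not an Azure AD derived SID: {sid}")
    raw = struct.pack("<4I", *(int(x) for x in m.groups()))
    return str(uuid.UUID(bytes_le=raw))


def build_group_membership_xml(local_group: str, member_sids: list[str]) -> str:
    """Build the Value for the RestrictedGroups/ConfigureGroupMembership OMA-URI.

    The SIDs are validated first so a typo fails here rather than silently on the device.
    """
    for sid in member_sids:
        if SID_PATTERN.fullmatch(sid) is None:
            raise ValueError(f"not a valid SID: {sid}")
    root = ET.Element("groupmembership")
    group = ET.SubElement(root, "accessgroup", desc=local_group)
    for sid in member_sids:
        ET.SubElement(group, "member", name=sid)
    ET.indent(root, space="    ")
    return ET.tostring(root, encoding="unicode")


def parse_group_membership_xml(xml_text: str) -> dict[str, list[str]]:
    """Parse a ConfigureGroupMembership value back into {local group: [member SIDs]}.

    Run this over the value you are about to paste into Intune to confirm it is well-formed.
    """
    root = ET.fromstring(xml_text)           # raises ParseError on malformed XML
    if root.tag != "groupmembership":
        raise ValueError(f"unexpected root element: {root.tag}")
    result: dict[str, list[str]] = {}
    for group in root.findall("accessgroup"):
        members = [m.get("name", "") for m in group.findall("member")]
        for sid in members:
            if SID_PATTERN.fullmatch(sid) is None:
                raise ValueError(f"member is not a valid SID: {sid!r}")
        result[group.get("desc", "")] = members
    return result


if __name__ == "__main__":
    # Constructed sample Object ID; substitute the Object ID copied from the group's Properties page.
    sample_object_id = "01234567-89ab-cdef-0123-456789abcdef"
    sid = object_id_to_sid(sample_object_id)
    print("Azure AD group SID:", sid)
    print("Round trip Object ID:", sid_to_object_id(sid))
    # Constructed local group name; use the name of the local group the share permissions refer to.
    value = build_group_membership_xml("Share Users", [sid])
    print(value)
    print("Parsed back:", parse_group_membership_xml(value))
```

Keep in mind that ConfigureGroupMembership sets the full membership of the named local group: members that are not listed in the XML are removed when the policy applies, so include the SIDs of any existing members you want to keep alongside the Azure AD group's SID.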
