Introduction: Why Azure Files Cool Tier Requires Careful Design
Azure Files Cool tier is often marketed as “cheap file storage in the cloud,” but in practice it behaves much closer to a distributed file server platform than traditional object storage.
When you introduce Active Directory authentication, NTFS permissions, and SMB drive mapping, you are effectively extending your on-premises file server into Azure. That power comes with complexity — and most failed deployments fail not because Azure Files is unreliable, but because the design assumptions were wrong.
This guide walks through the entire lifecycle of deploying Azure Files Cool tier in a hybrid Active Directory environment, based on real-world implementations across engineering, legal, and enterprise IT environments.
High-Level Architecture Overview
Before touching the Azure portal, it’s critical to understand the moving parts:
- Azure Storage Account (General Purpose v2)
- Azure Files share using Cool tier
- On-premises Active Directory Domain Services
- Kerberos authentication over SMB
- NTFS permissions enforced at the file system level
- Optional VPN or ExpressRoute for private access
This solution allows users to access Azure Files exactly like a traditional Windows file share, while data physically resides in Azure.
Prerequisites and Design Considerations
Active Directory Requirements
Your on-premises Active Directory must meet the following:
- Windows Server 2012 R2 or newer
- Domain functional level 2012 R2 or higher (recommended)
- Reliable time synchronization (Kerberos tolerates only five minutes of clock skew by default)
- Permission to create computer accounts in a chosen OU
- Users and groups synchronised to Microsoft Entra ID (Entra Connect), because share-level RBAC is assigned to the synced identity, not to the on-premises object
Real-world advice:
Always dedicate a specific OU for Azure Files computer objects. This avoids accidental deletion and simplifies auditing.
Network Connectivity Requirements
Azure Files uses SMB over TCP port 445. This must be reachable from client devices. Clients also need line of sight to a domain controller to obtain the Kerberos ticket for the share, so a remote user on VPN needs both paths, not just 445.
Check connectivity before proceeding:
Test-NetConnection -ComputerName <storageaccount>.file.core.windows.net -Port 445
If this fails:
- Many ISPs block outbound 445
- Public Wi-Fi almost always blocks it
- Some corporate firewalls silently drop it
Solutions include:
- Site-to-site VPN
- Point-to-site VPN
- ExpressRoute (best for scale)
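The checks above, as an added PowerShell example (not part of the original article): it resolves the endpoint, confirms whether a private endpoint is in play, tests port 445, confirms a domain controller is reachable for Kerberos, and reports the local SMB client settings. The storage account name and the private address prefix are placeholders.

```powershell
#Requires -Version 5.1
function Test-AzFilesSmbPrerequisites {
    <#
    .SYNOPSIS
    Pre-flight checks for an Azure Files SMB endpoint, run from a client machine.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $StorageAccountName,
        # Supply when the account is published through a private endpoint; DNS
        # must then resolve to an address under this prefix (for example '10.20.').
        [string] $ExpectedPrivatePrefix
    )

    $endpoint = "$StorageAccountName.file.core.windows.net"
    $r = [ordered]@{ Endpoint = $endpoint }

    # 1. Name resolution. With a private endpoint the privatelink DNS zone
    #    should override the public CNAME and return a private IP.
    try {
        $addrs = @(Resolve-DnsName -Name $endpoint -Type A -ErrorAction Stop |
                   Where-Object Type -eq 'A' | Select-Object -ExpandProperty IPAddress)
        $r.ResolvedAddresses = $addrs -join ', '
        if ($ExpectedPrivatePrefix) {
            $r.PrivateEndpointInUse = [bool]($addrs | Where-Object { $_.StartsWith($ExpectedPrivatePrefix) })
        }
    } catch {
        $r.ResolvedAddresses = "DNS failure: $($_.Exception.Message)"
    }

    # 2. TCP 445. ISPs, public Wi-Fi and some corporate firewalls block it, so
    #    a failure here is a network problem, not an authentication problem.
    $tnc = Test-NetConnection -ComputerName $endpoint -Port 445 -WarningAction SilentlyContinue
    $r.Port445Open = $tnc.TcpTestSucceeded

    # 3. Kerberos line of sight: AD DS authentication needs a reachable domain
    #    controller from the client, not only from Azure.
    try {
        $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
        $r.DomainController = $domain.FindDomainController().Name
    } catch {
        $r.DomainController = "none reachable: $($_.Exception.Message)"
    }

    # 4. Local SMB client hygiene: guest fallback should be off so a failed
    #    Kerberos logon cannot silently degrade to an anonymous session.
    $smb = Get-SmbClientConfiguration
    $r.InsecureGuestLogonsDisabled = -not $smb.EnableInsecureGuestLogons
    $r.SmbSigningRequired          = $smb.RequireSecuritySignature

    [pscustomobject]$r
}

# Example run; 'contosofiles01' and the prefix are placeholders.
Test-AzFilesSmbPrerequisites -StorageAccountName 'contosofiles01' -ExpectedPrivatePrefix '10.20.' | Format-List
```

Run it from a representative client on each network path you intend to support (office LAN, VPN, ExpressRoute); a user who can reach port 445 but not a domain controller will fail authentication with an error that looks nothing like a firewall problem.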
Step 1: Create the Azure Storage Account
Storage Account Configuration
In the Azure Portal:
- Create a Storage Account
- Select General Purpose v2
- Choose a region close to your users
- Performance: Standard
- Redundancy:
- LRS for lowest cost
- ZRS if availability is critical
Naming rule (critical):
Storage account names are 3 to 24 lowercase letters and digits. For AD integration, keep the name to 15 characters or fewer: the AD computer object's SAM account name cannot exceed 15 characters (a NetBIOS limit), so a longer storage account name forces the two names to differ. The domain-join tooling can register a shorter SAM account name, but the mismatch complicates troubleshooting and auditing, and discovering it after the account is created is a common and costly oversight.
Networking Settings
For security-conscious environments:
- Disable public network access
- Use a private endpoint for the file service, with the privatelink DNS zone reachable from your resolvers
- Restrict access to trusted networks
Note that storage firewall IP rules only accept public IP ranges; traffic arriving from private address space over VPN or ExpressRoute needs the private endpoint, not an IP rule.
For simpler deployments:
- Allow public network access initially
- Harden later once functionality is confirmed, and before any production data lands on the share
Step 2: Create the Azure File Share (Cool Tier)
Once the storage account is created:
- Navigate to File shares
- Create a new file share
- Select Cool access tier
- Specify quota (can be adjusted later)
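Steps 1 and 2 scripted with the Az PowerShell modules, as an added example (not the article's own code). It creates the GPv2 account with secure transfer and a TLS 1.2 floor, default-denies the storage firewall, hardens the SMB settings, and creates the Cool-tier share. Resource group, region, names and the allowed IP range are placeholders.

```powershell
#Requires -Modules Az.Accounts, Az.Storage
$ResourceGroup = 'rg-files-prod'
$Location      = 'uksouth'
$AccountName   = 'contosofiles01'   # 15 characters or fewer keeps the AD SAM account name identical
$ShareName     = 'archive'

Connect-AzAccount | Out-Null
Select-AzSubscription -SubscriptionId '<subscription-id>' | Out-Null

# General Purpose v2, Standard performance, LRS. Secure transfer enforces SMB
# encryption for file traffic; TLS 1.2 is the floor for the REST endpoints.
New-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $AccountName `
    -Location $Location -SkuName Standard_LRS -Kind StorageV2 `
    -EnableHttpsTrafficOnly $true -MinimumTlsVersion TLS1_2 `
    -AllowBlobPublicAccess $false | Out-Null

# Default-deny the storage firewall, then allow only known public egress
# ranges. IP rules never match private address space: VPN/ExpressRoute
# clients need a private endpoint instead (New-AzPrivateEndpoint, not shown).
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $ResourceGroup `
    -Name $AccountName -DefaultAction Deny -Bypass AzureServices | Out-Null
Add-AzStorageAccountNetworkRule -ResourceGroupName $ResourceGroup `
    -Name $AccountName -IPAddressOrRange '203.0.113.0/24' | Out-Null   # placeholder office egress

# SMB hardening: SMB 3.1.1 only, Kerberos only (no NTLMv2), AES-256 Kerberos
# tickets and AES-256-GCM channel encryption.
Update-AzStorageFileServiceProperty -ResourceGroupName $ResourceGroup `
    -StorageAccountName $AccountName `
    -SmbProtocolVersion SMB3.1.1 `
    -SmbAuthenticationMethod Kerberos `
    -SmbKerberosTicketEncryption AES-256 `
    -SmbChannelEncryption AES-256-GCM | Out-Null

# The Cool-tier share itself. Quota is in GiB and can be raised later.
New-AzRmStorageShare -ResourceGroupName $ResourceGroup `
    -StorageAccountName $AccountName -Name $ShareName `
    -AccessTier Cool -QuotaGiB 5120

# Confirm the tier and the SMB settings actually applied.
(Get-AzRmStorageShare -ResourceGroupName $ResourceGroup -StorageAccountName $AccountName -Name $ShareName).AccessTier
(Get-AzStorageFileServiceProperty -ResourceGroupName $ResourceGroup -StorageAccountName $AccountName).ProtocolSettings.Smb
```

Ordering matters for the Kerberos-only setting: mounting with the storage account key (the usual way to set the first NTFS ACLs) authenticates with NTLMv2, so apply `-SmbAuthenticationMethod Kerberos` after the AD join and the initial ACL work, or the key-based mount will be refused. The AES-256 ticket setting likewise only works once the AD object has been switched to AES-256 (Step 3).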
Tiering Reality Check
Cool is a billing tier, not different hardware: on a standard storage account, Hot and Cool shares have the same performance characteristics. Expect:
- Higher per-transaction costs than Hot
- Massive savings on storage capacity
- Tier changes billed as transactions against every file in the share, so moving a share back to Hot is not free
This tier works best for:
- Archive data
- Completed projects
- Regulatory or compliance storage
Step 3: Enable Active Directory Authentication for Azure Files
This is the most complex — and most important — step.
Choose Authentication Method
For hybrid environments, select:
- Active Directory Domain Services (AD DS)
This allows:
- Kerberos authentication
- NTFS permissions
- Group-based access control
Join Azure Files to the Domain
Microsoft provides PowerShell tooling to handle the domain join process: the AzFilesHybrid module, whose Join-AzStorageAccountForAuth cmdlet wraps the steps below.
At a high level, this process:
- Creates a computer account (or a service logon account) in the chosen OU
- Registers the SPN cifs/<storageaccount>.file.core.windows.net on that object
- Sets the object's password to the storage account's Kerberos key and registers the domain details with the storage account, which enables Kerberos authentication
You'll need:
- Domain admin or delegated permissions on the OU
- The target OU distinguished name
- Storage account details, and Azure rights to modify the storage account
Because the AD object's password is the storage account's Kerberos key, exclude the object from stale-computer cleanup and password-expiry policies, and rotate it deliberately with the module's Update-AzStorageAccountADObjectPassword cmdlet rather than letting a policy disable it and break every mount.
Expert tip:
Perform this step from a domain-joined management workstation, not a random VM.
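The domain join itself with Microsoft's AzFilesHybrid module, as an added example (not the article's own script), followed by verification from the Azure side and the AD side. It assumes the module has been downloaded and unblocked, that you are on a domain-joined workstation with the RSAT ActiveDirectory module, and that the names and OU path below are replaced with your own.

```powershell
#Requires -Modules Az.Accounts, Az.Storage, ActiveDirectory
Import-Module .\AzFilesHybrid   # downloaded from the Azure Files AD DS documentation and unblocked

$ResourceGroup = 'rg-files-prod'
$AccountName   = 'contosofiles01'
$OuDn          = 'OU=AzureFiles,OU=ServiceAccounts,DC=corp,DC=contoso,DC=com'

Connect-AzAccount | Out-Null
Select-AzSubscription -SubscriptionId '<subscription-id>' | Out-Null

# Creates the computer object in $OuDn, registers the cifs/<account>.file.core.windows.net
# SPN, sets the object's password to the account's Kerberos key and stores the
# domain details on the storage account. Add -SamAccountName <short-name> only if
# the storage account name exceeds 15 characters.
Join-AzStorageAccountForAuth -ResourceGroupName $ResourceGroup `
    -StorageAccountName $AccountName `
    -DomainAccountType ComputerAccount `
    -OrganizationalUnitDistinguishedName $OuDn `
    -EncryptionType AES256

# Move the object to AES-256 Kerberos ticket encryption (this rotates the password too).
Update-AzStorageAccountAuthForAES256 -ResourceGroupName $ResourceGroup -StorageAccountName $AccountName

# Verify from the Azure side: directory service should be AD, domain should be yours.
$sa = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $AccountName
$sa.AzureFilesIdentityBasedAuth.DirectoryServiceOptions                    # expected: AD
$sa.AzureFilesIdentityBasedAuth.ActiveDirectoryProperties.DomainName       # expected: corp.contoso.com

# Verify from the AD side: SPN present, AES256 enabled, and the object is in the
# intended OU (so it is covered by your OU-scoped auditing and delegation).
$obj = Get-ADComputer -Identity $AccountName `
    -Properties ServicePrincipalNames, KerberosEncryptionType, PasswordNeverExpires, DistinguishedName
$obj.ServicePrincipalNames     # expected to contain cifs/contosofiles01.file.core.windows.net
$obj.KerberosEncryptionType    # expected: AES256
$obj.DistinguishedName         # expected to end with $OuDn

# Microsoft's own end-to-end diagnostic: DNS, port 445, AD object, SPN, ticket.
Debug-AzStorageAccountAuth -ResourceGroupName $ResourceGroup -StorageAccountName $AccountName -Verbose
```

If you later rotate the storage account keys, the AD object's password no longer matches until you run `Update-AzStorageAccountADObjectPassword -RotateToKerbKey kerb2 -ResourceGroupName $ResourceGroup -StorageAccountName $AccountName` (alternating kerb1/kerb2), so put key rotation and that cmdlet in the same runbook.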
Step 4: Configure Role-Based Access Control (RBAC)
Azure RBAC controls who can access the file share at all: the share-level role is evaluated first and the NTFS ACL after it, so the effective permission is the more restrictive of the two.
At minimum:
- Assign Storage File Data SMB Share Reader or Contributor to the users' groups
- Assign Storage File Data SMB Share Elevated Contributor only to the storage admins who maintain NTFS ACLs
- Apply permissions at the file share level, not the storage account
- Use security groups synced to Entra ID, not users
RBAC is not a replacement for NTFS: it is an additional gate.
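Share-level assignments scripted with Az.Resources, as an added example (not the article's own code). It scopes each role to the share rather than the account and refuses to continue if a group has not synced to Entra ID. Subscription, group and share names are placeholders.

```powershell
#Requires -Modules Az.Accounts, Az.Resources
$SubscriptionId = '<subscription-id>'
$ResourceGroup  = 'rg-files-prod'
$AccountName    = 'contosofiles01'
$ShareName      = 'archive'

Connect-AzAccount | Out-Null

# Scope the assignment to the share, not the whole storage account.
$shareScope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
              "/providers/Microsoft.Storage/storageAccounts/$AccountName" +
              "/fileServices/default/fileshares/$ShareName"

# Group -> role. Elevated Contributor is the only SMB role that can change NTFS
# ACLs over Kerberos, so it stays with the storage administrators.
$assignments = [ordered]@{
    'SG-Archive-Readers' = 'Storage File Data SMB Share Reader'
    'SG-Archive-Editors' = 'Storage File Data SMB Share Contributor'
    'SG-Storage-Admins'  = 'Storage File Data SMB Share Elevated Contributor'
}

foreach ($entry in $assignments.GetEnumerator()) {
    # The group must exist in Entra ID (synced from AD); an on-premises-only
    # group cannot be given an Azure role.
    $group = Get-AzADGroup -DisplayName $entry.Key
    if (-not $group) { throw "Group '$($entry.Key)' not found in Entra ID. Is it in the Entra Connect sync scope?" }

    $existing = Get-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $entry.Value -Scope $shareScope
    if ($existing) { "Already assigned: $($entry.Value) -> $($entry.Key)"; continue }

    New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $entry.Value -Scope $shareScope | Out-Null
    "Assigned $($entry.Value) to $($entry.Key) on share '$ShareName'"
}

# Review everything effective at this scope, including assignments inherited
# from the account, resource group or subscription (those are the ones that
# quietly grant more than you intended).
Get-AzRoleAssignment -Scope $shareScope |
    Where-Object { $_.RoleDefinitionName -like 'Storage File Data SMB*' } |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope |
    Format-Table -AutoSize
```

The review at the end is the part to keep in a scheduled job: a Storage File Data SMB Share Contributor granted at subscription scope to a broad group satisfies the "at minimum" list and still bypasses your share-level intent.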
Step 5: Configure NTFS Permissions (The Right Way)
Mount the File Share as an Administrator
From a domain-joined machine, using an identity that is allowed to change ACLs: a member of the Elevated Contributor group over Kerberos, or, for initial setup only, the storage account key (which bypasses share-level RBAC entirely and should be rotated afterwards):
net use Z: \\<storageaccount>.file.core.windows.net\<share>
Once mapped:
- Right-click → Properties → Security
- Apply NTFS permissions exactly like a file server
Recommended Permission Model
Based on real-world operations:
- Root folder:
- Read-only for authenticated users
- Subfolders:
- Write access via AD security groups
- No individual user permissions
- No inheritance breaks unless justified
Rule of thumb:
If permissions require a spreadsheet to explain, they’re too complex.
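The recommended model applied with Get-Acl/Set-Acl, as an added example (not the article's own script), plus an audit that walks the share for explicit entries granted to anything other than a group. Share, domain, folder and group names are placeholders, and the audit assumes your groups follow an SG- naming convention.

```powershell
$Account = 'contosofiles01'
$Share   = "\\$Account.file.core.windows.net\archive"
$Domain  = 'CORP'

# Initial setup (key, NTLMv2, bypasses RBAC; rotate the key afterwards):
#   net use Z: $Share /user:Azure\$Account <storage-account-key>
# Steady state: Kerberos as a member of the Elevated Contributor group.
net use Z: $Share /persistent:no | Out-Null

function New-AccessRule {
    param(
        [string] $Identity,
        [System.Security.AccessControl.FileSystemRights] $Rights,
        [switch] $ThisFolderOnly
    )
    # Default is (OI)(CI): files and subfolders inherit. -ThisFolderOnly drops both.
    $inherit = if ($ThisFolderOnly) { 'None' } else { 'ContainerInherit, ObjectInherit' }
    New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Rights, $inherit, 'None', 'Allow')
}

# Root: storage admins get full control; everyone else may only list the root
# (this folder only) so they can traverse to the folders granted below it.
$root = Get-Acl -Path 'Z:\'
$root.PurgeAccessRules([System.Security.Principal.NTAccount]'NT AUTHORITY\Authenticated Users')  # removes the default Modify entry
$root.AddAccessRule((New-AccessRule 'NT AUTHORITY\Authenticated Users' ReadAndExecute -ThisFolderOnly))
$root.AddAccessRule((New-AccessRule "$Domain\SG-Storage-Admins" FullControl))
Set-Acl -Path 'Z:\' -AclObject $root

# Subfolders: inheritance stays intact; each folder adds one editor group and,
# optionally, one reader group. No individual users anywhere.
$folders = @(
    @{ Path = 'Projects\Alpha'; Editors = "$Domain\SG-Alpha-Editors"; Readers = "$Domain\SG-Alpha-Readers" }
    @{ Path = 'Legal\Closed';   Editors = "$Domain\SG-Legal-Archive"; Readers = $null }
)
foreach ($f in $folders) {
    $path = Join-Path 'Z:\' $f.Path
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    $acl = Get-Acl -Path $path
    $acl.AddAccessRule((New-AccessRule $f.Editors Modify))
    if ($f.Readers) { $acl.AddAccessRule((New-AccessRule $f.Readers ReadAndExecute)) }
    Set-Acl -Path $path -AclObject $acl
}

# Audit: explicit (non-inherited) ACEs that are not well-known principals and
# not one of our SG- groups. Each hit is either an individual user or an
# inheritance break someone will have to justify.
function Find-NonGroupAce {
    param([string] $Root)
    $wellKnown = '^(BUILTIN|NT AUTHORITY|CREATOR OWNER)'
    Get-ChildItem -Path $Root -Directory -Recurse -Force | ForEach-Object {
        $folder = $_.FullName
        (Get-Acl -Path $folder).Access |
            Where-Object { -not $_.IsInherited -and
                           $_.IdentityReference.Value -notmatch $wellKnown -and
                           $_.IdentityReference.Value -notmatch '\\SG-' } |
            ForEach-Object {
                [pscustomobject]@{ Folder = $folder; Identity = $_.IdentityReference.Value; Rights = $_.FileSystemRights }
            }
    }
}
Find-NonGroupAce -Root 'Z:\'    # returns nothing in a clean deployment
```

The audit function is the cheap way to enforce the rule of thumb: run it on a schedule and treat any output as a ticket. It also catches the other common drift, an ACE added directly on a file share by someone who mapped with the storage key.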
Step 6: Mapping the Drive for End Users
Manual Mapping (Testing)
net use Z: \\<storageaccount>.file.core.windows.net\<share> /persistent:yes
Authentication uses the user’s Kerberos ticket, not storage keys.
Group Policy Drive Mapping (Recommended)
- Create a GPO
- Use Drive Maps
- Action: Update
- Location: Azure Files UNC path
- Security filtering via AD groups
This provides:
- Automatic reconnect
- Centralised control
- Seamless user experience
Step 7: Validation and Testing
Before production rollout, test:
- Authentication from multiple users
- Access from offsite locations
- NTFS permission enforcement
- Performance expectations
- Backup and restore (if enabled)
Never skip restore testing.
A backup that hasn’t been restored is an assumption, not a strategy.
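A client-side validation run for Steps 6 and 7, as an added example (not the article's own script), to be executed as a test user on a domain-joined client. It checks that a Kerberos ticket for the share's SPN is issued, that the mapping works without any credential or key, that the SMB session is 3.x and encrypted, and that NTFS denies writes where it should. Account, share and folder paths are placeholders; which folder the test user may or may not write to is an assumption of the example.

```powershell
$Account = 'contosofiles01'
$Server  = "$Account.file.core.windows.net"
$Share   = "\\$Server\archive"
$Spn     = "cifs/$Server"
$WritablePath = "$Share\Projects\Alpha"   # test user is in the editors group here
$ReadOnlyPath = "$Share\Legal\Closed"     # test user has no write access here

$r = [ordered]@{ User = "$env:USERDOMAIN\$env:USERNAME" }

# 1. Ask the KDC for a service ticket for the share's SPN. A failure means the
#    SPN is missing, no DC is reachable, or the Kerberos encryption types on the
#    AD object and the storage account do not match.
$klist = (& klist.exe get $Spn 2>&1) -join "`n"
$r.KerberosTicket = $klist -match [regex]::Escape($Spn)
$r.Aes256Ticket   = $klist -match 'AES-256'

# 2. Map with the logged-on user's ticket: no /user, no storage key.
& net.exe use Z: $Share /persistent:no 2>&1 | Out-Null
$r.Mapped = Test-Path -Path 'Z:\'

# 3. The SMB session itself: 3.x dialect, encrypted, established as this user.
#    Get-SmbConnection needs an elevated session; if the test user is not a
#    local admin, run this step separately from an elevated prompt.
try {
    $conn = Get-SmbConnection -ServerName $Server -ErrorAction Stop | Select-Object -First 1
    $r.Dialect   = $conn.Dialect
    $r.Encrypted = $conn.Encrypted
    $r.SessionAs = $conn.UserName
} catch { $r.Dialect = "not checked: $($_.Exception.Message)" }

# 4. NTFS enforcement: write where allowed, and expect "access denied" where not.
$probe = "probe-$([guid]::NewGuid().ToString('N')).txt"
try {
    Set-Content -Path (Join-Path $WritablePath $probe) -Value 'ok' -ErrorAction Stop
    Remove-Item -Path (Join-Path $WritablePath $probe) -ErrorAction Stop
    $r.WriteAllowedWhereGranted = $true
} catch { $r.WriteAllowedWhereGranted = $false }
try {
    Set-Content -Path (Join-Path $ReadOnlyPath $probe) -Value 'x' -ErrorAction Stop
    Remove-Item -Path (Join-Path $ReadOnlyPath $probe) -ErrorAction SilentlyContinue
    $r.ReadOnlyEnforced = $false          # the write succeeded, so the ACL is wrong
} catch {
    $r.ReadOnlyEnforced = $_.Exception.Message -match 'denied'
}

& net.exe use Z: /delete /y 2>&1 | Out-Null
[pscustomobject]$r | Format-List
```

Run it once per network path (office, VPN, ExpressRoute) and once per role group. A `KerberosTicket` of `$false` with `Mapped` of `$true` is the case to worry about: the client fell back to a non-Kerberos method, which the Kerberos-only SMB setting from Step 1 is there to prevent.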
Operational Best Practices (Hard-Won Lessons)
Logging and Monitoring
- Enable diagnostic settings (resource logs) for the file service and send them to a Log Analytics workspace
- Monitor failed authentications
- Track access patterns over time
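Querying those logs for failed and non-Kerberos access, as an added example (not the article's own code). It assumes a diagnostic setting on the file service sending StorageRead, StorageWrite and StorageDelete to a Log Analytics workspace, so that the StorageFileLogs table exists. The column names used (AccountName, AuthenticationType, StatusText, CallerIpAddress, Uri) are the documented Azure Storage resource log fields; the queries treat anything other than "Kerberos" as suspect and anything other than "Success" as a failure so they do not depend on the exact spelling of the other values. The workspace id and account name are placeholders.

```powershell
#Requires -Modules Az.Accounts, Az.OperationalInsights
$WorkspaceId = '<log-analytics-workspace-id>'
$AccountName = 'contosofiles01'

Connect-AzAccount | Out-Null

function Invoke-FileLogQuery {
    param([string] $Kql)
    (Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $Kql).Results
}

# Overall picture for the last 24 hours: volume, failures and distinct sources
# per authentication method and result.
$summary = Invoke-FileLogQuery @"
StorageFileLogs
| where TimeGenerated > ago(24h)
| where AccountName == "$AccountName"
| summarize Requests = count(),
            Failures = countif(StatusText !~ "Success"),
            Sources  = dcount(CallerIpAddress)
          by AuthenticationType, StatusText
| order by Failures desc
"@
$summary | Format-Table -AutoSize

# Anything not authenticated with Kerberos should be zero once the share is
# locked to Kerberos. List the sources so the offending mapping can be found.
$nonKerb = Invoke-FileLogQuery @"
StorageFileLogs
| where TimeGenerated > ago(24h)
| where AccountName == "$AccountName" and AuthenticationType !~ "Kerberos"
| summarize Requests = count(), LastSeen = max(TimeGenerated) by AuthenticationType, CallerIpAddress
| order by Requests desc
"@
if ($nonKerb) {
    Write-Warning "Non-Kerberos access to $AccountName in the last 24h:"
    $nonKerb | Format-Table -AutoSize
}

# Failures by source. A burst from one address against many paths is either a
# broken drive map retrying or someone enumerating the share; both deserve a look.
$failed = Invoke-FileLogQuery @"
StorageFileLogs
| where TimeGenerated > ago(24h)
| where AccountName == "$AccountName" and StatusText !~ "Success"
| summarize Failures = count(), DistinctPaths = dcount(Uri), LastSeen = max(TimeGenerated)
          by CallerIpAddress, StatusText
| where Failures >= 20
| order by Failures desc
"@
$failed | Format-Table -AutoSize
```

The same three queries work as Log Analytics alert rules; the `Failures >= 20` threshold is a starting point to tune against a week of baseline, not a recommendation.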
Backup Strategy
- Azure Backup for file shares
- Separate retention from production data lifecycle
- Test restores quarterly
Cost Monitoring
- Monitor transaction charges
- Azure Files has no rehydration step; watch instead for tier changes, which are billed as transactions on every file in the share
- Review access logs before tier changes
Common Pitfalls to Avoid
- ❌ Storage account name longer than 15 characters (AD SAM account name mismatch)
- ❌ Port 445 blocked
- ❌ Overly complex NTFS permissions
- ❌ Treating Cool tier like Hot storage
- ❌ No documented restore process
Conclusion: Treat Azure Files Like a Real File Server
Azure Files Cool tier is not “cheap blob storage with SMB.” It is a fully fledged, domain-integrated file platform that rewards thoughtful design and punishes shortcuts.
When deployed correctly, it delivers:
- Predictable costs
- Familiar user experience
- Enterprise-grade security
- Minimal operational overhead
For organisations with large volumes of cold data, it is one of the most cost-effective and elegant hybrid storage solutions available in Azure today.

From my early days on the helpdesk through roles as a service desk manager, systems administrator, and network engineer, I’ve spent more than 25 years in the IT world. As I transition into cyber security, my goal is to make tech a little less confusing by sharing what I’ve learned and helping others wherever I can.
