Authoritative confirmation needed: is cloud-only Microsoft Entra Kerberos with per-group share-level RBAC supported in UK South on Standard HDD, given that the GA announcement and the enablement doc's region list contradict each other?

hcetticz 45 Reputation points
2026-06-06T19:40:39.4166667+00:00

Azure Files Entra-only Identity — UK South Supportability Escalation

Summary

Microsoft documents "Entra-only identity support for SMB Azure file shares" as generally available since 2026 Q2. The same enablement article restricts "Azure RBAC support for specific users and groups for cloud-only identities" to a region subset that excludes UK South, and a related article still states the assigned identity "must be a hybrid identity and can't be a cloud-only identity". These three statements cannot all be true.

I require an authoritative answer on whether my planned configuration is supported in UK South before I deploy, because the contradiction cannot be resolved from the public documentation. UK South is mandatory on data residency grounds, so a region change is not an available remedy.

Planned configuration to confirm

This is the configuration I intend to build. I am asking you to confirm its supportability in UK South, not to review the design.

  • Region: UK South (uksouth) — mandatory, UK data residency and processing constraint.
  • Storage account: classic (Microsoft.Storage), Standard tier, HDD media, provisioned v2 billing, SMB.
  • Identity source: Microsoft Entra Kerberos, cloud-only identities only — no on-premises AD DS, no Microsoft Entra Domain Services, no Entra Connect Sync, no Entra Cloud Sync.
  • Share-level authorisation: per-group Azure RBAC using the Storage File Data SMB Share roles assigned to cloud-only Microsoft Entra security groups.
  • Directory and file authorisation: Windows ACLs set via the Azure portal or the RestSetAcls PowerShell module (the cloud-only supported tools).
  • Clients: Windows 11 Enterprise or Windows Server 2025, Microsoft Entra joined, cloud-only.

The contradiction in official documentation — why I cannot self-serve

1. GA announcement — feature is generally available, no AD or hybrid sync required.

"Entra-only identity support for SMB Azure file shares is now generally available ... no Active Directory, hybrid sync, or managed domain controllers required."

2. Enablement article — per-group RBAC for cloud-only is region-limited and UK South is absent.

"Azure RBAC support for specific users and groups for cloud-only identities with Microsoft Entra Kerberos is currently available only for the following subset of regions in the Azure Public cloud."

The listed subset is Australia Central, Australia Central 2, Brazil Southeast, Canada East, France South, Germany North, Jio India Central, Jio India West, Norway West, South Africa West, South India, Sweden South, Switzerland West, UAE Central and West India. UK South is not listed. Of the entire subset only Sweden South carries the "HDD/standard only" note.

3. Share-level permissions article — still states cloud-only is unsupported for assignment.

"The selected Microsoft Entra identity must be a hybrid identity and can't be a cloud-only identity."

Either the region list and the "must be hybrid" statement are stale post-GA and UK South is in fact supported, or the region gating is real and the GA announcement is misleading for UK South. I need engineering to state which, on the record.

Self-service research already performed

To show this is not answerable from the public material:

  • Read the GA announcement and GA blog — both assert general availability with no regional caveat.
  • Read the enablement article in full — it carries the region subset that excludes UK South and shows only Sweden South as HDD/standard.
  • Read the share-level permissions and the directory and file-level permissions articles — the former still says cloud-only cannot be assigned, the latter confirms cloud-only ACLs are set via the portal or RestSetAcls, which is internally inconsistent.
  • Confirmed the provisioned v2 HDD SMB classic billing model is documented as GA in all public regions, so the storage shape itself is not the question.

Questions requiring confirmation

  1. Regional support. Is cloud-only Microsoft Entra Kerberos with per-group share-level RBAC supported and backend-enabled in UK South (uksouth)? The GA announcement implies yes, the enablement region list implies no. Which is authoritative?
  2. Media support. Is HDD (standard) media supported for this capability, or does it require SSD (premium)? The region subset shows only Sweden South as HDD/standard, which suggests HDD support may be narrower than the GA wording implies.
  3. Enablement path. If UK South is gated, can it be enabled for my subscription via a backend feature registration or allowlisting that support can action ahead of deployment? If so, please state the exact process or az feature register namespace and action it.
  4. Roadmap. If it cannot be enabled now, what is the committed GA date or roadmap item for UK South for this specific capability?
  5. Documentation correction. Please reconcile and correct the three sources above so the public guidance is internally consistent on region and on cloud-only support.

Business impact

UK data residency and data processing requirements make UK South mandatory for the storage account and its data plane. Sweden South and the other subset regions are not viable, as moving the data outside the UK is not permitted. The project is blocked pending an authoritative answer, so a regional-gating response without a UK South enablement path or a dated roadmap is a blocking outcome.

Requested resolution

One of, in order of preference:

  1. Written confirmation that cloud-only per-group RBAC Entra Kerberos is supported in UK South, including whether Standard HDD provisioned v2 is covered or SSD is required.
  2. Backend enablement of the capability for my subscription in UK South ahead of deployment.
  3. A dated commitment for UK South GA of this capability, plus a definitive statement on HDD versus SSD support.

In all cases, a documentation correction reconciling the GA announcement with the region list and the share-level permissions article.

Supporting excerpts from official documentation

The following verbatim excerpts evidence the contradiction. Source spelling is preserved as published.

GA announcement, Azure Files What's new.

"Entra-only identity support for SMB Azure file shares is now generally available. With native Microsoft Entra ID authentication, organizations can grant secure, identity-based access to SMB file shares using cloud-native-only identities. This means no Active Directory, hybrid sync, or managed domain controllers required, significantly simplifying architecture while reducing ongoing management and maintenance costs."

Enablement article, regional availability section.

"Microsoft Entra Kerberos support for hybrid identities is available for all regions in the Azure Public, Azure US Gov, and Azure China 21Vianet clouds. Azure RBAC support for specific users and groups for cloud-only identities with Microsoft Entra Kerberos is currently available only for the following subset of regions in the Azure Public cloud."

The published subset is: Australia Central (SSD/premium only), Australia Central 2 (SSD/premium only), Brazil Southeast (SSD/premium only), Canada East (SSD/premium only), France South (SSD/premium only), Germany North (SSD/premium only), Jio India Central, Jio India West, Norway West, South Africa West (SSD/premium only), South India (SSD/premium only), Sweden South (HDD/standard only), Switzerland West (SSD/premium only), UAE Central (SSD/premium only) and West India (SSD/premium only). UK South does not appear, and Sweden South is the only HDD/standard entry.

Enablement article, cloud-only is stated as supported on the same page.

"For cloud-only users, this authentication method means that Azure file shares no longer need a domain controller for authorization or authentication." And: "To set share-level permissions for hybrid or cloud-only identities, follow the instructions in Assign share-level permissions to an identity."

Share-level permissions article, which contradicts cloud-only support.

"The selected Microsoft Entra identity must be a hybrid identity and can't be a cloud-only identity. This requirement means that the same identity is also represented in AD DS."

Directory and file-level permissions article, confirming cloud-only with no domain controller dependency.

"To use the Azure portal or the PowerShell RestSetAcls module, there's no dependency on domain controllers. However, the identities must be hybrid or cloud-only."

Billing article, provisioned v2 is GA in all public regions, so the storage shape is not the question.

"The provisioned v2 model is generally available in all Azure public cloud regions and all Azure US Government cloud regions. Not all regions support all media tiers and redundancy options."

Official references

Azure Files


Answer accepted by question author

Amira Bedhiafi 43,036 Reputation points MVP Volunteer Moderator
2026-06-07T12:21:12.8833333+00:00

Hello!

Thank you for posting on MS Learn Q&A.

The key distinction is that Entra-only identity support for SMB Azure file shares is GA but per-user/per-group Azure RBAC for cloud-only identities is still region-limited.

The GA announcement says Entra-only identity support is generally available and does not require AD DS, hybrid sync or managed domain controllers.

https://learn.microsoft.com/en-us/azure/storage/files/files-whats-new

However, Azure RBAC support for specific users and groups for cloud-only identities with Microsoft Entra Kerberos is available only in a listed subset of Azure Public regions. UK South is not in that list, and the only region explicitly marked for HDD/standard is Sweden South.

https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-hybrid-identities-enable

So, for your exact planned configuration:

UK South + Standard HDD + Microsoft Entra Kerberos + cloud-only identities + per-group Storage File Data SMB Share RBAC is not currently documented as supported.

The share-level permissions article also now partially reflects the new model: it says a specific Microsoft Entra user or group can be cloud-only or hybrid but immediately limits cloud-only specific share-level permissions to the supported regional subset.

https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-assign-share-level-permissions

The statement "The selected identity must be a hybrid identity and can't be cloud-only" appears to be stale or inconsistent documentation, but it does not override the explicit regional limitation.

For directory or file ACLs, Azure portal ACL management works for both hybrid and cloud-only identities when Microsoft Entra Kerberos is the identity source.

https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-configure-file-level-permissions

But that does not by itself confirm support for per-group Azure RBAC at the share level in UK South.

A possible workaround, if acceptable to your security model, is to use a default share-level permission for authenticated identities and enforce granular permissions with Windows ACLs. The share-level permissions article explicitly suggests default share-level permission when the desired region is not supported for specific cloud-only RBAC assignments. However, this is not the same as your requested design because it does not provide per-group Azure RBAC at the share level.

For HDD/provisioned v2, the storage shape itself is available for classic Microsoft.Storage SMB file shares, and provisioned v2 is generally available across Azure public regions, but Microsoft also notes that not all regions support all media tiers/redundancy options. More importantly, the identity/RBAC capability has its own narrower region/media support list, and UK South Standard HDD is not listed.

1 person found this answer helpful.

1 additional answer

Ravi Varma Mudduluru 12,455 Reputation points Microsoft External Staff Moderator
2026-06-08T03:37:51.53+00:00

Hello @hcetticz

Thank you for reaching out to Microsoft Q&A.

Your question is whether the "Entra-only (cloud-only) identity" + "per-group share-level RBAC" capability is actually supported in the UK South region (and whether it works with Standard HDD / provisioned v2), given that the public docs you cited appear to conflict.

Microsoft Entra Kerberos (Entra-only identities) for Azure Files SMB authentication is generally available across all Azure public regions, including UK South. This means cloud-only Entra-joined clients can authenticate without any on-premises AD, Entra Domain Services, or sync.

However, per-user or per-group Azure RBAC share-level permissions (using roles like Storage File Data SMB Share Contributor) for cloud-only identities are currently available only in a specific subset of regions. Unfortunately, UK South is not included in that list at this time. Hybrid identities are supported everywhere, but the finer-grained cloud-only RBAC support has regional gating.

Standard HDD (provisioned v2) is supported where the feature is enabled (e.g., explicitly noted for Sweden South).

Recommended Path Forward

For immediate unblocking (workaround): Enable Microsoft Entra Kerberos on your storage account (supported in UK South). Set a default share-level permission on the file share (e.g., Contributor for all authenticated identities). Then manage granular access using Windows NTFS ACLs via the Azure portal or the RestSetAcls PowerShell module. This fully supports cloud-only identities and is the documented approach for regions outside the current RBAC subset.

Your feedback on the regional and cloud-only gaps is very helpful. https://feedback.azure.com/d365community

Key Documentation

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

1 person found this answer helpful.
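The workaround that both answers describe (Entra Kerberos as the identity source, one default share-level permission instead of per-group RBAC, and directory ACLs written over REST with RestSetAcls), typed out as Az PowerShell. This is an added example, not code from the question or from either answer. Resource names, the group object ID, the quota and the SDDL are placeholders; the Az.Storage parameters, the default share permission values and the RBAC role name are documented surface, while the RestSetAcls cmdlet name and parameters follow that module's published usage and should be confirmed with Get-Command after installing it. The per-group role assignment is kept in as the intended design step, with the caveat that an ARM-level success says nothing about whether the SMB data plane honours it in a region outside the published subset.

```powershell
#Requires -Modules Az.Accounts, Az.Storage, Az.Resources
# Added example (not the question's or either answer's own code). Placeholders below are marked.

$rg       = 'rg-files-uk'                             # placeholder
$account  = 'stfilesuksouth01'                        # placeholder, must be globally unique
$share    = 'finance'                                 # placeholder
$location = 'uksouth'                                 # the residency constraint from the question
$groupId  = '11111111-2222-3333-4444-555555555555'    # placeholder: cloud-only Entra security group

# Entra-derived SID for a cloud-only object: S-1-12-1-<four little-endian uint32s of the object ID>.
# Needed because file-level ACLs are written as SDDL, which names principals by SID, not object ID.
function ConvertTo-EntraSid {
    param([Parameter(Mandatory)][guid] $ObjectId)
    $b = $ObjectId.ToByteArray()
    $parts = 0..3 | ForEach-Object { [BitConverter]::ToUInt32($b, $_ * 4) }
    return 'S-1-12-1-' + ($parts -join '-')
}

# Modify (0x1301bf = read/write/execute/delete) for the group, inheritable to files and subfolders;
# SYSTEM and Builtin\Administrators keep Full Control. Protected DACL so nothing above it leaks in.
function New-GroupModifySddl {
    param([Parameter(Mandatory)][string] $GroupSid)
    return "O:SYG:SYD:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1301bf;;;$GroupSid)"
}

Connect-AzAccount | Out-Null

# 1. Provisioned v2 HDD account: Kind FileStorage with a StandardV2 SKU (LRS is an assumption here).
$sa = New-AzStorageAccount -ResourceGroupName $rg -Name $account -Location $location `
        -Kind FileStorage -SkuName StandardV2_LRS

# 2. Identity source: Entra Kerberos with no -ActiveDirectoryDomainName / -ActiveDirectoryDomainGuid,
#    i.e. cloud-only. Admin consent for the storage account's auto-created Entra application is a
#    separate step that a privileged Entra admin still has to grant in the portal.
Set-AzStorageAccount -ResourceGroupName $rg -Name $account `
    -EnableAzureActiveDirectoryKerberosForFile $true | Out-Null

# 3. The share, then the workaround: one default share-level permission for every authenticated
#    tenant identity. Effective access is share-level AND NTFS, so Contributor is the lowest default
#    that lets ACLs grant writes at all. The trade-off: the share level is no longer a per-group gate.
New-AzRmStorageShare -ResourceGroupName $rg -StorageAccountName $account -Name $share -QuotaGiB 1024 | Out-Null
Set-AzStorageAccount -ResourceGroupName $rg -Name $account `
    -DefaultSharePermission StorageFileDataSmbShareContributor | Out-Null

# 4. The intended design step (per-group RBAC on the share scope). The ARM call succeeds in any
#    region; whether SMB access for a cloud-only group honours it outside the published region subset
#    is exactly what the question escalates, so success here is not evidence of support.
$scope = "$($sa.Id)/fileServices/default/fileshares/$share"
New-AzRoleAssignment -ObjectId $groupId -RoleDefinitionName 'Storage File Data SMB Share Contributor' `
    -Scope $scope -ErrorAction Stop | Out-Null

# 5. Directory ACL over REST (no domain controller): grant the cloud-only group Modify on one folder.
#    Set-AzFileAclRecursive / -FileShareName / -Path / -Acl follow the RestSetAcls module's published
#    usage; verify with Get-Command -Module RestSetAcls after install.
Install-Module RestSetAcls -Scope CurrentUser -Force
$key = (Get-AzStorageAccountKey -ResourceGroupName $rg -Name $account)[0].Value
$ctx = New-AzStorageContext -StorageAccountName $account -StorageAccountKey $key
New-AzStorageDirectory -Context $ctx -ShareName $share -Path 'ledger' | Out-Null
$sddl = New-GroupModifySddl -GroupSid (ConvertTo-EntraSid $groupId)
Set-AzFileAclRecursive -Context $ctx -FileShareName $share -Path 'ledger' -Acl $sddl

# 6. Evidence for the support case: identity mode, default permission, SKU, and any Microsoft.Storage
#    preview features the subscription could register (the page names none, so nothing is registered).
$sa = Get-AzStorageAccount -ResourceGroupName $rg -Name $account
[pscustomobject]@{
    Region           = $sa.Location
    DirectoryService = $sa.AzureFilesIdentityBasedAuth.DirectoryServiceOptions   # expect AADKERB
    DefaultSharePerm = $sa.AzureFilesIdentityBasedAuth.DefaultSharePermission
    Sku              = $sa.Sku.Name
}
Get-AzProviderFeature -ProviderNamespace Microsoft.Storage -ListAvailable |
    Where-Object FeatureName -match 'File|Kerberos|Entra|AAD' |
    Select-Object FeatureName, RegistrationState
```

Run it from an account that holds Owner or User Access Administrator on the resource group (for the role assignment) plus the storage account key or an equivalent data-plane role for the ACL write. Step 6 is what to attach to the support case: it records the region, the identity mode and the SKU, and lists any registrable feature flags so that a "register this feature" answer can be acted on without guessing a namespace.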
