Azure Files Entra-only Identity — UK South Supportability Escalation
Summary
Microsoft documents "Entra-only identity support for SMB Azure file shares" as generally available since 2026 Q2. The same enablement article restricts "Azure RBAC support for specific users and groups for cloud-only identities" to a region subset that excludes UK South, and a related article still states the assigned identity "must be a hybrid identity and can't be a cloud-only identity". These three statements cannot all be true.
I require an authoritative answer on whether my planned configuration is supported in UK South before I deploy, because the contradiction cannot be resolved from the public documentation. UK South is mandatory on data residency grounds, so a region change is not an available remedy.
Planned configuration to confirm
This is the configuration I intend to build. I am asking you to confirm its supportability in UK South, not to review the design.
- Region: UK South (uksouth) — mandatory, UK data residency and processing constraint.
- Storage account: classic (Microsoft.Storage), Standard tier, HDD media, provisioned v2 billing, SMB.
- Identity source: Microsoft Entra Kerberos, cloud-only only — no on-premises AD DS, no Microsoft Entra Domain Services, no Entra Connect Sync, no Entra Cloud Sync.
- Share-level authorisation: per-group Azure RBAC using the Storage File Data SMB Share roles assigned to cloud-only Microsoft Entra security groups.
- Directory and file authorisation: Windows ACLs set via the Azure portal or the RestSetAcls PowerShell module (the cloud-only supported tools).
- Clients: Windows 11 Enterprise or Windows Server 2025, Microsoft Entra joined, cloud-only.
The contradiction in official documentation — why I cannot self-serve
1. GA announcement — feature is generally available, no AD or hybrid sync required.
"Entra-only identity support for SMB Azure file shares is now generally available ... no Active Directory, hybrid sync, or managed domain controllers required."
2. Enablement article — per-group RBAC for cloud-only is region-limited and UK South is absent.
"Azure RBAC support for specific users and groups for cloud-only identities with Microsoft Entra Kerberos is currently available only for the following subset of regions in the Azure Public cloud."
The listed subset is Australia Central, Australia Central 2, Brazil Southeast, Canada East, France South, Germany North, Jio India Central, Jio India West, Norway West, South Africa West, South India, Sweden South, Switzerland West, UAE Central and West India. UK South is not listed. Of the entire subset only Sweden South carries the "HDD/standard only" note.
3. Share-level permissions article — still states cloud-only is unsupported for assignment.
"The selected Microsoft Entra identity must be a hybrid identity and can't be a cloud-only identity."
Either the region list and the "must be hybrid" statement are stale post-GA and UK South is in fact supported, or the region gating is real and the GA announcement is misleading for UK South. I need engineering to state which, on the record.
To show this is not answerable from the public material:
- Read the GA announcement and GA blog — both assert general availability with no regional caveat.
- Read the enablement article in full — it carries the region subset that excludes UK South and shows only Sweden South as HDD/standard.
- Read the share-level permissions and the directory and file-level permissions articles — the former still says cloud-only cannot be assigned, the latter confirms cloud-only ACLs are set via the portal or RestSetAcls, which is internally inconsistent.
- Confirmed the provisioned v2 HDD SMB classic billing model is documented as GA in all public regions, so the storage shape itself is not the question.
Questions requiring confirmation
- Regional support. Is cloud-only Microsoft Entra Kerberos with per-group share-level RBAC supported and backend-enabled in UK South (uksouth)? The GA announcement implies yes, the enablement region list implies no. Which is authoritative?
- Media support. Is HDD (standard) media supported for this capability, or does it require SSD (premium)? The region subset shows only Sweden South as HDD/standard, which suggests HDD support may be narrower than the GA wording implies.
- Enablement path. If UK South is gated, can it be enabled for my subscription via a backend feature registration or allowlisting that support can action ahead of deployment? If so, please state the exact process or az feature register namespace and action it.
- Roadmap. If it cannot be enabled now, what is the committed GA date or roadmap item for UK South for this specific capability?
- Documentation correction. Please reconcile and correct the three sources above so the public guidance is internally consistent on region and on cloud-only support.
Business impact
UK data residency and data processing requirements make UK South mandatory for the storage account and its data plane. Sweden South and the other subset regions are not viable, as moving the data outside the UK is not permitted. The project is blocked pending an authoritative answer, so a regional-gating response without a UK South enablement path or a dated roadmap is a blocking outcome.
Requested resolution
One of, in order of preference:
- Written confirmation that cloud-only per-group RBAC Entra Kerberos is supported in UK South, including whether Standard HDD provisioned v2 is covered or SSD is required.
- Backend enablement of the capability for my subscription in UK South ahead of deployment.
- A dated commitment for UK South GA of this capability, plus a definitive statement on HDD versus SSD support.
In all cases, a documentation correction reconciling the GA announcement with the region list and the share-level permissions article.
Supporting excerpts from official documentation
The following verbatim excerpts evidence the contradiction. Source spelling is preserved as published.
GA announcement, Azure Files What's new.
"Entra-only identity support for SMB Azure file shares is now generally available. With native Microsoft Entra ID authentication, organizations can grant secure, identity-based access to SMB file shares using cloud-native-only identities. This means no Active Directory, hybrid sync, or managed domain controllers required, significantly simplifying architecture while reducing ongoing management and maintenance costs."
Enablement article, regional availability section.
"Microsoft Entra Kerberos support for hybrid identities is available for all regions in the Azure Public, Azure US Gov, and Azure China 21Vianet clouds. Azure RBAC support for specific users and groups for cloud-only identities with Microsoft Entra Kerberos is currently available only for the following subset of regions in the Azure Public cloud."
The published subset is: Australia Central (SSD/premium only), Australia Central 2 (SSD/premium only), Brazil Southeast (SSD/premium only), Canada East (SSD/premium only), France South (SSD/premium only), Germany North (SSD/premium only), Jio India Central, Jio India West, Norway West, South Africa West (SSD/premium only), South India (SSD/premium only), Sweden South (HDD/standard only), Switzerland West (SSD/premium only), UAE Central (SSD/premium only) and West India (SSD/premium only). UK South does not appear, and Sweden South is the only HDD/standard entry.
Enablement article, cloud-only is stated as supported on the same page.
"For cloud-only users, this authentication method means that Azure file shares no longer need a domain controller for authorization or authentication." And: "To set share-level permissions for hybrid or cloud-only identities, follow the instructions in Assign share-level permissions to an identity."
Share-level permissions article, which contradicts cloud-only support.
"The selected Microsoft Entra identity must be a hybrid identity and can't be a cloud-only identity. This requirement means that the same identity is also represented in AD DS."
Directory and file-level permissions article, confirming cloud-only with no domain controller dependency.
"To use the Azure portal or the PowerShell RestSetAcls module, there's no dependency on domain controllers. However, the identities must be hybrid or cloud-only."
Billing article, provisioned v2 is GA in all public regions, so the storage shape is not the question.
"The provisioned v2 model is generally available in all Azure public cloud regions and all Azure US Government cloud regions. Not all regions support all media tiers and redundancy options."
Official references
- Entra-only SMB GA announcement: https://learn.microsoft.com/azure/storage/files/files-whats-new
- Entra-only SMB GA blog: https://azure.microsoft.com/blog/azure-files-entra-only-identities-advancing-cloud-native-identity-and-security/
- Enable Microsoft Entra Kerberos for hybrid and cloud-only identities (region list): https://learn.microsoft.com/azure/storage/files/storage-files-identity-auth-hybrid-identities-enable
- Overview of identity-based authentication for SMB: https://learn.microsoft.com/azure/storage/files/storage-files-active-directory-overview
- Introduction to Microsoft Entra Kerberos (limitations): https://learn.microsoft.com/entra/identity/authentication/kerberos
- Assign share-level permissions (the "must be hybrid" statement): https://learn.microsoft.com/azure/storage/files/storage-files-identity-assign-share-level-permissions
- Configure directory and file-level permissions (cloud-only tool matrix): https://learn.microsoft.com/azure/storage/files/storage-files-identity-configure-file-level-permissions
- Azure built-in roles, storage (role names and IDs): https://learn.microsoft.com/azure/role-based-access-control/built-in-roles/storage
- Understand Azure Files billing, provisioned v2 (HDD SMB classic matrix): https://learn.microsoft.com/azure/storage/files/understanding-billing