r/TrueNAS: Microsoft 365 login support

This article archives a conversation, which took place in a subreddit post (original source linked below) and to which I contributed a solution or answer (with the u/MasterofSynapse handle), in a Q&A format.

Original Reddit post: https://www.reddit.com/r/truenas/comments/ybg5lr/microsoft_365_login_support/

Question

We are slowly moving all on-prem to M365 and Intune.

Currently we have Core running with login auth from on-prem AD.

Is there a way to get auth to a share done via a Microsoft account in Azure?

Or even just a hacked way of having a user@domain.com login locally set on the FreeNAS box, so when users sign into Windows, MS will use their M365 login for access to shares.

Is there a way just to fake it? And have a local FreeNAS user but with an email sign-in?

Answer

Azure AD and on-prem AD use entirely different auth protocols. AAD uses OpenID and SAML, and on-prem AD uses LDAP and Kerberos. And without subscribing to AAD DS, which costs $100 per month per tenant, you will not get LDAP/Kerberos with AAD.

So there is nothing to fake.

And regarding your email sign-in, you can obviously just create the users from AAD locally on the TrueNAS box and give them the same passwords as the AAD accounts. However, since the two systems will not speak with each other, there is no way to sync the passwords in case of a change in the cloud.

And this solution is entirely dependent on Win 10/11 actually sending the right UPN to the TrueNAS server for auth; if it sends AzureAD\user@domain.com, it will not work, since TrueNAS doesn't understand AzureAD\.
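As an added illustration (not code from the thread, and not TrueNAS's own logon code), the following Python sketch shows why the account-name form the Windows client presents matters for the local-user workaround described in the answer. It parses the three shapes a client can send (bare `user`, UPN `user@domain.com`, and authority-prefixed `AUTHORITY\user`), normalises case as SMB does, and matches against a constructed local user table. A name carrying an authority prefix other than the server's own name (assumed here to be `TRUENAS`) is rejected, which is the `AzureAD\` failure mode the answer warns about. The host name, the user list and all function names are assumptions for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed NetBIOS-style name of the local TrueNAS box (hypothetical).
LOCAL_AUTHORITY = "TRUENAS"

# Constructed local account table: users created by hand to mirror AAD UPNs.
LOCAL_USERS = {"alice@example.com", "bob@example.com", "svc-backup"}

# AUTHORITY\user (authority optional); neither part may contain a backslash.
NAME_RE = re.compile(r"^(?:(?P<authority>[^\\]+)\\)?(?P<user>[^\\]+)$")


@dataclass(frozen=True)
class AccountName:
    authority: Optional[str]  # e.g. "AzureAD", "CONTOSO", or None
    user: str                 # e.g. "alice@example.com" or "alice"
    form: str                 # "prefixed", "upn" or "bare"


def parse_account_name(raw: str) -> AccountName:
    """Split a client-supplied logon name into authority prefix and user part."""
    m = NAME_RE.match(raw.strip())
    if not m:
        raise ValueError(f"unparseable account name: {raw!r}")
    authority = m.group("authority")
    user = m.group("user")
    if authority:
        form = "prefixed"
    elif "@" in user:
        form = "upn"
    else:
        form = "bare"
    return AccountName(authority, user, form)


def resolve_local_user(raw: str, local_users=LOCAL_USERS) -> Tuple[Optional[str], str]:
    """Map a logon name to a local account; returns (account or None, reason).

    Matching is case-insensitive, as SMB user names are. Only names with no
    authority prefix, or with the server's own name as prefix, can resolve;
    any other prefix (AzureAD\\, a foreign domain) is unknown to a standalone
    server and is refused rather than silently stripped.
    """
    acct = parse_account_name(raw)
    if acct.authority is not None and acct.authority.upper() != LOCAL_AUTHORITY:
        return None, f"authority '{acct.authority}' is not a local domain"
    wanted = acct.user.lower()
    for candidate in local_users:
        if candidate.lower() == wanted:
            return candidate, f"matched local account via {acct.form} name"
    return None, "no local account with this name"


if __name__ == "__main__":
    # Constructed sample logon names a Windows client might present.
    for name in ["alice@example.com", r"TRUENAS\Bob@Example.com",
                 r"AzureAD\alice@example.com", "svc-backup", "carol@example.com"]:
        print(f"{name:32} -> {resolve_local_user(name)}")
```

The point the table makes explicit: the local-user trick only works when the server sees exactly the UPN string that was created locally; the moment the client prefixes it with an authority the server does not know, there is no match, and no amount of password copying changes that.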