Summary
AzFilesHybrid fails with a generic 409 Conflict when Managed Identity for SMB (SMB OAuth) is enabled on an Azure Files storage account.
The failure occurs because SMB OAuth and Native AD DS authentication are mutually exclusive, but the script does not:
- Detect this condition
- Warn the user
- Offer to disable SMB OAuth automatically
This leads to a difficult troubleshooting experience.
Background
Managed Identity support for SMB Azure file shares was released to public preview in November 2025.
The feature enables Windows and Linux VMs to access SMB shares using Microsoft Entra ID (OAuth) without credentials.
When this feature is enabled:
SmbOAuth = True
Set-AzStorageAccount -EnableActiveDirectoryDomainServicesForFile $true fails with:
{
"code": "ConflictFeatureEnabled",
"message": "This operation is not allowed on a storage account with SmbOAuth set to 'True'."
}
Solution
Improve the script with either:
1) Check whether Managed Identity support for SMB Azure file shares is enabled and throw an error
$acct = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName
$acct.AzureFilesIdentityBasedAuth
2) Disable it automatically during the script run
Set-AzStorageAccount `
-ResourceGroupName $ResourceGroupName `
-Name $StorageAccountName `
-EnableSmbOAuth $false
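One way to turn the generic 409 into an actionable message, shown as an added example that is not part of AzFilesHybrid or the original report. The function names `Get-SmbOAuthConflictAdvice` and `Invoke-WithSmbOAuthGuard` are hypothetical, the sample inputs are constructed from the error body quoted above, and the guard only reports the conflict rather than changing the account.

```powershell
# Added example. Function names are hypothetical; the error code, message and
# -EnableSmbOAuth parameter are the ones quoted in this issue.
function Get-SmbOAuthConflictAdvice {
    param([Parameter(Mandatory)][string]$ErrorText)

    $code = $null
    $message = $ErrorText
    # The error may be raw JSON or JSON embedded in a longer exception message.
    if ($ErrorText -match '(?s)\{.*\}') {
        try {
            $body = $Matches[0] | ConvertFrom-Json -ErrorAction Stop
            if ($body.error) { $body = $body.error }  # tolerate an "error" wrapper
            $code = $body.code
            if ($body.message) { $message = $body.message }
        } catch {
            # Not valid JSON: fall back to plain-text matching below.
        }
    }
    $isConflict = ($code -eq 'ConflictFeatureEnabled' -or
                   $ErrorText -match 'ConflictFeatureEnabled') -and
                  ($message -match 'SmbOAuth')
    if (-not $isConflict) { return $null }

    return 'SMB OAuth (Managed Identity for SMB) is enabled on this storage account ' +
           'and cannot coexist with AD DS authentication. Disable it first with ' +
           'Set-AzStorageAccount -EnableSmbOAuth $false, then re-run the join.'
}

function Invoke-WithSmbOAuthGuard {
    param([Parameter(Mandatory)][scriptblock]$Operation)
    # The operation must raise terminating errors (-ErrorAction Stop) to be caught.
    try { & $Operation }
    catch {
        $text = $_.Exception.Message + "`n" + $_.ErrorDetails.Message
        $advice = Get-SmbOAuthConflictAdvice -ErrorText $text
        if ($advice) { throw $advice }
        throw   # unrelated failure: rethrow unchanged
    }
}

# Constructed sample inputs: the error body from this issue and an unrelated one.
$sample = @'
{ "code": "ConflictFeatureEnabled",
  "message": "This operation is not allowed on a storage account with SmbOAuth set to 'True'." }
'@
Get-SmbOAuthConflictAdvice -ErrorText $sample
Get-SmbOAuthConflictAdvice -ErrorText '{"code":"SomeOtherError","message":"constructed"}'
```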