From f1b7a89433d6ef9d20f7f56b6b756e0485ec4f7f Mon Sep 17 00:00:00 2001 From: Maxime Kjaer Date: Wed, 4 Feb 2026 14:14:49 -0800 Subject: [PATCH 1/8] Improve CheckEntraObject error reporting --- .../AzFilesHybrid/AzFilesHybrid.psm1 | 74 +++++++++---------- 1 file changed, 37 insertions(+), 37 deletions(-) diff --git a/AzFilesHybrid/AzFilesHybrid/AzFilesHybrid.psm1 b/AzFilesHybrid/AzFilesHybrid/AzFilesHybrid.psm1 index 6f64ecbf..beebd0e0 100644 --- a/AzFilesHybrid/AzFilesHybrid/AzFilesHybrid.psm1 +++ b/AzFilesHybrid/AzFilesHybrid/AzFilesHybrid.psm1 
@@ -3885,51 +3885,51 @@ function Debug-AzStorageAccountEntraKerbAuth { -Scopes "Application.Read.All" ` -TenantId $TenantId + $spn = "api://${TenantId}/cifs/${fileEndpoint}" + # Requires Microsoft.Graph.Applications $Application = Get-MgApplication ` - -Filter "identifierUris/any (uri:uri eq 'api://${TenantId}/CIFS/${fileEndpoint}')" ` + -Filter "identifierUris/any (uri:uri eq '${spn}')" ` -ConsistencyLevel eventual - if($null -eq $Application) - { - Write-TestingFailed -Message "Could not find the application with SPN '$($PSStyle.Foreground.BrightCyan)api://${TenantId}/CIFS/${fileEndpoint}$($PSStyle.Reset)'" - $checks["CheckEntraObject"].Result = "Failed" - $checks["CheckEntraObject"].Issue = "Could not find the application with SPN ' api://${TenantId}/CIFS/${fileEndpoint}'." - } - - # Requires Microsoft.Graph.Applications - $ServicePrincipal = Get-MgServicePrincipal -Filter "servicePrincipalNames/any (name:name eq 'api://$TenantId/CIFS/${fileEndpoint}')" -ConsistencyLevel eventual - - [string]$aadServicePrincipalError = "SPN Value is not set correctly, It should be '$($PSStyle.Foreground.BrightCyan)CIFS/${fileEndpoint}$($PSStyle.Reset)'" - if($null -eq $ServicePrincipal) + if ($null -eq $Application) { - Write-TestingFailed -Message $aadServicePrincipalError + Write-TestingFailed -Message "Could not find the application with SPN '$($PSStyle.Foreground.BrightCyan)${spn}$($PSStyle.Reset)'" $checks["CheckEntraObject"].Result = "Failed" - $checks["CheckEntraObject"].Issue = "Service Principal is missing SPN 'CIFS/${fileEndpoint}'." + $checks["CheckEntraObject"].Issue = "Could not find Entra application with SPN '$spn'." 
} - if(-not $ServicePrincipal.AccountEnabled) - { - Write-TestingFailed -Message "Service Principal should have AccountEnabled set to true" - $checks["CheckEntraObject"].Result = "Failed" - $checks["CheckEntraObject"].Issue = "Expected AccountEnabled set to true" - } - elseif(-not $ServicePrincipal.ServicePrincipalNames.Contains("CIFS/${fileEndpoint}")) - { - Write-TestingFailed -Message $aadServicePrincipalError - $checks["CheckEntraObject"].Result = "Failed" - $checks["CheckEntraObject"].Issue = "Service Principal is missing SPN ' CIFS/${fileEndpoint}'." - } - - elseif (-not $ServicePrincipal.ServicePrincipalNames.Contains("api://${TenantId}/CIFS/${fileEndpoint}")) + else { - Write-TestingWarning -Message "Service Principal is missing SPN '$($PSStyle.Foreground.BrightCyan)api://${TenantId}/CIFS/${fileEndpoint}$($PSStyle.Reset)'." - Write-Host "`tIt is okay to not have this value for now, but it is good to have this configured in future if you want to continue getting kerberos tickets." - $checks["CheckEntraObject"].Result = "Partial" - } - else { - Write-TestingPassed - $checks["CheckEntraObject"].Result = "Passed" - } + # Requires Microsoft.Graph.Applications + $ServicePrincipal = Get-MgServicePrincipal -Filter "servicePrincipalNames/any (name:name eq '$spn')" -ConsistencyLevel eventual + + if ($null -eq $ServicePrincipal) + { + Write-TestingFailed -Message "SPN Value is not set correctly, It should be '$($PSStyle.Foreground.BrightCyan)${spn}$($PSStyle.Reset)'" + $checks["CheckEntraObject"].Result = "Failed" + $checks["CheckEntraObject"].Issue = "Could not find Entra service principal with SPN '$spn'." 
+ } + elseif (-not $ServicePrincipal.AccountEnabled) + { + Write-TestingFailed -Message "Service Principal should have AccountEnabled set to true" + $checks["CheckEntraObject"].Result = "Failed" + $checks["CheckEntraObject"].Issue = "Expected AccountEnabled set to true" + } + elseif(-not $ServicePrincipal.ServicePrincipalNames.Contains("CIFS/${fileEndpoint}") -and + -not $ServicePrincipal.ServicePrincipalNames.Contains("cifs/${fileEndpoint}") -and + -not $ServicePrincipal.ServicePrincipalNames.Contains("api://${TenantId}/CIFS/${fileEndpoint}") -and + -not $ServicePrincipal.ServicePrincipalNames.Contains("api://${TenantId}/cifs/${fileEndpoint}")) + { + Write-TestingFailed -Message $aadServicePrincipalError + $checks["CheckEntraObject"].Result = "Failed" + $checks["CheckEntraObject"].Issue = "Service Principal does not have the required SPNs." + } + else + { + Write-TestingPassed + $checks["CheckEntraObject"].Result = "Passed" + } + } } catch { Write-TestingFailed -Message $_ $checks["CheckEntraObject"].Result = "Failed" From 09fabaec264e45a25da8f07adc28b432beec00a8 Mon Sep 17 00:00:00 2001 From: Maxime Kjaer Date: Wed, 4 Feb 2026 14:23:10 -0800 Subject: [PATCH 2/8] Clean up Fiddler proxy error reporting --- .../AzFilesHybrid/AzFilesHybrid.psm1 | 39 +++++++++---------- 1 file changed, 18 insertions(+), 21 deletions(-) diff --git a/AzFilesHybrid/AzFilesHybrid/AzFilesHybrid.psm1 b/AzFilesHybrid/AzFilesHybrid/AzFilesHybrid.psm1 index beebd0e0..3457b17f 100644 --- a/AzFilesHybrid/AzFilesHybrid/AzFilesHybrid.psm1 +++ b/AzFilesHybrid/AzFilesHybrid/AzFilesHybrid.psm1 
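Review bot: The SPN-mismatch branch still calls `Write-TestingFailed -Message $aadServicePrincipalError`, but this hunk deletes the only assignment of `$aadServicePrincipalError`, so that branch now passes an empty message (or throws if the module is loaded under Set-StrictMode). Inline the text the deleted assignment carried: `Write-TestingFailed -Message "SPN Value is not set correctly, It should be '$($PSStyle.Foreground.BrightCyan)${spn}$($PSStyle.Reset)'"`. Separately, both Graph filters now query only the lowercase `api://…/cifs/…` form of `$spn` while the later `.Contains` chain accepts `CIFS` and `cifs`; if the OData `eq` comparison on identifierUris/servicePrincipalNames is case-sensitive (worth confirming against Graph), an object registered with the uppercase form is reported as missing before the case-tolerant check is ever reached. The commit also drops the old "Partial" result for a principal that has only the short `CIFS/<endpoint>` name; if that is intentional, a one-line comment saying the short form alone is now accepted would help the next reader. The enclosing try/catch of Debug-AzStorageAccountEntraKerbAuth ends outside the hunk.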
@@ -4141,47 +4141,44 @@ function Debug-AzStorageAccountEntraKerbAuth { # if (!$filterIsPresent -or $Filter -match "CheckFiddlerProxy") { - Write-Host "Checking Fiddler Proxy" - try - { + Write-Host "Checking Fiddler Proxy" + try + { $checksExecuted += 1; $ProxysubFolder = Get-ChildItem ` -Path Registry::HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\ProxyMgr ` -ErrorAction SilentlyContinue + $success = $true foreach ($folder in $ProxysubFolder) { $properties = $folder | Get-ItemProperty if (($null -ne $properties.StaticProxy) -and ($properties.StaticProxy.Contains("https=127.0.0.1:"))) { - # If this is the first failure detected, print "FAILED" - if ($success) - { - Write-TestingFailed -Message "Fiddler proxy detected" - $checks["CheckFiddlerProxy"].Result = "Failed" - $success = $false - } - # Report the registry path every time a failure is detected - Write-Host "`tFiddler Proxy is set, you need to delete any registry nodes under $($PSStyle.Foreground.BrightCyan)'$($folder.Name)'$($PSStyle.Reset)." + $success = $false + Write-Host "`Fiddler proxy detected in $($PSStyle.Foreground.BrightCyan)'$($folder.Name)'$($PSStyle.Reset)." } } + if ($success) { - Write-TestingPassed $checks["CheckFiddlerProxy"].Result = "Passed" + Write-TestingPassed } else { - Write-TestingFailed -Message "To prevent this issue from re-appearing in the future, you should also uninstall Fiddler." + $checks["CheckFiddlerProxy"].Result = "Failed" + $checks["CheckFiddlerProxy"].Issue = "Fiddler Proxy detected" + Write-TestingFailed -Message "Fiddler Proxy detected. Uninstall Fiddler and remove all registry entries listed above." } - } - catch - { - Write-TestingFailed -Message $_ - $checks["CheckFiddlerProxy"].Result = "Failed" - $checks["CheckFiddlerProxy"].Issue = $_ - } + } + catch + { + Write-TestingFailed -Message $_ + $checks["CheckFiddlerProxy"].Result = "Failed" + $checks["CheckFiddlerProxy"].Issue = $_ + } } # 
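Review bot: The detection at `$properties.StaticProxy.Contains("https=127.0.0.1:")` is an ordinal, case-sensitive substring test, so a loopback proxy written as `HTTPS=127.0.0.1:8888` or bound to `localhost` or `[::1]` slips past and the check reports Passed while TLS traffic to Entra and the storage endpoint may still be intercepted. Consider `$properties.StaticProxy -match '(?i)https=(127\.0\.0\.1|localhost|\[::1\]):'`, which is case-insensitive and still anchored to loopback hosts rather than any address. The remediation text names Fiddler, but the same StaticProxy value can presumably be left by other local interception tools; wording such as "local intercepting proxy (e.g. Fiddler) detected" avoids misleading an operator who never installed Fiddler. A missing ProxyMgr key is silently treated as success through `-ErrorAction SilentlyContinue`, which is reasonable here but deserves a one-line comment so it is not mistaken for an oversight.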
From 0fc0155f47cd0e857db8a62a740791ffa703387b Mon Sep 17 00:00:00 2001 From: Maxime Kjaer Date: Wed, 4 Feb 2026 14:29:05 -0800 Subject: [PATCH 3/8] Fix Test-IsCloudKerberosTicketRetrievalEnabled for empty folder --- AzFilesHybrid/AzFilesHybrid/AzFilesHybrid.psm1 | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/AzFilesHybrid/AzFilesHybrid/AzFilesHybrid.psm1 b/AzFilesHybrid/AzFilesHybrid/AzFilesHybrid.psm1 index 3457b17f..f76d4e24 100644 --- a/AzFilesHybrid/AzFilesHybrid/AzFilesHybrid.psm1 +++ b/AzFilesHybrid/AzFilesHybrid/AzFilesHybrid.psm1 @@ -4459,15 +4459,25 @@ function Get-DsRegStatus { } function Test-IsCloudKerberosTicketRetrievalEnabled { + $path = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\CloudKerberosTicketRetrievalEnabled" $regKeyFolder = Get-ItemProperty -Path Registry::HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -ErrorAction SilentlyContinue - if ($null -eq $regKeyFolder) { + if ($null -eq $regKeyFolder -or + $null -eq $regKeyFolder.CloudKerberosTicketRetrievalEnabled) + { + Write-Verbose "$path not found." + + $path = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\CloudKerberosTicketRetrievalEnabled" $regKeyFolder = Get-ItemProperty -Path Registry::HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters -ErrorAction SilentlyContinue - } - if ($null -eq $regKeyFolder) { - return $false + if ($null -eq $regKeyFolder -or + $null -eq $regKeyFolder.CloudKerberosTicketRetrievalEnabled) + { + Write-Verbose "$path not found." + } } + + Write-Verbose "Found $path = $($regKeyFolder.CloudKerberosTicketRetrievalEnabled)" return $regKeyFolder.CloudKerberosTicketRetrievalEnabled -eq "1" } From 96f5d6e0f1919241ff4a56f74117852f2622c538 Mon Sep 17 00:00:00 2001 
From: Maxime Kjaer Date: Wed, 4 Feb 2026 14:31:09 -0800 Subject: [PATCH 4/8] Fix syntax in CheckServerSupportedEncryptionTypes --- AzFilesHybrid/AzFilesHybrid/AzFilesHybrid.psm1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/AzFilesHybrid/AzFilesHybrid/AzFilesHybrid.psm1 b/AzFilesHybrid/AzFilesHybrid/AzFilesHybrid.psm1 index f76d4e24..23cd2329 100644 --- a/AzFilesHybrid/AzFilesHybrid/AzFilesHybrid.psm1 +++ b/AzFilesHybrid/AzFilesHybrid/AzFilesHybrid.psm1 @@ -4268,7 +4268,7 @@ function Debug-AzStorageAccountEntraKerbAuth { Write-TestingPassed } else { - $disabledConfiguration = (-not $serverEncryption.SupportsKerberos) ? "Kerberos Authentication" : "AES-256 encryption" + $disabledConfiguration = if (-not $serverEncryption.SupportsKerberos) { "Kerberos Authentication" } else { "AES-256 encryption" } $message = "Entra Kerberos requires $disabledConfiguration to be enabled on the storage account." if (-not $serverEncryption.SupportsKerberos) { From 12943b7820819ca2de3c749a1f26fcfe42055b6f Mon Sep 17 00:00:00 2001 From: Maxime Kjaer Date: Wed, 4 Feb 2026 14:31:48 -0800 Subject: [PATCH 5/8] Fix color of single quote --- AzFilesHybrid/AzFilesHybrid/AzFilesHybrid.psm1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/AzFilesHybrid/AzFilesHybrid/AzFilesHybrid.psm1 b/AzFilesHybrid/AzFilesHybrid/AzFilesHybrid.psm1 index 23cd2329..a15782dc 100644 --- a/AzFilesHybrid/AzFilesHybrid/AzFilesHybrid.psm1 +++ b/AzFilesHybrid/AzFilesHybrid/AzFilesHybrid.psm1 @@ -4157,7 +4157,7 @@ function Debug-AzStorageAccountEntraKerbAuth { { # Report the registry path every time a failure is detected $success = $false - Write-Host "`Fiddler proxy detected in $($PSStyle.Foreground.BrightCyan)'$($folder.Name)'$($PSStyle.Reset)." + Write-Host "`Fiddler proxy detected in '$($PSStyle.Foreground.BrightCyan)$($folder.Name)$($PSStyle.Reset)'." } } From 85eccc3b5c9cf125319ec596bf095162e6bd2724 Mon Sep 17 00:00:00 2001 
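Review bot: Replacing the `? :` ternary with `$disabledConfiguration = if (...) { ... } else { ... }` only matters if this module must load under Windows PowerShell 5.1, yet the surrounding messages in this function (for example the Fiddler line in the following patch) interpolate `$PSStyle.Foreground.BrightCyan`, and `$PSStyle` is not defined before PowerShell 7.2 — under 5.1 that expands to an empty string, or throws under Set-StrictMode. If 5.1 support is the goal, the `$PSStyle` references need the same treatment (for instance a module-level fallback object whose colour properties are empty strings); if it is not, a short comment on why the ternary was avoided would stop someone reintroducing it. The if/else this line sits in belongs to Debug-AzStorageAccountEntraKerbAuth, which starts and ends outside the hunk.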
From: Maxime Kjaer Date: Wed, 4 Feb 2026 16:32:47 -0800 Subject: [PATCH 6/8] Fix success message printing --- AzFilesHybrid/AzFilesHybrid/AzFilesHybrid.psm1 | 16 ++++++++++------ .../AzFilesHybrid/AzFilesHybridUtilities.ps1 | 10 +++++++++- 2 files changed, 19 insertions(+), 7 deletions(-) diff --git a/AzFilesHybrid/AzFilesHybrid/AzFilesHybrid.psm1 b/AzFilesHybrid/AzFilesHybrid/AzFilesHybrid.psm1 index a15782dc..c11a5545 100644 --- a/AzFilesHybrid/AzFilesHybrid/AzFilesHybrid.psm1 +++ b/AzFilesHybrid/AzFilesHybrid/AzFilesHybrid.psm1 @@ -4045,9 +4045,8 @@ function Debug-AzStorageAccountEntraKerbAuth { if ($DefaultSharePermission -and $DefaultSharePermission -ne "None") { - Write-TestingPassed + Write-TestingPassed "Access is granted via the default share permission" $checks["CheckRBAC"].Result = "Passed" - Write-Host "`tAccess is granted via the default share permission" } elseif (-not $UserName) { @@ -4070,7 +4069,8 @@ function Debug-AzStorageAccountEntraKerbAuth { -checkResult $checks["CheckRBAC"] } } - } catch + } + catch { Write-TestingFailed -Message $_ $checks["CheckRBAC"].Result = "Failed" @@ -4193,14 +4193,18 @@ function Debug-AzStorageAccountEntraKerbAuth { $status = Get-DsRegStatus if ($status.AzureAdJoined -eq "YES") { - Write-TestingPassed + if ($status.DomainJoined -eq "NO") { - Write-Host "`tEntra Join confirmed" + Write-TestingPassed "Entra Join confirmed" } elseif ($status.DomainJoined -eq "YES") { - Write-Host "`tHybrid Entra Join confirmed" + Write-TestingPassed "Hybrid Entra Join confirmed" + } + else + { + Write-TestingPassed "Unknown kind of Entra Join confirmed" } $checks["CheckEntraJoinType"].Result = "Passed" } diff --git a/AzFilesHybrid/AzFilesHybrid/AzFilesHybridUtilities.ps1 b/AzFilesHybrid/AzFilesHybrid/AzFilesHybridUtilities.ps1 index b5413bd9..d1958ddf 100644 --- a/AzFilesHybrid/AzFilesHybrid/AzFilesHybridUtilities.ps1 +++ b/AzFilesHybrid/AzFilesHybrid/AzFilesHybridUtilities.ps1 
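Review bot: The new `else` branch prints `Write-TestingPassed "Unknown kind of Entra Join confirmed"` and then records `Result = "Passed"` when the DomainJoined field is neither YES nor NO, so a dsregcmd parse failure or an unexpected value is reported as a passing check. That state is not a confirmed join type and should surface as a warning: `Write-TestingWarning -Message "AzureAdJoined is YES but DomainJoined is '$($status.DomainJoined)'; could not determine join type"` together with `$checks["CheckEntraJoinType"].Result = "Partial"`, both of which this module already uses for the same purpose in the removed CheckEntraObject code. The other two hunks in this file only fold the detail text into the Passed line and read fine. The enclosing check block and Get-DsRegStatus are outside the hunk.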
@@ -1,10 +1,18 @@ function Write-TestingPassed( [Parameter(Mandatory=$false, Position=0)] + [string]$Message = "", + + [Parameter(Mandatory=$false)] [int]$Indents = 1 ) { $indentation = "`t" * $Indents $checkmark = [System.Char]::ConvertFromUtf32([System.Convert]::ToInt32("2713", 16)) - Write-Host "$($PSStyle.Foreground.BrightGreen)${indentation}($checkmark) Passed$($PSStyle.Reset)" + + if ($Message) { + Write-Host "$($PSStyle.Foreground.BrightGreen)${indentation}($checkmark) Passed:$($PSStyle.Reset) $Message" + } else { + Write-Host "$($PSStyle.Foreground.BrightGreen)${indentation}($checkmark) Passed$($PSStyle.Reset)" + } } function Write-TestingFailed( From 0f08e0cf2f8728af80bc53d349767275130aad7d Mon Sep 17 00:00:00 2001 From: Maxime Kjaer Date: Wed, 4 Feb 2026 16:33:17 -0800 Subject: [PATCH 7/8] Fix indentation of Fiddler Proxy detected message --- AzFilesHybrid/AzFilesHybrid/AzFilesHybrid.psm1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/AzFilesHybrid/AzFilesHybrid/AzFilesHybrid.psm1 b/AzFilesHybrid/AzFilesHybrid/AzFilesHybrid.psm1 index c11a5545..b4dcfa9c 100644 --- a/AzFilesHybrid/AzFilesHybrid/AzFilesHybrid.psm1 +++ b/AzFilesHybrid/AzFilesHybrid/AzFilesHybrid.psm1 @@ -4157,7 +4157,7 @@ function Debug-AzStorageAccountEntraKerbAuth { { # Report the registry path every time a failure is detected $success = $false - Write-Host "`Fiddler proxy detected in '$($PSStyle.Foreground.BrightCyan)$($folder.Name)$($PSStyle.Reset)'." + Write-Host "`tFiddler proxy detected in '$($PSStyle.Foreground.BrightCyan)$($folder.Name)$($PSStyle.Reset)'." } } From 33130579017260defd89d648aea880ae01daa23b Mon Sep 17 00:00:00 2001 From: Maxime Kjaer Date: Thu, 5 Feb 2026 15:15:44 -0800 Subject: [PATCH 8/8] Refactor Test-IsCloudKerberosTicketRetrievalEnabled --- .../AzFilesHybrid/AzFilesHybrid.psm1 | 26 +++++++++++-------- 1 file changed, 15 insertions(+), 11 deletions(-) 
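Review bot: Moving `[string]$Message` into `Position=0` silently changes what a positional call such as `Write-TestingPassed 2` means — before this hunk it bound to `$Indents`, now it binds to `$Message` and prints `Passed: 2` at the default indent, with no error. Whether any caller passes the indent positionally is not visible here; if one does, that call site needs `-Indents 2`, and giving `$Indents` `Position=1` at least keeps `Write-TestingPassed "msg" 2` working. The function also deserves a comment-based help block stating that `$Message` is appended after `Passed:` when non-empty and that `$Indents` is the number of leading tabs. Write-TestingFailed begins on the hunk's last line and is outside the hunk.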
diff --git a/AzFilesHybrid/AzFilesHybrid/AzFilesHybrid.psm1 b/AzFilesHybrid/AzFilesHybrid/AzFilesHybrid.psm1 index b4dcfa9c..18497098 100644 --- a/AzFilesHybrid/AzFilesHybrid/AzFilesHybrid.psm1 +++ b/AzFilesHybrid/AzFilesHybrid/AzFilesHybrid.psm1 
@@ -4463,27 +4463,31 @@ function Get-DsRegStatus { } function Test-IsCloudKerberosTicketRetrievalEnabled { - $path = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\CloudKerberosTicketRetrievalEnabled" - $regKeyFolder = Get-ItemProperty -Path Registry::HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -ErrorAction SilentlyContinue + [CmdletBinding()] + param () + + $path = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters" + $folder = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue - if ($null -eq $regKeyFolder -or - $null -eq $regKeyFolder.CloudKerberosTicketRetrievalEnabled) + if ($null -eq $folder -or + $null -eq $folder.CloudKerberosTicketRetrievalEnabled) { - Write-Verbose "$path not found." + Write-Verbose "CloudKerberosTicketRetrievalEnabled not found in ${path}." - $path = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\CloudKerberosTicketRetrievalEnabled" - $regKeyFolder = Get-ItemProperty -Path Registry::HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters -ErrorAction SilentlyContinue + $path = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters" + $folder = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue - if ($null -eq $regKeyFolder -or - $null -eq $regKeyFolder.CloudKerberosTicketRetrievalEnabled) + if ($null -eq $folder -or + $null -eq $folder.CloudKerberosTicketRetrievalEnabled) { Write-Verbose "$path not found." + return $false } } - Write-Verbose "Found $path = $($regKeyFolder.CloudKerberosTicketRetrievalEnabled)" + Write-Verbose "Found ${path}\CloudKerberosTicketRetrievalEnabled = $($folder.CloudKerberosTicketRetrievalEnabled)" - return $regKeyFolder.CloudKerberosTicketRetrievalEnabled -eq "1" + return $folder.CloudKerberosTicketRetrievalEnabled -eq "1" } function Debug-EntraKerbAdminConsent {
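Review bot: The lookup order — the Policies\System\Kerberos\Parameters key first, falling back to Control\Lsa\Kerberos\Parameters only when the policy key has no value — matches how policy keys normally override local settings, but nothing in the function says so, and a reader could reasonably "simplify" it to read the LSA key directly. Add above the first `Get-ItemProperty`: `# Policy-managed value takes precedence over the local LSA setting; only fall back when the policy key has no value at all (a policy value of 0 is honoured, not overridden by the LSA key).` The two verbose messages also differ in shape (`"CloudKerberosTicketRetrievalEnabled not found in ${path}."` versus `"$path not found."`); using the first form for both makes the trace unambiguous since `$path` now names the key, not the value. The return is `$folder.CloudKerberosTicketRetrievalEnabled -eq "1"`, so a REG_DWORD of 1 and a REG_SZ "1" both count as enabled — worth stating in a help block if that is intended.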