Azure File Shares… by default, they’re kind of dumb.
They only tell you the IP address of whoever touched the file.
So, it’s like:
“Yeah, somebody did it… came from this machine… good luck figuring out who.”
If you actually want Azure to tell you the real person who accessed something, you got to turn on one of two things:
Azure AD Domain Services authentication, or
Azure AD Kerberos for SMB (this one’s the real upgrade, the modern setup).
Without that, Azure just sees:
Computer to Storage,
not Person to File.
So, if you want real user identity in the logs, you got to flip on Azure AD Kerberos for SMB.
Once you do that, boom—you start getting the real details.
But you need a few things first:
Windows 10/11 or Server 2022+
Storage account with AD Kerberos turned on
Devices joined to Azure AD or hybrid joined
No NTLM fallback
SMB 3.1.1
And once that’s set up, your logs get way better.
Now you see:
Exactly who opened what
Which file or folder
What they did (read, write, delete… whatever)
When it happened
If it worked or failed
And it even tells you, “Yep, this was Azure AD Kerberos.”
Basically—you go from “mystery IP address”
to
“I know EXACTLY who touched my stuff.”
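
Here's that difference as a quick check you can run over exported file share logs. This is an added example, not code from the original post: the records are constructed, and the field names (SmbPrimarySID, RequesterUpn, CallerIpAddress and so on) are assumptions modelled on the StorageFileLogs table, so adjust them to whatever your export actually contains.

```python
import json
from collections import Counter

# Constructed sample records, one JSON object per line (not real logs).
# Field names and values are assumptions modelled on the StorageFileLogs table.
SAMPLE = """\
{"TimeGenerated": "2024-05-01T09:14:02Z", "OperationName": "Read", "StatusText": "Success", "CallerIpAddress": "10.0.4.17", "AuthenticationType": "NTLMv2", "SmbPrimarySID": "", "Uri": "finance/q1.xlsx"}
{"TimeGenerated": "2024-05-01T09:15:40Z", "OperationName": "Write", "StatusText": "Success", "CallerIpAddress": "10.0.4.22", "AuthenticationType": "Kerberos", "SmbPrimarySID": "S-1-12-1-1111-2222-3333-4444", "Uri": "finance/q1.xlsx"}
{"TimeGenerated": "2024-05-01T09:16:05Z", "OperationName": "Delete", "StatusText": "AccessDenied", "CallerIpAddress": "10.0.4.22", "AuthenticationType": "Kerberos", "SmbPrimarySID": "S-1-12-1-1111-2222-3333-4444", "Uri": "hr/salaries.csv"}
{"TimeGenerated": "2024-05-01T09:20:11Z", "OperationName": "Delete", "StatusText": "Success", "CallerIpAddress": "10.0.4.17", "AuthenticationType": "NTLMv2", "SmbPrimarySID": "", "Uri": "finance/old.xlsx"}
"""

# Fields that can carry a user identity (assumed names, checked in order).
IDENTITY_FIELDS = ("SmbPrimarySID", "RequesterUpn")


def parse(text):
    """Turn newline-delimited JSON into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def identity_of(rec):
    """Return the first non-empty identity value, or None for an IP-only record."""
    for field in IDENTITY_FIELDS:
        if rec.get(field):
            return rec[field]
    return None


def audit(records):
    """Split records into 'person to file' rows and 'computer to storage' counts."""
    attributed = []            # (who, what, operation, when, result, auth type)
    unattributed = Counter()   # caller IP -> number of operations with no user
    for rec in records:
        who = identity_of(rec)
        if who is None:
            unattributed[rec.get("CallerIpAddress", "unknown")] += 1
        else:
            attributed.append((who, rec.get("Uri"), rec.get("OperationName"),
                               rec.get("TimeGenerated"), rec.get("StatusText"),
                               rec.get("AuthenticationType")))
    return attributed, unattributed


if __name__ == "__main__":
    attributed, unattributed = audit(parse(SAMPLE))
    for row in attributed:
        print("USER ", *row)
    for ip, count in unattributed.items():
        print("NO USER", ip, f"{count} operation(s), IP address only")
```

Any IP that still shows up in the "NO USER" output after you've turned on identity-based auth is a client worth chasing down, because those operations can't be tied to a person.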