Active Directory Joined Azure File Share

This article lists the commands I use to join an Azure Storage Account to an on-prem Active Directory.

From https://docs.microsoft.com/en-ca/azure/storage/files/storage-files-identity-ad-ds-enable?WT.mc_id=Portal-Microsoft_Azure_FileStorage and https://docs.microsoft.com/en-ca/azure/storage/files/storage-files-identity-ad-ds-configure-permissions

# Install the Az and AzureAD PowerShell modules
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
Set-PSRepository -Name PSGallery -InstallationPolicy Trusted
Install-Module AZ
Install-Module AzureAD

# Download AzFilesHybrid PowerShell module & extract it
Invoke-WebRequest -Uri "https://github.com/Azure-Samples/azure-files-samples/releases/download/v0.2.4/AzFilesHybrid.zip" -OutFile "AzFilesHybrid.zip"
Expand-Archive -LiteralPath AzFilesHybrid.zip -DestinationPath AzFilesHybrid
cd AzFilesHybrid\AzFilesHybrid

# Install AzFilesHybrid PowerShell
Get-ExecutionPolicy
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser
.\CopyToPSPath.ps1 
Import-Module -Name AzFilesHybrid

# Connect to Azure
Connect-AzAccount

# Join the storage account to AD
# Use Get-AzSubscription to get all subscriptions
$SubscriptionName = "Microsoft-Obay Subscription"
$SubscriptionId = (Get-AzSubscription -SubscriptionName $SubscriptionName).Id
# Use Get-AzResourceGroup to get all resource groups
$ResourceGroupName = "Contoso-rg"
# Use Get-AzStorageAccount -ResourceGroupName $ResourceGroupName to get all storage accounts
$StorageAccountName = "contososa"
$DomainAccountType = "ComputerAccount"
# The following line assumes an OU called AzFiles exists directly under the domain root; this is where the computer account will be created.
# Leave it commented out to create the computer account in the domain's default Computers container instead.
#$OuDistinguishedName = "OU=AzFiles,DC=meshmesh,DC=com"
# We use RC4 only because AES256 requires the storage account name to be 15 characters or fewer.
# RC4 is the weaker Kerberos encryption type; prefer AES256 (or "AES256,RC4") whenever the name length allows it.
#$EncryptionType = "AES256,RC4"
$EncryptionType = "RC4"

Select-AzSubscription -SubscriptionId $SubscriptionId 

$joinParams = @{
    ResourceGroupName  = $ResourceGroupName
    StorageAccountName = $StorageAccountName
    DomainAccountType  = $DomainAccountType
    EncryptionType     = $EncryptionType
}
# Pass the OU only when one was set above, rather than passing an empty value for -OrganizationalUnitDistinguishedName
if ($OuDistinguishedName) { $joinParams['OrganizationalUnitDistinguishedName'] = $OuDistinguishedName }

Join-AzStorageAccountForAuth @joinParams

# Run the command below if you want to enable AES-256 authentication (the storage account name must still be 15 characters or fewer, see above). If you plan to stay on RC4, skip this step.
Update-AzStorageAccountAuthForAES256 -ResourceGroupName $ResourceGroupName -StorageAccountName $StorageAccountName

Debug-AzStorageAccountAuth -StorageAccountName $StorageAccountName -ResourceGroupName $ResourceGroupName -Verbose

Set Default Share Permission

From https://docs.microsoft.com/en-ca/azure/storage/files/storage-files-identity-ad-ds-assign-permissions?tabs=azure-powershell

# Share-level permissions can take up to 3 hours to take effect. Wait for the permissions to sync before connecting to the file share with your own credentials.
# The options are:
# None
# StorageFileDataSmbShareContributor
# StorageFileDataSmbShareReader
# StorageFileDataSmbShareElevatedContributor
$defaultPermission = "StorageFileDataSmbShareElevatedContributor"
$account = Set-AzStorageAccount -ResourceGroupName $ResourceGroupName -AccountName $StorageAccountName -DefaultSharePermission $defaultPermission
$account.AzureFilesIdentityBasedAuth
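As an added check that is not part of the original notes or of Microsoft's docs, the script below verifies the outcome of the join and the default-permission steps above: it confirms the storage account reports AD DS, that the AD computer object created by Join-AzStorageAccountForAuth exists with the expected CIFS SPN, which Kerberos encryption types it advertises, and what the default share permission is. It assumes the RSAT ActiveDirectory module is installed, that it runs on a domain-joined machine with read access to AD, and that $ResourceGroupName and $StorageAccountName are set as above; the function name Test-AzFilesAdJoin is my own.

```powershell
# Added check (not from the original notes). Assumes the RSAT ActiveDirectory module is
# installed and that $ResourceGroupName / $StorageAccountName are set as above.
Import-Module ActiveDirectory

function Test-AzFilesAdJoin {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$StorageAccountName
    )
    $ok = $true
    $account = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName
    $auth = $account.AzureFilesIdentityBasedAuth

    # 1. The storage account must report AD DS as its directory service
    if ($auth.DirectoryServiceOptions -ne 'AD') {
        Write-Warning "DirectoryServiceOptions is '$($auth.DirectoryServiceOptions)', expected 'AD'"
        $ok = $false
    } else {
        Write-Host "Joined to domain $($auth.ActiveDirectoryProperties.DomainName)"
    }

    # 2. The computer object created by Join-AzStorageAccountForAuth (named after the
    #    storage account) must exist and carry the CIFS SPN clients request a ticket for
    $expectedSpn = "cifs/$StorageAccountName.file.core.windows.net"
    $computer = Get-ADComputer -Filter "Name -eq '$StorageAccountName'" `
        -Properties ServicePrincipalName, 'msDS-SupportedEncryptionTypes'
    if (-not $computer) {
        Write-Warning "No AD computer object named $StorageAccountName found"
        return $false
    }
    if ($computer.ServicePrincipalName -notcontains $expectedSpn) {
        Write-Warning "SPN $expectedSpn is missing on $($computer.DistinguishedName)"
        $ok = $false
    }

    # 3. Decode the msDS-SupportedEncryptionTypes bit flags (RC4 = 0x4, AES128 = 0x8, AES256 = 0x10)
    $encTypes = [int]$computer.'msDS-SupportedEncryptionTypes'
    $rc4    = ($encTypes -band 0x4)  -ne 0
    $aes256 = ($encTypes -band 0x10) -ne 0
    Write-Host ("Kerberos encryption types on the object: RC4={0} AES256={1}" -f $rc4, $aes256)
    if ($rc4 -and -not $aes256) {
        Write-Warning "RC4-only; run Update-AzStorageAccountAuthForAES256 if the 15-character name limit allows"
    }

    # 4. Surface the default share-level permission so an over-broad default is visible
    Write-Host "Default share permission: $($auth.DefaultSharePermission)"
    return $ok
}
Test-AzFilesAdJoin -ResourceGroupName $ResourceGroupName -StorageAccountName $StorageAccountName
```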

Private Link DNS integration scenarios: https://github.com/dmauser/PrivateLink/tree/master/DNS-Integration-Scenarios

# Connectivity test using the storage account key. The key grants full access to the account independent of AD,
# so use it only for this check and mount with domain credentials once the join has been verified.
$storageAccountKey = (Get-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $StorageAccountName).Value[0]

$connectTestResult = Test-NetConnection -ComputerName "$StorageAccountName.file.core.windows.net" -Port 445
if ($connectTestResult.TcpTestSucceeded)
{
  # Quote the UNC path so PowerShell expands $StorageAccountName without treating ".file" as a property access
  net use A: "\\$StorageAccountName.file.core.windows.net\testawey" /user:"Azure\$StorageAccountName" $storageAccountKey
}
else
{
  Write-Error -Message "Unable to reach the Azure storage account via port 445. Check to make sure your organization or ISP is not blocking port 445, or use Azure P2S VPN, Azure S2S VPN, or Express Route to tunnel SMB traffic over a different port."
}