Azure Files - AD permissions not working

SenhorDolas 1,146 Reputation points
2021-08-11T13:20:59.247+00:00

Hi
I would like to use my on-prem groups to manage Azure Files share folder permissions. I am hybrid and the groups have replicated up to AAD fine. I think this is possible, as listed in storage-files-identity-ad-ds-assign-permissions.

The problem is that the shares created in Azure Files are not honoring the AD DS NTFS permissions.

This is my work flow:

  1. Share created in Azure Files (storage account joined to AD DS)
  2. Granted IAM > Storage File Data SMB Share Reader permissions to a synced AAD group (G-AZF-Share-X, which my test account is a member of)
  3. Permissions take a while to replicate, so I waited 30 mins > logged on to the VM as my test account > able to `net use` map the share
  4. On my own VM, mapped the share with the storage account access keys and created a few folders > granted Full Control to the AD group G-AZF-Share-X
  5. Logged on to the VM as the test user > can see the new folders > can browse through the folders but unable to create or delete files inside them
  6. The NTFS permissions are showing up fine and I can confirm that the test user has Modify access

Created another share:

  1. But this time granted IAM > Storage File Data SMB Share Contributor permissions to a synced AAD group (G-AZF-Share-X, which my test account is a member of)
  2. Permissions take a while to replicate, so I waited 30 mins > logged on to the VM as my test account > able to `net use` map the new share
  3. On my own VM, mapped the share with the storage account access keys and created a few folders > did not set any NTFS permissions this time
  4. Logged on to the VM as the test user > can see the new folders > can browse through the folders, and now I am able to create or delete files inside them
  5. Checked the folders and confirmed that the AD group G-AZF-Share-X has no permissions

The question now is: why are the share permissions ruling over the folder permissions, and why am I unable to manage this from NTFS/AD DS?

Many thanks :)


Accepted answer
  1. Sumarigo-MSFT 43,406 Reputation points Microsoft Employee
    2021-08-19T07:31:32.457+00:00

    @SenhorDolas Firstly, apologies for the delay in responding here and any inconvenience this issue may have caused.

    AD authentication for Azure Files is a hybrid setup. Permissions have to be granted at the share level (RBAC) and also at the NTFS (AD) level; we cannot override that and use only NTFS (AD), which is what you are referring to, correct?
    With a traditional file server, by contrast, you have full control of the share and all permissions go via on-prem AD.

    Azure RBAC share-level permissions act as the high-level gatekeeper that determines whether a user can access the share, while the Windows ACLs operate at a more granular level to determine what operations the user can do at the directory or file level. Both share-level and file/directory-level permissions are enforced when a user attempts to access a file/directory, so if there is a difference between them, only the most restrictive one will be applied. For example, if a user has read/write access at the file level but only read at the share level, then they can only read that file. The same is true if it is reversed: a user with read/write access at the share level but only read at the file level can still only read the file.
    For more information refer to this article: https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-configure-permissions

    Note: So both are needed and this is by design.

    I assume your expectation is to use NTFS (AD)-only control, am I correct? If so, please leave your feedback here. All the feedback you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Azure.

    Additional information: You can refer to this thread on how RBAC works.

    If you still find any difficulties, I would like to engage with you offline for a closer look and provide quick and specialized assistance. Please send an email with the subject line “Attn:subm” to AzCommunity[at]Microsoft[dot]com referencing this thread and the Azure subscription ID, and I will follow up with you. Once again, apologies for any inconvenience with this issue.

    Thanks for your patience and co-operation.


1 additional answer

  1. deherman-MSFT 33,141 Reputation points Microsoft Employee
    2021-08-11T19:52:22.503+00:00

    @SenhorDolas
    I believe this is working as intended. You are setting the share-level permissions to use Storage File Data SMB Share Reader and then assigning full permissions to the group at the file/directory level. Both share-level and file/directory-level permissions are enforced when a user attempts to access a file/directory, so if there is a difference between them, only the most restrictive one will be applied. For example, if a user has read/write access at the file level but only read at the share level, then they can only read that file. If you wish for your users to have full control, you will need to give more permissions at the share level. The table in this section does a good job of outlining this.

    Hope this helps! Let us know if you have further questions or issues and I will do my best to assist.

    -------------------------------

    Please don’t forget to "Accept the answer" and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
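The two-gate model both answers describe (share-level RBAC role first, NTFS ACL second, most restrictive wins) is easy to get wrong by assigning the role at the wrong scope or level. The following is an added PowerShell example, not code from the thread or from Microsoft, that performs the poster's workflow end to end: assign the Contributor role to the synced group at share scope, list what is actually assigned there, mount with the storage account key (which bypasses both gates as a superuser) to set the NTFS ACL, then show the check a test user would run. The storage account `stazfdemo`, resource group `rg-files`, share `share-x` and domain `CONTOSO` are placeholder names; the Az PowerShell module and a domain-joined VM are assumed.

```powershell
# Added example (not from the original thread). Placeholder names:
# storage account stazfdemo, resource group rg-files, share share-x,
# synced AD group CONTOSO\G-AZF-Share-X. Requires the Az module and Connect-AzAccount.
$subId   = (Get-AzContext).Subscription.Id
$rg      = "rg-files"
$account = "stazfdemo"
$share   = "share-x"
$adGroup = "CONTOSO\G-AZF-Share-X"

# Gate 1: share-level RBAC. Scope the role to the share, not the whole account,
# so a Reader on one share cannot inherit Contributor from another.
$scope = "/subscriptions/$subId/resourceGroups/$rg/providers/Microsoft.Storage" +
         "/storageAccounts/$account/fileServices/default/fileshares/$share"
$group = Get-AzADGroup -DisplayName "G-AZF-Share-X"

# Reader is what capped the test user to read-only on the first share even with
# Full Control in NTFS. Contributor is the minimum that allows create/delete;
# Elevated Contributor additionally allows changing NTFS ACLs over SMB.
New-AzRoleAssignment -ObjectId $group.Id `
    -RoleDefinitionName "Storage File Data SMB Share Contributor" `
    -Scope $scope

# Verify what is effective at share scope (this lists inherited assignments too).
Get-AzRoleAssignment -Scope $scope |
    Select-Object DisplayName, RoleDefinitionName, Scope

# Gate 2: NTFS ACLs. Mounting with the account key grants superuser access and
# skips both gates, so use it only from an admin box to set ACLs, then disconnect.
$key = (Get-AzStorageAccountKey -ResourceGroupName $rg -Name $account)[0].Value
net use Z: "\\${account}.file.core.windows.net\${share}" /user:"Azure\${account}" $key

New-Item -ItemType Directory -Path "Z:\Projects" -Force | Out-Null

# Modify for the AD group, inherited by subfolders (CI) and files (OI).
icacls "Z:\Projects" /grant "${adGroup}:(OI)(CI)M"
icacls "Z:\Projects"          # print the resulting ACL for the record

net use Z: /delete

# Check as the test user on the domain-joined VM (Kerberos/NTLM identity, no key):
#   net use Y: \\stazfdemo.file.core.windows.net\share-x
#   New-Item Y:\Projects\probe.txt -ItemType File
# The create succeeds only if BOTH the share-level role and the NTFS ACL allow
# write; with Reader at share scope it fails with Access Denied regardless of NTFS.
```

Role assignments take a few minutes to propagate, so a failed write immediately after `New-AzRoleAssignment` is not yet a permissions mismatch; re-run the user-side check after the delay the poster observed. The effective access at any path is the intersection of the role at share scope and the NTFS entry, so for least privilege keep the role at the broad level the group genuinely needs (Contributor) and carry the per-folder differences in NTFS, rather than granting Elevated Contributor to everyone.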