Azure File Share Directory and File level permission

Vardhan Joshi 51 Reputation points
2022-03-06T07:02:51.373+00:00

I have Azure AD, Azure AD DS, and an Azure VM connected to a File Share; under IAM I have assigned roles, but I want to set permissions at the directory level.

I have tried "Configure Windows ACLs with Windows File Explorer" and am getting a password prompt.

FYR, I am able to log in to the VM using Azure AD users, and the File Share is accessible for the logged-in user.

Thanks.


1 answer

  1. GitaraniSharma-MSFT 47,086 Reputation points Microsoft Employee
    2022-03-09T11:42:47.843+00:00

    Hello @Vardhan Joshi ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you have Azure AD, Azure AD DS, and an Azure VM connected to a File Share, and you want to set permissions at the directory level. You have tried "Configure Windows ACLs with Windows File Explorer" and are getting a password prompt.

    As explained in the official doc, enabling AD DS authentication for your Azure file shares allows you to authenticate to your Azure file shares with your on-prem AD DS credentials. Further, it allows you to better manage your permissions to allow granular access control. Doing this requires syncing identities from on-prem AD DS to Azure AD with AD Connect. You control the share-level access with identities synced to Azure AD while managing file/share-level access with on-prem AD DS credentials.

    So, you need to start with part 1 where, after enabling the Active Directory Domain Services (AD DS) authentication feature, you must configure your storage account and your AD DS to use AD DS credentials for authenticating to your Azure file share. To enable AD DS authentication over SMB for Azure file shares, you need to register your storage account with AD DS and then set the required domain properties on the storage account.
    You need to run the Join-AzStorageAccount cmdlet, which performs the equivalent of an offline domain join on behalf of the specified storage account.
    Refer: https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-enable

    To configure ACLs with superuser permissions, you must mount the share by using your storage account key from your domain-joined VM.
    Full administrative control of a file share, including the ability to take ownership of a file, requires using the storage account key. Administrative control is not supported with Azure AD credentials.
    Refer: https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-configure-permissions#supported-permissions
    https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-assign-permissions?tabs=azure-portal

    Also, as mentioned here, if you are not able to load the AD domain information correctly in Windows File Explorer, this is likely due to the trust configuration in your on-prem AD environment. The client machine was not able to reach the AD domain controller registered for Azure Files authentication. In this case, use icacls for configuring Windows ACLs.

    This is a known issue and is documented in the below troubleshooting doc:
    https://learn.microsoft.com/en-us/azure/storage/files/storage-troubleshoot-windows-file-connection-problems?tabs=azure-portal#unable-to-configure-directoryfile-level-permissions-windows-acls-with-windows-file-explorer

    The recommended solution is to use the icacls tool to configure the directory/file-level permissions as a workaround.

    If you wish you may leave your feedback in the below forum requesting a feature. All the feedback you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Azure.
    https://feedback.azure.com/d365community/forum/a8bb4a47-3525-ec11-b6e6-000d3a4f0f84

    Kindly let us know if the above helps or you need further assistance on this issue.


    1 person found this answer helpful.
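The procedure the answer above describes (register the storage account with AD DS, mount the share with the storage account key for superuser control, then set directory-level ACLs with icacls instead of File Explorer), written out as an added PowerShell example. This is not code from the answerer or from Microsoft's docs; it assumes the AzFilesHybrid module is installed on a domain-joined VM, and the resource group, storage account, share, domain and group names are placeholders to replace.

```powershell
# Added example (not from the original answer). Run on a domain-joined Windows VM
# that can reach both Azure and the on-prem AD DS domain controller.
# Placeholders (assumptions, replace with your own values):
$ResourceGroup  = "rg-files-placeholder"
$StorageAccount = "stfilesplaceholder"       # storage account name (globally unique)
$ShareName      = "projects"                  # Azure file share name
$DriveLetter    = "Z:"
$DomainGroup    = "CONTOSO\FinanceTeam"       # on-prem AD DS security group synced to Azure AD

# --- Part 1: register the storage account with on-prem AD DS (Join-AzStorageAccount) ---
# AzFilesHybrid is Microsoft's helper module; it wraps the offline domain join.
Import-Module AzFilesHybrid
Connect-AzAccount

Join-AzStorageAccount `
    -ResourceGroupName $ResourceGroup `
    -StorageAccountName $StorageAccount `
    -DomainAccountType "ComputerAccount" `
    -OrganizationalUnitDistinguishedName "OU=AzureFiles,DC=contoso,DC=com"   # placeholder OU

# Verify that AD DS authentication is now enabled on the account before going further.
$acct = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount
$acct.AzureFilesIdentityBasedAuth | Format-List    # expect DirectoryServiceOptions : AD

# --- Part 2: mount with the storage account key for superuser (ACL-editing) access ---
# Azure AD credentials cannot take ownership or edit ACLs; the account key can.
# Treat the key as a secret: it is only used for this admin session and not persisted.
$key = (Get-AzStorageAccountKey -ResourceGroupName $ResourceGroup -Name $StorageAccount)[0].Value
$uncPath = "\\$StorageAccount.file.core.windows.net\$ShareName"
cmd /c "net use $DriveLetter $uncPath /user:Azure\$StorageAccount $key"

# --- Part 3: directory-level ACLs with icacls (the File Explorer workaround) ---
$finance = Join-Path $DriveLetter "Finance"
if (-not (Test-Path $finance)) { New-Item -ItemType Directory -Path $finance | Out-Null }

# Stop inheriting the share root's permissive ACL so only explicit grants apply
# (least privilege: nothing flows down unless you add it).
icacls $finance /inheritance:r

# Grant the AD group Modify on the folder and everything created under it:
# (OI) object inherit, (CI) container inherit, (M) modify.
icacls $finance /grant "${DomainGroup}:(OI)(CI)(M)"

# Show the resulting ACL so the change can be reviewed (and logged by a change process).
icacls $finance

# --- Cleanup: drop the key-authenticated mapping once ACL work is done ---
cmd /c "net use $DriveLetter /delete"
Remove-Variable key
```

Users then connect with their AD DS credentials (no storage account key) and only see what the explicit icacls grants allow; keep the key-authenticated mount to admin sessions, since anyone holding the key has full control of every file in the share.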