One NFS pattern that I find very helpful is to use the "all_squash" pattern with a specific, nonzero UID/GID pair specified using "anonuid" and "anongid". For instance, I can use this in Kubernetes to provide a persistent storage mechanism that serves different subdirectories to each container, thus providing a physical form of access control. Because each container will launch as the same UID and GID, using "all_squash" eliminates any chance of accidental permissions corruption.
Currently, the NFS support for Azure Files supports the "all_squash" capability, but not the ability to specify anongid and anonuid. I would like to request that this be added!
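The pattern described above, as an added example that is not part of the original post: a Linux `/etc/exports` line (shown as a comment) that squashes every client to one nonzero UID/GID, and a Kubernetes Pod that runs as that pair and mounts only its own subdirectory. The server name, export path, client range, the 2000:2000 pair, the image and the subdirectory name are all assumptions.

```yaml
# NFS server side (Linux /etc/exports, shown here as a comment; values assumed):
#   /srv/k8s-data  10.0.0.0/16(rw,sync,all_squash,anonuid=2000,anongid=2000)
# all_squash maps every client UID/GID, root included, to the anonymous account;
# anonuid/anongid set that account to 2000:2000 instead of the default.
apiVersion: v1
kind: Pod
metadata:
  name: app-a                          # hypothetical workload name
spec:
  securityContext:
    runAsUser: 2000                    # same pair as anonuid/anongid, so files
    runAsGroup: 2000                   # look self-owned from inside the container
    runAsNonRoot: true
  containers:
    - name: app
      image: registry.example.com/app-a:1.0   # placeholder image
      volumeMounts:
        - name: shared-nfs
          mountPath: /data
          subPath: app-a               # container sees only <export>/app-a
  volumes:
    - name: shared-nfs
      nfs:
        server: nfs.example.internal   # placeholder server name
        path: /srv/k8s-data            # assumed export path
```

The per-container separation here comes from the Pod spec's `subPath`; the export's client list still decides which hosts can mount the parent directory.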