Question asked by varjsh (0 votes); GitaraniSharmaMSFT-4262 commented

Azure File Share Directory and File level permission

I have Azure AD, Azure AD DS, Azure VM connected to File Share; under IAM I have assigned Roles but I want to set permission on Directory Level.

I have tried "Configure Windows ACLs with Windows File Explorer" and am getting a password prompt.

FYR, I am able to log in to the VM using Azure AD users, and the File Share is accessible for the logged-in user.

Thanks.



Tags: azure-storage-accounts, azure-ad-domain-services, azure-files, azure-storage-explorer

1 Answer

Answer by GitaraniSharmaMSFT-4262 (1 vote)

Hello @varjsh ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I understand that you have Azure AD, Azure AD DS, and an Azure VM connected to a File Share, and you want to set permissions at the directory level. You have tried "Configure Windows ACLs with Windows File Explorer" and are getting a password prompt.

As explained in the official doc, enabling AD DS authentication for your Azure file shares allows you to authenticate to your Azure file shares with your on-prem AD DS credentials. Further, it allows you to better manage your permissions to allow granular access control. Doing this requires syncing identities from on-prem AD DS to Azure AD with AD Connect. You control the share-level access with identities synced to Azure AD while managing file/share-level access with on-prem AD DS credentials.

So, you need to start with part 1: after enabling the Active Directory Domain Services (AD DS) authentication feature, you must configure your storage account and your AD DS to use AD DS credentials for authenticating to your Azure file share. To enable AD DS authentication over SMB for Azure file shares, you need to register your storage account with AD DS and then set the required domain properties on the storage account.
You need to run the Join-AzStorageAccount cmdlet, which performs the equivalent of an offline domain join on behalf of the specified storage account.
Refer: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-enable

To configure ACLs with superuser permissions, you must mount the share by using your storage account key from your domain-joined VM.
Full administrative control of a file share, including the ability to take ownership of a file, requires using the storage account key. Administrative control is not supported with Azure AD credentials.
Refer: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-configure-permissions#supported-permissions
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-assign-permissions?tabs=azure-portal

Also, as mentioned here, if you are not able to load the AD domain information correctly in Windows File Explorer, this is likely due to trust configuration in your on-prem AD environment: the client machine was not able to reach the AD domain controller registered for Azure Files authentication. In this case, use icacls for configuring Windows ACLs.

This is a known issue and is documented in the below troubleshooting doc:
https://docs.microsoft.com/en-us/azure/storage/files/storage-troubleshoot-windows-file-connection-problems?tabs=azure-portal#unable-to-configure-directoryfile-level-permissions-windows-acls-with-windows-file-explorer

The recommended solution is to use the icacls tool to configure the directory/file-level permissions as a workaround.

If you wish you may leave your feedback in the below forum requesting a feature. All the feedback you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Azure.
https://feedback.azure.com/d365community/forum/a8bb4a47-3525-ec11-b6e6-000d3a4f0f84

Kindly let us know if the above helps or you need further assistance on this issue.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
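To show the answer's three steps end to end (register the storage account with AD DS, mount the share with the storage account key as superuser, then set directory-level ACLs with icacls instead of File Explorer), here is an added PowerShell example. It is not part of the question, the answer, or Microsoft's documentation; the resource group, storage account, share, directory and AD DS group names are assumptions to be replaced, and it assumes the Az and AzFilesHybrid modules are installed on a domain-joined machine.

```powershell
# Added example, not from the thread above. All names below are assumed placeholders.
$ResourceGroup  = 'rg-files'            # assumed
$StorageAccount = 'stgfilesdemo'        # assumed
$ShareName      = 'projects'            # assumed
$Directory      = 'finance'             # assumed directory inside the share
$AdPrincipal    = 'CONTOSO\Finance-RW'  # assumed AD DS group synced to Azure AD

# Step 1 (run once): register the storage account with AD DS. This is the
# Join-AzStorageAccount cmdlet the answer refers to; it performs the offline
# domain join on behalf of the storage account.
Connect-AzAccount
Join-AzStorageAccount -ResourceGroupName $ResourceGroup `
                      -StorageAccountName $StorageAccount `
                      -DomainAccountType 'ComputerAccount'

# Confirm the account now carries the AD DS domain properties.
$acct = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount
$acct.AzureFilesIdentityBasedAuth | Format-List

# Step 2: mount the share with the storage account key on the domain-joined VM.
# Only a key-based (superuser) mapping can set ownership and ACLs; Azure AD or
# AD DS identities cannot, which is why File Explorer prompts for a password.
$key = (Get-AzStorageAccountKey -ResourceGroupName $ResourceGroup -Name $StorageAccount)[0].Value
$unc = "\\$StorageAccount.file.core.windows.net\$ShareName"
cmd /c net use Z: $unc /user:"Azure\$StorageAccount" $key /persistent:no

# Step 3: set directory-level ACLs with icacls.
# (OI)(CI) propagate the ACE to files and subfolders; M = Modify.
$target = "Z:\$Directory"
if (-not (Test-Path $target)) { New-Item -ItemType Directory -Path $target | Out-Null }
icacls $target /grant "${AdPrincipal}:(OI)(CI)(M)"

# Optional: stop inheriting the share root's ACEs so the directory carries only
# what was granted above (least privilege for a restricted folder).
icacls $target /inheritance:r

# Verify the resulting ACL before handing the folder over.
icacls $target

# Step 4: remove the key-based mapping. Day-to-day access should go through
# AD DS identities plus share-level RBAC, never the storage account key.
cmd /c net use Z: /delete
```

The `/inheritance:r` line is the point where a mistake locks users out: it drops every inherited ACE, so make sure the explicit grant has been applied (and reviewed with `icacls $target`) before running it, and keep the key-based mapping only for as long as the ACL change takes.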


