Hello @michal ,
Thank you for reaching out to the Microsoft Q&A platform. Happy to answer your question.
Azure Files supports the full set of basic and advanced Windows ACLs.
Before you configure Windows ACLs, you must first mount the file share by using your storage account key. To do so follow Mount the file share using your storage account key
then proceed to configure Windows ACLs
Details on required roles:
You might see the Full Control ACL applied to a role already. This typically already offers the ability to assign permissions. However, because there are access checks at two levels (the share level and the file/directory level), this is restricted. Only users who have the SMB Elevated Contributor role and create a new file or directory can assign permissions on those new files or directories without using the storage account key. All other file/directory permission assignment requires connecting to the share using the storage account key first.
For full details refer to https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-configure-permissions#azure-rbac-permissions
Hope this helps.
Please "Accept as Answer" and Upvote if the answer provided is useful, so that you can help others in the community looking for remediation for similar issues.