Share and NTFS permission best practice for Azure Storage Account File Share using On-premises AD DS authentication ?

EnterpriseArchitect 4,741 Reputation points
2021-07-02T07:10:43.62+00:00

People,

I have enabled the Azure Storage Account File Share On-premises AD DS authentication
According to this article: https://learn.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview#replace-on-premises-file-servers

If I wanted to give Read Write and Execute to the \StorageAccountName.file.core.windows.net\Shared-Directory for my AD security group 'Finance-Department', which role(s) should I grant below from Access Control (IAM)? 

Storage File Data SMB Share **Reader** allows read access in Azure Storage file shares over SMB.  
Storage File Data SMB Share **Contributor** allows read, write, and delete access in Azure Storage file shares over SMB.  
Storage File Data SMB Share **Elevated Contributor** allows read, write, delete, and modify Windows ACLs in Azure Storage file shares over SMB

Because by default, everyone in the company can open and perform anything on the shared file share: \StorageAccountName.file.core.windows.net\Shared-Directory
I wonder is it because of the below default permission below?

111245-image.png

Any help would be greatly appreciated.

Azure Files
Azure Files
An Azure service that offers file shares in the cloud.
1,163 questions
Azure Storage Accounts
Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
2,687 questions
Azure Blob Storage
Azure Blob Storage
An Azure service that stores unstructured data in the cloud as blobs.
2,427 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,470 questions
Accepted answer
  1. Sumarigo-MSFT 43,641 Reputation points Microsoft Employee
    2021-07-05T14:19:29.013+00:00

    @EnterpriseArchitect Firstly, apologies for the delay in responding here and any inconvenience this issue may have caused.

    Let me explain how this roles works and they are been defined, see here based on your requirement you can assign
    You can do an AD integration with SMB to grant access to users. Here you can learn more about it : https://azure.microsoft.com/en-us/blog/better-security-with-enhanced-access-control-experience-in-azure-files/ also if possible review the RBAC roles article What is Azure role-based access control (Azure RBAC)?
    111834-image.png

    • Using Azure AD authentication and combination of READER on storage account plus different roles on the File Shares (in addition more granular user permissions on individual shares or even directories / files)
    OR
    • Managing Shared Access Signature per User / Group of users and giving that SAS particular access over a file share

    Hope this helps!

    Kindly let us know if the above helps or you need further assistance on this issue.

    ---------------------------------------------------------------------------------------------------------------------------------

    Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest