Changing NTFS permissions on Azure file share folder does not restrict access to users not in permissions.

Nathan Rich 1 Reputation point
2022-10-07T14:57:38.857+00:00

After mounting an Azure File Share to an Azure VM and trying to restrict access to a folder within the file share, restricted users still have access. The File Share has Azure AD used for identity based access and the default Share-Level permissions are disabled. None of the users with access have a Role Assignment assigned to them.

The users access the VM with a Remote Desktop Workspace assigned to them. Any user I add to the assigned workspace has full permissions to the entire file share and can't be restricted via NTFS permissions on the folder. So it seems like there are permissions related to the group that has access to the remote desktop workspace, that give full access to all folders in the file share.

I don't know where to restrict specific permissions.

Azure Files
An Azure service that offers file shares in the cloud.

3 answers

  1. Ramya Harinarthini_MSFT 5,366 Reputation points Microsoft Employee Moderator
    2022-10-10T04:50:12.297+00:00

    Hi @Nathan Rich

    Welcome to Microsoft Q&A Forum. Thanks for posting here!

    Configure NTFS permissions over SMB

    Azure Files supports the full set of NTFS basic and advanced permissions. You can view and configure NTFS permissions on directories and files in an Azure file share by mounting the share and then using Windows File Explorer or running the Windows icacls or Set-ACL command.

    Please let us know if you have any further queries. I’m happy to assist you further.



  2. Nathan Rich 1 Reputation point
    2022-10-10T16:42:32.013+00:00

    That is what I have done. I log in to our Azure VM, then mount the file share from the storage account. I go to the properties of the folder I want to secure and remove users. However, when those users log in they can get into the folder anyway.


  3. PUTHENVEETIL, RANJITH 1 Reputation point
    2022-10-19T07:18:19.89+00:00

    It appears to be the same issue for me as well.

    You may please try the following to resolve the issue. It worked for me.

    How to remove cached credentials with storage account key and delete existing SMB connections before initializing new connection with Azure AD or AD credentials?
    You can follow the two-step process below to remove the saved credential associated with the storage account key and remove the SMB connection:

    https://learn.microsoft.com/en-us/azure/storage/files/storage-files-faq

    Run the cmdlet below in Windows Cmd.exe to remove the credential. If you cannot find one, it means that you have not persisted the credential and can skip this step.

    cmdkey /delete:Domain:target=storage-account-name.file.core.windows.net

    Delete the existing connection to the file share. You can specify the mount path as either the mounted drive letter or the storage-account-name.file.core.windows.net path.

    net use <drive-letter/share-path> /delete

    After that, try to map the drive using the command: net use [Drive Letter] \\storage-account-name.file.core.windows.net\filesharename

    See if that helps.

    Thanks

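The cleanup steps from the last answer as one PowerShell session, with a check of which credential each SMB connection to the share uses before and after. This is an added example, not part of the original thread; the storage account, share, drive letter and folder names are placeholders, and the `KeyBased` test rests on the assumption stated in the comments.

```powershell
# Placeholders (assumed values, replace with your own).
$StorageAccount = 'storage-account-name'
$ShareName      = 'filesharename'
$DriveLetter    = 'Z:'
$Folder         = 'RestrictedFolder'   # hypothetical folder whose ACL was changed
$Server         = "$StorageAccount.file.core.windows.net"

function Show-ShareConnection {
    # Lists SMB connections to the storage endpoint and the credential each one uses.
    # Assumption: a mount made with the storage account key was created with the
    # storage account name as its user, so its Credential ends in "\<account name>".
    Get-SmbConnection -ServerName $Server -ErrorAction SilentlyContinue |
        Select-Object ServerName, ShareName, UserName, Credential,
            @{ Name = 'KeyBased'; Expression = { $_.Credential -like "*\$StorageAccount" } }
}

# 1. Before: see how this logon session is authenticated to the share.
Show-ShareConnection | Format-Table -AutoSize

# 2. Remove a persisted credential for the endpoint, if one is stored.
if (cmdkey /list | Select-String -SimpleMatch $Server) {
    cmdkey "/delete:Domain:target=$Server"
}

# 3. Drop the existing connection, then map again without /user so the
#    signed-in identity is used instead of a stored key.
net use $DriveLetter /delete
net use $DriveLetter "\\$Server\$ShareName"

# 4. After: confirm the connection is no longer flagged KeyBased, then
#    review the ACL on the folder that was meant to be restricted.
Show-ShareConnection | Format-Table -AutoSize
icacls "$DriveLetter\$Folder"
```

Run it in the session of the user whose access is being tested, because drive mappings and stored credentials are per user.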
