Azure AD DS Azure Files and NTFS permissions

Question

Azure AD DS Azure Files and NTFS permissions

Robert Young 26

I have run into something of an issue while building out Azure Files for our Azure AD only environment.

Some background:

We have an Azure AD DS Cloud Only environment with no infrastructure on premise, so a cloud native and non-hybrid setup.

Within the subscription, I have created the storage account, the file share and configured this for Azure Active Directory Domain Services.

I am able to mount the share either in the traditional manner, or via PowerShell. I can also mount this via the storage account key. No issues there.

What I am NOT able to do from an Azure AD Joined device is set NTFS permissions as the Location that appears is the storage account: "********.file.core.windows.net". I'm not able to set any NTFS permissions using our AADDS users/groups.

What I CAN do is log onto a management Server VM in Azure and set the NTFS permissions as the domain shows up correctly, however when I try to delete a file in the share as a user who has been assigned Read rights, I can still delete.

I've trawled through endless pages of Microsoft documentation without success.

Looking for a little guidance on this from someone who has either experienced this, or knows what the score is!

Thanks in advance.

SaiKishor-MSFT 17,336 Reputation points

2022-11-23T19:23:57.213+00:00

@Robert Young Thanks for reaching out to Microsoft Q&A. I understand that you are having issues with Azure Files where you are unable to set NTFS permissions.

Can you confirm if you have assigned share level permissions as shown here before assigning NTFS permissions? https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-assign-permissions?tabs=azure-portal

1 answer

Your answer

SaiKishor-MSFT 17,336 Reputation points

2022-11-23T19:23:57.213+00:00

@Robert Young Thanks for reaching out to Microsoft Q&A. I understand that you are having issues with Azure Files where you are unable to set NTFS permissions.

Can you confirm if you have assigned share level permissions as shown here before assigning NTFS permissions? https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-assign-permissions?tabs=azure-portal

Answer 1

@SaiKishor-MSFT

Thanks for getting back to me.

I have the share permissions set under Access Control (IAM) within the storage account which despite an Azure AD user having no rights to do so, they are still able to mount the share to their Azure AD Joined laptop (in this case my test Hyper-V VM) and read, create and delete files within the share. I'm guessing that the IAM takes some time to apply the permissions to a file share, so I can wait on that taking effect if this is the case. For reference, I have set the file shares aspect of Azure Files to the below:

The key issue that my post referred to is that an Azure AD domain joined (not hybrid but cloud only AADDS), device such as a laptop, can mount the share, but when querying the NTFS permissions that are set (having been set using an Azure based and domain joined Management VM), on the device the NTFS permissions show us as "Account Unknown" with the corresponding SID and any deny permissions that have been set against that share are ignored, thereby allowing the user on that device to delete files that their account has been specifically set to be denied.

My thoughts are that to allow these shares to apply NTFS permissions as set, the device must be connected to Azure via a VPN. Can you confirm this is the case?

SaiKishor-MSFT 17,336 Reputation points

2022-12-02T21:22:52.763+00:00

@Robert Young I apologize for the delay in responding to your issue.

Thanks for all the information. Are you using ADDS cloud only and want to sync an on-premise device to this ADDS to use with File share?

Please provide the exact document/steps you used to setup your environment so I can understand better. Thank you!

Share via

Azure AD DS Azure Files and NTFS permissions

1 answer

Your answer