Azure AD DS Azure Files and NTFS permissions

Robert Young 16 Reputation points

I have run into something of an issue while building out Azure Files for our Azure AD only environment.

Some background:

We have an Azure AD DS Cloud Only environment with no infrastructure on premise, so a cloud native and non-hybrid setup.

Within the subscription, I have created the storage account, the file share and configured this for Azure Active Directory Domain Services.

I am able to mount the share either in the traditional manner, or via PowerShell. I can also mount this via the storage account key. No issues there.

What I am NOT able to do from an Azure AD Joined device is set NTFS permissions as the Location that appears is the storage account: "********". I'm not able to set any NTFS permissions using our AADDS users/groups.

What I CAN do is log onto a management Server VM in Azure and set the NTFS permissions as the domain shows up correctly, however when I try to delete a file in the share as a user who has been assigned Read rights, I can still delete.

I've trawled through endless pages of Microsoft documentation without success.

Looking for a little guidance on this from someone who has either experienced this, or knows what the score is!

Thanks in advance.

1 answer
Robert Young 16 Reputation points

Thanks for getting back to me.

I have the share permissions set under Access Control (IAM) within the storage account. Despite an Azure AD user having no rights to do so, they are still able to mount the share to their Azure AD Joined laptop (in this case my test Hyper-V VM) and read, create and delete files within the share. I'm guessing that the IAM takes some time to apply the permissions to a file share, so I can wait on that taking effect if this is the case. For reference, I have set the file shares aspect of Azure Files to the below:

The key issue that my post referred to is that an Azure AD domain joined device (not hybrid, but cloud only AADDS), such as a laptop, can mount the share, but when querying the NTFS permissions that are set (having been set using an Azure based and domain joined Management VM), on the device the NTFS permissions show up as "Account Unknown" with the corresponding SID, and any deny permissions that have been set against that share are ignored, thereby allowing the user on that device to delete files that their account has been specifically set to be denied.

My thoughts are that to allow these shares to apply NTFS permissions as set, the device must be connected to Azure via a VPN. Can you confirm this is the case?
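One way to check the symptom described in this thread from the client side, as an added example that is not part of the original post: mount the share with the signed-in identity (no storage account key) and list every NTFS ACE, flagging the entries whose SID the device cannot translate back to a name, which is what appears as "Account Unknown" in the permissions dialog. The storage account name, share name and drive letter are placeholders.

```powershell
# Added example (not from the original post): audit the NTFS ACL on a mounted
# Azure Files share from an Azure AD joined device and report which ACEs refer
# to identities this device cannot resolve ("Account Unknown" in the UI).
# Placeholders: replace the storage account, share name and drive letter.
$StorageAccount = '<storage-account>'   # placeholder
$ShareName      = '<share-name>'        # placeholder
$DriveLetter    = 'Z'

$UncPath = "\\$StorageAccount.file.core.windows.net\$ShareName"

# Mount using the logged-on user's identity (Kerberos via AADDS), not the
# storage account key, so the ACL is evaluated for that user.
if (-not (Get-PSDrive -Name $DriveLetter -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name $DriveLetter -PSProvider FileSystem -Root $UncPath -Persist | Out-Null
}

function Get-ShareAclReport {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference
        # Translate the ACE principal to a SID and back to an account name;
        # an IdentityNotMappedException means this device cannot resolve it.
        $resolvable = $true
        try {
            $sid  = $id.Translate([System.Security.Principal.SecurityIdentifier])
            $null = $sid.Translate([System.Security.Principal.NTAccount])
        } catch {
            $resolvable = $false
        }
        [pscustomobject]@{
            Identity   = $id.Value
            Type       = $ace.AccessControlType   # Allow or Deny
            Rights     = $ace.FileSystemRights
            Inherited  = $ace.IsInherited
            Resolvable = $resolvable
        }
    }
}

$report = Get-ShareAclReport -Path "${DriveLetter}:\"
$report | Format-Table -AutoSize

# Unresolvable entries are the ones the dialog shows as "Account Unknown";
# a Deny ACE in that state is worth confirming against the domain joined VM.
$unresolved = @($report | Where-Object { -not $_.Resolvable })
if ($unresolved.Count -gt 0) {
    Write-Warning ("{0} ACE(s) reference identities this device cannot resolve." -f $unresolved.Count)
}
```

Run the same script on the domain joined management VM and compare the two reports: an ACE that resolves on the VM but not on the laptop points at name resolution to AADDS from the device rather than at the ACL itself.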