I'm unable to add Azure users to NTFS permissions for file share (Azure FIles, AAD DS-joined)

D Chamberlain 5 Reputation points
2023-01-25T12:16:25.61+00:00

I am trying to set up a file share on Azure Files so that I can use it to store my FSLogix profiles for an Azure Virtual Desktop environment. I'm following this MS guide: https://learn.microsoft.com/en-us/azure/virtual-desktop/create-profile-container-azure-ad

However, I am stuck when it comes to adding the NTFS permissions on the mounted share. I have tried doing this by both the GUI and using icacls. By the GUI, I cannot add the Azure group because the "location" in the ACL dialog box is set to <storageaccountname>.file.core.windows.net. If I try to change this to my AAD DS domain (mydomain.onmicrosoft.com) I just get prompted for credentials, and nothing works - it just loops. If I try and edit the permissions by icacls I get "there is no mapping between account names and SID".

It's basically like the file share can't talk to AD DS? But it seems to have joined successfully in the Azure management GUI, and the Azure Virtual Desktops have all joined OK (e.g. I can log in with Azure AD user credentials to the VM).


4 answers

  1. Max Crookston 10 Reputation points
    2023-04-27T15:00:14.1833333+00:00

    Some issues here. working with Microsoft Support for over a week with no resolution. Any update on this case?

    2 people found this answer helpful.

  2. Limitless Technology 43,926 Reputation points
    2023-01-26T16:32:47.3+00:00

    Hi. Thank you for your question and reaching out. I’d be more than happy to help you with your query.

    If you are unable to add Azure users to NTFS permissions for a file share on Azure Files that is AAD DS-joined, it could be caused by a few different issues. Here are a few troubleshooting steps you can try:

    1. Check the Azure Active Directory (AAD) Domain Services (DS) settings: Make sure that your Azure Files storage account is correctly configured with AAD DS. You can check this by going to the "Active Directory" section in the Azure portal, and verifying that your storage account is showing as "AAD DS-joined".
    2. Make sure that the NTFS permissions on the file share are set correctly. You can check this by right-clicking on the file share and going to "Properties", then "Security" tab. Make sure that the users you want to give access to have the appropriate permissions.
    3. Check the Azure AD group membership: Make sure that the Azure AD group that you are trying to add to the NTFS permissions has the correct members. You can check this by going to the Azure AD portal and viewing the group properties.
    4. Check the Azure AD users: Make sure that the Azure AD users you are trying to add to the NTFS permissions are not disabled or deleted. You can check this by going to the Azure AD portal and viewing the user properties.
    5. Check if the storage account is in the same tenant as the AAD DS instance: Make sure that the storage account and the A

    If the reply was helpful, please don’t forget to upvote or accept as answer, thank you.

    1 person found this answer helpful.
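    The question above describes the procedure (mount the share, then set NTFS ACLs with icacls) and the answer above lists the checks to run. The following PowerShell script is an added example that is not part of this thread or of any Microsoft documentation; it runs the same checks with the Az module instead of the portal, mounts the share with the storage account key (so the ACL write does not depend on the identity-based path that is failing), and grants the group by its SID rather than by name, which is the usual way around "there is no mapping between account names and SIDs" when name resolution is the only thing that is broken. All names (resource group, storage account, share, group, drive letter) are assumed placeholders; it is meant to be run on an AAD DS-joined VM where the Az PowerShell module is installed and `Connect-AzAccount` has been run.

```powershell
# Added example (not from the thread or Microsoft docs). All values below are assumed placeholders.
$ResourceGroup  = 'rg-avd'                      # assumed
$StorageAccount = 'stavdprofiles'               # assumed
$ShareName      = 'profiles'                    # assumed
$GroupAccount   = 'MYDOMAIN\AVD Users'          # assumed AAD DS group, DOMAIN\name form
$DriveLetter    = 'Z'                           # assumed free drive letter

# --- Check 1 & 5: the storage account's directory service setting and tenant ---
# AzureFilesIdentityBasedAuth is the property behind the portal's "Active Directory" blade.
$sa   = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount
$auth = $sa.AzureFilesIdentityBasedAuth
Write-Host "DirectoryServiceOptions : $($auth.DirectoryServiceOptions)"   # expect AADDS for an AAD DS join
Write-Host "Signed-in tenant        : $((Get-AzContext).Tenant.Id)"
if ($auth.DirectoryServiceOptions -ne 'AADDS') {
    throw "Storage account is not configured for AAD DS (got '$($auth.DirectoryServiceOptions)')."
}

# --- Check 3 & 4: group exists, has members, and its members are enabled ---
$groupName = $GroupAccount.Split('\')[-1]
$group = Get-AzADGroup -DisplayName $groupName
if (-not $group) { throw "Azure AD group '$groupName' not found in this tenant." }
$members = Get-AzADGroupMember -GroupDisplayName $groupName
Write-Host "Group '$groupName' has $($members.Count) member(s)."
foreach ($m in $members) {
    if ($m.UserPrincipalName) {
        $u = Get-AzADUser -UserPrincipalName $m.UserPrincipalName
        if (-not $u.AccountEnabled) { Write-Warning "Member $($m.UserPrincipalName) is disabled." }
    }
}

# --- Resolve the group to a SID via the VM's own domain membership ---
# On an AAD DS-joined VM this succeeds even when the file server cannot map names itself.
$sid = ([System.Security.Principal.NTAccount]$GroupAccount).Translate(
          [System.Security.Principal.SecurityIdentifier]).Value
Write-Host "Resolved $GroupAccount to $sid"

# --- Mount with the storage account key (admin session only) to write the ACL ---
$key  = (Get-AzStorageAccountKey -ResourceGroupName $ResourceGroup -Name $StorageAccount)[0].Value
$cred = New-Object System.Management.Automation.PSCredential(
            "Azure\$StorageAccount", (ConvertTo-SecureString $key -AsPlainText -Force))
$root = "\\$StorageAccount.file.core.windows.net\$ShareName"
New-PSDrive -Name $DriveLetter -PSProvider FileSystem -Root $root -Credential $cred | Out-Null

# --- Check 2 / the actual change: grant Modify to the group by SID (leading '*' = SID literal) ---
# ${sid} braces are required: "$sid:" would otherwise parse as a drive-qualified variable.
icacls "${DriveLetter}:\" /grant "*${sid}:(OI)(CI)(M)"
icacls "${DriveLetter}:\"            # print the resulting ACL for review

Remove-PSDrive -Name $DriveLetter    # drop the key-based mount when done
```

    The grant uses Modify rather than Full Control and is applied once from an administrative session mounted with the account key; day-to-day access then goes through the identity-based path. If the SID-based icacls call also fails, the problem is not name resolution but the share's identity configuration itself, which is what checks 1 and 5 are meant to surface.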

  3. Limitless Technology 43,926 Reputation points
    2023-01-26T16:32:57.77+00:00

    double post

    1 person found this answer helpful.

  4. D Chamberlain 5 Reputation points
    2023-01-27T10:20:16.98+00:00

    1. Check the Azure Active Directory (AAD) Domain Services (DS) settings: Make sure that your Azure Files storage account is correctly configured with AAD DS. You can check this by going to the "Active Directory" section in the Azure portal, and verifying that your storage account is showing as "AAD DS-joined". It is AAD DS-joined.
    2. Make sure that the NTFS permissions on the file share are set correctly. You can check this by right-clicking on the file share and going to "Properties", then "Security" tab. Make sure that the users you want to give access to have the appropriate permissions. This is the problem - I am trying to add a group to the NTFS permissions, but am unable to. That is because the "location" is wrong (see screenshot). It is showing the name of the storage account instead of my Azure domain, so when I try to add the Azure group they are unable to be found.
    3. Check the Azure AD group membership: Make sure that the Azure AD group that you are trying to add to the NTFS permissions has the correct members. You can check this by going to the Azure AD portal and viewing the group properties. Azure group membership is correct, but I am unable to add it.
    4. Check the Azure AD users: Make sure that the Azure AD users you are trying to add to the NTFS permissions are not disabled or deleted. You can check this by going to the Azure AD portal and viewing the user properties. N/A
    5. Check if the storage account is in the same tenant as the AAD DS instance. It is, and both the VM and storage account are Azure domain-joined.
    1 person found this answer helpful.