Some issues here. Working with Microsoft Support for over a week with no resolution. Any update on this case?
I'm unable to add Azure users to NTFS permissions for file share (Azure Files, AAD DS-joined)
I am trying to set up a file share on Azure Files so that I can use it to store my FSLogix profiles for an Azure Virtual Desktop environment. I'm following this MS guide: https://learn.microsoft.com/en-us/azure/virtual-desktop/create-profile-container-azure-ad
However, I am stuck when it comes to adding the NTFS permissions on the mounted share. I have tried doing this by both the GUI and using icacls. By the GUI, I cannot add the Azure group because the "location" in the ACL dialog box is set to <storageaccountname>.file.core.windows.net. If I try to change this to my AAD DS domain (mydomain.onmicrosoft.com) I just get prompted for credentials, and nothing works - it just loops. If I try and edit the permissions by icacls I get "there is no mapping between account names and SID".
It's basically like the file share can't talk to AD DS? But it seems to have joined successfully in the Azure management GUI, and the Azure Virtual Desktops have all joined OK (e.g. I can log in with Azure AD user credentials to the VM).
4 answers
-
Limitless Technology 43,926 Reputation points
2023-01-26T16:32:47.3+00:00
Hi. Thank you for your question and reaching out. I’d be more than happy to help you with your query.
If you are unable to add Azure users to NTFS permissions for a file share on Azure Files that is AAD DS-joined, it could be caused by a few different issues. Here are a few troubleshooting steps you can try:
- Check the Azure Active Directory (AAD) Domain Services (DS) settings: Make sure that your Azure Files storage account is correctly configured with AAD DS. You can check this by going to the "Active Directory" section in the Azure portal, and verifying that your storage account is showing as "AAD DS-joined".
- Make sure that the NTFS permissions on the file share are set correctly. You can check this by right-clicking on the file share and going to "Properties", then "Security" tab. Make sure that the users you want to give access to have the appropriate permissions.
- Check the Azure AD group membership: Make sure that the Azure AD group that you are trying to add to the NTFS permissions has the correct members. You can check this by going to the Azure AD portal and viewing the group properties.
- Check the Azure AD users: Make sure that the Azure AD users you are trying to add to the NTFS permissions are not disabled or deleted. You can check this by going to the Azure AD portal and viewing the user properties.
- Check if the storage account is in the same tenant as the AAD DS instance: Make sure that the storage account and the A
If the reply was helpful, please don’t forget to upvote or accept as answer, thank you.
-
D Chamberlain 5 Reputation points
2023-01-27T10:20:16.98+00:00
- Check the Azure Active Directory (AAD) Domain Services (DS) settings: Make sure that your Azure Files storage account is correctly configured with AAD DS. You can check this by going to the "Active Directory" section in the Azure portal, and verifying that your storage account is showing as "AAD DS-joined". It is AAD DS-joined.
- Make sure that the NTFS permissions on the file share are set correctly. You can check this by right-clicking on the file share and going to "Properties", then "Security" tab. Make sure that the users you want to give access to have the appropriate permissions. This is the problem - I am trying to add a group to the NTFS permissions, but am unable. That is because the "location" is wrong (see screenshot). It is showing the name of the storage account instead of my Azure domain, so when I try to add the Azure group they are unable to be found.
- Check the Azure AD group membership: Make sure that the Azure AD group that you are trying to add to the NTFS permissions has the correct members. You can check this by going to the Azure AD portal and viewing the group properties. Azure group membership is correct, but I am unable to add it.
- Check the Azure AD users: Make sure that the Azure AD users you are trying to add to the NTFS permissions are not disabled or deleted. You can check this by going to the Azure AD portal and viewing the user properties. N/A
- Check if the storage account is in the same tenant as the AAD DS instance: It is, and both the VM and storage account are Azure domain-joined.
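
The icacls error quoted in the question is a name-to-SID lookup failure, so one way to narrow it down is to attempt the same lookup directly on the machine where the share is mounted. The following is an added example, not part of the original thread or of Microsoft's guide; the function name `Test-AccountSidMapping` and the group name `MYDOMAIN\AVD-Users` are placeholders.

```powershell
# Added diagnostic example. Function name and group name are hypothetical placeholders.
function Test-AccountSidMapping {
    param(
        [Parameter(Mandatory)]
        [string] $AccountName   # e.g. 'MYDOMAIN\AVD-Users' (constructed sample value)
    )

    # Report whether this machine is domain-joined and to which domain.
    # A machine that is not joined to the domain generally cannot resolve
    # that domain's group names to SIDs.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    $result = [ordered]@{
        Computer     = $env:COMPUTERNAME
        PartOfDomain = $cs.PartOfDomain
        Domain       = $cs.Domain
        Account      = $AccountName
        Sid          = $null
        Error        = $null
    }

    try {
        # Same kind of name-to-SID translation that the ACL editor and icacls depend on.
        $nt  = [System.Security.Principal.NTAccount]::new($AccountName)
        $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier])
        $result.Sid = $sid.Value
    }
    catch {
        # Unwrap PowerShell's method-invocation wrapper to get the real cause,
        # typically IdentityNotMappedException when the name cannot be resolved.
        $base = $_.Exception.GetBaseException()
        $result.Error = "$($base.GetType().Name): $($base.Message)"
    }

    [pscustomobject]$result
}

# Run on the machine where the share is mounted.
Test-AccountSidMapping -AccountName 'MYDOMAIN\AVD-Users'
```

If `Sid` comes back empty and `PartOfDomain` is false or `Domain` is not the expected AAD DS domain, the lookup failure is on the client side rather than in the share's ACL.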