On-premises AD DS authentication with Azure Files

Question

Hello,

our application (computer accounts) need full control permission to File share in Windows so I'm planning to use On-premises AD DS authentication with Azure Files. Do I need to create group that contains those computers account and sync them to cloud and then give that group e.g Storage File Data SMB Share Contributor rbac or should it work without syncing with just enabling default share-level permission? Referring to this docs but are a bit confused: https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-assign-permissions?tabs=azure-portal#which-configuration-should-you-use

Computer account do not have identity in AAD and at least in our company they are synced by default so I'm wondering how should this be done.

Answer 1

@Wool Sock Thank you for reaching out to Microsoft Q&A. I understand that you have issues with your

If you are unable to sync your on-premises AD DS to Azure AD, you can use a default share-level permission. Assigning a default share-level permission allows you to work around the sync requirement because you don't need to specify the permission to identities in Azure AD. Then you can use Windows ACLs for granular permission enforcement on your files and directories.

For more details, please refer to- https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-assign-permissions?tabs=azure-portal#which-configuration-should-you-use

Does this answer your question? If not, please do let me know. Thanks!

Remember:

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

Want a reminder to come back and check responses? Here is how to subscribe to a notification.