@petersonal Firstly, apologies for the delay in responding here and any inconvenience this issue may have caused.
Regarding your question, we have logging for read/write/delete operations.
When using AD DS authentication, they need to look at SmbPrimarySID in the logs to determine the user that performed the operation.
Also, if they want to monitor for deletes that were performed over SMB, they need to look at the SMB minor command to determine if the file was deleted.
Example from storage logs: { "time": "2020-07-21T16:39:42.8712810Z", "resourceId": "/subscriptions/SubID_Removed/resourceGroups/afs/providers/Microsoft.Storage/storageAccounts/saname/fileServices/default", "category": "StorageWrite", "operationName": "Close", "operationVersion": "3.0", "schemaVersion": "1.0", "statusCode": 0, "durationMs": 3, "callerIpAddress": "IP_Removed", "correlationId": "d62bfd52-901d-0077-007d-5fa62a000000", "identity": {"type":"Kerberos","requester":{"smbPrimarySID":"S-1-5-99-2128259027-3510468894-3109476588-2110"}}, "location": "West US", "properties": {"accountName":"saname","etag":"0x8d82d949eb5ace","serviceType":"file","lastModifiedTime":"2020/07/21 16:39:19.7636302","serverLatencyMs":3,"operationCount":0,"requestHeaderSize":64,"requestBodySize":24,"responseHeaderSize":64,"responseBodySize":112,"smbSessionId":97576756713163325,"smbTreeConnectID":5,
"smbPersistentHandleID":7979073622,"smbVolatileHandleID":18446744069415632993,"smbCreditsConsumed":1,"smbMessageID":557,"smbCommandMajor":6,"smbCommandMinor":"FileCloseAndDelete","smbCommandDetail":"Detail=Client","smbFileId":13835093239654252544}, "uri": [\\saname.file.core.windows.net\westus\Azure Files\Azure Files Overview.pptx], "protocol": "SMB", "resourceType": "Microsoft.Storage/storageAccounts/fileServices"}
Please let us know if you have any further queries. I’m happy to assist you further.
Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.