Azure Files share maps but only gets the Default share-level permissions

Question

Azure Files share maps but only gets the Default share-level permissions

Brian Gawith 20

I have gone through the AzFilesHybrid setup as indicated for using the Active Directory Domain Services configuration and that all checks out fine as far as I can tell. I have the default share-level permissions set to Storage File Data SMB Share Reader since for at least this test environment I don't mind having the minimum access being read only. And then I have setup a non-administrative test user in the Access Control to have Storage File Data SMB Share Contributor role for the file share. I use the provided script for Active Directory or Microsoft Entra to map the drive to the letter Z and it successfully maps without issue. However, when I try to create a new file or folder I am given the message that I need permission to perform this action. If I change the default permissions to Share Contributor and disconnect the drive and re-run the connection script, then I can write to my heart's content. If I disable the share-level permissions entirely then I am unable to map the drive at all which tells me that the IAM Access Controls are doing nothing but I am unsure as to why. But at the same time if I try to map the drive logged into the computer as a local user it fails regardless of any of the above scenarios meaning that some sort of authentication must be taking place. I'm not sure if I missed a step somewhere or if there isn't something configured correctly somewhere else within our account. So how do I make the RBAC roles actually work on a synced AD?

Accepted answer

1 additional answer

Your answer

Answer 1

Nehruji R 8,181 Microsoft External Staff Moderator

Hello Brian Gawith,

Greetings! Welcome to Microsoft Q&A Platform.

In Azure Files, when you create a file share, you can configure both share-level and file/directory-level permissions. Share-level permissions apply to the entire file share, while file/directory-level permissions apply to specific files or directories within the share.

To assign Azure Role-Based Access Control (RBAC) permissions for the Azure file share to a user group, you must create the group in Active Directory and sync it to Microsoft Entra ID. As per Azure documentation, "If you want to set share-level permissions for specific Microsoft Entra users or groups using Azure role-based access control (RBAC), then you must first sync the on-premises AD accounts to Microsoft Entra ID using Microsoft Entra Connect. Otherwise, you can use a default share-level permission." https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-multiple-forests

Because computer accounts don't have an identity in Microsoft Entra ID, you can't configure Azure role-based access control (RBAC) for them. However, computer accounts can access a file share by using a default share-level permission.

https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-assign-permissions?tabs=azure-portal

Based on your description, I understand that once you change the user default permissions to Share Contributor, you were able to successfully write in the file. This indicates that the issue might be with the permissions assigned to the specific users or groups. You can try assigning the required permissions to the specific users or groups and check if the issue is resolved.

Also, IAM Access Controls are used to manage access to Azure resources and services. They are not related to Azure Files share permissions. If you are unsure about the access controls, please review the below Microsoft documentation Overview - Azure Files identity-based authentication | Microsoft Learn for guidance.

Hope this answer helps! If yes please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Brian Gawith 20 Reputation points

2024-01-22T13:50:27.2566667+00:00

Ok I must be confused as to where I set the RBAC permissions then because the documentation indicates that I go to the SMB File Share in the portal and then click on Access Control (IAM) and then add Role Assignments. I added my test user John Doe as a Storage File Data SMB Share Contributor, and that user is synced between our local AD and Azure.
Nehruji R 8,181 Reputation points Microsoft External Staff Moderator

2024-02-01T11:46:35.8333333+00:00

Ok, I understand that you would like to know about setting the RBAC roles assignment to an file share and IAM controls.

To set RBAC roles for Azure file shares, you can assign share-level permissions to specific Microsoft Enterprise users or groups, and you can assign them to all authenticated identities as a default share-level permission. Once you’ve enabled an Active Directory (AD) source for your storage account, you must configure share-level permissions in order to get access to your file share. You can assign an Azure role to a Microsoft Enterprise identity using the Azure portal.

To make RBAC roles work on a synced AD, you must configure share-level permissions in order to get access to your file share. Once you’ve enabled an Active Directory (AD) source for your storage account, you can assign share-level permissions to specific Microsoft Entra users/groups, and you can assign them to all authenticated identities as a default share-level permission.

If you intend to use a specific Microsoft Entra user or group to access Azure file share resources, that identity must be a hybrid identity that exists in both on-premises AD DS and Microsoft Entra ID. For example, say you have a user in your AD that is ******@onprem.contoso.com and you have synced to Microsoft Entra ID as ******@contoso.com using Microsoft Entra Connect Sync or Microsoft Entra Connect cloud sync. For this user to access Azure Files, you must assign the share-level permissions to ******@contoso.com. The same concept applies to groups and service principals.

refer - Control access to Azure file shares by assigning share-level permissions | Microsoft Learn for more information on creating the RBAC roles and describes about syncing your AD with on-premises environment configurations as well.
Brian Gawith 20 Reputation points

2024-02-05T23:10:22.12+00:00

I'm not sure if I missed something in the documentation but I was able to get the permissions to work correctly if I used a group synced from the Local AD to Azure, but not individual users that are also synced from the Local AD to Azure.
Nehruji R 8,181 Reputation points Microsoft External Staff Moderator

2024-02-06T14:58:53.46+00:00

Hi Brian Gawith, If the issue persists, it might require a deeper investigation. If you have a support plan, please raise a support ticket or else please send an email with subject line “Attn:subm” to AzCommunity[at]Microsoft[dot]com referencing this thread and the Azure subscription ID. Apologies for any inconvenience with this issue. Thanks for your patience and co-operation.
Nehruji R 8,181 Reputation points Microsoft External Staff Moderator

2024-02-12T09:29:55.6266667+00:00

Hi Brian, following up to see if you had a chance to send the requested details to above mentioned email address.
Nehruji R 8,181 Reputation points Microsoft External Staff Moderator

2024-02-15T05:13:39.62+00:00

Hi Brain, just checking in to see if you had a chance to send the requested details for further proceed with offline traction.
Brian Gawith 20 Reputation points

2024-02-15T13:53:48.14+00:00

We unfortunately do not have a support plan. However, using the group, though a little more effort than I wanted to put in on the test, was able to at least allow me to connect a user and unfortunately it increased the load time of the associated application significantly. It would normally only take about 30-45 seconds to open, when attempting to pull files from Azure on load it increased it to about 3 minutes. So not ideal. But that was only 1 test of many I have planned I just have not had the capacity to move forward on any other tests.

Answer 2

Brian Gawith 20

I was able to get the RBAC role assignments to work when using an AD Synchronized group with the wanted users in that group and then the roles assigned to the group.

Nehruji R 8,181 Reputation points Microsoft External Staff Moderator

2024-02-19T05:45:50.87+00:00

Brian Gawith, I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this!

Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others ", I'll repost your solution in case you'd like to "Accept " the answer. Accepted answers show up at the top, resulting in improved discoverability for others.

Issue: Customer was facing issues in accessing the file share in hybrid environment.

Error Message: Getting permission/authorization error

Solution: the RBAC role assignments to work when using an AD Synchronized group with the wanted users in that group and then the roles assigned to the group.

Share via

Azure Files share maps but only gets the Default share-level permissions

1 additional answer

Your answer