Hello Bojan Zivkovic,
Thank you for posting your query here!
You can use Azure RBAC roles which allow you to grant share-level permissions to users in the synced forest.
For users from non-synced forests, employing default share-level permissions applicable to all authenticated identities ensures that they can still access the Azure File Shares using Azure AD authentication. https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-assign-permissions#share-level-permissions-for-all-authenticated-identities
You can configure domain suffixes and modify the storage account's SPN suffix to enable cross-forest authentication, allowing users from different forests to authenticate against the Azure AD tenant. https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-multiple-forests#configure-domain-suffixes
Considerations for security:
· Managing access via network rules and only allowing connections from permitted networks enhances network security, ensuring that access to Azure File Shares is restricted to authorized networks.
· Implementing SMB 3.0 and opening port 445 ensures secure, region-independent access to Azure File Shares. This is crucial for maintaining secure communication between the Bastion Servers and the Azure File Shares.
For further details, please refer to: Use Azure Files with multiple Active Directory (AD) forests | Microsoft Learn
End-user experience:
The end-user experience for accessing Azure File Shares from non-synced forests, once configured and mapped as network drives, would be similar to accessing any other network share.
Once the Azure File Share is configured and permissions are set, users can map it as a network drive on their local machines or Bastion Servers.
Once the drive is mapped, users can access files and folders on the Azure File Share using familiar file explorer interfaces.
Do let us know if you have any further queries. I’m happy to assist you further.
Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, as this can be beneficial to other community members.
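The steps above (RBAC for the synced forest, a default share-level permission for non-synced forests, an SPN suffix for cross-forest Kerberos, and network rules restricted to the Bastion subnet) as one added PowerShell walkthrough; this is illustrative code, not from the answer or from Microsoft, and every resource name, user and subnet ID is a placeholder, with the modules (Az.Storage, Az.Resources, ActiveDirectory) and a prior Connect-AzAccount assumed.

```powershell
# Added example, not part of the original answer. All names below are placeholders.
# Assumes Az.Storage, Az.Resources and RSAT ActiveDirectory modules, and Connect-AzAccount already run.

$rg          = 'rg-fileshares'        # placeholder resource group
$account     = 'stfiles01'            # placeholder storage account (also its AD computer object name)
$share       = 'bastion-share'        # placeholder file share
$syncedUser  = 'alice@contoso.com'    # placeholder: user from the forest synced to the tenant
$otherSuffix = 'fabrikam.local'       # placeholder: DNS suffix of a non-synced forest
$bastionSubnet = '/subscriptions/<sub-id>/resourceGroups/rg-net/providers/Microsoft.Network/virtualNetworks/vnet-hub/subnets/bastion'

# 1. Synced forest: share-level access via an Azure RBAC role scoped to the single share only.
$shareScope = "/subscriptions/$((Get-AzContext).Subscription.Id)/resourceGroups/$rg" +
              "/providers/Microsoft.Storage/storageAccounts/$account/fileServices/default/fileshares/$share"
New-AzRoleAssignment -SignInName $syncedUser `
    -RoleDefinitionName 'Storage File Data SMB Share Contributor' `
    -Scope $shareScope

# 2. Non-synced forests: a default share-level permission for all authenticated identities.
#    Reader is the least-privilege starting point; NTFS ACLs still govern file-level access.
Set-AzStorageAccount -ResourceGroupName $rg -AccountName $account `
    -DefaultSharePermission 'StorageFileDataSmbShareReader'

# 3. Cross-forest Kerberos: add an SPN carrying the other forest's suffix to the
#    storage account's AD computer object (run from a domain-joined admin host).
Set-ADComputer -Identity $account `
    -ServicePrincipalNames @{ Add = "cifs/$account.$otherSuffix" }

# 4. Network hardening: deny by default, then allow only the Bastion subnet
#    (the subnet needs the Microsoft.Storage service endpoint enabled).
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $account -DefaultAction Deny
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $account `
    -VirtualNetworkResourceId $bastionSubnet

# 5. Verify: default permission applied, SPN registered, and TCP 445 reachable from a Bastion server.
$acct = Get-AzStorageAccount -ResourceGroupName $rg -Name $account
$acct.AzureFilesIdentityBasedAuth.DefaultSharePermission
(Get-ADComputer -Identity $account -Properties ServicePrincipalName).ServicePrincipalName
Test-NetConnection -ComputerName "$account.file.core.windows.net" -Port 445 |
    Select-Object ComputerName, TcpTestSucceeded
```

Run step 3 in the forest that holds the storage account's computer object and repeat the SPN entry for each additional suffix; the final Test-NetConnection should report TcpTestSucceeded as True from a host inside the allowed subnet and False elsewhere.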