Seeking Guidance on Azure Files Shares Access Setup

Question

We're currently exploring efficient methods to configure access to Azure Files shares, similar to our past practices. Previously, we typically granted broad permissions to everyone at the share level and then utilized NTFS permissions to control access to specific contents or subfolders.

For instance, we need to provide access to a share for a specific business unit, where some users require write access to certain folders while others need read-only access.

 

In our testing, we've attempted to replicate this setup in Azure. We've configured Share Permissions via the portal, assigning permissions to relevant groups such as "Group 1" and "Group 2." We've also set NTFS Permissions via SMB access, specifying access rights for different folders and groups.

 

However, this approach appears complex and potentially difficult to manage in the long term. We're curious if there are more streamlined methods or best practices for achieving similar access control within Azure Files shares.

 

Considering our Azure AD DS authentication setup, we're open to alternative strategies. One option we're contemplating is mirroring our on-premises approach by enabling default access for authenticated users at the share level and then utilizing NTFS permissions for restriction. However, we're unsure if this aligns with policy requirements.

 

Could you provide recommendations or insights into the most efficient way to set up access to Azure Files shares, particularly for scenarios requiring differentiated permissions for various user groups? Additionally, are there any features or functionalities within Azure that could simplify access management in such configurations?

 

Your expertise and guidance on this matter would be greatly appreciated.

 

Thank you.

#Sumanth Marigowda

Answer 1

@Mikko Haukkala Welcome to Microsoft Q&A Forum, Thank you for posting your query here!

Currently, the sole method at our disposal involves setting share-level permissions through RBAC and configuring ACLs using Explorer or the SMB mount iacls command. We are working on it , Presently I don't have ETA.

To configure access to Azure Files shares, you need to follow these steps:

1. Create and configure Azure file shares by creating a storage account, creating a file share, enabling SMB Multichannel, configuring identity, setting a default share-level permission, and mounting the Azure file share using your storage account key. You can refer to Configure Azure Files for HPC Pack for detailed steps.
2. Configure and use HPC Pack file shares by creating Azure file shares and configuring Windows ACLs according to the original file share. You can refer to Configure HPC Pack with Azure Files for detailed steps.

Please note that these steps are general guidelines and may need to be adjusted based on your specific requirements and environment.

Additional information:

When it comes to setting up access to Azure Files shares, there are a few best practices that you can follow to ensure efficient and secure access management:

Use Azure AD DS for authentication: Azure AD DS provides a managed domain service that can be used to authenticate users and computers in Azure. By using Azure AD DS, you can leverage your existing on-premises Active Directory infrastructure and extend it to the cloud. This can simplify access management and reduce the need for complex permission configurations.

Use RBAC to manage access: Azure Role-Based Access Control (RBAC) can be used to manage access to Azure resources, including Azure Files shares. By using RBAC, you can assign roles to users or groups that define the level of access they have to Azure Files shares. This can simplify access management and reduce the need for complex permission configurations.

Use Azure AD groups for access management: Azure AD groups can be used to manage access to Azure Files shares. By creating groups and assigning permissions to those groups, you can simplify access management and reduce the need for complex permission configurations.

Use Azure Files ACLs for fine-grained access control: Azure Files Access Control Lists (ACLs) can be used to provide fine-grained access control to files and folders within Azure Files shares. By using ACLs, you can assign permissions to individual files and folders, rather than relying on broad permissions at the share level.

Use Azure Policy to enforce access policies: Azure Policy can be used to enforce access policies for Azure resources, including Azure Files shares. By using Azure Policy, you can ensure that access to Azure Files shares is compliant with your organization's policies and standards.

In terms of your specific scenario, it may be beneficial to use a combination of RBAC, Azure AD groups, and Azure Files ACLs to manage access to Azure Files shares. By assigning roles to groups and using ACLs to provide fine-grained access control, you can simplify access management and reduce the need for complex permission configurations.

Additionally, you may want to consider using Azure Policy to enforce access policies for Azure Files shares. This can help ensure that access to Azure Files shares is compliant with your organization's policies and standards.

Overall, the key to efficient access management for Azure Files shares is to use a combination of best practices and tools to simplify access management and reduce the need for complex permission configurations.

Please let us know if you have any further queries. I’m happy to assist you further. 

---

 Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.