@Xiwei Zhang Welcome to Microsoft Q&A Forum, Thank you for posting your query here!
To enable Active Directory authentication for Azure Files using the AzFilesHybrid PowerShell module, the account that executes the script must have the following permissions:
- The account must be a member of the Storage File Data SMB Share Contributor role for the storage account that contains the file share you want to enable for Active Directory authentication. This role allows the account to manage SMB shares and files in the storage account.
- The account must have permissions to create and manage Azure AD resources, such as Azure AD users and groups. This can be achieved by assigning the account to the Global Administrator role in Azure AD or by assigning the account to a custom role that has the required permissions.
Note that granting the account the Storage Account Contributor role or the Storage Account Owner role is not sufficient to enable Active Directory authentication for Azure Files. These roles provide permissions to manage the storage account, but they do not provide permissions to manage SMB shares and files in the storage account.
Assign share-level permissions: https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-assign-permissions?tabs=azure-portal
Additional information: Authenticate with your Microsoft Entra account
To switch to using your Microsoft Entra account, select the link highlighted in the image that says Switch to Microsoft Entra user account. If you have the appropriate permissions via the Azure roles that are assigned to you, you'll be able to proceed. However, if you lack the necessary permissions, you'll see an error message that you don't have permissions to list the data using your user account with Microsoft Entra ID.
Two additional RBAC permissions are required to use your Microsoft Entra account:
- Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/action
- Microsoft.Storage/storageAccounts/fileServices/writeFileBackupSemantics/action
No file shares will appear in the list if your Microsoft Entra account lacks permissions to view them.
Authenticate with the storage account access key
To switch to using the account access key, select the link that says Switch to access key. If you have access to the storage account key, then you'll be able to proceed. However, if you lack access to the account key, you'll see an error message that you don't have permissions to use the access key to list data.
No file shares appear in the list if you don't have access to the storage account access key.
To access file data with the storage account access key, you must have an Azure role assigned to you that includes the Azure RBAC action Microsoft.Storage/storageAccounts/listkeys/action. This Azure role may be a built-in role or a custom role. Built-in roles that support Microsoft.Storage/storageAccounts/listkeys/action include the following, listed in order from least to greatest permissions:
- The Reader and Data Access role
- The Storage Account Contributor role
- The Azure Resource Manager Contributor role
- The Azure Resource Manager Owner role
When you attempt to access file data in the Azure portal, the portal first checks whether you've been assigned a role with Microsoft.Storage/storageAccounts/listkeys/action. If you've been assigned a role with this action, then the portal uses the storage account key for accessing file data. If you haven't been assigned a role with this action, then the portal attempts to access data using your Microsoft Entra account.
See also
- Access Azure file shares using Microsoft Entra ID with Azure Files OAuth over REST
- Authorize access to data in Azure Storage
Please let us know if you have any further queries. I’m happy to assist you further.
Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.
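As an added illustration of the role checks described in the answer above (not code from the answer or from Microsoft), the following PowerShell snippet lists the role assignments the signed-in user holds on a storage account, tests them for the listkeys and file backup-semantics actions, and reports which path the portal would take. It assumes the Az.Accounts and Az.Resources modules, an existing Connect-AzAccount session with a user account, and placeholder resource group and storage account names.

```powershell
# Added example, not part of the original answer. Resource group and storage
# account names below are placeholders; replace them with your own values.
$resourceGroup  = 'rg-placeholder'
$storageAccount = 'stplaceholder'
$ctx   = Get-AzContext
$scope = "/subscriptions/$($ctx.Subscription.Id)/resourceGroups/$resourceGroup" +
         "/providers/Microsoft.Storage/storageAccounts/$storageAccount"

# Assignments at this scope plus those inherited from the resource group,
# subscription and management group; -ExpandPrincipalGroups also includes
# roles granted through Entra group membership.
$assignments = Get-AzRoleAssignment -Scope $scope -SignInName $ctx.Account.Id -ExpandPrincipalGroups

function Test-ActionGranted {
    param([string]$Action, [object[]]$Assignments)
    foreach ($a in $Assignments) {
        $def = Get-AzRoleDefinition -Id $a.RoleDefinitionId
        # Role definitions may use wildcards such as '*' or 'Microsoft.Storage/*';
        # -like treats '*' as a wildcard, and NotActions subtract from Actions.
        $allowed = $def.Actions    | Where-Object { $Action -like $_ }
        $denied  = $def.NotActions | Where-Object { $Action -like $_ }
        if ($allowed -and -not $denied) { return $true }
    }
    return $false
}

$listKeys = Test-ActionGranted -Assignments $assignments `
    -Action 'Microsoft.Storage/storageAccounts/listkeys/action'
$readSem  = Test-ActionGranted -Assignments $assignments `
    -Action 'Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/action'
$writeSem = Test-ActionGranted -Assignments $assignments `
    -Action 'Microsoft.Storage/storageAccounts/fileServices/writeFileBackupSemantics/action'

# Mirror the portal's order: the access key path is checked first.
if ($listKeys) {
    Write-Output 'Portal will browse file data with the storage account access key (listkeys/action is granted).'
} elseif ($readSem -and $writeSem) {
    Write-Output 'Portal will browse file data with your Microsoft Entra account (both backup-semantics actions are granted).'
} else {
    Write-Output 'Neither path is authorized; expect a "no permission to list data" error in the portal.'
}
```

Running this before opening the file share browser in the portal shows which of the two authorization paths the answer describes your account qualifies for, and which action is missing if neither applies.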