Which AAD role and permission to Enable Active Directory authentication

Xiwei Zhang 0 Reputation points
2024-04-16T06:58:23.65+00:00

I need to Enable Active Directory authentication for Azure File.


Regarding the guide:

https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-enable?WT.mc_id=Portal-Microsoft_Azure_FileStorage#option-two-manually-perform-the-enablement-actions

I select option 1 (Use AzFilesHybrid PowerShell module) to enable the feature.

The question is: what is the least-privilege Azure role for the account used to execute the script?

Thanks.


1 answer

  1. Sumarigo-MSFT 43,801 Reputation points Microsoft Employee
    2024-04-16T10:17:29.4766667+00:00

    @Xiwei Zhang Welcome to the Microsoft Q&A Forum. Thank you for posting your query here!

    To enable Active Directory authentication for Azure Files using the AzFilesHybrid PowerShell module, the account that executes the script must have the following permissions:

    1. The account must be a member of the Storage File Data SMB Share Contributor role for the storage account that contains the file share you want to enable for Active Directory authentication. This role allows the account to manage SMB shares and files in the storage account.

    2. The account must have permissions to create and manage Azure AD resources, such as Azure AD users and groups. This can be achieved by assigning the account to the Global Administrator role in Azure AD or by assigning the account to a custom role that has the required permissions.

    Note that granting the account the Storage Account Contributor role or the Storage Account Owner role is not sufficient to enable Active Directory authentication for Azure Files. These roles provide permissions to manage the storage account, but they do not provide permissions to manage SMB shares and files in the storage account.

    Assign share-level permissions: https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-assign-permissions?tabs=azure-portal

    Additional information: Authenticate with your Microsoft Entra account

    To switch to using your Microsoft Entra account, select the link highlighted in the image that says Switch to Microsoft Entra user account. If you have the appropriate permissions via the Azure roles that are assigned to you, you'll be able to proceed. However, if you lack the necessary permissions, you'll see an error message that you don't have permissions to list the data using your user account with Microsoft Entra ID.

    Two additional RBAC permissions are required to use your Microsoft Entra account:

    • Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/action
    • Microsoft.Storage/storageAccounts/fileServices/writeFileBackupSemantics/action

    No file shares will appear in the list if your Microsoft Entra account lacks permissions to view them.

    Authenticate with the storage account access key

    To switch to using the account access key, select the link that says Switch to access key. If you have access to the storage account key, then you'll be able to proceed. However, if you lack access to the account key, you'll see an error message that you don't have permissions to use the access key to list data.

    No file shares appear in the list if you don't have access to the storage account access key.

    To access file data with the storage account access key, you must have an Azure role assigned to you that includes the Azure RBAC action Microsoft.Storage/storageAccounts/listkeys/action. This Azure role may be a built-in role or a custom role. Built-in roles that support Microsoft.Storage/storageAccounts/listkeys/action include the following, listed in order from least to greatest permissions:

    When you attempt to access file data in the Azure portal, the portal first checks whether you've been assigned a role with Microsoft.Storage/storageAccounts/listkeys/action. If you've been assigned a role with this action, then the portal uses the storage account key for accessing file data. If you haven't been assigned a role with this action, then the portal attempts to access data using your Microsoft Entra account.


    Please let us know if you have any further queries. I'm happy to assist you further.


    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, as this can be beneficial to other community members.

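An added example, not part of this thread, that reports which of the RBAC actions named in the answer above a given principal actually holds on a storage account, so a candidate least-privilege role can be verified before running the enablement script. It uses Az PowerShell (Az.Accounts, Az.Resources) with an existing Connect-AzAccount session; the UPN and scope are placeholders.

```powershell
# Added example, not from this thread. Reports which of the RBAC actions named in the
# answer above a given principal holds on a storage account. Assumes Az.Accounts and
# Az.Resources are installed and Connect-AzAccount has already been run; the UPN and
# scope below are placeholders to replace.
param(
    [string]$SignInName = 'user@contoso.example',   # placeholder UPN
    [string]$Scope = '/subscriptions/<subscription-id>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<account>'  # placeholder
)

# Control-plane actions the answer says are needed (access-key path and Entra path).
$requiredActions = @(
    'Microsoft.Storage/storageAccounts/listkeys/action',
    'Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/action',
    'Microsoft.Storage/storageAccounts/fileServices/writeFileBackupSemantics/action'
)

# Azure RBAC action strings use '*' as a wildcard, which maps directly onto PowerShell's -like.
# A role grants an action if some entry in Actions matches and no entry in NotActions matches.
function Test-RoleGrantsAction {
    param([string]$Action, [string[]]$Actions, [string[]]$NotActions)
    $allowed = @($Actions    | Where-Object { $Action -like $_ })
    $denied  = @($NotActions | Where-Object { $Action -like $_ })
    return ($allowed.Count -gt 0) -and ($denied.Count -eq 0)
}

# Assignments at this scope include ones inherited from the resource group and subscription;
# -ExpandPrincipalGroups also picks up roles the user holds through group membership.
$assignments = Get-AzRoleAssignment -SignInName $SignInName -Scope $Scope -ExpandPrincipalGroups

# Fetch each distinct role definition once.
$definitions = @{}
foreach ($a in $assignments) {
    if (-not $definitions.ContainsKey($a.RoleDefinitionId)) {
        $definitions[$a.RoleDefinitionId] = Get-AzRoleDefinition -Id $a.RoleDefinitionId
    }
}

foreach ($action in $requiredActions) {
    $grantedBy = foreach ($def in $definitions.Values) {
        if (Test-RoleGrantsAction -Action $action -Actions $def.Actions -NotActions $def.NotActions) { $def.Name }
    }
    [pscustomobject]@{
        Action    = $action
        Granted   = [bool]$grantedBy
        GrantedBy = ($grantedBy -join ', ')
    }
}
# Caveat: only Actions/NotActions of assigned roles are evaluated. Deny assignments and
# ABAC conditions are not checked here, so 'Granted' is an upper bound on effective access.
```

Roles that appear under GrantedBy for listkeys/action will make the portal use the account key, as the answer describes, so removing them is the way to force the Entra-identity path.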