Attach File Share with multiple users

Vinay 20 Reputation points
2024-04-21T04:58:02.2266667+00:00

How do I attach multiple files in an Azure Windows VM and assign specific rights?

Tags: Azure Blob Storage, Windows Server

Accepted answer
  1. S.Sengupta 19,416 Reputation points MVP
    2024-04-21T06:21:44.5733333+00:00

    Two ways to attach files with specific rights on an Azure Windows VM:

    Azure Files with SMB share:

    - Upload files to an Azure file share.
    - Mount the share on the VM as a local drive.
    - Set NTFS permissions for granular access control.

    Azure Blob Storage with download and permissions:

    - Upload files as blobs to an Azure storage account container.
    - Download files to the VM with AzCopy or PowerShell.
    - Configure container-level access control (IAM) for specific roles.

    Choose Azure Files for frequent VM access, Blobs for less frequent access or stricter security.
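The Azure Files path above (mount the share on the VM, then set NTFS permissions), as an added PowerShell example that is not part of the original answer. The storage account name, share name, resource group, drive letter and the CONTOSO group names are assumptions; the script expects an Az PowerShell session on the VM. The one-time mount uses the storage account key because the key is a superuser credential that bypasses share-level permissions, which is what lets you seed the NTFS ACLs; end users should never receive that key and should mount with their own identity.

```powershell
# Added example: mount an Azure file share on a Windows VM once as an admin
# and set per-directory NTFS ACLs for AD groups. All names below are assumptions.
$ResourceGroup  = 'rg-files'          # assumption
$StorageAccount = 'contosostorage'    # assumption
$ShareName      = 'teamshare'         # assumption
$DriveLetter    = 'Z'
$Endpoint       = "$StorageAccount.file.core.windows.net"

# 1. SMB needs TCP 445 to the storage endpoint; many networks block it outbound.
if (-not (Test-NetConnection -ComputerName $Endpoint -Port 445 -InformationLevel Quiet)) {
    throw "TCP 445 to $Endpoint is blocked; the share cannot be mounted over SMB."
}

# 2. Admin mount with the storage account key (superuser: bypasses share-level RBAC).
#    Fetching the key with Get-AzStorageAccountKey assumes Connect-AzAccount was run.
$Key = (Get-AzStorageAccountKey -ResourceGroupName $ResourceGroup -Name $StorageAccount)[0].Value
cmd.exe /C "cmdkey /add:$Endpoint /user:localhost\$StorageAccount /pass:$Key"
New-PSDrive -Name $DriveLetter -PSProvider FileSystem -Root "\\$Endpoint\$ShareName" -Persist | Out-Null

# 3. NTFS ACLs per directory. (OI)(CI) inherit the ACE to files and subfolders;
#    M = modify, RX = read and execute, F = full control. /inheritance:r cuts the
#    inherited ACEs so the share root's defaults do not leak into the folder.
$Acl = @{
    'Finance'     = @{ 'CONTOSO\Finance-RW' = 'M'; 'CONTOSO\Finance-RO' = 'RX' }
    'Engineering' = @{ 'CONTOSO\Eng-RW'     = 'M' }
}
foreach ($Dir in $Acl.Keys) {
    $Path = "${DriveLetter}:\$Dir"
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    icacls $Path /inheritance:r | Out-Null
    # Keep an admin group with full control so the folder stays manageable.
    icacls $Path /grant 'CONTOSO\Domain Admins:(OI)(CI)(F)' | Out-Null
    foreach ($Principal in $Acl[$Dir].Keys) {
        icacls $Path /grant "$($Principal):(OI)(CI)($($Acl[$Dir][$Principal]))" | Out-Null
    }
}

# 4. Verify the resulting ACEs, then drop the mount and the cached key credential.
foreach ($Dir in $Acl.Keys) { icacls "${DriveLetter}:\$Dir" }
Remove-PSDrive -Name $DriveLetter
cmd.exe /C "cmdkey /delete:$Endpoint"
```

After this runs, domain users mount `\\contosostorage.file.core.windows.net\teamshare` from a domain-joined VM without any key, and Azure Files enforces the NTFS ACEs above on top of whatever share-level permission their identity holds.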


1 additional answer

  1. Nehruji R 8,146 Reputation points Microsoft Vendor
    2024-04-22T06:59:02.94+00:00

    Hello Vinay,

    Greetings! Welcome to Microsoft Q&A Platform.

    I understand that you would like to add more users to an Azure file share with Windows Server to access the file storage with specific permissions.

    Azure Files offers fully managed file shares in the cloud that are accessible via the industry-standard Server Message Block (SMB) protocol and the Network File System (NFS) protocol. You can mount Azure file shares concurrently on cloud or on-premises deployments of Windows, Linux, and macOS. You also can cache Azure file shares on Windows Server machines by using Azure File Sync for fast access close to where the data is used.

    • Once you mount the file share with Windows Server, you can create users and assign permissions. Share-level permissions are configured for Microsoft Entra users, groups, or service principals. You must assign share-level permissions to the Microsoft Entra identity representing the same user, group, or service principal in your AD DS (Active Directory Domain Services) to support AD DS authentication to your Azure file share.
    • Most users should assign share-level permissions to specific Microsoft Entra users or groups and then use Windows ACLs (Access Control Lists) for granular access control at the directory and file level.
    • If you’re unable to sync your on-premises AD DS to Microsoft Entra ID, you can use a default share-level permission to allow contributor, elevated contributor, or reader access to all authenticated identities.

    Share-level permissions are configured for Microsoft Entra users, groups, or service principals. These permissions control access at the share level itself.

    You can assign share-level permissions in two ways:

    a. Specific users/groups:
    - Assign share-level permissions to specific Microsoft Entra users or groups. This is the most secure configuration.
    - After enabling an Active Directory (AD) source for your storage account, configure share-level permissions for the corresponding Microsoft Entra identities.
    - Use Windows ACLs (Access Control Lists) for granular access control at the directory and file level within the share.

    b. Default share-level permission:
    - If you're unable to sync your on-premises AD DS (Active Directory Domain Services) to Microsoft Entra ID, you can use a default share-level permission.
    - This allows you to work around the sync requirement because you don't need to specify permissions for identities in Microsoft Entra ID.
    - You can then use Windows ACLs for fine-grained permission enforcement on your files and directories.
    - This approach is useful when dealing with standalone Managed Service Accounts (sMSA), group Managed Service Accounts (gMSA), and computer accounts.
    - Additionally, if your on-premises AD DS syncs to a different Microsoft Entra ID than the one where the file share is deployed (common in multi-tenant environments), default share-level permissions can be helpful.

    Note that the file-level permissions you set using the SMB protocol will be enforced by Azure Files. This means that users who do not have the appropriate permissions will not be able to access the files, even if they have access to the file share or directory.

    Refer to https://learn.microsoft.com/en-us/azure/storage/files/storage-files-introduction and https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-assign-permissions?tabs=azure-portal for detailed guidance.

    Similar thread for reference - https://learn.microsoft.com/en-us/answers/questions/1329471/connecting-to-azurefiles-for-users-on-azure-ad.

    Hope this answer helps! Please let us know if you have any further queries. I’m happy to assist you further.


    Please "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.
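The two share-level options from the answer above (a: roles for specific Microsoft Entra groups, b: a default share-level permission), as an added PowerShell example that is not part of the original answer. Resource group, storage account, share and group names are assumptions, and the script expects an Az PowerShell session with rights to manage role assignments on the account. The point worth seeing in code is the scope: the assignment is pinned to the single file share rather than the whole storage account, and the script checks that an identity source is actually enabled first, because without it share-level RBAC is never evaluated.

```powershell
# Added example: share-level permissions on one Azure file share.
# Option a assigns built-in SMB roles to specific Entra groups at share scope;
# option b (commented) is the default share-level permission fallback.
Connect-AzAccount | Out-Null
$ResourceGroup  = 'rg-files'          # assumption
$StorageAccount = 'contosostorage'    # assumption
$ShareName      = 'teamshare'         # assumption

$Account = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount

# Share-level RBAC only takes effect once an identity source (AD DS, Microsoft
# Entra Domain Services or Entra Kerberos) is enabled on the account.
if (-not $Account.AzureFilesIdentityBasedAuth -or
    $Account.AzureFilesIdentityBasedAuth.DirectoryServiceOptions -eq 'None') {
    throw "Identity-based authentication is not enabled on $StorageAccount."
}

# Scope to the one share, not the storage account, so the grant cannot spill
# over into other shares created later on the same account.
$ShareScope = "$($Account.Id)/fileServices/default/fileshares/$ShareName"

# Option a: least privilege per group. Only the elevated contributor role can
# change NTFS ACLs, so keep that group small.
$Assignments = @(
    @{ Group = 'Finance-RW';  Role = 'Storage File Data SMB Share Contributor' }
    @{ Group = 'Finance-RO';  Role = 'Storage File Data SMB Share Reader' }
    @{ Group = 'File-Admins'; Role = 'Storage File Data SMB Share Elevated Contributor' }
)
foreach ($A in $Assignments) {
    # The Entra group must exist, i.e. the on-premises group must have synced.
    $Group = Get-AzADGroup -DisplayName $A.Group
    if (-not $Group) { throw "Entra group '$($A.Group)' not found; check AD DS sync." }

    $Existing = Get-AzRoleAssignment -ObjectId $Group.Id -RoleDefinitionName $A.Role -Scope $ShareScope
    if (-not $Existing) {
        New-AzRoleAssignment -ObjectId $Group.Id -RoleDefinitionName $A.Role -Scope $ShareScope | Out-Null
    }
}

# Option b: no Entra sync available. Every authenticated identity gets Reader at
# share level and the NTFS ACLs carry the real access decision. Leave this at
# 'None' when option a is in use, otherwise the broad default undercuts the
# per-group assignments above.
# Set-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount `
#     -DefaultSharePermission StorageFileDataSmbShareReader

# Review who holds which share-level role; filter out inherited (wider-scope)
# assignments so only grants made directly on this share are listed.
Get-AzRoleAssignment -Scope $ShareScope |
    Where-Object { $_.Scope -eq $ShareScope } |
    Select-Object DisplayName, RoleDefinitionName |
    Sort-Object RoleDefinitionName
```

Share-level permission and NTFS ACL are both checked and both must allow the operation, so a Reader assignment here caps a user at read access even if an NTFS ACE grants Modify; conversely a Contributor assignment does nothing for a directory whose NTFS ACL denies the user.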

