Azure Storage account - File share - AD DS integration

Question

Hi

I have a question......

My environment (ALL in Azure, NO on-premise AD)
Azure AD is P2
Installed and configured Azure AD Domain Services
configured VNet for AD DS (DNS settings)
a domain joined VM in the Azure Active Directory Domain services
2x storage account (each blog has its own)
created with this blog:
https://www.rebeladmin.com/2019/08/step-step-guide-enable-azure-ad-authentication-azure-files/
and a second in this blog:
https://robertsmit.wordpress.com/2020/05/11/step-by-step-azure-files-share-smb-with-native-ad-support-and-more-microsoft-azurefiles-smb-snapshotmanagement-azure-cloud-mvpbuzz-wimvp/

Goal is: a file share which is available for all domain users without typing username/password (a standard fileshare for e.g. data or profiles)

What I get is (after blog 1)
I can mount the file share with the account which is member of the AAD DC Administrators (from the domain joined VM) without any key. So I can create subfolders, files, etc. Another standard user will be prompted for username/password. I cannot change the permission of this mapped drive in explorer (or iCACLS), access is denied. So I cannot add e.g. the domain users, or a domain group who can access this share

In the 2nd blog at the step to create DNS forwarder I get an error.
Get-ArmTemplateObject : A parameter cannot be found that matches parameter name 'Depth'.
I have installed the AzureFileHybrid in v0.2.3 (with closing the current PS session and install-module again)

Also I cannot create a conditional forwarder in the DNS domain controller, when I will try, I get also an Access denied

Has anyone an idea?

Best,
Lutz

Answer 1

If the user for testing is member in the "fileshare" group he is only allowed to read content in the "azfileshare02" File Share.
The user is not allowed to write to the fileshare or modify the permissions of the File Share.
Also the "adds@...." user is not allowed to change the permisssions of the File Share. But the user is allowed to read and write to the File Share.

It's almost the same like in the on-premises world:
The permissions you see in your screenshot you can compare with the "Share Level Permissions" on a Windows Server with file shares:

• Storage File Data SMB Share Reader -> Only read access on the share and containing folders and files (Read)
• Storage File Data SMB Share Contributor -> Read/Write access on the share and containing folders and files (Modify)
• Storage File Data SMB Share Elevated Contributor -> Full access on the share and containing folders and files (Full)

The permissions you can see in the explorer in my screenshot above are the NTFS Permissions.

In combination of the "Share Level Permissions" and "NTFS Permissions" the most restrictive permission "wins".

This means the "adds@...." is not allowed to change the NTFS permissions, because he is in the "Storage File Data SMB Share Contributor" role. To allow this user to change NTFS permissions he needs to be in the "Storage File Data SMB Share Elevated Contributor" role as well.

More details here: https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-assign-permissions

----------

(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten

Answer 2

Adding the permission is possible this way:

• Login with an admin account (admin for the FileShare)
• Mount the FileShare to Y: (or what ever drive letter you prefer)
• Right click on the mapped drive
• Choose Security tab and click on Edit
• Add the Domain Users group of the AADDS domain and select the permissions for the group

If it's not possible this way and you get an "Access denied" you can map the network drive by PowerShell using the Primary Access Key:
https://learn.microsoft.com/de-de/azure/storage/files/storage-files-identity-ad-ds-configure-permissions#mount-a-file-share-from-the-command-prompt

Hope this helps.

----------

(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten

Answer 3

Hi Andreas

Thank you for your answer.
I have logged in with a "Global Administrator" account, who is also synced to the AD DS who is also member of the AAD DC Administrators group in Azure.
Trying this with the explorer, I will get the "Access denied error" (After a warniung, that adding this group (oruser) will replace all existing permissions.

Your 2nd idea with a different mapping (using the key) I will try tomorrow when back in office. I willl let you know the result

Best,
Lutz

Answer 4

The user (or a group the user is member of) is also added to the role Storage File Data SMB Share Elevated Contributor on the File Share or the Storage Account?

The Domain Users group is added to the role Storage File Data SMB Share Contributor? This is required for read/write access to the File Share.

----------

(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten

Answer 5

Hi Andreas

Here are my role assigments

and the user (for testing the access) is member of the group "fileshare"