Hello Salman Farooq
It would be possible to restrict access to certain folders within your Azure file share for certain users, even when the primary file share has been designated as a network drive for all users. This can be accomplished by utilizing the dual-layer permission model that Azure Files offers when employing identity-based authentication (such as Microsoft Entra Domain Services, which you have set up).
The user account you will use to set the NTFS permissions must have at least the "Storage File Data SMB Share Elevated Contributor" Azure RBAC role assigned at the storage account or file share scope. This role allows you to modify NTFS permissions on the file share.
- Go to Azure Portal -> Your Storage Account -> Access control (IAM) -> Add role assignment.
- Select "Storage File Data SMB Share Elevated Contributor", select your admin user/group, and assign.
- After that, log in to your domain-joined Windows VM using an Azure AD user account (the one you just assigned the RBAC role to).
- Open File Explorer or a Command Prompt. Map the Azure file share as a network drive (e.g., the Z: drive). You can do this using the net use command or through File Explorer's "Map network drive" option. Since identity-based authentication is set up, you should be able to map it using your Azure AD DS credentials without needing the storage account key:

  net use Z: \\<storageaccountname>.file.core.windows.net\<filesharename>

- You won't need /user: or the key if your domain-joined VM and user are correctly configured with Azure AD DS authentication.
Once the network drive is mapped, open File Explorer and navigate to the root of your Azure file share (e.g., Z:\). Locate the specific folder you want to block access to (e.g., Z:\SecretProjectData).
- Right-click on the folder and select "Properties".
- Go to the "Security" tab.
- Click "Edit..." to change permissions.
- Click "Add..." to add a specific user or group.
Search for the Azure AD user(s) or Azure AD group(s) you want to block or grant specific permissions to. If these users/groups are synced from on-premises AD, ensure you're searching for their names as they appear in your domain-joined environment.
To block a user/group, add the user/group and then, in the "Permissions" box for that user/group, check the "Deny" box next to "Full control". This will effectively deny them all access.
References:
- https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-configure-file-level-permissions
- https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-enable
Hope the above answer helps! Please let us know if you have any further queries.
Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, as this can be beneficial to other community members.
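The same procedure as the answer above, carried out from PowerShell on the domain-joined VM, as an added example that is not part of the original answer: map the share with the signed-in identity, add an inheritable Deny Full control entry with icacls, and read the ACL back to verify. The domain CONTOSO, the group Contractors and the folder name are assumed values; the storage account and share placeholders are the ones used in the answer.

```powershell
# Added example, not from the original answer. Assumed values: the domain is CONTOSO,
# the group to block is CONTOSO\Contractors, the folder is Z:\SecretProjectData.
$StorageAccount = '<storageaccountname>'   # placeholder, as in the answer
$ShareName      = '<filesharename>'        # placeholder, as in the answer
$DriveLetter    = 'Z:'
$Folder         = 'Z:\SecretProjectData'
$Principal      = 'CONTOSO\Contractors'    # assumed domain\group to block

# 1. Map the share with the signed-in Entra DS identity: no /user:, no account key.
#    The share-level RBAC role gates this step; NTFS ACLs gate the folders below.
net use $DriveLetter "\\$StorageAccount.file.core.windows.net\$ShareName" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "net use failed; check the RBAC role and domain join." }

# 2. Add an explicit Deny of Full control (F) that is inherited by subfolders (CI)
#    and files (OI), which is what the "Deny" checkbox in the Security tab does.
icacls $Folder /deny "${Principal}:(OI)(CI)F" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed; the account needs the Elevated Contributor role." }

# 3. Read the ACL back. Windows evaluates explicit Deny entries before Allow entries,
#    so this entry overrides any Allow the group receives at the share root.
(Get-Acl -Path $Folder).Access |
    Where-Object { $_.IdentityReference.Value -eq $Principal -and
                   $_.AccessControlType -eq 'Deny' } |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, InheritanceFlags -AutoSize
```

The Deny entry only restricts users who can already reach the share through the share-level RBAC role; it does not grant anyone access that the role layer does not allow.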