azure file share active directory permissions not working

jpcapone 1,376 Reputation points
2021-01-22T00:57:07.5+00:00

We have created a storage account and followed the directions listed here
https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-enable

What we have found is that after following all of the instructions and applying NTFS permissions for users, they are able to mount the drive, but the NTFS permissions do not affect what users can do in the share. Specifically, we applied deny permissions and the user was able to get into the share and create and edit files.

After reading through the document, under the FAQ section we found the information below:

Is it possible to specify read-only or write-only permissions on folders within the share?
If you mount the file share by using SMB, you don't have folder-level control over permissions. However, if you create a shared access signature by using the REST API or client libraries, you can specify read-only or write-only permissions on folders within the share.

Can anyone shed some light on this topic or provide some insight as to what we may be doing wrong when applying file share permissions?


Accepted answer
  1. Sumarigo-MSFT 45,416 Reputation points Microsoft Employee
    2021-01-22T10:33:13.357+00:00

    @jpcapone Firstly, let me explain how these roles work and how the RBAC roles are defined.

    This article will provide complete detailed information on permission over SMB

    The share permissions have to be configured using the RBAC roles: we have introduced three Azure built-in roles for granting share-level permissions to users:

    • Storage File Data SMB Share Reader allows read access in Azure Storage file shares over SMB.
    • Storage File Data SMB Share Contributor allows read, write, and delete access in Azure Storage file shares over SMB.
    • Storage File Data SMB Share Elevated Contributor allows read, write, delete and modify NTFS permissions in Azure Storage file shares over SMB.

    Use Azure AD Domain Services to authorize access to file data over SMB

    Azure file share permissions by folder

    • It is not possible to create a SAS token to restrict access to a directory only. You can either create a SAS token for an entire share or a file but not for a directory.

    Adding more information: Azure Files doesn’t support local users and groups. If you want to set ACLs on your files and folders within an Azure file share, you will need to domain join your storage account, and set AD users and groups on the file share.

    Please read here, https://learn.microsoft.com/en-ca/azure/storage/files/storage-files-active-directory-overview#ad-ds

    You can give users access through either Azure AD DS or on-prem AD DS, by making sure you have a hybrid environment with Azure AD Connect so that your users are properly synced across.

    After that, you create the Azure file share, then you can mount it and set directory level permissions in that share like you normally would with an on-prem server. See here

    Hope this helps!

    Kindly let us know if the above helps or you need further assistance on this issue.


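The two gates the accepted answer describes, share-level RBAC and directory-level NTFS ACLs, as an added end-to-end example in PowerShell; this is not code from the original thread or from Microsoft's documentation. It assumes a Windows client joined to the same AD DS domain the storage account was joined to, the Az PowerShell module, and placeholder names (subscription ID, resource group, storage account, share, domain, users and groups) that you must replace. The effective permission a user gets is the intersection of the two gates: the RBAC role is the upper bound, and the NTFS ACL (including deny entries) is honored only inside it. Two things commonly make it look as if NTFS ACLs are ignored: mounting with the storage account key instead of the domain identity, which bypasses the NTFS ACLs entirely, and testing before a fresh role assignment has propagated or while an old SMB session is still open.

```powershell
# Added example, not from the original thread. All names below are assumptions.
$subscriptionId = "00000000-0000-0000-0000-000000000000"   # assumption
$resourceGroup  = "rg-files"                                # assumption
$storageAccount = "stfiles01"                               # assumption
$shareName      = "finance"                                 # assumption
$userUpn        = "jdoe@contoso.com"                        # assumption, synced via AD Connect
$domainUser     = "CONTOSO\jdoe"                            # assumption, same user as above
$adminGroup     = "CONTOSO\FileAdmins"                      # assumption

# 1. Confirm the storage account is really domain joined. Expect "AD" (or "AADDS");
#    "None" means Kerberos auth is off and identity-based NTFS ACLs cannot work.
$acct = Get-AzStorageAccount -ResourceGroupName $resourceGroup -Name $storageAccount
$acct.AzureFilesIdentityBasedAuth.DirectoryServiceOptions

# 2. Share-level gate: assign a built-in SMB role scoped to this one share, not
#    the whole account. Pick the least-privileged role that fits; only the person
#    managing ACLs over SMB needs "Storage File Data SMB Share Elevated Contributor".
$shareScope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
              "/providers/Microsoft.Storage/storageAccounts/$storageAccount" +
              "/fileServices/default/fileshares/$shareName"
New-AzRoleAssignment -SignInName $userUpn `
    -RoleDefinitionName "Storage File Data SMB Share Contributor" `
    -Scope $shareScope

# Read back what is actually assigned at that scope. Role assignments are not
# instant; if the new entry is missing here, wait and re-run before testing ACLs.
Get-AzRoleAssignment -Scope $shareScope |
    Select-Object DisplayName, RoleDefinitionName, Scope

# 3. Mount with the domain identity. Do NOT pass the storage account key as a
#    credential here: a key-based mount is superuser and ignores NTFS ACLs.
$fqdn    = "$storageAccount.file.core.windows.net"
$uncPath = "\\$fqdn\$shareName"
klist get "cifs/$fqdn"          # confirm a Kerberos ticket is issued for the share
net use Z: /delete 2>$null      # drop any stale session before remounting
net use Z: $uncPath

# 4. Directory-level gate: NTFS ACLs, set from a client mounted as an Elevated
#    Contributor. Break inheritance on the sensitive folder, then explicitly
#    re-add the admin group first so you do not lock yourself out.
icacls "Z:\Restricted" /inheritance:r
icacls "Z:\Restricted" /grant "${adminGroup}:(OI)(CI)F"
icacls "Z:\Restricted" /grant "${domainUser}:(OI)(CI)RX"             # read-only
icacls "Z:\Restricted" /deny  "CONTOSO\contractor:(OI)(CI)W"         # assumption: explicit deny write

# 5. Verify: the ACL as stored, then a negative test as the restricted user.
icacls "Z:\Restricted"
# From a session running as CONTOSO\jdoe, this must fail with "Access is denied":
#   New-Item -Path "Z:\Restricted\test.txt" -ItemType File
```

When verifying a change, check the three layers in order: the role assignment at the share scope, the Kerberos ticket for `cifs/<account>.file.core.windows.net`, and finally the ACL on the folder. Because the share-level role caps what NTFS can grant, a user holding only the Reader role will be unable to write regardless of a generous NTFS ACE, and a user holding Contributor will still be blocked by an explicit NTFS deny once the mount is identity-based and the assignment has propagated.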

1 additional answer

Sort by: Most helpful
  1. jpcapone 1,376 Reputation points
    2021-01-22T23:24:08.687+00:00

    It appears that there is some lag involved from when you make the change to the actual impact. Either way, things appear to be working as documented; thanks for your reply.
