Azure File Storage Permissions

Question

Hi,

Looking for some advise or solutions to the below scenario.

Requirement - Migrate 100 TB of storage from on-premise to Azure Storage.

Proposed Solution - Azure File Storage for DEV, Production, UAT environments ( separate Sv2)

Our on-premise is not integrated to Azure AD due to existing complication and security concerns. How do we manage security permissions on Azure File storage if there is no AD connect configured to sync the on-premise AD to Azure AD

Considering the VM's will have persistent mapping to the Azure File Storage using storage access keys, the user access to the Azure File Storage needs to be managed through AD security Groups on-premise. Can i consider Azure File server with multiple disk to accommodate 100 TB data and manage access permissions.

Thanks
RK

Answer 1

@rkum Welcome to Microsoft Q&A, Thank you for posting your query!

So, this business of using an Azure file share and map it to VMs and have users access the share through the VMs. We have Azure file shares so you don't have to run a file server VM.

There also are no security concerns with AD Connect. It's a requirement to use Office 365 correctly - so this is a known and secure way. I suspect "complications" in getting this to work are the real reason here but you might have more info than we can.

The correct way for you to use an Azure file share is by domain joining the storage account, setting the share ACLs and then have the user use the shares with their AD creds directly. (via a DFS-Namespace or by using the share URL).

What I would want to do next is figure out more details here. We need to understand your designing or other requirements.

Azure Files offers two additional ways to manage access control:

• You can use shared access signatures (SAS) to generate tokens that have specific permissions, and which are valid for a specified time interval. For example, you can generate a token with read-only access to a specific file that has a 10-minute expiry. Anyone who possesses the token while the token is valid has read-only access to that file for those 10 minutes. Shared access signature keys are supported only via the REST API or in client libraries. You must mount the Azure file share over SMB by using the storage account keys.

Azure File Sync preserves and replicates all discretionary ACLs, or DACLs, (whether Active Directory-based or local) to all server endpoints that it syncs to.

You can refer to Authorizing access to Azure Storage for a comprehensive representation of all protocols supported on Azure Storage services.

• Azure Files also support Azure Storage Service Encryption
• Access to your Azure file share can be restricted at the storage account level. For more information, see Configure Azure Storage Firewalls and Virtual Networks.
• You can also configure Azure Defender
• Require secure transfer to ensure secure connections

The section provides additional information regarding key features in Azure storage security and summary information about these capabilities.

Hope this helps!

Kindly let us know if the above helps or you need further assistance on this issue.

---------------------------------------------------------------------------------------------------------------------------------------------

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.