Azure file share NTFS permission

Question

Azure file share NTFS permission

Van Huy Tuyen 40

Dear all,

We are using 2 tenant:

Tenant A is used for M365. We sync user/group from on-premises AD
Tenant B is used for Azure services.

We plan to migrate on-premises file share to Azure file. We expect user will have the same experience like on-premises, by implementing NTFS permission. Please suggest me how can we implement identity solution with our scenario (2 different tenants).

Thank you!

Van Huy Tuyen 40 Reputation points

2025-09-24T02:08:46.45+00:00

Hi @Thanmayi Godithi ,

Thanks for your information.

I understand that the option 1 is the best choice for our scenario (identity tenant and file share tenant are different), right?

Currently, we have one Azure AD connect server, to sync users/groups from on-premises AD to identity tenant.

As your recommendation, with option 1, we have to implement the secondary Azure AD connect server, to sync users/groups to file share tenant, right?

Thank you!
Thanmayi Godithi 2,295 Reputation points Microsoft External Staff Moderator

2025-09-24T11:46:04.3833333+00:00

Hi @Van Huy Tuyen,

Yes, you're absolutely right ,Option 1 is the best choice when your identity tenant and file share tenant are different, and you want to preserve NTFS ACLs and user experience.

“You can only use one AD method for identity-based authentication with Azure Files.” — Microsoft Learn: Microsoft Entra Kerberos for hybrid identities [Microsoft...zure Files]

Since Azure AD Connect supports only one sync target per instance, you’ll need a second Azure AD Connect server (or Cloud Sync agent) to sync the same on-prem AD users/groups to the file share tenant.

“If you want to set share-level permissions for specific Microsoft Entra users or groups using Azure RBAC, then you must first sync the on-premises AD accounts to Microsoft Entra ID using Microsoft Entra Connect.” — Microsoft Learn: Use Azure Files with multiple AD forests [Use Azure...D) forests]

This ensures that SIDs match and NTFS ACLs resolve correctly in the file share tenant — giving you the “same NTFS experience” as on-prem.

Kindly let us know if the above helps or you need further assistance on this issue.
Thanmayi Godithi 2,295 Reputation points Microsoft External Staff Moderator

2025-09-25T09:40:14.14+00:00

Hi @Van Huy Tuyen,

Just checking in to see if you had a chance to see the previous response posted by me. Please "Upvote" if the information helped you. This will help us and others in the community as well.

If you have any further questions do let us know.
Thanmayi Godithi 2,295 Reputation points Microsoft External Staff Moderator

2025-09-26T09:20:28.7333333+00:00

Hi @Van Huy Tuyen,

Just checking in to see if you had a chance to see the previous response posted by me. Please "Upvote" if the information helped you. This will help us and others in the community as well.

If you have any further questions do let us know.

2 answers

Your answer

Van Huy Tuyen 40 Reputation points

2025-09-24T02:08:46.45+00:00

Hi @Thanmayi Godithi ,

Thanks for your information.

I understand that the option 1 is the best choice for our scenario (identity tenant and file share tenant are different), right?

Currently, we have one Azure AD connect server, to sync users/groups from on-premises AD to identity tenant.

As your recommendation, with option 1, we have to implement the secondary Azure AD connect server, to sync users/groups to file share tenant, right?

Thank you!
Thanmayi Godithi 2,295 Reputation points Microsoft External Staff Moderator

2025-09-24T11:46:04.3833333+00:00

Hi @Van Huy Tuyen,

Yes, you're absolutely right ,Option 1 is the best choice when your identity tenant and file share tenant are different, and you want to preserve NTFS ACLs and user experience.

“You can only use one AD method for identity-based authentication with Azure Files.” — Microsoft Learn: Microsoft Entra Kerberos for hybrid identities [Microsoft...zure Files]

Since Azure AD Connect supports only one sync target per instance, you’ll need a second Azure AD Connect server (or Cloud Sync agent) to sync the same on-prem AD users/groups to the file share tenant.

“If you want to set share-level permissions for specific Microsoft Entra users or groups using Azure RBAC, then you must first sync the on-premises AD accounts to Microsoft Entra ID using Microsoft Entra Connect.” — Microsoft Learn: Use Azure Files with multiple AD forests [Use Azure...D) forests]

This ensures that SIDs match and NTFS ACLs resolve correctly in the file share tenant — giving you the “same NTFS experience” as on-prem.

Kindly let us know if the above helps or you need further assistance on this issue.
Thanmayi Godithi 2,295 Reputation points Microsoft External Staff Moderator

2025-09-25T09:40:14.14+00:00

Hi @Van Huy Tuyen,

Just checking in to see if you had a chance to see the previous response posted by me. Please "Upvote" if the information helped you. This will help us and others in the community as well.

If you have any further questions do let us know.
Thanmayi Godithi 2,295 Reputation points Microsoft External Staff Moderator

2025-09-26T09:20:28.7333333+00:00

Hi @Van Huy Tuyen,

Just checking in to see if you had a chance to see the previous response posted by me. Please "Upvote" if the information helped you. This will help us and others in the community as well.

If you have any further questions do let us know.

Answer 1

Hi Van,

Basically the SMB File share is for local tenant - Hybrid access is allowed from the same AD Sync, Azure SMB file shares are typically associated with a specific Entra ID tenant, which means that they are not directly shareable across different tenants. Azure SMB file shares are designed for use within a single tenant's environment, and access control is managed through Entra ID authentication and authorization mechanisms.

There you can setup B2B guest users and invite users to access the data however this is between the 2 tenants, AD Users will require testing.

https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-external-users

Also check this thread for similar query - https://learn.microsoft.com/en-us/answers/questions/2121225/cross-tenant-smb-access-for-data-delivery

My view and suggestion will be to migrate to Sharepoint and allow B2B sharing if possible but you can plan it for phase 2.

Hope this helps.

JS

==

Please Accept the answer if the information helped you. This will help us and others in the community as well.

Answer 2

Hi @Van Huy Tuyen,

Thank you for reaching out on Microsoft Q&A forum and also thanks to @JimmySalian-2011 for sharing useful input.

Azure Files (SMB) identity-based access is scoped to a single tenant. The storage account’s authentication method (Active Directory DS, Microsoft Entra Domain Services, or Microsoft Entra Kerberos for hybrid identities) can only resolve users and groups that exist in the same tenant.

You can try the below steps:

1. Sync on-premises identities into Tenant B (recommended for “same NTFS experience”)

Deploy a supported identity sync (second Entra Connect, Cloud Sync, or Cross-tenant synchronization) so that the same on-prem AD objects exist in Tenant B.
Then configure Azure Files with a supported identity provider.

This ensures ACL SIDs map correctly, giving the same experience as on-prem.

2. Use cross-tenant B2B or cross-tenant sync (limited for NTFS)

As @JimmySalian-2011 mentioned, you can invite Tenant A users as B2B guest users into Tenant B and assign them RBAC roles at the share level-Role assignments for external users
However, note that B2B guest accounts do not carry the same SID as your on-prem users. This means existing NTFS ACLs won’t map seamlessly — you may need to rework permissions-Cross-tenant synchronization overview

3. Stage migration with Azure File Sync

If you want a phased cutover, you can deploy Azure File Sync on your on-prem server. Users continue to access files locally (NTFS ACLs enforced as-is), while the data syncs to Azure Files in Tenant B-What is Azure File Sync?

Kindly let us know if the above helps or you need further assistance on this issue.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Share via

Azure file share NTFS permission

2 answers

Your answer