How to make an on-premises PC mount Azure Files over the Internet.

Morita 41 Reputation points
2021-12-06T09:39:37.937+00:00

日本語で失礼いたします。

Azure Filesのマウントに関してご質問です。

Azure上でVMを立ててADとして使用しており、AzureFIlesのアクセス制御をそのADで行っています。
そこで、「WORKGROUP」に所属しているローカルユーザーが、インターネット経由でAzureFilesをマウントさせる方法はありますか?
ストレージアカウントキーではマウントさせることができますが、その場合ローカルユーザーがアクセス制御を行うことができてしまいます。
ストレージアカウントキー以外の方法で、良いマウント方法があればご教示ください。

よろしくお願いいたします。

translation

Sorry for my Japanese.

I have a question about mounting Azure Files.

I have a VM on Azure and use it as AD, and access control for AzureFIles is done by that AD.
So, is there a way for local users who belong to the "WORKGROUP" to mount AzureFiles via the Internet?
You can mount them with a storage account key, but in that case, the local user will be able to control access.
Please let me know if there is a better way to mount the files other than using a storage account key.

Thank you very much.

Translated with www.DeepL.com/Translator (free version)

Windows Server 2019
Windows Server 2019
A Microsoft server operating system that supports enterprise-level management updated to data storage.
3,327 questions
Azure Files
Azure Files
An Azure service that offers file shares in the cloud.
1,100 questions
0 comments No comments
{count} votes

Accepted answer
  1. Sumarigo-MSFT 42,516 Reputation points Microsoft Employee
    2021-12-07T05:18:34.393+00:00

    @Morita Welcome to Microsoft Q&A Forum, Thank you for posting your query here!

    When you mount the Azure File share on client machine you will provide complete access in those scenario, you can use Azure Storage Explorer with RBAC. Where the user will have limited access to the users

    In this scenario Storage account key is an administrator key for a storage account, including administrator permissions to all files and folders within the file share you're accessing, and for all file shares and other storage resources (blobs, queues, tables, etc.) contained within your storage account. If this is not sufficient for your workload, Azure File Sync may be used, or you may use identity-based authentication over SMB.

    You can use shared access signatures to generate tokens that have specific permissions, and which are valid for a specified time interval. For example, you can generate a token that gives read/write-only access to a specific file, for a set period of time. Anyone who possesses the URL can access the file directly from any web browser while the token is valid. You can easily generate a shared access signature key from a UI like Storage Explorer.

    Addition information: How RBAC works

    Please let us know if you have any further queries. I’m happy to assist you further.

    ----------

    Please do not forget to 155347-image.png and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

    0 comments No comments

0 additional answers

Sort by: Most helpful