Adding NTFS permission into Azure File Share

David 81 Reputation points
2022-04-21T16:11:53.597+00:00

When we ran the icacls command to add a security group for a file share on the Azure cloud, we received an access denied error. The account we are using to open the command prompt on an on-premise server doesn't have full or modified access to the share. At this point, after the migration, none of our AD admin accounts has full access to the share.

What is the solution we could use to add a security group into an Azure file share if none of our AD accounts has full access to the share?

Azure Files

Accepted answer
  1. SaiKishor-MSFT 17,326 Reputation points
    2022-05-03T00:43:54.593+00:00

    @David We sincerely apologize that you did not get the answer for this issue. I understand that you received the error "access denied" when attempting to add a security group for the file share.

    To start with, I see that the on-premise server doesn't have full or modified access to the share. This seems like what is causing the error as you mentioned. Please check here.


    If end-users are accessing the Azure file share using Active Directory (AD) or Azure Active Directory Domain Services (Azure AD DS) authentication, access to the file share fails with an "Access is denied" error if share-level permissions are incorrect.

    Solution:
    Validate that permissions are configured correctly:

    Active Directory (AD): see Assign share-level permissions to an identity.

    Share-level permission assignments are supported for groups and users that have been synced from the Active Directory (AD) to Azure Active Directory (Azure AD) using Azure AD Connect. Confirm that groups and users being assigned share-level permissions are not unsupported "cloud-only" groups.

    Azure Active Directory Domain Services (Azure AD DS): see Assign access permissions to an identity.

    What is the solution we could use to add a security group into an Azure file share if none of our AD accounts has full access to the share?

    • Please make sure that you have assigned the "Storage File Data SMB Share Elevated Contributor" role in order to be able to enable/change NTFS permissions for the Azure file share.

    Share-level permissions are the high-level gatekeeper that determines whether a user can access the share, whereas NTFS permissions act at a more granular level to determine what operations the user can do at the directory or file level. Therefore, the correct share-level permissions are required before you modify the NTFS permissions. Based on the type of AD that you are using, you can choose the right way to assign share-level permission to the user or user account or for all authenticated users.

    Hope this helps. Please let us know if you have any further questions and we will be glad to assist you further. Thank you!

    Remember:

    Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

    Want a reminder to come back and check responses? Here is how to subscribe to a notification.

    1 person found this answer helpful.
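
The order the accepted answer describes (share-level role first, NTFS ACL second), as an added PowerShell example that is not part of the original thread or Microsoft's own code. It assumes the Az module, a sign-in allowed to create role assignments (Owner or User Access Administrator), a domain-joined Windows session running as the synced AD admin, and constructed placeholder names throughout.

```powershell
# Added example: every name and ID below is a constructed placeholder.
$SubscriptionId = '00000000-0000-0000-0000-000000000000'
$ResourceGroup  = 'rg-files'
$StorageAccount = 'contosofiles'
$ShareName      = 'dept-share'
$AdminUpn       = 'fileadmin@contoso.com'    # synced AD admin who will run icacls
$GroupName      = 'FileShare-Users'          # synced AD security group (not cloud-only)
$GroupSam       = 'CONTOSO\FileShare-Users'  # same group as seen by Windows
$Drive          = 'Z:'

# Scope the roles to this one share rather than the whole storage account.
$Scope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
         "/providers/Microsoft.Storage/storageAccounts/$StorageAccount" +
         "/fileServices/default/fileshares/$ShareName"

function Grant-ShareRole {
    param([string]$ObjectId, [string]$RoleName)
    # Skip the call when the assignment is already effective at this scope.
    $existing = Get-AzRoleAssignment -ObjectId $ObjectId -Scope $Scope `
                                     -RoleDefinitionName $RoleName
    if (-not $existing) {
        New-AzRoleAssignment -ObjectId $ObjectId -Scope $Scope `
                             -RoleDefinitionName $RoleName | Out-Null
    }
}

Connect-AzAccount -Subscription $SubscriptionId | Out-Null

$admin = Get-AzADUser  -UserPrincipalName $AdminUpn
$group = Get-AzADGroup -DisplayName $GroupName
if (-not $admin -or -not $group) {
    throw 'Admin or group not found in Azure AD; confirm both are synced from AD.'
}

# 1) Share level: the admin may change NTFS ACLs, the group may read and write.
Grant-ShareRole $admin.Id 'Storage File Data SMB Share Elevated Contributor'
Grant-ShareRole $group.Id 'Storage File Data SMB Share Contributor'

# 2) NTFS level: mount with the admin's AD identity, then grant Modify,
#    inherited by subfolders (CI) and files (OI).
net use $Drive "\\${StorageAccount}.file.core.windows.net\$ShareName"
icacls "$Drive\" /grant "${GroupSam}:(OI)(CI)(M)"
icacls "$Drive\"    # print the resulting ACL to confirm the new entry
```

New role assignments may not take effect immediately, so an "Access is denied" from `net use` or `icacls` right after step 1 does not by itself mean the assignment is wrong.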

1 additional answer

  1. T. Kujala 8,741 Reputation points
    2022-04-21T16:30:18.517+00:00
