Control access to Azure file shares by assigning share-level permissions (2023)

Once you've enabled an Active Directory (AD) source for your storage account, you must configure share-level permissions in order to get access to your file share. There are two ways you can assign share-level permissions. You can assign them to specific Azure AD users/groups, and you can assign them to all authenticated identities as a default share-level permission.

Important

Full administrative control of a file share, including the ability to take ownership of a file, requires using the storage account key. Full administrative control isn't supported with identity-based authentication.

Applies to

File share type | SMB | NFS
Standard file shares (GPv2), LRS/ZRS | [image] | [image]
Standard file shares (GPv2), GRS/GZRS | [image] | [image]
Premium file shares (FileStorage), LRS/ZRS | [image] | [image]

Which configuration should you use

Share-level permissions on Azure file shares are configured for Azure Active Directory (Azure AD) users, groups, or service principals, while directory and file-level permissions are enforced using Windows access control lists (ACLs). You must assign share-level permissions to the Azure AD identity representing the same user, group, or service principal in your AD DS in order to support AD DS authentication to your Azure file share. Authentication and authorization against identities that only exist in Azure AD, such as Azure Managed Identities (MSIs), aren't supported.

Most users should assign share-level permissions to specific Azure AD users or groups, and then use Windows ACLs for granular access control at the directory and file level. This is the most stringent and secure configuration.

There are three scenarios where we instead recommend using a default share-level permission to allow contributor, elevated contributor, or reader access to all authenticated identities:

  • If you are unable to sync your on-premises AD DS to Azure AD, you can use a default share-level permission. Assigning a default share-level permission allows you to work around the sync requirement because you don't need to specify the permission to identities in Azure AD. Then you can use Windows ACLs for granular permission enforcement on your files and directories.
    • Identities that are tied to an AD but aren't syncing to Azure AD can also leverage the default share-level permission. This could include standalone Managed Service Accounts (sMSA), group Managed Service Accounts (gMSA), and computer accounts.
  • The on-premises AD DS you're using is synced to a different Azure AD than the Azure AD the file share is deployed in.
    • This is typical when you're managing multi-tenant environments. Using a default share-level permission allows you to bypass the requirement for an Azure AD hybrid identity. You can still use Windows ACLs on your files and directories for granular permission enforcement.
  • You prefer to enforce authentication only using Windows ACLs at the file and directory level.

Note

Because computer accounts don't have an identity in Azure AD, you can't configure Azure role-based access control (RBAC) for them. However, computer accounts can access a file share by using a default share-level permission.

The following table lists the share-level permissions and how they align with the built-in Azure RBAC roles:

Supported built-in roles | Description
Storage File Data SMB Share Reader | Allows for read access to files and directories in Azure file shares. This role is analogous to a file share ACL of read on Windows file servers.
Storage File Data SMB Share Contributor | Allows for read, write, and delete access on files and directories in Azure file shares.
Storage File Data SMB Share Elevated Contributor | Allows for read, write, delete, and modify ACLs on files and directories in Azure file shares. This role is analogous to a file share ACL of change on Windows file servers.

If you intend to use a specific Azure AD user or group to access Azure file share resources, that identity must be a hybrid identity that exists in both on-premises AD DS and Azure AD. For example, say you have a user in your AD that is user1@onprem.contoso.com and you have synced to Azure AD as user1@contoso.com using Azure AD Connect sync or Azure AD Connect cloud sync. For this user to access Azure Files, you must assign the share-level permissions to user1@contoso.com. The same concept applies to groups and service principals.

Important

Assign permissions by explicitly declaring actions and data actions as opposed to using a wildcard (*) character. If a custom role definition for a data action contains a wildcard character, all identities assigned to that role are granted access for all possible data actions. This means that all such identities will also be granted any new data action added to the platform. The additional access and permissions granted through new actions or data actions may be unwanted behavior for customers who use wildcards.

In order for share-level permissions to work, you must:

  • Sync the users and the groups from your local AD to Azure AD using either the on-premises Azure AD Connect sync application or Azure AD Connect cloud sync, a lightweight agent that can be installed from the Azure Active Directory Admin Center.
  • Add AD-synced groups to an RBAC role so they can access your storage account.

Tip

Optional: Customers who want to migrate SMB server share-level permissions to RBAC permissions can use the Move-OnPremSharePermissionsToAzureFileShare PowerShell cmdlet to migrate directory and file-level permissions from on-premises to Azure. This cmdlet evaluates the groups of a particular on-premises file share, then writes the appropriate users and groups to the Azure file share using the three RBAC roles. You provide the information for the on-premises share and the Azure file share when invoking the cmdlet.

You can use the Azure portal, Azure PowerShell, or Azure CLI to assign the built-in roles to the Azure AD identity of a user for granting share-level permissions.

Important

The share-level permissions will take up to three hours to take effect once completed. Please wait for the permissions to sync before connecting to your file share using your credentials.

To assign an Azure role to an Azure AD identity, using the Azure portal, follow these steps:

  1. In the Azure portal, go to your file share, or create a file share.
  2. Select Access Control (IAM).
  3. Select Add a role assignment.
  4. In the Add role assignment blade, select the appropriate built-in role from the Role list.
    1. Storage File Data SMB Share Reader
    2. Storage File Data SMB Share Contributor
    3. Storage File Data SMB Share Elevated Contributor
  5. Leave Assign access to at the default setting: Azure AD user, group, or service principal. Select the target Azure AD identity by name or email address. The selected Azure AD identity must be a hybrid identity and cannot be a cloud only identity. This means that the same identity is also represented in AD DS.
  6. Select Save to complete the role assignment operation.

You can add a default share-level permission on your storage account, instead of configuring share-level permissions for Azure AD users or groups. A default share-level permission assigned to your storage account applies to all file shares contained in the storage account.

When you set a default share-level permission, all authenticated users and groups will have the same permission. An authenticated user or group is any identity that can be authenticated against the on-premises AD DS the storage account is associated with. The default share-level permission is set to None at initialization, implying that no access is allowed to files or directories in the Azure file share.

To configure default share-level permissions on your storage account using the Azure portal, follow these steps.

  1. In the Azure portal, go to the storage account that contains your file share(s) and select Data storage > File shares.

  2. You must enable an AD source on your storage account before assigning default share-level permissions. If you've already done this, select Active Directory and proceed to the next step. Otherwise, select Active Directory: Not configured, select Set up under the desired AD source, and enable the AD source.

  3. After you've enabled an AD source, Step 2: Set share-level permissions will be available for configuration. Select Enable permissions for all authenticated users and groups.

  4. Select the appropriate role to be enabled as the default share permission from the dropdown list.

  5. Select Save.

What happens if you use both configurations

You could also assign permissions to both all authenticated Azure AD users and specific Azure AD users/groups. With this configuration, a specific user or group will have whichever is the higher-level permission from the default share-level permission and RBAC assignment. In other words, say you granted a user the Storage File Data SMB Share Reader role on the target file share. You also granted the default share-level permission Storage File Data SMB Share Elevated Contributor to all authenticated users. With this configuration, that particular user will have Storage File Data SMB Share Elevated Contributor level of access to the file share. Higher-level permissions always take precedence.
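
The two portal procedures above and the precedence rule, expressed with the Azure CLI as an added example (not code from the original article). It uses `az role assignment create` and `az storage account update --default-share-permission`; the helper function names, the `DRY_RUN` switch and all resource names are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original article). Resource names are placeholders.
# Dry-run is the default: commands are printed. Run with DRY_RUN= to execute them.
DRY_RUN=${DRY_RUN-1}

# role_info ROLE -> "<rank> <value for --default-share-permission>"
# Rank encodes the article's "higher-level permission wins" ordering.
role_info() {
  case "$1" in
    "None")                                             echo "0 None" ;;
    "Storage File Data SMB Share Reader")               echo "1 StorageFileDataSmbShareReader" ;;
    "Storage File Data SMB Share Contributor")          echo "2 StorageFileDataSmbShareContributor" ;;
    "Storage File Data SMB Share Elevated Contributor") echo "3 StorageFileDataSmbShareElevatedContributor" ;;
    *) echo "unknown share-level role: $1" >&2; return 1 ;;
  esac
}

# share_scope SUBSCRIPTION_ID RESOURCE_GROUP ACCOUNT SHARE
# Resource ID of a single file share, the narrowest scope for the assignment.
share_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage' "$1" "$2"
  printf '/storageAccounts/%s/fileServices/default/fileshares/%s\n' "$3" "$4"
}

# Print the az command under dry-run (quoting arguments that contain spaces),
# otherwise run it.
run_az() {
  if [ -z "${DRY_RUN:-}" ]; then az "$@"; return; fi
  az_line="az"
  for az_arg in "$@"; do
    case "$az_arg" in
      *" "*) az_line="$az_line '$az_arg'" ;;
      *)     az_line="$az_line $az_arg" ;;
    esac
  done
  printf '%s\n' "$az_line"
}

# assign_share_role ASSIGNEE ROLE SCOPE
# ASSIGNEE is the Azure AD side of a hybrid identity (UPN or object ID).
assign_share_role() {
  role_info "$2" >/dev/null || return 1
  if [ "$2" = "None" ]; then
    echo "None is only meaningful as a default share-level permission" >&2
    return 1
  fi
  run_az role assignment create --assignee "$1" --role "$2" --scope "$3"
}

# set_default_share_permission RESOURCE_GROUP ACCOUNT ROLE
# Applies to every share in the account and to all authenticated identities.
set_default_share_permission() {
  dsp_info=$(role_info "$3") || return 1
  run_az storage account update --resource-group "$1" --name "$2" \
    --default-share-permission "${dsp_info#* }"
}

# effective_share_role EXPLICIT_ROLE DEFAULT_ROLE -> the role that applies
effective_share_role() {
  eff_e=$(role_info "$1") || return 1
  eff_d=$(role_info "$2") || return 1
  if [ "${eff_e%% *}" -ge "${eff_d%% *}" ]; then echo "$1"; else echo "$2"; fi
}

# Demo with constructed values.
reader="Storage File Data SMB Share Reader"
elevated="Storage File Data SMB Share Elevated Contributor"
scope=$(share_scope 00000000-0000-0000-0000-000000000000 rg-files stfiles01 projects)
assign_share_role user1@contoso.com "$reader" "$scope"
set_default_share_permission rg-files stfiles01 "$elevated"
echo "user1 effective role: $(effective_share_role "$reader" "$elevated")"
```

Running `effective_share_role` against the account's default before relying on a Reader assignment shows whether that assignment actually limits the user, since a higher default silently supersedes it.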

Next steps

Now that you've assigned share-level permissions, you can configure directory and file-level permissions. Remember that share-level permissions can take up to three hours to take effect.

FAQs

How do users access Azure file share? ›

Mount the Azure file share
  1. Sign in to the Azure portal.
  2. Navigate to the storage account that contains the file share you'd like to mount.
  3. Select File shares.
  4. Select the file share you'd like to mount.
  5. Select Connect.
  6. Select the drive letter to mount the share to.
  7. Copy the provided script.

How do I manage shared folder permissions? ›

To change share permissions:
  1. Right-click the shared folder.
  2. Click “Properties”.
  3. Open the “Sharing” tab.
  4. Click “Advanced Sharing”.
  5. Click “Permissions”.
  6. Select a user or group from the list.
  7. Select either “Allow” or “Deny” for each of the settings.

For which resource can you assign the storage file data SMB share reader role? ›

Storage File Data SMB Share Reader allows read access in Azure Storage file shares over SMB. Storage File Data SMB Share Contributor allows read, write, and delete access in Azure Storage file shares over SMB.

Which two options must be specified when creating an Azure file share? ›

Name: the name of the file share to be created. Quota: the quota of the file share for standard file shares; the provisioned size of the file share for premium file shares. For standard file shares, the quota will also determine what performance you receive.

How do I restrict access to Azure file sharing? ›

In the Azure portal, go to your file share, or create a file share. Select Access Control (IAM). In the Add role assignment blade, select the appropriate built-in role from the Role list. Leave Assign access to at the default setting: Azure AD user, group, or service principal.

How do I give access to a file share? ›

To share a file or folder over a network in File Explorer, do the following:
  1. Right-click (or long-press) a file, and then select Show more options > Give access to > Specific people.
  2. Select a user on the network to share the file with, or select Everyone to give all network users access to the file.

What are the two types of permissions used to control access to a shared folder? ›

There are three types of share permissions: Full Control, Change, and Read. Full Control: Enables users to “read,” “change,” as well as edit permissions and take ownership of files. Change: Change means that user can read/execute/write/delete folders/files within share.

How could you share the folder with the ability to assign permissions? ›

To configure permissions for the folder structure

In Windows Explorer, right-click the folder you want to share, and then click Properties. On the Security tab, click Edit. In the Permissions dialog box, add the appropriate users or groups that should have access at each level of the folder structure.

How do you control a shared folder who can access a shared folder? ›

Resolution
  1. Press and hold (or right-click) the shared folder.
  2. Select Properties, and then select Advanced Sharing on the Sharing tab.
  3. Select Permissions, check Allow for Full Control of Everyone, and then press Enter.
  4. Select OK on the Advanced Sharing dialog box.

Which group type allows you to assign to the shared resources? ›

Security groups: Use to assign permissions to shared resources.

Which file protocols can be used to access Azure file shares? ›

Azure Files offers two industry-standard protocols for mounting Azure file share: the Server Message Block (SMB) protocol and the Network File System (NFS) protocol.

What are the SMB share permissions? ›

Share-level permissions let administrators set access permissions on the SMB share itself. Administrators can specify users and groups and designate access for each from an Active Directory service, an LDAP server, or a local Qumulo user account by using the API.

How do I set up Azure file sharing? ›

Create an Azure file share
  1. When the Azure storage account deployment is complete, select Go to resource.
  2. Select File shares from the storage account pane.
  3. Select + File Share.
  4. Name the new file share qsfileshare, enter "1" for the Quota, leave Transaction optimized selected, and select Create.

What is the difference between Azure blob and file share? ›

Azure Blob is an object storage solution. It allows you to store a large amount of unstructured data, whereas Azure files permit you to develop managed file share for the cloud. Moreover, Azure file share can also be mounted by the on premises deployment of Windows, Linux, and macOS.

What is required before creating an Azure file share? ›

Before you can work with an Azure file share, you have to create an Azure storage account. A general-purpose v2 storage account provides access to all of the Azure Storage services: blobs, files, queues, and tables.

How can you restrict people for accessing your file or document? ›

When you change an item's general access to Restricted, only people with access can open the file.
  1. Find the file or folder in Google Drive, Google Docs, Google Sheets, or Google Slides.
  2. Open or select the file or folder.
  3. Click Share. ...
  4. Under “General access”, click the Down arrow.
  5. Select Restricted.
  6. Click Done.

How do I restrict access to a file? ›

Save the document. Select the File tab. Select Info, choose Protect Document, point to Restrict Permission by People, and then select Restricted Access. In the Permissions dialog box, select Restrict permission to this document, and then assign the access levels that you want for each user.

How do I prevent others from accessing my files? ›

Do one of the following:
  1. In Windows 10, go to Start > Settings > Privacy > File system and make sure Allow apps to access your file system is turned Off.
  2. In Windows 11, go to Start > Settings > Privacy & security > File system and make sure Let apps access your file system is turned Off.

Which permissions take precedence in a shared folder? ›

Permissions assigned directly to a particular file or folder (explicit permissions) take precedence over permissions inherited from a parent folder (inherited permissions).

Do file permissions override folder permissions? ›

Also true: File permissions override folder permissions, unless the Full Control permission has been granted to the folder.

What is the best way to access a shared folder? ›

View your shared folders using Computer Management (in all Windows versions) The best tool for getting the full list of folders that you're sharing on your PC is Computer Management. Open Computer Management and, on the left side of the window, browse "System Tools -> Shared Folders -> Shares."

What are the 3 types of access control? ›

Three main types of access control systems are: Discretionary Access Control (DAC), Role Based Access Control (RBAC), and Mandatory Access Control (MAC). DAC is a type of access control system that assigns access rights based on rules specified by users.

What are the three levels of share permissions? ›

Basically, share permissions apply more generally to files, folders, and have three different levels of sharing: Full Control, Change, and Read.

How do I assign permissions to a file? ›

Setting Permissions
  1. Access the Properties dialog box.
  2. Select the Security tab. ...
  3. Click Edit.
  4. In the Group or user name section, select the user(s) you wish to set permissions for.
  5. In the Permissions section, use the checkboxes to select the appropriate permission level.
  6. Click Apply.
  7. Click Okay.

When sharing a file in Drive You can assign permissions to? ›

Choose who to share with
  1. Go to drive.google.com.
  2. Select the folder you want to share.
  3. Select Share.
  4. Enter the email address or Google Group you want to share with. ...
  5. To decide what role people will have with your folder, select Viewer, Commenter, or Editor.

What type of permissions does someone set if they want to control access to individual files? ›

There are three types of share permissions: Full Control, Change, and Read. Full Control: Enables users to “read,” “change,” as well as edit permissions and take ownership of files. Change: Change means that user can read/execute/write/delete folders/files within share.

What is difference between sharing and Security permissions? ›

Unlike Share permissions, NTFS permissions apply to users who are logged on to the server locally. Unlike NTFS permissions, share permissions allow you to restrict the number of concurrent connections to a shared folder. Share and NTFS permissions are configured in different locations.

How do I restrict access to a folder from another user? ›

STEP 1
  1. Open the folder containing the file you want to restrict. Right-click the file and click on Properties. ...
  2. If it issues, go to Step 3. If the user account is not there, go to Step 2. ...
  3. Select the newly added user account under Group and user name. Under the Permission Section/Full Control-click on Deny.

How do I access a shared folder with a different user? ›

In the Folder box, type the path of the folder or computer, or select Browse to find the folder or computer. To connect every time you log on to your PC, select the Reconnect at sign-in check box. ** This is the point where you should also choose "Connect using different credentials".

What two items do you need to access a shared resource? ›

Shared file and printer access require an operating system on the client that supports access to resources on a server, an operating system on the server that supports access to its resources from a client, and an application layer (in the four or five layer TCP/IP reference model) file sharing protocol and transport ...

What is difference between security group and distribution group? ›

Distribution groups are used for sending email notifications to a group of people. Security groups are used for granting access to resources such as SharePoint sites. Mail-enabled security groups are used for granting access to resources such as SharePoint, and emailing notifications to those users.

Which group scope is meant to be used to assign permissions to a local resource? ›

Domain local groups also have a scope that extends to the local domain, and are used to assign permissions to local resources. The difference between domain local and global groups is that user accounts, global groups, and universal groups from any domain can be added to a domain local group.

How do users access Azure files? ›

You can mount the file share on your local machine by using the SMB 3.0 protocol, or you can use tools like Storage Explorer to access files in your file share. From your application, you can use storage client libraries, REST APIs, PowerShell, or Azure CLI to access your files in the Azure file share.

What is shared access policy in Azure? ›

A shared access signature (SAS) is a URI that grants restricted access rights to Azure Storage resources. You can provide a shared access signature to clients who shouldn't be trusted with your storage account key but who need access to certain storage account resources.

What type of permissions are assigned directly to a file or folder? ›

Permissions assigned directly to a particular file or folder (explicit permissions) take precedence over permissions inherited from a parent folder (inherited permissions).

Is SMB used for file sharing? ›

The Server Message Block (SMB) protocol is a network file sharing protocol that allows applications on a computer to read and write to files and to request services from server programs in a computer network.

What are the two most common permissions given when creating a share? ›

Full Control: The user can change folders and files within the share, as well as edit permissions and take control of files. Change: Users are permitted to read, execute, write and delete folders and files in the share.

Can you access Azure file share from browser? ›

From your application, you can use storage client libraries, REST APIs, PowerShell, or Azure CLI to access your files in the Azure file share. A file share can be accessed via browser if the application uses REST APIs.

What are the ways to access resources in Azure? ›

To open a resource by the service type:
  1. Sign in to the Azure portal.
  2. In the left pane, select the Azure service. In this case, Storage accounts. If you don't see the service listed, select All services, and then select the service type.
  3. Select the resource you want to open. A storage account looks like:

How do I access file share as a different user than the local user? ›

In the Folder box, type the path of the folder or computer, or select Browse to find the folder or computer. To connect every time you log on to your PC, select the Reconnect at sign-in check box. ** This is the point where you should also choose "Connect using different credentials".

How do I map Azure file sharing as a Network drive? ›

Mapping a File share to Azure Server:

Step 2: Open File Explorer, right-click Network, and select Map network drive. Step 3: Now, specify the drive letter for the connection and the folder that you want to connect >> Select connect using different credentials and click on Finish.

What protocol does Azure file share use? ›

Azure Files offers two industry-standard protocols for mounting Azure file share: the Server Message Block (SMB) protocol and the Network File System (NFS) protocol.

What are the three types of role Basic access control in Microsoft Azure? ›

The way you control access to resources using Azure RBAC is to assign Azure roles. This is a key concept to understand – it's how permissions are enforced. A role assignment consists of three elements: security principal, role definition, and scope.

How do I manage access in Azure? ›

Actions
  1. Go to Resource groups.
  2. Select a resource group.
  3. Select Access control (IAM).
  4. Select + Add > Add role assignment.
  5. Select a role, and then assign access to a user, group, or service principal.

What is recommended to restrict access to Azure resources? ›

Restrict network access for a subnet

You can limit communication to and from all resources in a subnet by creating a network security group, and associating it to the subnet: In the search box at the top of the Azure portal, search for Network security groups. On the Network security groups page, select + Create.

What are the 3 permissions available when sharing a file? ›

There are three types of share permissions: Full Control, Change, and Read.
  • Full Control: Enables users to “read,” “change,” as well as edit permissions and take ownership of files.
  • Change: Change means that user can read/execute/write/delete folders/files within share.

What is the difference between share and file system permissions? ›

Unlike NTFS permissions, Share permissions can be applied to FAT and FAT32 file systems. Unlike Share permissions, NTFS permissions apply to users who are logged on to the server locally. Unlike NTFS permissions, share permissions allow you to restrict the number of concurrent connections to a shared folder.

Article information

Author: Carlyn Walter

Last Updated: 11/29/2022