Azure Files with ACLs

Azure files is a file share as a service that you host on Azure. You can mount the file share to a server so that you get an extra file share without having to physically extend the storage of that server. This is especially handy when you want to go through the transition of moving from IAAS to SAAS. In a cloud only environment Azure files would be preferable over and VM which is configured as a file server. Azure Files is also the preferred location for saving your FSLogix profile containers, when using Windows Virtual Desktop.

All in all this sounds pretty good, but Azure files also had a downside. Azure Files had until now no support for Access Control Lists, meaning that setting more advanced permissions on files and folders was not possible. Until now! Microsoft announced the General Availability of the support of ACL’s on Azure File shares. This enables you to set advanced permissions on files and folders.

To make this work, this is what you need:

  • Set up Azure AD Domain Services
  • A Virtual Machine that is joined to Azure Active Directory Domain Services. Active Directory is not supported!
  • A Storage Account where you enable Azure Active Directory Domain Services (Azure AD DS) for the Identity-based Directory Service for Azure File Authentication
  • Set the general permissions to the share. You can compare this with the share settings in Windows.

You need Azure AD Domain Services for you authentication, since the file share make use of Kerberos authentication and your Azure AD doesn’t support Kerberos.

Azure File authentication

You can create a new storage account or use an existing storage account. All you need to do is configure Identity-based Directory Service for Azure File Authentication to Azure Active Directory Domain Services (Azure AD DS).

Set the authentication option to AADDS

Set the Access permissions on the share. You can compare this with the share settings in Windows, where you would set global share permissions and then set NTFS permissions for more detailed permissions. Microsoft introduced three new roles for this.

  • Storage File Data SMB Share Reader allows read access in Azure Storage file shares over SMB.
  • Storage File Data SMB Share Contributor allows read, write, and delete access in Azure Storage file shares over SMB.
  • Storage File Data SMB Share Elevated Contributor allows read, write, delete and modify NTFS permissions in Azure Storage file shares over SMB.

After that just mount your share to the VM and you can set permissions!

Leave a Reply

Your email address will not be published.