articles/storage/files/storage-files-identity-ad-ds-assign-permissions.md
Lines changed: 9 additions & 5 deletions
@@ -48,17 +48,21 @@ The following table lists the share-level permissions and how they align with th
48
48
|[Storage File Data SMB Share Contributor](../../role-based-access-control/built-in-roles.md#storage-file-data-smb-share-contributor)|Allows for read, write, and delete access on files and directories in Azure file shares. [Learn more](storage-files-identity-auth-active-directory-enable.md). |
49
49
|[Storage File Data SMB Share Elevated Contributor](../../role-based-access-control/built-in-roles.md#storage-file-data-smb-share-elevated-contributor)|Allows for read, write, delete, and modify ACLs on files and directories in Azure file shares. This role is analogous to a file share ACL of change on Windows file servers. [Learn more](storage-files-identity-auth-active-directory-enable.md). |
50
50
51
-
52
51
## Share-level permissions for specific Azure AD users or groups
53
52
54
-
If you intend to use a specific Azure AD user or group to access Azure file share resources, that identity must be a **hybrid identity that exists in both on-premises AD DS and Azure AD**. For example, say you have a user in your AD that is [email protected] and you have synced to Azure AD as [email protected] using Azure AD Connect sync. For this user to access Azure Files, you must assign the share-level permissions to [email protected]. The same concept applies to groups or service principals. Because of this, you must sync the users and groups from your AD to Azure AD using Azure AD Connect sync.
53
+
If you intend to use a specific Azure AD user or group to access Azure file share resources, that identity must be a **hybrid identity that exists in both on-premises AD DS and Azure AD**. For example, say you have a user in your AD that is [email protected] and you have synced to Azure AD as [email protected] using Azure AD Connect sync. For this user to access Azure Files, you must assign the share-level permissions to [email protected]. The same concept applies to groups or service principals.
54
+
55
+
In order for share-level permissions to work, you must:
56
+
57
+
- Sync the users **and** the groups from your local AD to Azure AD using Azure AD Connect sync
58
+
- Add AD synced groups to RBAC role so they can access your storage account
55
59
56
60
Share-level permissions must be assigned to the Azure AD identity representing the same user or group in your AD DS to support AD DS authentication to your Azure file share. Authentication and authorization against identities that only exist in Azure AD, such as Azure Managed Identities (MSIs), are not supported with AD DS authentication.
57
61
58
62
You can use the Azure portal, Azure PowerShell module, or Azure CLI to assign the built-in roles to the Azure AD identity of a user for granting share-level permissions.
59
63
60
64
> [!IMPORTANT]
61
-
> The sharelevel permissions will take upto 3 hours to take effect once completed. Please wait for the permissions to sync before connecting to your file share using your credentials
65
+
> The share-level permissions will take up to three hours to take effect once completed. Please wait for the permissions to sync before connecting to your file share using your credentials.
62
66
63
67
# [Portal](#tab/azure-portal)
64
68
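Review bot: the second new bullet, "Add AD synced groups to RBAC role so they can access your storage account", is both grammatically incomplete and narrower than the sentence it follows, which says users **and** groups must be synced; suggest "Assign the synced users or groups to a share-level RBAC role on the storage account", and, since the table above lists roles of differing power (Storage File Data SMB Share Contributor versus Elevated Contributor, which also grants ACL modification), it would help readers to add "choose the least-privileged built-in role that covers what the identity needs". The rewritten IMPORTANT note is an improvement ("share-level", "up to three hours"), but "Please wait" can be shortened to "Wait" to match the imperative style of the rest of the article.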
@@ -109,7 +113,7 @@ When you set a default share-level permission, all authenticated users and group
109
113
110
114
# [Portal](#tab/azure-portal)
111
115
112
-
You cannot currently assign permissions to the storage account with the Azure portal. Use either the Azure PowerShell module or the Azure CLI, instead.
116
+
You can't currently assign permissions to the storage account with the Azure portal. Use either the Azure PowerShell module or the Azure CLI, instead.
113
117
114
118
# [Azure PowerShell](#tab/azure-powershell)
115
119
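Review bot: the contraction fix is fine, but the sentence still says "assign permissions to the storage account", which is easy to confuse with the per-identity role assignment that the Portal tab earlier in this article does support; given the section context ("When you set a default share-level permission, all authenticated users and groups..."), suggest "You can't currently set a default share-level permission with the Azure portal."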
@@ -150,4 +154,4 @@ You could also assign permissions to all authenticated Azure AD users and specif
150
154
151
155
Now that you've assigned share-level permissions, you must configure directory and file-level permissions. Continue to the next article.
152
156
153
-
[Part three: configure directory and filelevel permissions over SMB](storage-files-identity-ad-ds-configure-permissions.md)
157
+
[Part three: configure directory and file-level permissions over SMB](storage-files-identity-ad-ds-configure-permissions.md)
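Review bot: hyphenating "file-level" is consistent with the "share-level" correction in the first hunk; no further change needed here. One optional clarification for the preceding sentence: since share-level RBAC only admits an identity to the share and the directory/file ACLs configured in part three determine effective access, stating that explicitly ("share-level permissions alone do not grant access to files") would help readers who stop after this article.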