
Commit 452af20

Merge pull request #220770 from khdownie/kendownie120722
Default share level permissions edits
2 parents 5725bc9 + e75b526 commit 452af20

5 files changed

+17
-15
lines changed

articles/storage/files/storage-files-identity-ad-ds-assign-permissions.md

Lines changed: 3 additions & 3 deletions
@@ -1,17 +1,17 @@
11
---
2-
title: Control access to Azure file shares by assigning share-level permissions to a hybrid user identity
2+
title: Control access to Azure file shares by assigning share-level permissions
33
description: Learn how to assign share-level permissions to an Azure Active Directory (Azure AD) identity that represents a hybrid user to control user access to Azure file shares with identity-based authentication.
44
author: khdownie
55
ms.service: storage
66
ms.subservice: files
77
ms.topic: how-to
8-
ms.date: 11/29/2022
8+
ms.date: 12/07/2022
99
ms.author: kendownie
1010
ms.custom: devx-track-azurepowershell, subject-rbac-steps, devx-track-azurecli, engagement-fy23
1111
ms.devlang: azurecli
1212
---
1313

14-
# Assign share-level permissions to an identity
14+
# Assign share-level permissions
1515

1616
Once you've enabled an Active Directory (AD) source for your storage account, you must configure share-level permissions in order to get access to your file share. There are two ways you can assign share-level permissions. You can assign them to [specific Azure AD users/groups](#share-level-permissions-for-specific-azure-ad-users-or-groups), and you can assign them to all authenticated identities as a [default share-level permission](#share-level-permissions-for-all-authenticated-identities).
1717

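Review bot: the `description:` on line 3 is now out of step with the renamed title and H1 in this hunk. It still reads "assign share-level permissions to an Azure Active Directory (Azure AD) identity that represents a hybrid user", while the title and heading drop "to a hybrid user identity" and the intro on line 16 covers both specific Azure AD users/groups and the default share-level permission for all authenticated identities. Suggest updating the description to match the new scope, e.g. "Learn how to assign share-level permissions to specific Azure AD users or groups, or to all authenticated identities, to control access to Azure file shares with identity-based authentication."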
articles/storage/files/storage-files-identity-ad-ds-enable.md

Lines changed: 1 addition & 1 deletion
@@ -251,4 +251,4 @@ AzureStorageID:<yourStorageSIDHere>
251251

252252
## Next steps
253253

254-
You've now successfully enabled AD DS on your storage account. To use the feature, you must [assign share-level permissions to an identity](storage-files-identity-ad-ds-assign-permissions.md).
254+
You've now successfully enabled AD DS on your storage account. To use the feature, you must [assign share-level permissions](storage-files-identity-ad-ds-assign-permissions.md).

articles/storage/files/storage-files-identity-auth-active-directory-domain-service-enable.md

Lines changed: 5 additions & 5 deletions
@@ -1,10 +1,10 @@
11
---
22
title: Use Azure Active Directory Domain Services (Azure AD DS) to authorize user access to Azure Files over SMB
3-
description: Learn how to enable identity-based authentication over Server Message Block (SMB) for Azure Files through Azure Active Directory Domain Services (Azure AD DS). Your domain-joined Windows virtual machines (VMs) can then access Azure file shares by using Azure AD credentials.
3+
description: Learn how to enable identity-based authentication over Server Message Block (SMB) for Azure Files through Azure Active Directory Domain Services (Azure AD DS). Your domain-joined Windows VMs can then access Azure file shares by using Azure AD credentials.
44
author: khdownie
55
ms.service: storage
66
ms.topic: how-to
7-
ms.date: 11/28/2022
7+
ms.date: 12/07/2022
88
ms.author: kendownie
99
ms.subservice: files
1010
ms.custom: engagement-fy23, devx-track-azurecli, devx-track-azurepowershell
@@ -13,7 +13,7 @@ ms.custom: engagement-fy23, devx-track-azurecli, devx-track-azurepowershell
1313
# Enable Azure Active Directory Domain Services authentication on Azure Files
1414
[!INCLUDE [storage-files-aad-auth-include](../../../includes/storage-files-aad-auth-include.md)]
1515

16-
This article focuses on enabling and configuring Azure AD DS for authentication with Azure file shares.
16+
This article focuses on enabling and configuring Azure AD DS for identity-based authentication with Azure file shares.
1717

1818
We strongly recommend that you review the [How it works section](./storage-files-active-directory-overview.md#how-it-works) to select the right AD source for authentication. The setup is different depending on the AD source you choose.
1919

@@ -22,7 +22,7 @@ If you're new to Azure Files, we recommend reading our [planning guide](storage-
2222
> [!NOTE]
2323
> Azure Files supports Kerberos authentication with Azure AD DS with RC4-HMAC and AES-256 encryption. We recommend using AES-256.
2424
>
25-
> Azure Files supports authentication for Azure AD DS with full synchronization with Azure AD. If you have enabled scoped synchronization in Azure AD DS which only sync a limited set of identities from Azure AD, authentication and authorization is not supported.
25+
> Azure Files supports authentication for Azure AD DS with full synchronization with Azure AD. If you have enabled scoped synchronization in Azure AD DS which only sync a limited set of identities from Azure AD, authentication and authorization isn't supported.
2626
2727
## Applies to
2828
| File share type | SMB | NFS |
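Review bot: the edited note on line 25 fixes the contraction but leaves a subject-verb error in the same sentence: "scoped synchronization in Azure AD DS which only sync a limited set of identities" should be "scoped synchronization in Azure AD DS, which only syncs a limited set of identities". Since the line is already being touched, suggest: "> Azure Files supports authentication for Azure AD DS with full synchronization with Azure AD. If you have enabled scoped synchronization in Azure AD DS, which only syncs a limited set of identities from Azure AD, authentication and authorization aren't supported."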
@@ -183,7 +183,7 @@ Get-ADUser $userObject -properties KerberosEncryptionType
183183

184184
## Next steps
185185

186-
To grant additional users access to your file share, follow the instructions in [Assign share-level permissions to an Azure AD identity](#assign-share-level-permissions-to-an-azure-ad-identity) and [Configure Windows ACLs](#configure-windows-acls).
186+
To grant additional users access to your file share, follow the instructions in [Assign share-level permissions](#assign-share-level-permissions) and [Configure Windows ACLs](#configure-windows-acls).
187187

188188
For more information about identity-based authentication for Azure Files, see these resources:
189189

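Review bot: the new in-page anchor `#assign-share-level-permissions` on line 186 depends on the heading of the included file; the H2 in includes/storage-files-aad-permissions-and-mounting.md is renamed to "## Assign share-level permissions" in this same PR, so it resolves, but any page that still links to the old anchor `#assign-share-level-permissions-to-an-azure-ad-identity` (the troubleshooting article is one such page and is updated here) will break. Suggest a repo-wide search for the old anchor before merging to make sure no other references remain.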
articles/storage/files/storage-troubleshoot-windows-file-connection-problems.md

Lines changed: 2 additions & 2 deletions
@@ -57,10 +57,10 @@ If end users are accessing the Azure file share using Active Directory (AD) or A
5757

5858
Validate that permissions are configured correctly:
5959

60-
- **Active Directory Domain Services (AD DS)** see [Assign share-level permissions to an identity](./storage-files-identity-ad-ds-assign-permissions.md).
60+
- **Active Directory Domain Services (AD DS)** see [Assign share-level permissions](./storage-files-identity-ad-ds-assign-permissions.md).
6161

6262
Share-level permission assignments are supported for groups and users that have been synced from AD DS to Azure Active Directory (Azure AD) using Azure AD Connect sync or Azure AD Connect cloud sync. Confirm that groups and users being assigned share-level permissions are not unsupported "cloud-only" groups.
63-
- **Azure Active Directory Domain Services (Azure AD DS)** see [Assign share-level permissions to an Azure AD identity](./storage-files-identity-auth-active-directory-domain-service-enable.md?tabs=azure-portal#assign-share-level-permissions-to-an-azure-ad-identity).
63+
- **Azure Active Directory Domain Services (Azure AD DS)** see [Assign share-level permissions](./storage-files-identity-auth-active-directory-domain-service-enable.md?tabs=azure-portal#assign-share-level-permissions).
6464

6565
<a id="error53-67-87"></a>
6666
## Error 53, Error 67, or Error 87 when you mount or unmount an Azure file share
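Review bot: both bullets on lines 60 and 63 still run the bold AD source name straight into "see" with no punctuation; since both lines are being edited anyway, add a colon, e.g. "- **Active Directory Domain Services (AD DS)**: see [Assign share-level permissions](./storage-files-identity-ad-ds-assign-permissions.md)." Also, the paragraph on line 62 sits unindented between the two bullets, which splits them into two separate lists when rendered; indenting it under the first bullet (or moving it after the list) keeps the list intact.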

includes/storage-files-aad-permissions-and-mounting.md

Lines changed: 6 additions & 4 deletions
@@ -5,20 +5,22 @@
55
author: khdownie
66
ms.service: storage
77
ms.topic: include
8-
ms.date: 11/29/2022
8+
ms.date: 12/07/2022
99
ms.author: kendownie
1010
ms.custom: include file, devx-track-azurecli, devx-track-azurepowershell
1111
---
1212

13-
## Assign share-level permissions to an Azure AD identity
13+
## Assign share-level permissions
1414

1515
To access Azure Files resources with identity-based authentication, an identity (a user, group, or service principal) must have the necessary permissions at the share level. This process is similar to specifying Windows share permissions, where you specify the type of access that a particular user has to a file share. The guidance in this section demonstrates how to assign read, write, or delete permissions for a file share to an identity. **We highly recommend assigning permissions by declaring actions and data actions explicitly as opposed to using the wildcard (\*) character.**
1616

17-
We have introduced three Azure built-in roles for granting share-level permissions to users:
17+
Most users should assign share-level permissions to specific Azure AD users or groups, and then [configure Windows ACLs](#configure-windows-acls) for granular access control at the directory and file level. However, alternatively you can set a [default share-level permission](../articles/storage/files/storage-files-identity-ad-ds-assign-permissions.md#share-level-permissions-for-all-authenticated-identities) to allow contributor, elevated contributor, or reader access to **all authenticated identities**.
18+
19+
We have introduced three Azure built-in roles for granting share-level permissions to users and groups:
1820

1921
- **Storage File Data SMB Share Reader** allows read access in Azure Storage file shares over SMB.
2022
- **Storage File Data SMB Share Contributor** allows read, write, and delete access in Azure Storage file shares over SMB.
21-
- **Storage File Data SMB Share Elevated Contributor** allows read, write, delete and modify Windows access control lists (ACLs) in Azure file shares over SMB.
23+
- **Storage File Data SMB Share Elevated Contributor** allows read, write, delete, and modify Windows ACLs in Azure file shares over SMB.
2224

2325
> [!IMPORTANT]
2426
> Full administrative control of a file share, including the ability to take ownership of a file, requires using the storage account key. Administrative control isn't supported with Azure AD credentials.
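Review bot: in the new paragraph on line 17, "However, alternatively you can set" is redundant; "Alternatively, you can set" reads cleaner. More importantly for a permissions page, the sentence should make the scope of the default share-level permission explicit: it grants the chosen role to every identity that can authenticate against the AD source, not to a selected set, so it is the broader grant and should be paired with Windows ACLs to restrict access below the share level. Suggest something like: "Alternatively, you can set a [default share-level permission](...) that grants contributor, elevated contributor, or reader access to **all authenticated identities**; because this applies to every identity that can authenticate, use Windows ACLs to scope access at the directory and file level." Separately, the edited bullet on line 23, "allows read, write, delete, and modify Windows ACLs", mixes noun and verb forms; "allows read, write, and delete access, and lets the identity modify Windows ACLs" would match the two bullets above it.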
