articles/storage/files/storage-files-identity-ad-ds-assign-permissions.md (3 additions & 3 deletions)
@@ -1,17 +1,17 @@
1
1
---
2
-
title: Control access to Azure file shares by assigning share-level permissions to a hybrid user identity
2
+
title: Control access to Azure file shares by assigning share-level permissions
3
3
description: Learn how to assign share-level permissions to an Azure Active Directory (Azure AD) identity that represents a hybrid user to control user access to Azure file shares with identity-based authentication.
Once you've enabled an Active Directory (AD) source for your storage account, you must configure share-level permissions in order to get access to your file share. There are two ways you can assign share-level permissions. You can assign them to [specific Azure AD users/groups](#share-level-permissions-for-specific-azure-ad-users-or-groups), and you can assign them to all authenticated identities as a [default share-level permission](#share-level-permissions-for-all-authenticated-identities).
You've now successfully enabled AD DS on your storage account. To use the feature, you must [assign share-level permissions to an identity](storage-files-identity-ad-ds-assign-permissions.md).
254
+
You've now successfully enabled AD DS on your storage account. To use the feature, you must [assign share-level permissions](storage-files-identity-ad-ds-assign-permissions.md).
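Review bot: the frontmatter description on line 3 (unchanged context) still says the permissions are assigned "to an Azure Active Directory (Azure AD) identity that represents a hybrid user", while the retitled article now also covers the default share-level permission for all authenticated identities (see the "There are two ways you can assign share-level permissions" paragraph in this file). Update the description to match the broadened title, for example "Learn how to assign share-level permissions to specific Azure AD identities or to all authenticated identities to control access to Azure file shares with identity-based authentication." The line 254 link text was shortened from "assign share-level permissions to an identity" to "assign share-level permissions" for the same reason, so the description is the one place that still carries the old, narrower wording.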
articles/storage/files/storage-files-identity-auth-active-directory-domain-service-enable.md (5 additions & 5 deletions)
@@ -1,10 +1,10 @@
1
1
---
2
2
title: Use Azure Active Directory Domain Services (Azure AD DS) to authorize user access to Azure Files over SMB
3
-
description: Learn how to enable identity-based authentication over Server Message Block (SMB) for Azure Files through Azure Active Directory Domain Services (Azure AD DS). Your domain-joined Windows virtual machines (VMs) can then access Azure file shares by using Azure AD credentials.
3
+
description: Learn how to enable identity-based authentication over Server Message Block (SMB) for Azure Files through Azure Active Directory Domain Services (Azure AD DS). Your domain-joined Windows VMs can then access Azure file shares by using Azure AD credentials.
This article focuses on enabling and configuring Azure AD DS for authentication with Azure file shares.
16
+
This article focuses on enabling and configuring Azure AD DS for identity-based authentication with Azure file shares.
17
17
18
18
We strongly recommend that you review the [How it works section](./storage-files-active-directory-overview.md#how-it-works) to select the right AD source for authentication. The setup is different depending on the AD source you choose.
19
19
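Review bot: line 3 drops the expansion "virtual machines (VMs)" from the description. The description is the first place the acronym appears and it is shown on its own in search results and link previews, so keep "Windows virtual machines (VMs)" (or "Windows virtual machines") there. The line 16 change to "identity-based authentication" is consistent with the wording the description already uses.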
@@ -22,7 +22,7 @@ If you're new to Azure Files, we recommend reading our [planning guide](storage-
22
22
> [!NOTE]
23
23
> Azure Files supports Kerberos authentication with Azure AD DS with RC4-HMAC and AES-256 encryption. We recommend using AES-256.
24
24
>
25
-
> Azure Files supports authentication for Azure AD DS with full synchronization with Azure AD. If you have enabled scoped synchronization in Azure AD DS which only sync a limited set of identities from Azure AD, authentication and authorization is not supported.
25
+
> Azure Files supports authentication for Azure AD DS with full synchronization with Azure AD. If you have enabled scoped synchronization in Azure AD DS which only sync a limited set of identities from Azure AD, authentication and authorization isn't supported.
To grant additional users access to your file share, follow the instructions in [Assign share-level permissions to an Azure AD identity](#assign-share-level-permissions-to-an-azure-ad-identity) and [Configure Windows ACLs](#configure-windows-acls).
186
+
To grant additional users access to your file share, follow the instructions in [Assign share-level permissions](#assign-share-level-permissions) and [Configure Windows ACLs](#configure-windows-acls).
187
187
188
188
For more information about identity-based authentication for Azure Files, see these resources:
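Review bot: the edited note line (25) fixes "is not" to "isn't" but leaves the grammar error earlier in the same sentence: "scoped synchronization in Azure AD DS which only sync a limited set of identities" should read "scoped synchronization in Azure AD DS, which only syncs a limited set of identities", and with the plural subject "authentication and authorization" the verb should be "aren't supported". Suggested line: "> Azure Files supports authentication for Azure AD DS with full synchronization with Azure AD. If you have enabled scoped synchronization in Azure AD DS, which only syncs a limited set of identities from Azure AD, authentication and authorization aren't supported." The line 186 anchor change to #assign-share-level-permissions matches the renamed heading in includes/storage-files-aad-permissions-and-mounting.md in this same commit.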
articles/storage/files/storage-troubleshoot-windows-file-connection-problems.md (2 additions & 2 deletions)
@@ -57,10 +57,10 @@ If end users are accessing the Azure file share using Active Directory (AD) or A
57
57
58
58
Validate that permissions are configured correctly:
59
59
60
-
-**Active Directory Domain Services (AD DS)** see [Assign share-level permissions to an identity](./storage-files-identity-ad-ds-assign-permissions.md).
60
+
-**Active Directory Domain Services (AD DS)** see [Assign share-level permissions](./storage-files-identity-ad-ds-assign-permissions.md).
61
61
62
62
Share-level permission assignments are supported for groups and users that have been synced from AD DS to Azure Active Directory (Azure AD) using Azure AD Connect sync or Azure AD Connect cloud sync. Confirm that groups and users being assigned share-level permissions are not unsupported "cloud-only" groups.
63
-
-**Azure Active Directory Domain Services (Azure AD DS)** see [Assign share-level permissions to an Azure AD identity](./storage-files-identity-auth-active-directory-domain-service-enable.md?tabs=azure-portal#assign-share-level-permissions-to-an-azure-ad-identity).
63
+
-**Azure Active Directory Domain Services (Azure AD DS)** see [Assign share-level permissions](./storage-files-identity-auth-active-directory-domain-service-enable.md?tabs=azure-portal#assign-share-level-permissions).
64
64
65
65
<aid="error53-67-87"></a>
66
66
## Error 53, Error 67, or Error 87 when you mount or unmount an Azure file share
includes/storage-files-aad-permissions-and-mounting.md (6 additions & 4 deletions)
@@ -5,20 +5,22 @@
5
5
author: khdownie
6
6
ms.service: storage
7
7
ms.topic: include
8
-
ms.date: 11/29/2022
8
+
ms.date: 12/07/2022
9
9
ms.author: kendownie
10
10
ms.custom: include file, devx-track-azurecli, devx-track-azurepowershell
11
11
---
12
12
13
-
## Assign share-level permissions to an Azure AD identity
13
+
## Assign share-level permissions
14
14
15
15
To access Azure Files resources with identity-based authentication, an identity (a user, group, or service principal) must have the necessary permissions at the share level. This process is similar to specifying Windows share permissions, where you specify the type of access that a particular user has to a file share. The guidance in this section demonstrates how to assign read, write, or delete permissions for a file share to an identity. **We highly recommend assigning permissions by declaring actions and data actions explicitly as opposed to using the wildcard (\*) character.**
16
16
17
-
We have introduced three Azure built-in roles for granting share-level permissions to users:
17
+
Most users should assign share-level permissions to specific Azure AD users or groups, and then [configure Windows ACLs](#configure-windows-acls) for granular access control at the directory and file level. However, alternatively you can set a [default share-level permission](../articles/storage/files/storage-files-identity-ad-ds-assign-permissions.md#share-level-permissions-for-all-authenticated-identities) to allow contributor, elevated contributor, or reader access to **all authenticated identities**.
18
+
19
+
We have introduced three Azure built-in roles for granting share-level permissions to users and groups:
18
20
19
21
-**Storage File Data SMB Share Reader** allows read access in Azure Storage file shares over SMB.
20
22
-**Storage File Data SMB Share Contributor** allows read, write, and delete access in Azure Storage file shares over SMB.
21
-
-**Storage File Data SMB Share Elevated Contributor** allows read, write, delete and modify Windows access control lists (ACLs) in Azure file shares over SMB.
23
+
-**Storage File Data SMB Share Elevated Contributor** allows read, write, delete, and modify Windows ACLs in Azure file shares over SMB.
22
24
23
25
> [!IMPORTANT]
24
26
> Full administrative control of a file share, including the ability to take ownership of a file, requires using the storage account key. Administrative control isn't supported with Azure AD credentials.
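Review bot: renaming the heading on line 13 from "Assign share-level permissions to an Azure AD identity" to "Assign share-level permissions" changes the generated anchor, so any link not updated in this commit (external bookmarks, other repos, the old #assign-share-level-permissions-to-an-azure-ad-identity fragment) now lands at the top of the page instead of the section. This repo already preserves retired anchors with an explicit HTML anchor (see the one above the "Error 53, Error 67, or Error 87" heading in the troubleshooting article), so add `<a id="assign-share-level-permissions-to-an-azure-ad-identity"></a>` immediately above the new heading. In the new paragraph at line 17, the default share-level permission grants the chosen role to every identity the AD source can authenticate; since the bold "all authenticated identities" is the only signal of that scope, consider stating plainly that the default is a fallback for identities without an explicit assignment, not a substitute for assigning specific users or groups, and that directory- and file-level Windows ACLs are still needed for granular control, as the same paragraph already says for the explicit path.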