|
10 | 10 | ms.custom: include file
|
11 | 11 | ---
|
12 | 12 |
|
13 |
| -## Assign access permissions to an identity |
| 13 | +## 2. Assign access permissions to an identity |
14 | 14 |
|
15 |
| -To access Azure Files resources with identity based authentication, an identity (a user, group, or service principal) must have the necessary permissions at the share level. This process is similar to specifying Windows share permissions, where you specify the type of access that a particular user has to a file share. The guidance in this section demonstrates how to assign read, write, or delete permissions for a file share to an identity. |
| 15 | +To access Azure Files resources with identity based authentication, an identity (a user, group, or service principal) must have the necessary permissions at the share level. This process is similar to specifying Windows share permissions, where you specify the type of access that a particular user has to a file share. The general recommendation is to use share level permission for high level access management to a team or group, then leverage NTFS permissions for granular access control on directory/file level. The guidance in this section demonstrates how to assign read, write, or delete permissions for a file share to an identity. |
16 | 16 |
|
17 | 17 | We have introduced three Azure built-in roles for granting share-level permissions to users:
|
18 | 18 |
|
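Review bot: the renamed heading `## 2. Assign access permissions to an identity` hard-codes a section number into a file whose front matter marks it as an include (`ms.custom: include file`), so the number is only correct for one particular host article and ordering; either keep the numbering in the including article or leave the heading unnumbered. In the added sentence, `share level permission` should read `share-level permissions`, `leverage` is better as `use`, and `directory/file level` as `the directory or file level`; `identity based authentication` in the same paragraph should be hyphenated as `identity-based`. The recommendation would also land better if it said plainly that the share-level RBAC role only decides whether the identity can reach the share at all, while the NTFS ACLs decide what it may do once there, which is how the NTFS section further down this file already describes the two layers.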
@@ -63,7 +63,7 @@ Before you run the following sample script, remember to replace placeholder valu
|
63 | 63 | az role assignment create --role "<role-name>" --assignee <user-principal-name> --scope "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>/fileServices/default/fileshares/<share-name>"
|
64 | 64 | ```
|
65 | 65 |
|
66 |
| -## Configure NTFS permissions over SMB |
| 66 | +## 3. Configure NTFS permissions over SMB |
67 | 67 | After you assign share-level permissions with RBAC, you must assign proper NTFS permissions at the root, directory, or file level. Think of share-level permissions as the high-level gatekeeper that determines whether a user can access the share. Whereas NTFS permissions act at a more granular level to determine what operations the user can do at the directory or file level.
|
68 | 68 |
|
69 | 69 | Azure Files supports the full set of NTFS basic and advanced permissions. You can view and configure NTFS permissions on directories and files in an Azure file share by mounting the share and then using Windows File Explorer or running the Windows [icacls](https://docs.microsoft.com/windows-server/administration/windows-commands/icacls) or [Set-ACL](https://docs.microsoft.com/powershell/module/microsoft.powershell.security/get-acl) command.
|
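Review bot: the `[Set-ACL](...)` link in the unchanged context under the renamed heading points at the Get-Acl reference (`.../microsoft.powershell.security/get-acl`), so the link text and target disagree; point it at `.../microsoft.powershell.security/set-acl`, or change the text to Get-Acl if viewing rather than setting ACLs was meant. The sentence beginning `Whereas NTFS permissions act at a more granular level` is a fragment and should be joined to the preceding sentence with a comma. The `az role assignment create` sample above scopes the role to the single file share (`.../fileServices/default/fileshares/<share-name>`), which is the least-privilege scope; a one-line remark that `--scope` should stay at the share rather than the storage account would stop readers from widening it when the mount in the next section does not work immediately.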
@@ -108,9 +108,9 @@ Use Windows File Explorer to grant full permission to all directories and files
|
108 | 108 | 8. In the Security tab, select all permissions you want to grant to the newly add user
|
109 | 109 | 9. Click on **Apply**
|
110 | 110 |
|
111 |
| -## Mount a file share from a domain-joined VM |
| 111 | +## 4. Mount a file share from a domain-joined VM |
112 | 112 |
|
113 |
| -The following process verifies that your file share and access permissions were set up correctly and that you can access an Azure File share from a domain-joined VM: |
| 113 | +The following process verifies that your file share and access permissions were set up correctly and that you can access an Azure File share from a domain-joined VM. Be aware that the share level RBAC role assignment can take some time to be in effect. |
114 | 114 |
|
115 | 115 | Sign in to the VM by using the Azure AD identity to which you have granted permissions, as shown in the following image. If you have enabled AD authentication for Azure Files, use the AD credential. For Azure AD DS authentication, log in with Azure AD credential.
|
116 | 116 |
|
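Review bot: `Be aware that the share level RBAC role assignment can take some time to be in effect` is too vague to act on; tell the reader what to expect and do (the verification in this section can fail right after the assignment, and the remedy is to wait and retry the sign-in and mount, not to grant broader permissions), hyphenate `share-level`, and prefer `to take effect`. The new `## 4.` heading has the same numbering concern as the other renamed headings in this include file. In the unchanged context, step 8 should read `newly added user` rather than `newly add user`.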