You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
@@ -108,35 +108,6 @@ The following diagram represents the workflow for Microsoft Entra Domain Service
108
108
109
109
To enable Microsoft Entra Domain Services authentication, see [Enable Microsoft Entra Domain Services authentication on Azure Files](storage-files-identity-auth-domain-services-enable.md).
110
110
111
-
## Authorization and access control
112
-
113
-
Regardless of which identity source you choose, once you enable it, you'll need to configure authorization. Azure Files enforces authorization on user access at both the share level and the directory/file levels.
114
-
115
-
You can assign share-level permissions to Microsoft Entra users or groups that are managed through Azure RBAC. With Azure RBAC, the credentials you use for file access should be available or synced to Microsoft Entra ID. You can assign Azure built-in roles like **Storage File Data SMB Share Reader** to users or groups in Microsoft Entra ID to grant access to a file share.
116
-
117
-
At the directory/file level, Azure Files supports preserving, inheriting, and enforcing [Windows ACLs](/windows/win32/secauthz/access-control-lists). You can choose to keep Windows ACLs when copying data over SMB between your existing file share and your Azure file shares. Whether you plan to enforce authorization or not, you can use Azure file shares to back up ACLs along with your data.
118
-
119
-
### Configure share-level permissions
120
-
121
-
Once you've enabled an identity source on your storage account, you must do one of the following to access the file share:
122
-
123
-
- Set a default share-level permission that applies to all authenticated users and groups
124
-
- Assign built-in Azure RBAC roles to users and groups, or
125
-
- Configure custom roles for Microsoft Entra identities and assign access rights to file shares in your storage account.
126
-
127
-
The assigned share-level permission allows the granted identity to get access to the share only, nothing else, not even the root directory. You still need to separately configure directory and file-level permissions.
128
-
129
-
> [!NOTE]
130
-
> You can't assign share-level permissions to computer accounts (machine accounts) using Azure RBAC, because computer accounts can't be synced to an identity in Microsoft Entra ID. If you want to allow a computer account to access Azure file shares using identity-based authentication, [use a default share-level permission](storage-files-identity-assign-share-level-permissions.md#share-level-permissions-for-all-authenticated-identities) or consider using a service logon account instead.
131
-
132
-
### Configure directory or file-level permissions
133
-
134
-
Azure file shares enforce standard Windows ACLs at both the directory and file level, including the root directory. Configuration of directory or file-level permissions is supported over both SMB and REST. Mount the target file share from your VM and configure permissions using Windows File Explorer, Windows [icacls](/windows-server/administration/windows-commands/icacls), or the [Set-ACL](/powershell/module/microsoft.powershell.security/get-acl) command.
135
-
136
-
### Preserve directory and file ACLs when importing data to Azure Files
137
-
138
-
Azure Files supports preserving directory or file-level ACLs when copying data to Azure file shares. You can copy ACLs on a directory or file to Azure file shares using either Azure File Sync or common file movement toolsets. For example, you can use [robocopy](/windows-server/administration/windows-commands/robocopy) with the `/copy:s` flag to copy data as well as ACLs to an Azure file share. ACLs are preserved by default, so you don't need to enable identity-based authentication on your storage account to preserve ACLs.
139
-
140
111
## Glossary
141
112
142
113
It's helpful to understand some key terms relating to identity-based authentication for Azure file shares:
@@ -161,16 +132,10 @@ It's helpful to understand some key terms relating to identity-based authenticat
161
132
162
133
AD DS is commonly adopted by enterprises in on-premises environments or on cloud-hosted VMs, and AD DS credentials are used for access control. For more information, see [Active Directory Domain Services Overview](/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview).
163
134
164
-
-**Azure role-based access control (Azure RBAC)**
165
-
166
-
Azure RBAC enables fine-grained access management for Azure. Using Azure RBAC, you can manage access to resources by granting users the fewest permissions needed to perform their jobs. For more information, see [What is Azure role-based access control?](../../role-based-access-control/overview.md)
167
-
168
135
-**Hybrid identities**
169
136
170
137
[Hybrid user identities](../../active-directory/hybrid/whatis-hybrid-identity.md) are identities in AD DS that are synced to Microsoft Entra ID using either the on-premises [Microsoft Entra Connect Sync](../../active-directory/hybrid/whatis-azure-ad-connect.md) application or [Microsoft Entra Connect cloud sync](../../active-directory/cloud-sync/what-is-cloud-sync.md), a lightweight agent that can be installed from the Microsoft Entra Admin Center.
171
138
172
139
## Next step
173
140
174
-
For more information, see:
175
-
176
-
-[Identity-based authentication FAQ for Azure Files](storage-files-faq.md#identity-based-authentication)
141
+
-[Overview of Azure Files authorization and access control](storage-files-authorization-overview.md)
title: Overview - Azure Files authorization and access control
3
+
description: Azure Files enforces authorization on user access at both the share level and the directory/file level. You can assign share-level permissions through Azure RBAC.
4
+
author: khdownie
5
+
ms.service: azure-file-storage
6
+
ms.topic: overview
7
+
ms.date: 01/24/2025
8
+
ms.author: kendownie
9
+
---
10
+
11
+
# Overview of Azure Files authorization and access control
12
+
13
+
Regardless of which identity source you choose for [identity-based authentication](storage-files-active-directory-overview.md) on your storage account, you'll need to configure authorization and access control. Azure Files enforces authorization on user access at both the share level and the directory/file levels.
14
+
15
+
You can assign share-level permissions to Microsoft Entra users or groups that are managed through [Azure RBAC](/azure/role-based-access-control/overview). With Azure RBAC, the credentials you use for file access should be available or synced to Microsoft Entra ID. You can assign Azure built-in roles like **Storage File Data SMB Share Reader** to users or groups in Microsoft Entra ID to grant access to a file share.
16
+
17
+
At the directory/file level, Azure Files supports preserving, inheriting, and enforcing [Windows ACLs](/windows/win32/secauthz/access-control-lists). You can choose to keep Windows ACLs when copying data over SMB between your existing file share and your Azure file shares. Whether you plan to enforce authorization or not, you can use Azure file shares to back up ACLs along with your data.
18
+
19
+
## Configure share-level permissions
20
+
21
+
Once you've enabled an identity source on your storage account, you must do one of the following to access the file share:
22
+
23
+
- Set a default share-level permission that applies to all authenticated users and groups
24
+
- Assign built-in Azure RBAC roles to users and groups, or
25
+
- Configure custom roles for Microsoft Entra identities and assign access rights to file shares in your storage account.
26
+
27
+
The assigned share-level permission allows the granted identity to get access to the share only, nothing else, not even the root directory. You still need to separately configure directory and file-level permissions.
28
+
29
+
> [!NOTE]
30
+
> You can't assign share-level permissions to computer accounts (machine accounts) using Azure RBAC, because computer accounts can't be synced to an identity in Microsoft Entra ID. If you want to allow a computer account to access Azure file shares using identity-based authentication, [use a default share-level permission](storage-files-identity-assign-share-level-permissions.md#share-level-permissions-for-all-authenticated-identities) or consider using a service logon account instead.
31
+
32
+
## Configure directory and file-level permissions
33
+
34
+
Azure file shares enforce standard Windows ACLs at both the directory and file level, including the root directory. Configuration of directory or file-level permissions is supported over both SMB and REST. Mount the target file share from your VM and configure permissions using Windows File Explorer, Windows [icacls](/windows-server/administration/windows-commands/icacls), or the [Set-ACL](/powershell/module/microsoft.powershell.security/get-acl) command.
35
+
36
+
### Preserve directory and file ACLs when importing data to Azure Files
37
+
38
+
Azure Files supports preserving directory or file-level ACLs when copying data to Azure file shares. You can copy ACLs on a directory or file to Azure file shares using either Azure File Sync or common file movement toolsets. For example, you can use [robocopy](/windows-server/administration/windows-commands/robocopy) with the `/copy:s` flag to copy data as well as ACLs to an Azure file share. ACLs are preserved by default, so you don't need to enable identity-based authentication on your storage account to preserve ACLs.
39
+
40
+
## Next step
41
+
42
+
For more information, see:
43
+
44
+
-[Assign share-level permissions for Azure file shares](storage-files-identity-assign-share-level-permissions.md)
45
+
-[Configure directory and file-level permissions for Azure file shares](storage-files-identity-configure-file-level-permissions.md)
0 commit comments