ACL's for AzureFiles

I've started experimenting with Azure Files. One of the features I'm lacking is the fact that you cannot give access to Folders/Files on AzureFiles based on Active Directory credentials. If you setup a typical fileshare one would like to be able to grant/revoke access to folders and files based on information of users in AD.

3,225 votes

Vote

(thinking…)

Microsoft

Forgot password?

Create a password

Signed in as (Sign out)

You have left! (?) (thinking…)

Anonymous shared this idea · June 20, 2014 · Flag idea as inappropriate… · Admin →

completed ·

AdminMicrosoft Azure Storage Team (Product Manager, Microsoft Azure) responded · February 24, 2020

Hi folks,

We announced earlier today the public preview of Active Directory authentication and authorization support for Azure Files. With this feature, just like a traditional on-premises file server, you can domain join your storage account to your regular Active Directory domain and set file/folder ACLs on your file shares just like you expect! This preview release makes it seamless for Azure Files to work with existing Active Directory with no change in the client environment.

To learn more, please see our blog post here: https://azure.microsoft.com/blog/preview-of-active-directory-for-authentication-on-azure-file

Our public preview for Azure Files and AD DS is distinct from our existing support for Azure AD DS, which we will continue to support as generally available feature.

Please don’t hesitate to reach out to us if you have further questions about how to setup and deploy this feature or about other features. You can reach us at AzureFiles@microsoft.com.

Thanks,

Will Gries
Senior Program Manager, Azure Files

Show previous admin responses (5)

started ·

AdminMicrosoft Azure Storage Team (Product Manager, Microsoft Azure) responded · August 15, 2019

Hi everyone,

We recently announce the General Availability of Azure Active Directory Domain Services (Azure AD DS) authentication for Azure Files! By enabling integration with Azure AD DS, you can mount your Azure file share over SMB using Azure AD credentials from Azure AD DS domain joined Windows VMs with NTFS ACLs enforced. For more details, please refer to our blog post:http://aka.ms/azure-file-aadds-authentication-ga-blog.

A part of the GA announcement, we shared the upcoming plan to extend the authentication support to Active Directory (AD) either hosted on-premises or in cloud. If you need an Azure Files solution with AD authentication today, you can consider installing Azure File Sync (AFS) on your Windows File Servers where AD integration is fully supported.

If you are interested to hear future updates on Azure Files Active Directory Authentication, please complete this sign-up survey:https://aka.ms/AzureFilesADAuthPreviewSurvey.

Thanks,
Azure Files Team

started ·

AdminMicrosoft Azure Storage Team (Product Manager, Microsoft Azure) responded · November 28, 2018

Hi folks,

We have shipped a public preview of integration with AAD DS: https://azure.microsoft.com/blog/azure-active-directory-integration-for-smb-access-now-in-public-preview/

What we have in preview is a first step along a much larger roadmap for integration with AAD/AD for authentication and authorization. As the blog post says, this initial preview is really about Windows cloud VM access to the Azure file share with an AAD identity. Future refreshes to this feature will add non-Windows (Linux, macOS, etc) support, and the ability to mount the Azure file shares on-premises with your AAD identity. You can learn more about this in our Ignite session as well (at around 22:00): https://www.youtube.com/watch?v=GMzh2M66E9o

We’ll keep you updated on our progress. In the meantime, don’t hesitate to continue posting feedback on this feature below.

Thanks,

Will Gries
Program Manager, Azure Files

planned ·

AdminMicrosoft Azure Storage Team (Product Manager, Microsoft Azure) responded · February 11, 2018

Thank you all for the feedback! This is something we are actively developing, and hope to rolling out in a preview in the first half of this year! Stay tuned for more information!

Thanks,

Will Gries
Program Manager, Azure Files

planned ·

AdminMicrosoft Azure Storage Team (Product Manager, Microsoft Azure) responded · December 13, 2016

Azure Active Directory integration is in plans but we do not have a timeline to share yet.

under review ·

Microsoft Azure Storage Team responded · February 09, 2015

128 comments

Add a comment…

Attach a File

(thinking…)

Microsoft

Forgot password?

Create a password

Signed in as (Sign out)

Submitting...

An error occurred while saving the comment

Juanjo commented · March 12, 2020 14:48 · Flag as inappropriate

I am also interested in what the colleague testing-sgjapan has commented:

see:

- Ability to create an Azure File Share, and assign permissions to folders based on Azure AD Accounts
- Ability to have Azure AD joined devices to have access to file shares without using the storage "key".

Is there any update of these? Do you intend for it to be supported in the near future?

Submitting...
Testing sGJapan commented · January 01, 2020 18:46 · Flag as inappropriate

I am not sure about everyone else, but this is what we would like to see:

- Ability to create an Azure File Share, and assign permissions to folders based on Azure AD Accounts
- Ability to have Azure AD joined devices to have access to file shares without using the storage "key"
- Ability to access to map the file share in a similar method to the Windows OneDrive software (in the event that port 445 cannot be utilized)
- Proper file locking and/or versioning
- File Access Auditing would be a bonus

It would be great if collaboration/access to files via web browser was also available, but for us, it's not a priority.

I personally like the functionality of Sharepoint/OneDrive, and I see the benefits when using it, but the file and folder count limitations are a no go for us and for many of our clients.

Many companies just want a file server in the cloud without the hassle of having to build/run a VM, or using VPNs, or using some 3rd party syncing software. I am surprised that Microsoft hasn't done this as of yet.

Submitting...
Anonymous commented · December 31, 2019 07:16 · Flag as inappropriate

I do not think this was the intended outcome of this request. Azure ADDS is large undertaking and involves domain joining devices. Not everyone is is doing this. Some are Azure AD joined only. It would be nice to simply have NTFS/ACL function in Azure Files directly so when mapped drive are mounted for a specific user they can see everything but would be denied access to files/folders that they are not privy to. Kind of like the legacy file server shares of years past.

Submitting...
Anonymous commented · December 18, 2019 02:35 · Flag as inappropriate

Can we just have security groups in Azure AD applied to files/folders in Azure File? Azure AD DS seems a bit overkill?

Submitting...
Brett commented · September 16, 2019 06:38 · Flag as inappropriate

Standard AD Authentication is sorely needed for many use cases.

As an example, looking to implement Windows Virtual Desktop, with FSLogix Profiles containers. I want to store these containers in Azure Files, but it is not possible at current, unless I create a PaaS Virtual Machine with File Sync installed to "Proxy" the File Share.

This wouldn't be an issue, except that the profile VHDX will always be in use, and never Tier off, so will need to duplicate the storage between file server, and azure files. (Costly)

Submitting...
Paul L commented · September 09, 2019 07:23 · Flag as inappropriate

This really needs added for this service to be a realistic migration alternative to on site file shares.

Submitting...
Anonymous commented · August 15, 2019 00:57 · Flag as inappropriate

Adding Azure AD (native) support would also be great

Submitting...
Tim Nagels commented · July 23, 2019 03:52 · Flag as inappropriate

Also very interested in an update on when this will be possible from On Premise joined AD devices.

Also wondering: is RBAC role based access possible without Azure AD DS AD Join?

Submitting...
MikeN commented · July 09, 2019 06:27 · Flag as inappropriate

Is there any rough estimate for a roadmap goal of when you'll be able to mount a drive from user endpoints running Windows and MacOS that are not Virtual Machines running in Azure? This is a requirement to seriously consider using Azure Files to replace on-premises SMB/CIFS shares.

Submitting...
Simon Harris commented · July 08, 2019 04:10 · Flag as inappropriate

Any update to this as the comments stretch back a number of months now and into last year?

Submitting...
Sascha Goeke commented · June 12, 2019 02:18 · Flag as inappropriate

Is this solution supposed to work together with Azure file sync (local caching servers)?

Submitting...
Oleg commented · June 07, 2019 09:06 · Flag as inappropriate

waiting for a solution to mount Azure file shares ON-PREMISES with our AAD identity. This is a key feature that's preventing us from migrating more workloads to Azure. An update would be appreciated.

Submitting...
Chad commented · May 30, 2019 08:44 · Flag as inappropriate

Any plan to integrate manage service identity (MSI / User Assigned Managed Identities) support into this feature to control access via a cloud managed identity?

Submitting...
Anonymous commented · May 20, 2019 00:05 · Flag as inappropriate

Why are there no details on the product roadmap for this thing?

We already have a functional AAD synching with on-prem AD. Why should we have to set up AADDS on top of that? Is there any plan to leverage AAD without the other overhead?

Submitting...
Bryan Brinegar commented · April 14, 2019 15:11 · Flag as inappropriate

We've been waiting for a solution to mount Azure file shares on-premises with our AAD identity. This is a key feature that's preventing us from migrating more workloads to Azure. An update would be appreciated.

Submitting...
Wim Didden commented · April 02, 2019 01:15 · Flag as inappropriate

Hi,

I am also very interested in a solution to mount the Azure file shares on-premises with your AAD identity.

At the moment, the only way to use SMB shares is to create a mapping with a Storage account name and key. This solution isn't very fit for an enterprise.

I asked around on an Ignite The Tour event but still no information about this feature.
Is there anything you can share on this matter?

Submitting...
Luke commented · March 04, 2019 04:29 · Flag as inappropriate

Hi

Still intereste in this. Most recent user-update seems to be around Nov time.
I think this should be a priroty for MS as it would allow easy movement of current SMB-based solution for LOB apps and user file repository on-premise into the cloud. Right?

(user Nam said: contacted to Microsoft Azure Files Team yesterday, and got some the details about the Private Preview of Azure Files that support integration with Azure AD DS. Unfortunately, the preview version needs Azure VM to provide AADS ACL, the external share still uses Storage account name and key for accessing, and does not fit our needs currently.)

Submitting...
Anonymous commented · March 03, 2019 12:36 · Flag as inappropriate

enable deploy file share with GPO

Submitting...
Ed Williams commented · January 10, 2019 14:33 · Flag as inappropriate

How will this apply to Guest accounts who are in the Active Directory?

Submitting...
Anonymous commented · October 25, 2018 04:30 · Flag as inappropriate

Hi,

I wanted to hop into this conversation to get an update if this feature is ready or if it's still in development

Quote :

One of the features I'm lacking is the fact that you cannot give access to Folders/Files on AzureFiles based on Active Directory credentials

Submitting...