ACL's for AzureFiles
I've started experimenting with Azure Files. One of the features I'm lacking is the fact that you cannot give access to Folders/Files on AzureFiles based on Active Directory credentials. If you set up a typical fileshare one would like to be able to grant/revoke access to folders and files based on information of users in AD.
We recently announced the General Availability of Azure Active Directory Domain Services (Azure AD DS) authentication for Azure Files! By enabling integration with Azure AD DS, you can mount your Azure file share over SMB using Azure AD credentials from Azure AD DS domain joined Windows VMs with NTFS ACLs enforced. For more details, please refer to our blog post: http://aka.ms/azure-file-aadds-authentication-ga-blog.
As part of the GA announcement, we shared the upcoming plan to extend the authentication support to Active Directory (AD) either hosted on-premises or in cloud. If you need an Azure Files solution with AD authentication today, you can consider installing Azure File Sync (AFS) on your Windows File Servers where AD integration is fully supported.
If you are interested to hear future updates on Azure Files Active Directory Authentication, please complete this sign-up survey: https://aka.ms/AzureFilesADAuthPreviewSurvey.
Azure Files Team
Standard AD Authentication is sorely needed for many use cases.
As an example, looking to implement Windows Virtual Desktop, with FSLogix Profiles containers. I want to store these containers in Azure Files, but it is not possible at current, unless I create a PaaS Virtual Machine with File Sync installed to "Proxy" the File Share.
This wouldn't be an issue, except that the profile VHDX will always be in use, and never Tier off, so will need to duplicate the storage between file server, and azure files. (Costly)
Paul L commented
This really needs added for this service to be a realistic migration alternative to on site file shares.
Adding Azure AD (native) support would also be great
Tim Nagels commented
Also very interested in an update on when this will be possible from On Premise joined AD devices.
Also wondering: is RBAC role based access possible without Azure AD DS AD Join?
Is there any rough estimate for a roadmap goal of when you'll be able to mount a drive from user endpoints running Windows and MacOS that are not Virtual Machines running in Azure? This is a requirement to seriously consider using Azure Files to replace on-premises SMB/CIFS shares.
Simon Harris commented
Any update to this as the comments stretch back a number of months now and into last year?
Sascha Goeke commented
Is this solution supposed to work together with Azure file sync (local caching servers)?
Waiting for a solution to mount Azure file shares ON-PREMISES with our AAD identity. This is a key feature that's preventing us from migrating more workloads to Azure. An update would be appreciated.
Any plan to integrate managed service identity (MSI / User Assigned Managed Identities) support into this feature to control access via a cloud managed identity?
Why are there no details on the product roadmap for this thing?
We already have a functional AAD synching with on-prem AD. Why should we have to set up AADDS on top of that? Is there any plan to leverage AAD without the other overhead?
Bryan Brinegar commented
We've been waiting for a solution to mount Azure file shares on-premises with our AAD identity. This is a key feature that's preventing us from migrating more workloads to Azure. An update would be appreciated.
Wim Didden commented
I am also very interested in a solution to mount the Azure file shares on-premises with your AAD identity.
At the moment, the only way to use SMB shares is to create a mapping with a Storage account name and key. This solution isn't very fit for an enterprise.
I asked around on an Ignite The Tour event but still no information about this feature.
Is there anything you can share on this matter?
Still interested in this. Most recent user-update seems to be around Nov time.
I think this should be a priority for MS as it would allow easy movement of current SMB-based solution for LOB apps and user file repository on-premise into the cloud. Right?
(user Nam said: contacted to Microsoft Azure Files Team yesterday, and got some of the details about the Private Preview of Azure Files that support integration with Azure AD DS. Unfortunately, the preview version needs Azure VM to provide AADS ACL, the external share still uses Storage account name and key for accessing, and does not fit our needs currently.)
enable deploy file share with GPO
Ed Williams commented
How will this apply to Guest accounts who are in the Active Directory?
I wanted to hop into this conversation to get an update if this feature is ready or if it's still in development
One of the features I'm lacking is the fact that you cannot give access to Folders/Files on AzureFiles based on Active Directory credentials
Andreas Pedersen commented
Hatem Mussad Al Sum commented
Is there any update regarding how to mount Azure Files with a read-only scenario?
Has anyone gotten this preview feature to work? We've been testing it out and are able to access the share with the storage account, but when we attempt to add another credential (via Azure CLI with the custom role followed by ICACLS within Windows) we see the credential being added at the root level of the share yet the user is still unable to access.
Liam O'Brien commented
I am a Microsoft partner, how can I get access to the team for Azure Files ACL Private preview so that I can test the features?