How can we improve Azure Storage?

ACLs for AzureFiles

I've started experimenting with Azure Files. One of the features I'm lacking is the fact that you cannot give access to Folders/Files on AzureFiles based on Active Directory credentials. If you set up a typical file share one would like to be able to grant/revoke access to folders and files based on information of users in AD.

1,917 votes
Anonymous shared this idea

    79 comments

      • Shuhei Uda commented

        We need you to permit an ACL feature for Azure Storage (Blob, Table, Queue, Files).
        Since Azure Storage does not have source IP filtering now, it is unusable for saving confidential data (e.g. personal information, payment data, security data, etc.).

        - Japanese (translated)
        I would like access restrictions to be made possible for Azure Storage (Blob, Table, Queue, Files).
        At present, access cannot be restricted by IP address or similar means, so it cannot be used for storing personal information, information involving money, and the like.

      • Teppei Ishii commented

        +1
        Without ACL and quota, Azure Files is only for someone who owns & administers the Azure Storage account. This cannot truly be the enterprise-capable solution.

      • Jeremy commented

        Allow AzureAD User access and file permission control with the Storage > File Service > File Shares.

        I want to map the file shares directly to end point systems but need to be able to set access permissions.

      • Peter Selch Dahl commented

        Please see Advisors forum for feedback in regards to this feedback request. I PING Lavanya from the Azure Storage team. We really need this function now. Let's get up the votes!

      • Gerald Wiltse commented

        The market has proven that a good multi-platform sync client like Dropbox is imperative for any modern storage solution. While mapping drives is useful, and works for some use cases, I believe a sync client is a logical step in the near future for Azure Files.

        Background:
        Sharepoint online has been the Microsoft cloud file sharing solution for a few years now. However, countless articles and bloggers made it very clear: Sharepoint is a big web front end, which runs on IIS and SQL and WebDAV for file hosting, and will never be the best file sharing platform for this reason.

        Azure Files is a platform that has the potential to fill in the gaps left by Sharepoint (and every other cloud-file storage provider for that matter). Because of the proximity to Azure AD and Sharepoint Online, it is uniquely positioned to become a one-of-a-kind file sharing service with fully integrated ACLs based on Azure AD Users and Groups. While that is another feature request entirely, that type of security combined with a sync client would enable Office 365 organizations everywhere (like my clients) to stop fighting with Sharepoint storage on a daily basis for some types of data, and still leverage their very robust pre-existing security group and permission strategy.

      • Gerald Wiltse commented

        Yes, this is the single biggest thing I have been waiting for with Azure Files. It's awesome to be able to mount Azure Files shares over the internet with SMB 3.0 now, and the security keys are a reasonable security mechanism for server-side mounting, but it's time to add a layer for user-based security, integrated with Azure AD.

      • Brian “B” Laws commented

        Being able to access Azure Files via a UNC would make the service vastly more useful. We could at that point use it like a traditional NAS for accessing common files and for automated processes. Like Eric said, non-interactive services are unable to access the Azure Files shares since they are unable to map the drive (that is, without a lot of complicated configuration). This would enable us to use it as a backup target for SQL Server, SharePoint, etc. Yes, SQL Server backups can write to an Azure Storage account, but this option is not available in Maintenance Plans (at least as of SQL 2012). We could abandon Maintenance Plans but that would require a higher level of complexity and management.

      • Laurent commented

        Yes please! I want to remove file servers on-prem and move to a file server as a service where I do not have to manage the server, the storage capacity and the patches.

      • Jack commented

        Or if it is not feasible to utilize Azure AD, at least have the ability to generate unique keys per share.

      • Jack commented

        I have seen a lot of customers ask if Azure Files could be integrated with Azure AD authentication vs the standard Storage Account name/key. With the current model of Azure Files, it would be a security risk to create more than 2 File Shares as we don't have enough unique storage keys for each share.

      • Jeff Evans commented

        +1 - I believe this is mostly because Azure Files is not yet supporting security descriptors. MSFT, please make this happen!

      • Eric Irestone commented

        Azure File Services provide a great opportunity to allow durability and de-duplication for multiple VMs when accessing common files, vs. copying them on each VHD for each VM.

        I would like to see that File Services allow for authentication against AD, hosted on a VM in Azure for example, so that my Windows Services can access these common files via a UNC path.

        This would require the Windows Service to run as a specified user in AD allowed to Run as a Service, and if the Windows Service needed to access a UNC file resource it would not need to provide secondary credentials to access the file. This alleviates the issue of having to use "net use" which has a requirement of needing an Interactive Login for normal use in Windows, or needing to write a custom impersonation wrapper in your Windows Service.
