ACL's for AzureFiles
I've started experimenting with Azure Files. One of the features I'm lacking is the fact that you cannot give access to Folders/Files on AzureFiles based on Active Directory credentials. If you set up a typical fileshare one would like to be able to grant/revoke access to folders and files based on information of users in AD.
We announced earlier today the public preview of Active Directory authentication and authorization support for Azure Files. With this feature, just like a traditional on-premises file server, you can domain join your storage account to your regular Active Directory domain and set file/folder ACLs on your file shares just like you expect! This preview release makes it seamless for Azure Files to work with existing Active Directory with no change in the client environment.
To learn more, please see our blog post here: https://azure.microsoft.com/blog/preview-of-active-directory-for-authentication-on-azure-file
Our public preview for Azure Files and AD DS is distinct from our existing support for Azure AD DS, which we will continue to support as a generally available feature.
Please don’t hesitate to reach out to us if you have further questions about how to set up and deploy this feature or about other features. You can reach us at AzureFiles@microsoft.com.
Senior Program Manager, Azure Files
please please do.
^ This. Please do it. With 'previous versions' as a cherry on top. It's pretty much useless without it.
This is an important feature that is still needed. It's been at least a year. Can you give an update on any progress or where this is on priority? The status there is still "Planned" and not working on it, so it seems like other items are crowding it out. Any guidance?
need this feature asap
I know that connections to Azure AD for Azure File Storage are in the works, but while that is happening, I would love the ability to choose (individually) what domain users can see certain shares.
We are looking for the same as everyone else. Would love to use Azure File Share/SMB but we can't have our data sitting out on the internet where anyone with the correct key can access/download it and where we need to distribute said key to anyone who needs to interact with these files (disgruntled employees ripping off data anyone?). Either we need access restricted by ACLs and AD users or be able to restrict access to only our vnet.
Please add support for source IP restrictions - SMB is still exposed to zero-day vulnerabilities
Ken Yu commented
Can you add IP Restrictions to Azure File Storage to prevent all connections except a white list of addresses?
I'm aware of SAS Tokens, but this does not meet the requirement, as we want to use Azure File Storage as a generic File Share and not have to code anything to use it.
One of the changes we are evaluating for our app is how to get off of the IaaS fileshare model we currently use, and move to a PaaS model. In a perfect world, we would like to use Azure File Services, however, they do not support ACLs at this time, and we need to be able to leverage this.
Any update on when you might get this implemented? I have 50+ shares I would love to move, but need ACLs enabled.
Chris Hubbell commented
I too would like to see this
This is desperately required in order to allow us to remain cloud-based only. I don't really want to use on-prem AD when Azure AD does such a good job.
+1, please get this in if you want us to migrate entirely to the cloud...
Justin Mirsky commented
Is there an ETA on being able to integrate Azure AD into the authentication for Azure File Shares? This is the last component we need to be able to fully move customers from on premise to 100% cloud based services. We cannot allow all users to have the same access level to file shares, we need to be able to apply permissions at share/directory levels.
Ankush Chouhan commented
We would like to have user authentication with Azure file share. This will help us to minimize a lot of workload.
Gerald Wiltse commented
Can you share any information about the target use cases? For example, is there any chance of bringing Azure Files into the user space with a sync client?
David Ludwig commented
There appears to be a similar, vote-able request for this, at https://feedback.azure.com/forums/217298-storage/suggestions/6078420-acl-s-for-azurefiles . It does not reference ACLs with filtering based on source IP address, but rather with Active Directory accounts, so perhaps it is insufficient; however, it is marked as "Under Review".
This is needed very much!
We are building File Share on a client and need this feature to restrict access on the different File Shares. Otherwise for each access group a dedicated Storage Account needs to be created. Due to security standards, we cannot have two business critical applications sharing the same access keys and the only way to mitigate that is to create individual Storage Accounts.
+1 for this