ACL's for AzureFiles
I've started experimenting with Azure Files. One of the features I'm lacking is the fact that you cannot give access to folders/files on Azure Files based on Active Directory credentials. If you set up a typical file share, one would like to be able to grant/revoke access to folders and files based on information about users in AD.
We recently announced the General Availability of Azure Active Directory Domain Services (Azure AD DS) authentication for Azure Files! By enabling integration with Azure AD DS, you can mount your Azure file share over SMB using Azure AD credentials from Azure AD DS domain-joined Windows VMs with NTFS ACLs enforced. For more details, please refer to our blog post: http://aka.ms/azure-file-aadds-authentication-ga-blog.
As part of the GA announcement, we shared the upcoming plan to extend the authentication support to Active Directory (AD) either hosted on-premises or in the cloud. If you need an Azure Files solution with AD authentication today, you can consider installing Azure File Sync (AFS) on your Windows File Servers, where AD integration is fully supported.
If you are interested in hearing future updates on Azure Files Active Directory Authentication, please complete this sign-up survey: https://aka.ms/AzureFilesADAuthPreviewSurvey.
Azure Files Team
Gerald Wiltse commented
Yes, this is the single biggest thing I have been waiting for with Azure Files. It's awesome to be able to mount Azure Files shares over the internet with SMB 3.0 now, and the security keys are a reasonable security mechanism for server-side mounting, but it's time to add a layer for user-based security, integrated with Azure AD.
Brian “B” Laws commented
Being able to access Azure Files via a UNC would make the service vastly more useful. We could at that point use it like a traditional NAS for accessing common files and for automated processes. Like Eric said, non-interactive services are unable to access the Azure Files shares since they are unable to map the drive (that is, without a lot of complicated configuration). This would enable us to use it as a backup target for SQL Server, SharePoint, etc. Yes, SQL Server backups can write to an Azure Storage account, but this option is not available in Maintenance Plans (at least as of SQL 2012). We could abandon Maintenance Plans but that would require a higher level of complexity and management.
Yes please! I want to remove file servers on-prem and move to a file server as a service where I do not have to manage the server, the storage capacity and the patches.
Or if it is not feasible to utilize Azure AD, at least have the ability to generate unique keys per share.
I have seen a lot of customers ask if Azure Files could be integrated with Azure AD authentication vs the standard Storage Account name/key. With the current model of Azure Files, it would be a security risk to create more than 2 File Shares as we don't have enough unique storage keys for each share.
Jeff Evans commented
+1 - I believe this is mostly because Azure Files is not yet supporting security descriptors. MSFT, please make this happen!
Eric Irestone commented
Azure File Services provide a great opportunity to allow durability and de-duplication for multiple VMs when accessing common files, vs. copying them on each VHD for each VM.
I would like to see that File Services allow for authentication against AD, hosted on a VM in Azure for example, so that my Windows Services can access these common files via a UNC path.
This would require the Windows Service to run as a specified user in AD allowed to Run as a Service, and if the Windows Service needed to access a UNC file resource it would not need to provide secondary credentials to access the file. This alleviates the issue of having to use "net use", which has a requirement of needing an Interactive Login for normal use in Windows, or needing to write a custom impersonation wrapper in your Windows Service.