michaelsendpoint.com

Appearance

👋 Introduction

Microsoft added the ability to set directory- and file-level permissions for Azure files directly in the Azure portal, which is a great improvement for admins, especially when using cloud-only identities. You can grant file share access to Microsoft Entra users or groups using Azure RBAC built-in roles (like Storage File Data SMB Share Reader).

Azure Files supports preserving, inheriting, and enforcing Windows ACLs (Windows access control lists) at the directory and file levels. You can migrate on‑premises files with Windows ACLs to Azure Files using tools like Robocopy or the latest AzCopy, which preserve ACLs during transfer. If you use Azure File Sync to tier files, the ACLs are automatically retained in their native format.

Prerequisites

Before you can configure directory- and file-level permissions, you must configure identity based access. You can either assign share-level default permissions to all authenticated users and groups directly via the share or assign specific access permissions via RBAC.

If you configure both, the user always gets the higher level permissions.

Example

If you grant a user the Storage File Data SMB Reader role, but also activate Storage File Data SMB Share Elevated Contributor permissions for all authenticated users, the user will get the Elevated Contributor access. Higher-level permissions always take precedence.

To use identity-based authentication for ACLs (recommended), assign the admin at least the Storage File Data SMB Admin role, which grants share access and takeOwnership permission, allowing users to take ownership and modify ACLs even without existing entries.

After that, you can start configuring ACLs for your azure file shares (also known as NTFS permissions).

To set ACLs you can use different methods like shown in the table below:

ToolAD DS (Hybrid)Entra Domain Services (Hybrid)Entra Kerberos (Hybrid)Entra Kerberos (Cloud-only)
Windows File Explorer✔️✔️✔️
icacls✔️✔️✔️
Azure portal✔️✔️
PowerShell (RestSetAcls module)✔️✔️

In this article I focus on the configuration for cloud-only identities, without the need to mount a file share.

How Azure RBAC and Windows ACLs work together

Share-level permissions (RBAC roles) control access to the share itself, while Windows ACLs manage detailed file and directory permissions. When accessing a file or directory, all permissions are enforces (share, file, directory), with the most restrictive one taking priority in the case of conflicts.

The table below shows how share permissions and Windows ACLs combine to determine access to files and directories in Azure Files:

-No RBAC roleRBAC - SMB Share ReaderRBAC - SMB Share ContributorRBAC - SMB Share Elevated Contributor
ACL - NoneAccess deniedAccess deniedAccess deniedAccess denied
ACL - ReadAccess deniedReadReadRead
ACL - Read & ExecuteAccess deniedReadReadRead
ACL - List FolderAccess deniedReadReadRead
ACL - WriteAccess deniedReadRead, WriteRead, Write
ACL - ModifyAccess deniedReadRead, Write, DeleteRead, Write, Delete, Apply permissions to your own folders/files
ACL - FullAccess deniedReadRead, Write, DeleteRead, Write, Delete, Apply permissions to anyone's folders/files

Supported Windows ACLs

Azure Files supports all basic and advanced Windows ACLs. Following you find what the default ACLs included in the root file share directory do in the Azure Files context:

UsersRoot Directory PermissionsDefinitionAzure Files context
BUILTIN\Administrators(OI),(CI),(F)Local admins with full controlNot used; no local groups in Azure Files
BUILTIN\Users(RX),(OI),(CI),(IO),(GR,GE)Standard local users groupSame as Authenticated Users
NT AUTHORITY\SYSTEM(OI),(CI),(F),(F)OS service accountNot applicable
NT AUTHORITY\Authenticated Users(OI),(CI),(M)All authenticated AD usersMain access group in Azure Files
CREATOR OWNER(OI),(CI),(IO),(F)Owner of created objects and child objectsFully supported in Azure Files
icacls permissions
  • Basic permissions without the need to use parenthesis:
    • N - No access
    • F - Full access
    • M - Modify access
    • RX - Read and execute access
    • R - Read-only access
    • W - Write-only access
    • D - Delete access
  • Advanced permissions which must use parenthesis:
    • DE - Delete
    • RC - Read control (read permissions)
    • WDAC - Write DAC (change permissions)
    • WO - Write owner (take ownership)
    • S - Synchronize
    • AS - Access system security
    • MA - Maximum allowed
    • GR - Generic read
    • GW - Generic write
    • GE - Generic execute
    • GA - Generic all
    • RD - Read data/list directory
    • WD - Write data/add file
    • AD - Append data/add subdirectory
    • REA - Read extended attributes
    • WEA - Write extended attributes
    • X - Execute/traverse
    • DC - Delete child
    • RA - Read attributes
    • WA - Write attributes
  • Inheritance rights which must use parenthesis:
    • I - Inherit. ACE inherited from the parent container.
    • OI - Object inherit. Objects in this container inherits this ACE. Applies only to directories.
    • CI - Container inherit. Containers in this parent container inherits this ACE. Applies only to directories.
    • IO - Inherit only. ACE inherited from the parent container, but doesn't apply to the object itself. Applies only to directories.
    • NP - Don't propagate inherit. ACE inherited by containers and objects from the parent container, but doesn't propagate to nested containers. Applies only to directories.

For more information on these permissions, see the command-line reference for icacls.

⚙️ Configuration

Configure Identity-based Access

  1. Open the Azure portal -> Storage Accounts and select your storage account.
  2. Now select Classic File Shares and open Identity-based Access.
  1. In the now opening pop-up window you click Set up under Step 1 -> Microsoft Entra Kerberos to enable Kerberos authentication from cloud-only devices.
  1. In the next pop-up window, you check the box next to Microsoft Entra Kerberos and click Save.

WARNING

If you have configured Enterprise Application Policies in Microsoft Entra ID (Security recommendation) and enabled the Block password addition policy, you must add the Storage Resource Provider (53c5681c-bc37-427e-bf2e-b2ab72df0dd5) to the policy's Excluded callers list. Otherwise the enabling of Microsoft Entra Kerberos identity-based access will fail.

You can find this policy in the Microsoft Entra admin center -> Enterprise applicationsApplication policies.

  1. Now back in the previous pop-up window, you can additionally set default user permissions for any file share you create.
    • Storage File Data SMB Share Contributor - Grants read, write, and delete access on files and directories in Azure Files.
    • Storage File Data SMB Share Elevated Contributor - Grants read, write, delete, and modify-ACLs access on files and directories in Azure Files. This role is similar to a file share ACL of change on Windows file servers.
    • Storage File Data SMB Share Reader - Grants read access to files and directories in Azure Files. This role is similar to a file share ACL of read on Windows file servers.
  1. Click Save to save the identity-based access settings.

Create a file share

  1. Open the Azure portal -> Storage Accounts and select your storage account.
  2. Now select Classic File Shares and click ➕ Classic file share.
  3. In the now opening pop-up window you enter the file share Name, select an Access tier and click Next: Backups.
    • Transaction optimized - Best for high-transaction workloads. Highest storage cost, lowest transaction cost.
    • Hot - Best for active workloads with fewer transactions. Balanced storage and transaction costs.
    • Cold - Best for low-activity workloads. Lowest storage cost, highest transaction cost.
  1. On the Backup page you can choose to enable Azure Backup for your file share. If you want to disable it for now, uncheck the box next to Enable backup and click Review + create to create the file share.

Configure Windows ACLs by using the Azure portal

If you use Microsoft Entra Kerberos as your storage account’s identity source, you can easily set up Windows ACLs for your Entra users or groups (hybrid and cloud-only) through the Azure portal.

  1. Open the Azure portal -> Storage Accounts and select your storage account.

  2. Now open Classic File Shares and select your file share of choice.

  3. Select Browse from the menu, navigate to the file or folder you want to set permissions for and click Manage access from the top menu or right-click the file or directory, and then click Manage access.

  4. The panel displays the permissions for users and groups. Click the pencil icon on the far right of any user or group to add or change their access permissions.

    INFO

    Deny always overrides Allow when both are set. If neither is specified, the permissions are inherited from the default settings.

  1. You got the following options to add users or groups to the ACL:

    • Add Entra user/group to add a Microsoft Entra / hybrid user or group as an entry in the ACL.
    • Add Security ID to add an SID as entry in the ACL.
    • Manage inheritance to configure how permissions are inherited to child files and directories (Currently only via PowerShell).
    Manage Inheritance

    This example script applies the directory’s permissions to new and existing files and directories.

    powershell
    Install-Module RestSetAcls
$context = New-AzStorageContext -StorageAccountName "michaelsendpointacltest" -StorageAccountKey "[StorageAccountKey]"
Restore-AzFileAclInheritance -Context $context -FileShareName "acltestshare" -Path "/Test" -Recursive

    Re-run this script to keep permissions updated any time you make one of these changes:

    • Add a user/group
    • Delete a user/group
    • Edit the access of a user/group

  2. Lastly click Save to set the ACLs.

Configure Windows ACLs by using PowerShell

If you want to assign ACLs in bulk to cloud-only users, you can use the RestSetAcls PowerShell module to automate the process with the Azure Files REST API.

For example, if you want to give the cloud-only user testUser@testdomain.com read access to the root ACL:

PowerShell
$AccountName = "<storage-account-name>" # replace with the storage account name 
$AccountKey = "<storage-account-key>" # replace with the storage account key 
$context = New-AzStorageContext -StorageAccountName $AccountName -StorageAccountKey $AccountKey 
Add-AzFileAce -Context $context -FileShareName test -FilePath "/" -Type Allow -Principal "testUser@testdomain.com" -AccessRights Read,Synchronize -InheritanceFlags ObjectInherit,ContainerInherit

💡 Conclusion

Setting up file and folder permissions in Azure Files just got a lot easier. With Microsoft Entra Kerberos authentication, you can manage access rights from the Azure portal using cloud‑only identities, no hybrid setup needed anymore. Whether you manage through the Azure portal or deploying with PowerShell, Azure Files finally has the needed features without the need to mount the share first.

References