Azure
4 min read

Azure File Share Permissions with Active Directory

Tags: Azure, Storage, Active Directory, File Shares, Security

Azure Files with AD authentication gives you cloud file shares that work like traditional Windows file servers. But the permission model combines Azure RBAC with NTFS permissions - and getting it right requires understanding both layers.

The Two Permission Layers

  1. Share-level RBAC (Azure) - controls whether a principal can open the share at all, and at what ceiling (read, read/write, or read/write plus ACL changes)
  2. NTFS (Windows) - controls what they can do with individual directories and files once inside

Effective access is the intersection of the two: a user holding the Contributor role but only Read in a folder's ACL gets read, and a user with Full Control in NTFS but no role assignment gets nothing. Both must be configured correctly. Note that the storage account key bypasses both layers entirely, which matters later.

RBAC Roles for Azure Files

Three built-in roles for file share access:

  Role                                              | Access level
  --------------------------------------------------|----------------------------------------------
  Storage File Data SMB Share Reader                | Read files and folders
  Storage File Data SMB Share Contributor           | Read, write, delete files and folders
  Storage File Data SMB Share Elevated Contributor  | Read, write, delete, modify NTFS permissions

Assign at the file share scope. An assignment at the storage account or resource group also grants access to every other share beneath it, which is rarely what you want:

# Scope is the share's Resource Manager ID
# (.../storageAccounts/<account>/fileServices/default/fileshares/<share>)
resource "azurerm_role_assignment" "file_readers" {
  scope                = azurerm_storage_share.files.resource_manager_id
  role_definition_name = "Storage File Data SMB Share Reader"
  principal_id         = data.azuread_group.file_readers.object_id
}

resource "azurerm_role_assignment" "file_writers" {
  scope                = azurerm_storage_share.files.resource_manager_id
  role_definition_name = "Storage File Data SMB Share Contributor"
  principal_id         = data.azuread_group.file_writers.object_id
}
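To confirm the RBAC layer after an assignment like the one above, the following PowerShell (an added example, not code from the original post) lists every principal holding one of the three SMB roles on a share and flags assignments that were made at a wider scope and merely inherited, since those also open every other share under that scope. The subscription ID, resource group, account and share names are placeholders.

```powershell
#Requires -Modules Az.Accounts, Az.Resources
# Added example: audit who holds the SMB share roles on one share.
# Assumed/placeholder names: rg-storage, storageaccount, sharename, subscription ID.
function Get-SmbShareRoleAssignment {
    param(
        [Parameter(Mandatory)] [string]$SubscriptionId,
        [Parameter(Mandatory)] [string]$ResourceGroup,
        [Parameter(Mandatory)] [string]$StorageAccount,
        [Parameter(Mandatory)] [string]$ShareName
    )

    # Resource Manager ID of the share itself: the narrowest scope the SMB roles can be assigned at.
    $shareScope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
                  "/providers/Microsoft.Storage/storageAccounts/$StorageAccount" +
                  "/fileServices/default/fileshares/$ShareName"

    $smbRoles = @(
        'Storage File Data SMB Share Reader',
        'Storage File Data SMB Share Contributor',
        'Storage File Data SMB Share Elevated Contributor'
    )

    # Get-AzRoleAssignment -Scope returns assignments made at that scope and those inherited from parents.
    Get-AzRoleAssignment -Scope $shareScope |
        Where-Object { $smbRoles -contains $_.RoleDefinitionName } |
        ForEach-Object {
            [pscustomobject]@{
                Principal = $_.DisplayName
                Type      = $_.ObjectType
                Role      = $_.RoleDefinitionName
                # Anything not scoped to this share also grants access to every other share under that scope.
                Scope     = if ($_.Scope -eq $shareScope) { 'share' } else { "inherited: $($_.Scope)" }
                Elevated  = $_.RoleDefinitionName -like '*Elevated*'
            }
        }
}

# Usage (placeholder values):
Get-SmbShareRoleAssignment -SubscriptionId '00000000-0000-0000-0000-000000000000' `
    -ResourceGroup 'rg-storage' -StorageAccount 'storageaccount' -ShareName 'sharename' |
    Format-Table -AutoSize
```

Anything reported with an "inherited" scope, or with Elevated set to True for a principal that only needs to read and write files, is worth a second look: the Elevated Contributor role is the one that lets a user rewrite the NTFS ACLs you set in the next sections.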

Mapping the Share

After RBAC assignment, a user on a domain-joined machine that can reach a domain controller maps the share with their own identity. The client obtains a Kerberos ticket for the storage account; no storage key is involved:

# Using the signed-in user's domain (Kerberos) credentials (no storage key needed)
net use Z: \\storageaccount.file.core.windows.net\sharename

For first-time setup (to set NTFS permissions), map with the storage account key. The key is a superuser credential: it bypasses both the RBAC and the NTFS layer, so use it only for this step, from a trusted admin workstation, and disconnect the mapping when done:

$storageKey = (Get-AzStorageAccountKey -ResourceGroupName "rg-storage" -AccountName "storageaccount")[0].Value
net use Z: \\storageaccount.file.core.windows.net\sharename /user:Azure\storageaccount $storageKey /persistent:no
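Because the key-based mapping above is a break-glass step, it helps to wrap it so the mapping cannot be left behind and the key that was typed into a command line is retired afterwards. The following PowerShell is an added example (not from the original post): it maps the share with the key for the duration of a setup script block, always disconnects, and optionally rotates key1. It assumes key1 is not used by anything else; rotating it breaks any other consumer holding that key.

```powershell
#Requires -Modules Az.Storage
# Added example: scoped storage-key mapping for ACL setup, with cleanup and key rotation.
# Assumed/placeholder names: rg-storage, storageaccount, sharename, CORP\FileAdmins.
function Invoke-WithStorageKeyMapping {
    param(
        [Parameter(Mandatory)] [string]$ResourceGroup,
        [Parameter(Mandatory)] [string]$StorageAccount,
        [Parameter(Mandatory)] [string]$ShareName,
        [Parameter(Mandatory)] [scriptblock]$Setup,   # receives the mapped drive, e.g. 'Z:'
        [string]$Drive = 'Z:',
        [switch]$RotateKeyAfter                       # assumes key1 has no other consumers
    )

    $unc = "\\$StorageAccount.file.core.windows.net\$ShareName"

    if (Get-PSDrive -Name $Drive.TrimEnd(':') -ErrorAction SilentlyContinue) {
        throw "$Drive is already in use; pick another drive letter"
    }

    # The key is a superuser credential: it bypasses both RBAC and NTFS.
    $key = (Get-AzStorageAccountKey -ResourceGroupName $ResourceGroup -AccountName $StorageAccount)[0].Value

    # /persistent:no so the key-based mapping is not re-created at next logon.
    # The key is still visible to anyone who can read this process's command line while net use runs.
    net use $Drive $unc /user:"Azure\$StorageAccount" $key /persistent:no | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net use failed with exit code $LASTEXITCODE" }

    try {
        & $Setup $Drive
    }
    finally {
        # Always drop the mapping, even if the setup block threw
        net use $Drive /delete /y | Out-Null
        $key = $null
        if ($RotateKeyAfter) {
            # Retire the key that was just used on this machine
            New-AzStorageAccountKey -ResourceGroupName $ResourceGroup -Name $StorageAccount -KeyName key1 | Out-Null
        }
    }
}

# Usage: apply the root ACL from the next section, then rotate key1.
Invoke-WithStorageKeyMapping -ResourceGroup 'rg-storage' -StorageAccount 'storageaccount' `
    -ShareName 'sharename' -RotateKeyAfter -Setup {
        param($d)
        icacls "$d\" /remove "Authenticated Users" /remove "Users"
        icacls "$d\" /grant "CORP\FileAdmins:(OI)(CI)(F)"
    }
```

Once the ACLs are in place, day-to-day administration should go through an identity-based mapping with the Elevated Contributor role rather than the key, so that changes are attributable to a named account.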

Setting NTFS Permissions

With the share mapped, set NTFS permissions. A new share's root ACL grants NT AUTHORITY\Authenticated Users modify and BUILTIN\Users read, so any domain user who passes the RBAC gate can write until those entries are removed:

# Remove the default broad entries (all ACEs for each principal)
icacls Z:\ /remove "Authenticated Users"
icacls Z:\ /remove "Users"

# Grant group permissions; (OI)(CI) makes them inherit to files and subfolders
icacls Z:\ /grant "CORP\FileAdmins:(OI)(CI)(F)"
icacls Z:\ /grant "CORP\FileUsers:(OI)(CI)(M)"
icacls Z:\ /grant "CORP\FileReaders:(OI)(CI)(RX)"

# Creator Owner gets full control of the files and folders they create
# ((IO) means the entry applies to children only, not to the root itself)
icacls Z:\ /grant "Creator Owner:(OI)(CI)(IO)(F)"

Run icacls Z:\ afterwards to confirm the resulting ACL before anyone else connects.

Permission flags:

  • (OI) - Object inherit
  • (CI) - Container inherit
  • (IO) - Inherit only
  • (F) - Full control
  • (M) - Modify
  • (RX) - Read & execute

Folder-Level Permissions

For different permissions per folder, block inheritance first so the root's FileUsers and FileReaders entries do not flow in, then grant explicitly. /inheritance:r removes only inherited ACEs, so it also drops the inherited SYSTEM and Administrators entries; whatever the folder needs must be re-added explicitly:

# Marketing folder - Marketing team only
icacls "Z:\Marketing" /inheritance:r  # Remove inherited permissions
icacls "Z:\Marketing" /grant "CORP\FileAdmins:(OI)(CI)(F)"
icacls "Z:\Marketing" /grant "CORP\Marketing:(OI)(CI)(M)"

# Finance folder - Finance team only
icacls "Z:\Finance" /inheritance:r
icacls "Z:\Finance" /grant "CORP\FileAdmins:(OI)(CI)(F)"
icacls "Z:\Finance" /grant "CORP\Finance:(OI)(CI)(M)"

Automating Permission Setup

PowerShell script for consistent setup. It maps with the storage key, so run it from a trusted admin workstation and rotate the key when the rollout is finished:

#Requires -Modules Az.Storage
param(
  [Parameter(Mandatory)] [string]$StorageAccount,
  [Parameter(Mandatory)] [string]$ShareName,
  [Parameter(Mandatory)] [string]$ResourceGroup,
  # Folder name -> groups that get Modify, e.g. @{ Marketing = @('CORP\Marketing'); Finance = @('CORP\Finance') }
  [hashtable]$FolderPermissions = @{},
  [string]$AdminGroup = 'CORP\FileAdmins'
)

$ErrorActionPreference = 'Stop'

# Get storage key (superuser credential: bypasses RBAC and NTFS)
$key = (Get-AzStorageAccountKey -ResourceGroupName $ResourceGroup -AccountName $StorageAccount)[0].Value

# Map drive for this session only
$drive = "Z:"
net use $drive "\\$StorageAccount.file.core.windows.net\$ShareName" /user:Azure\$StorageAccount $key /persistent:no
if ($LASTEXITCODE -ne 0) { throw "Failed to map $drive (net use exit code $LASTEXITCODE)" }

try {
  # Set root permissions: drop the broad defaults, grant admins
  icacls "$drive\" /remove "Authenticated Users" /remove "Users"
  icacls "$drive\" /grant "${AdminGroup}:(OI)(CI)(F)"

  # Set folder-specific permissions
  foreach ($folder in $FolderPermissions.Keys) {
    $path = "$drive\$folder"

    if (-not (Test-Path $path)) {
      New-Item -Path $path -ItemType Directory | Out-Null
    }

    # Block inheritance first so root-level groups do not flow into the folder
    icacls $path /inheritance:r
    icacls $path /grant "${AdminGroup}:(OI)(CI)(F)"

    foreach ($group in $FolderPermissions[$folder]) {
      icacls $path /grant "${group}:(OI)(CI)(M)"
    }
  }
}
finally {
  # Always disconnect, even if an icacls call failed
  net use $drive /delete /y | Out-Null
}
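The root and per-folder icacls steps above are easy to get subtly wrong (a /remove that did not match, a folder that still inherits from the root), so it is worth checking the result rather than trusting the commands ran. The following PowerShell is an added example (not from the original post): it reads the ACLs back with Get-Acl and reports any broad principal still allowed on the root or on a restricted folder, and any restricted folder whose inheritance is still enabled. It is path-based, so it runs against a mapped drive or a local test folder; the Marketing and Finance folder names are the page's own placeholders.

```powershell
# Added example: audit the NTFS layer after setup. Works on any path (mapped share or local test folder).
function Test-ShareNtfsBaseline {
    param(
        [Parameter(Mandatory)] [string]$Root,          # e.g. 'Z:\'
        [string[]]$RestrictedFolders = @(),            # folders that must have inheritance blocked
        [string[]]$BroadPrincipals = @(                # principals that should never hold an Allow ACE here
            'NT AUTHORITY\Authenticated Users',
            'BUILTIN\Users',
            'Everyone'
        )
    )

    $findings = [System.Collections.Generic.List[object]]::new()

    # Root and every restricted folder get the same principal check.
    $paths = @($Root) + @($RestrictedFolders | ForEach-Object { Join-Path $Root $_ })
    foreach ($p in $paths) {
        if (-not (Test-Path -LiteralPath $p)) {
            $findings.Add([pscustomobject]@{ Path = $p; Issue = 'missing' })
            continue
        }

        $acl = Get-Acl -LiteralPath $p
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and $BroadPrincipals -contains $ace.IdentityReference.Value) {
                $origin = if ($ace.IsInherited) { ' (inherited)' } else { '' }
                $findings.Add([pscustomobject]@{
                    Path  = $p
                    Issue = "broad principal $($ace.IdentityReference.Value) allowed $($ace.FileSystemRights)$origin"
                })
            }
        }

        # A restricted folder that still inherits gets whatever the root grants, defeating the per-team split.
        if ($p -ne $Root -and -not $acl.AreAccessRulesProtected) {
            $findings.Add([pscustomobject]@{ Path = $p; Issue = 'inheritance still enabled' })
        }
    }
    return $findings
}

# Usage after the setup script above (placeholder folder names):
$issues = Test-ShareNtfsBaseline -Root 'Z:\' -RestrictedFolders 'Marketing', 'Finance'
if ($issues.Count -eq 0) { 'NTFS baseline OK' } else { $issues | Format-Table -AutoSize }
```

Run it over an identity-based mapping as a member of FileAdmins rather than over the key-based mapping: that also proves the FileAdmins grant works end to end through both layers.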

Common Issues

"Access Denied" after RBAC assignment:

  • Role assignments take time to propagate (Microsoft's guidance has cited up to 30 minutes); also confirm the assignment landed at the share scope you expected
  • The user may need to sign out and back in so that group membership changes appear in their token
  • Check that the client actually got a Kerberos ticket for the share: klist get cifs/storageaccount.file.core.windows.net. No ticket means the storage account's AD object or SPN is wrong, or the client cannot reach a domain controller
  • Remember the NTFS layer: a role assignment alone does nothing if the root ACL does not allow one of the user's groups

Can't set NTFS permissions:

  • You need the "Storage File Data SMB Share Elevated Contributor" role to change ACLs over an identity-based mapping
  • Or map with the storage key, which bypasses both RBAC and NTFS; treat that as a break-glass setup step, not a daily tool

Permissions not inherited:

  • Check the inheritance flags on the parent folder ((OI)(CI)) and whether the child has inheritance blocked (icacls shows no (I) entries on it)
  • icacls <path> /reset /T replaces the ACLs of the path and everything under it with inherited defaults; it discards explicit entries, so back up first with icacls <path> /save acl-backup.txt /T
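Most "Access Denied" reports on an identity-based mapping come down to one of three things: the account has no directory service configured, TCP 445 to the storage endpoint is blocked, or the client never got a Kerberos ticket for the share's SPN. The following PowerShell is an added example (not from the original post) that checks those three in order from the affected workstation; the resource group and storage account names are placeholders.

```powershell
#Requires -Modules Az.Storage
# Added example: first checks for "Access Denied" on an identity-based mapping.
# Assumed/placeholder names: rg-storage, storageaccount.
function Test-AzureFilesIdentityAuth {
    param(
        [Parameter(Mandatory)] [string]$ResourceGroup,
        [Parameter(Mandatory)] [string]$StorageAccount
    )
    $fqdn   = "$StorageAccount.file.core.windows.net"
    $result = [ordered]@{}

    # 1. The account must have a directory service enabled (AD, AADDS or AADKERB); None means
    #    identity-based mapping can never work and only the storage key will connect.
    $acct = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount
    $result.DirectoryService = $acct.AzureFilesIdentityBasedAuth.DirectoryServiceOptions

    # 2. SMB needs TCP 445 open from this client to the storage endpoint.
    $result.Port445 = (Test-NetConnection -ComputerName $fqdn -Port 445 -WarningAction SilentlyContinue).TcpTestSucceeded

    # 3. Ask the KDC for a service ticket for the share's SPN. Failure here points at the storage
    #    account's AD computer object / SPN, or at the client not reaching a domain controller.
    $klist = klist get "cifs/$fqdn" 2>&1 | Out-String
    $result.KerberosTicket = $klist -match "cifs/$([regex]::Escape($fqdn))"
    $result.KerberosDetail = if ($result.KerberosTicket) { 'ticket issued' } else { ($klist.Trim() -split "`n")[-1].Trim() }

    # 4. Who we tested as, to compare against the share's role assignments and NTFS ACL.
    $result.User = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

    [pscustomobject]$result
}

# Usage (placeholder values):
Test-AzureFilesIdentityAuth -ResourceGroup 'rg-storage' -StorageAccount 'storageaccount'
```

If all three checks pass and access is still denied, the remaining suspects are the two permission layers themselves: the role assignment scope and the NTFS ACL on the path being opened.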

Terraform for Share Structure

Create the folder structure in Terraform. The provider creates directories through the storage API, so this gives you the folders but not their ACLs:

resource "azurerm_storage_share_directory" "marketing" {
  name             = "Marketing"
  storage_share_id = azurerm_storage_share.files.id
}

resource "azurerm_storage_share_directory" "finance" {
  name             = "Finance"
  storage_share_id = azurerm_storage_share.files.id
}

Note: NTFS permissions still need to be set over SMB with the icacls/PowerShell steps above after creation; Terraform has no resource for them.


Need help with Azure Files and identity integration? Get in touch - we help organisations migrate to cloud-based file storage.