A "drop box" folder lets users upload files but prevents them from seeing or modifying other users' uploads. Useful for expense submissions, document collection, or secure file intake.
## The Requirements
- Users can create new files
- Users cannot list folder contents
- Users cannot read other files
- Users can modify their own files (optional)
- Admins have full access
## The Permission Model

The NTFS permissions on the drop box folder that achieve this (submitters get a folder-only ACE; their own files are covered by a CREATOR OWNER ACE):
| Permission | Admin | Submitters |
|---|---|---|
| Traverse Folder / Execute File | ✓ | ✓ |
| List Folder / Read Data | ✓ | ✗ |
| Read Attributes | ✓ | ✓ |
| Read Extended Attributes | ✓ | ✗ |
| Create Files / Write Data | ✓ | ✓ |
| Create Folders / Append Data | ✓ | ✓ |
| Write Attributes | ✓ | ✓ |
| Write Extended Attributes | ✓ | ✗ |
| Delete | ✓ | ✗ |
| Delete Subfolders and Files | ✓ | ✗ |
| Read Permissions | ✓ | ✓ |
## Setting Up with icacls

```powershell
# Map the share with the storage account key (admin task). The key bypasses NTFS
# checks entirely, so only admins should ever map with it.
$key = (Get-AzStorageAccountKey -ResourceGroupName "rg-storage" -AccountName "stfiles")[0].Value
net use Z: "\\stfiles.file.core.windows.net\share" /user:Azure\stfiles $key
# Create the drop box folder
New-Item -Path "Z:\DropBox" -ItemType Directory
# Remove inherited permissions so nothing from the share root grants list/read
icacls "Z:\DropBox" /inheritance:r
# Full control for admins, inherited by subfolders and files
icacls "Z:\DropBox" /grant "CORP\FileAdmins:(OI)(CI)(F)"
# Write-only for submitters (the tricky part). Specific rights go in ONE
# comma-separated group: X = traverse, WD = create files / write data,
# AD = create folders / append data, RA/WA = read/write attributes,
# RC = read permissions. No (OI)/(CI): the ACE applies to the folder only.
icacls "Z:\DropBox" /grant "CORP\Submitters:(X,WD,AD,RA,WA,RC)"
# CREATOR OWNER gets full control of their own files only. (IO) makes the ACE
# inherit-only, so it does not widen rights on the folder itself.
icacls "Z:\DropBox" /grant "CREATOR OWNER:(OI)(CI)(IO)(F)"
```
## Detailed Permission Breakdown

To grant each right as its own ACE, which makes the DACL easier to read when auditing, use the specific-rights syntax one right at a time:

```powershell
# Define the submitter rights explicitly (folder-only ACEs, no inheritance flags)
$permissions = @(
    "CORP\Submitters:(X)",  # Traverse folder / execute file
    "CORP\Submitters:(WD)", # Create files / write data
    "CORP\Submitters:(AD)", # Create folders / append data
    "CORP\Submitters:(RA)", # Read attributes
    "CORP\Submitters:(WA)", # Write attributes
    "CORP\Submitters:(RC)"  # Read permissions
)
foreach ($perm in $permissions) {
    icacls "Z:\DropBox" /grant $perm
}
```
## Azure RBAC Complement

The NTFS permissions work alongside Azure RBAC, which is enforced at the share level. Submitters still need at least the Storage File Data SMB Share Contributor role on the share; the NTFS ACL on the DropBox folder is what stops them reading or listing anything else:

```hcl
resource "azurerm_role_assignment" "dropbox_access" {
  # RBAC scope is the file share; directory-level restriction is done with NTFS ACLs, not RBAC
  scope                = "${azurerm_storage_account.this.id}/fileServices/default/fileshares/share"
  role_definition_name = "Storage File Data SMB Share Contributor"
  principal_id         = data.azuread_group.submitters.object_id
}
```
## Testing the Configuration

```powershell
# As a submitter (map without the storage key, using AD/Kerberos auth so NTFS ACLs apply)
net use Y: "\\stfiles.file.core.windows.net\share"
# This should work - create a file
"Test content" | Out-File "Y:\DropBox\myfile.txt"
# This should fail - list contents
Get-ChildItem "Y:\DropBox"
# Expected: Access Denied
# This should fail - read another user's file
Get-Content "Y:\DropBox\otheruser.txt"
# Expected: Access Denied
# This should work - modify own file (the CREATOR OWNER ACE gave the uploader full control of it)
"Updated content" | Out-File "Y:\DropBox\myfile.txt"
```
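As an added check (not code from the original post), this script reads the DropBox DACL and compares it with the permission table above: it flags any Submitters ACE that grants a right the model denies, inheritance left enabled, and a missing or non-inherit-only CREATOR OWNER ACE. It assumes the Z: mapping and the CORP\Submitters group from the setup section.

```powershell
# Added audit script (not from the original post). Assumes the share is mapped as Z:
# with admin rights and the submitter group is CORP\Submitters.
$Path      = "Z:\DropBox"
$Submitter = "CORP\Submitters"
$FSR       = [System.Security.AccessControl.FileSystemRights]
$acl       = Get-Acl -Path $Path

# Rights the table denies to submitters (ListDirectory is the same bit as ReadData).
$Forbidden = $FSR::ListDirectory -bor $FSR::ReadExtendedAttributes -bor
             $FSR::WriteExtendedAttributes -bor $FSR::Delete -bor
             $FSR::DeleteSubdirectoriesAndFiles -bor $FSR::ChangePermissions -bor
             $FSR::TakeOwnership

$findings = @()
if (-not $acl.AreAccessRulesProtected) {
    $findings += "Inheritance is still enabled on $Path; ACEs from the share root may grant list/read."
}
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow' -or $ace.IdentityReference.Value -ne $Submitter) { continue }
    $bad = $ace.FileSystemRights -band $Forbidden
    if ([int]$bad -ne 0) {
        $findings += "$Submitter ACE grants right(s) the model forbids: $bad"
    }
    # A folder-only ACE must carry no (OI)/(CI); otherwise its rights flow to every upload.
    if ($ace.InheritanceFlags -ne 'None') {
        $findings += "$Submitter ACE has inheritance flags $($ace.InheritanceFlags); rights would propagate to other users' files."
    }
}
# CREATOR OWNER must exist and be inherit-only, or uploaders get no lasting rights on their files.
$co = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq 'CREATOR OWNER' })
if ($co.Count -eq 0) {
    $findings += "No CREATOR OWNER ACE; submitters will not keep rights on the files they upload."
} elseif (-not $co[0].PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::InheritOnly)) {
    $findings += "CREATOR OWNER ACE is not inherit-only (IO); it widens rights on the folder itself."
}

if ($findings.Count -eq 0) { "OK: $Path matches the drop-box permission model" } else { $findings }
```

Run it from the admin mapping after each change to the folder; an unresolvable SID in place of CORP\Submitters would make the identity comparison fail, so check that name resolution works against the domain first.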
## Alternative: Subfolder Per User

For better organisation, create a subfolder per user that only that user and the admins can access:

```powershell
# Script to create user drop boxes (run as admin on the Z: mapping above)
Import-Module ActiveDirectory
$users = Get-ADGroupMember -Identity "Submitters" -Recursive | Where-Object objectClass -eq 'user'
foreach ($user in $users) {
    $path = "Z:\DropBox\$($user.SamAccountName)"
    New-Item -Path $path -ItemType Directory -Force
    # Remove inheritance so the parent folder's Submitters ACE does not apply here
    icacls $path /inheritance:r
    # Grant full control to the user (domain-qualified account name)
    icacls $path /grant "CORP\$($user.SamAccountName):(OI)(CI)(F)"
    # Grant full control to admins
    icacls $path /grant "CORP\FileAdmins:(OI)(CI)(F)"
}
```
## Automating with Azure Automation

Create user folders automatically when they join the group:

```powershell
# Azure Automation Runbook (runs as the Automation account's managed identity,
# which needs permission to read the storage account key)
param([string]$UserPrincipalName)
Connect-AzAccount -Identity
$key = (Get-AzStorageAccountKey -ResourceGroupName "rg-storage" -AccountName "stfiles")[0].Value
$ctx = New-AzStorageContext -StorageAccountName "stfiles" -StorageAccountKey $key
# Create the directory via the Azure Storage API (no SMB mapping needed)
New-AzStorageDirectory -ShareName "share" -Path "DropBox/$UserPrincipalName" -Context $ctx
# Note: this only creates the folder. The per-user NTFS ACL from the previous section
# still has to be applied, e.g. with icacls over SMB from a Hybrid Runbook Worker.
```
## Security Considerations
- Audit logging - Enable Storage Analytics to track uploads
- AV scanning - Consider Azure Defender for Storage
- Size limits - Set quotas to prevent abuse
- Retention - Move files to archive after processing
Need help implementing secure file workflows? Get in touch - we help organisations build compliant document management solutions.