Configure NTFS Permissions (Windows ACLs) on Azure File Share Folders – CyberSecurity Memo

We will configure Windows access control lists (ACLs), also known as NTFS permissions, at the root, directory, or file level on the mounted file share(s). Whereas share-level permissions act as a high-level gatekeeper that determines whether a user can access the share at all, Windows ACLs operate at a more granular level to control what operations the user can perform on a given directory or file.

Both share-level and file/directory-level permissions are enforced when a user attempts to access a file or directory, so if there is a difference between the two, only the most restrictive one will be applied. For example, if a user has read/write access at the file level but only read at the share level, they can only read that file. The same is true if it is reversed: if a user has read/write access at the share level but only read at the file level, they can still only read the file.

There are several ways to apply NTFS permissions during your data migration by using other tools such as azcopy or robocopy. Here are some related posts from this blog:

In this post, I am going to show you another way: mount the file share using the storage account key.

Azure Share-Level Permission Mapping to NTFS Permission

Share-level permission = RBAC permissions.

The following table contains the Azure RBAC permissions related to this configuration. If you are using Azure Storage Explorer, you will also need the Reader and Data Access role in order to read/access the file share.

Table for NTFS Permission (RBAC) + SMB Roles:

Share-level permission (built-in role)           | NTFS permission                            | Resulting access
Storage File Data SMB Share Reader               | Full control, Modify, Read, Write, Execute | Read & execute
Storage File Data SMB Share Reader               | Read                                       | Read
Storage File Data SMB Share Contributor          | Full control                               | Modify, Read, Write, Execute
Storage File Data SMB Share Contributor          | Modify                                     | Modify
Storage File Data SMB Share Contributor          | Read & execute                             | Read & execute
Storage File Data SMB Share Contributor          | Read                                       | Read
Storage File Data SMB Share Contributor          | Write                                      | Write
Storage File Data SMB Share Elevated Contributor | Full control                               | Modify, Read, Write, Edit (Change permissions), Execute
Storage File Data SMB Share Elevated Contributor | Modify                                     | Modify
Storage File Data SMB Share Elevated Contributor | Read & execute                             | Read & execute
Storage File Data SMB Share Elevated Contributor | Read                                       | Read
Storage File Data SMB Share Elevated Contributor | Write                                      | Write

Permission Matrix for RBAC with SMB Roles (Reader, Contributor, Elevated Contributor):

Supported Windows ACLs (NTFS)

Azure Files supports the full set of basic and advanced Windows ACLs.

Users and their definitions:

BUILTIN\Administrators: Built-in security group representing administrators of the file server. This group is empty, and no one can be added to it.
BUILTIN\Users: Built-in security group representing users of the file server. It includes NT AUTHORITY\Authenticated Users by default. For a normal file server, you can configure the membership definition per server. For Azure Files, there is no hosting server, hence BUILTIN\Users includes the same set of users as NT AUTHORITY\Authenticated Users.
NT AUTHORITY\SYSTEM: The service account of the operating system of the file server. Such a service account does not apply in the Azure Files context. It is included in the root directory to be consistent with the Windows File Server experience for hybrid scenarios.
NT AUTHORITY\Authenticated Users: All users in AD that can get a valid Kerberos token.
CREATOR OWNER: Each object, either directory or file, has an owner. If there are ACLs assigned to CREATOR OWNER on that object, then the user that is the owner of this object has the permissions to the object defined by the ACL.

The following permissions are included at the root directory of a file share:

  • BUILTIN\Administrators:(OI)(CI)(F)
  • BUILTIN\Users:(RX)
  • BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
  • NT AUTHORITY\Authenticated Users:(OI)(CI)(M)
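Once the share is mounted, it is worth checking that the root ACL still matches the default entries listed above and has not picked up extra principals or broader rights over time. The script below is an added example, not code from the original post: it reads the root ACL with Get-Acl and reports any Allow entry for a principal outside the default set, or any broad group holding Full Control. The drive letter Z: and the $Baseline list are assumptions; adjust them to your share.

```powershell
# Added example (not from the original post): audit the root ACL of a mounted Azure file share
# against the default principals the post lists. Assumptions: the share is mounted on Z: with
# 'net use', and $Baseline holds the principals you expect to see at the root.

function Get-RootAce {
    # Flatten each ACE on the share root into a plain object for reporting.
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -LiteralPath $Path).Access | ForEach-Object {
        [pscustomobject]@{
            Identity    = $_.IdentityReference.Value
            Type        = $_.AccessControlType.ToString()
            Rights      = $_.FileSystemRights.ToString()   # the (IO)(GR,GE) entry shows as a raw number here
            Inheritance = $_.InheritanceFlags.ToString()
            Propagation = $_.PropagationFlags.ToString()
        }
    }
}

function Test-RootAcl {
    # Returns the ACEs that deviate from the expected default set:
    #  - any Allow ACE for a principal not in the baseline (a stray user, Everyone, ...)
    #  - any principal other than BUILTIN\Administrators holding FullControl
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Baseline = @(
            'BUILTIN\Administrators',
            'BUILTIN\Users',
            'NT AUTHORITY\SYSTEM',
            'NT AUTHORITY\Authenticated Users',
            'CREATOR OWNER'
        )
    )
    $findings = @()
    foreach ($ace in Get-RootAce -Path $Path) {
        if ($ace.Type -ne 'Allow') { continue }
        if ($ace.Identity -notin $Baseline) {
            $findings += [pscustomobject]@{ Reason = 'Principal not in baseline'; Ace = $ace }
        }
        elseif ($ace.Identity -ne 'BUILTIN\Administrators' -and $ace.Rights -match 'FullControl') {
            $findings += [pscustomobject]@{ Reason = 'FullControl granted to a broad group'; Ace = $ace }
        }
    }
    $findings
}

# Usage (share mounted on Z: as described in the next section):
# Get-RootAce -Path 'Z:\' | Format-Table -AutoSize
# Test-RootAcl -Path 'Z:\' | Format-List
```

An empty result from Test-RootAcl means the root still carries only the default principals; anything it returns is an entry that someone added on top of the defaults and should be explained before ACLs are synced from on-prem.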

Mount the file share using the storage account key

Before you configure Windows ACLs, you must first mount the file share by using your storage account key. To do this, log into a domain-joined device, open a Windows command prompt, and run the following command. Remember to replace <YourStorageAccountName>, <FileShareName>, and <YourStorageAccountKey> with your own values. If Z: is already in use, replace it with an available drive letter. You can find your storage account key in the Azure portal by navigating to the storage account and selecting Security + networking > Access keys, or you can use the Get-AzStorageAccountKey PowerShell cmdlet.

It is important that you use the net use Windows command to mount the share at this stage and not PowerShell. If you use PowerShell to mount the share, then the share will not be visible to Windows File Explorer or cmd.exe, and you will have difficulty configuring Windows ACLs.

net use Z: \\<YourStorageAccountName>.file.core.windows.net\<FileShareName> /user:localhost\<YourStorageAccountName> <YourStorageAccountKey>

To get your access key, you will find the Access keys menu in the left panel of your storage account page:

Example with real values:

net use R: \\fileshare4test.file.core.windows.net\fstest /user:localhost\fileshare4test h1GUuy3YasaG1LLNjQLQ8wD9PpYtyeVY1MY6s4s11BJLJQTzyUaX69LzYsDVyYOKm3cXgrsvYOpX+AStkQD+zW==

Other Commands:

Robocopy command that copies permissions along with the data:

Robocopy "F:\testshare" "R:\test" /COPY:DAT /SEC /MIR /R:10 /W:5 /V /ETA

azcopy command that copies permissions along with the data:

./azcopy.exe copy "F:\testshare" "https://fileshare4test.file.core.windows.net/fstest/testfolder/?sv=2021-06-08&ss=bfqt&srt=sco&sp=rwdlacupiytfx&se=2022-09-13T05:11:14Z&st=2022-09-12T21:11:14Z&spr=https&sig=85MdmVM%2FGwPmAQSay0sDC1mCboxZZP62UdFnYmW1HHR%3D" --preserve-smb-info=true --preserve-smb-permissions=true --disable-auto-decoding=false --recursive --log-level=INFO

Assign proper NTFS permissions to the mounted file share drive (the one you mounted using the storage account name and access key)

Mount File Shares

For file shares created in an Azure storage account, the users who will control NTFS ACL permissions will need to have the role “Storage File Data SMB Share Elevated Contributor”, which allows them to give / delete / modify users' NTFS permissions.

After you have completed the above steps:

1. Mounted the Azure file share using the storage account name and key, and assigned a user full control NTFS permission.

2. For the user you gave full control NTFS ACL permission, assigned that user the “Storage File Data SMB Share Elevated Contributor” role.

you should be able to sync all NTFS ACLs from on-prem files to Azure file shares using tools like Robocopy or AzCopy.

The key is to give a user full control first, using the storage account name and key to mount the file share.
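The whole procedure (fetch the key, mount with net use, grant NTFS Full Control, assign the share-level role, verify) as one script. This is an added example, not code from the original post. It assumes the Az PowerShell module is installed and Connect-AzAccount has been run, that the operator can read the storage account keys and assign roles on the share, and that the resource names, the domain user CONTOSO\fileadmin, its sign-in name, and drive Z: are placeholders you replace with your own values.

```powershell
# Added example, not code from the original post. Placeholders: resource group, storage
# account, share name, drive letter, and the ACL administrator account are all assumptions.
$ResourceGroup  = 'rg-placeholder'
$StorageAccount = 'stplaceholder'
$ShareName      = 'fstest'
$DriveLetter    = 'Z:'
$AclAdmin       = 'CONTOSO\fileadmin'          # domain user who will manage NTFS ACLs
$AclAdminUpn    = 'fileadmin@contoso.com'      # same user, as seen by Azure RBAC
$SubscriptionId = (Get-AzContext).Subscription.Id

# 1. Pull the storage account key from Azure instead of pasting it on the command line, so it
#    does not land in shell history or screenshots.
$Key = (Get-AzStorageAccountKey -ResourceGroupName $ResourceGroup -Name $StorageAccount)[0].Value

# 2. Mount with the Windows 'net use' command (net.exe), not New-PSDrive: a New-PSDrive
#    mapping is not visible to File Explorer or cmd.exe, so ACL editors would not see the drive.
$Unc = "\\$StorageAccount.file.core.windows.net\$ShareName"
net.exe use $DriveLetter $Unc "/user:localhost\$StorageAccount" $Key
if ($LASTEXITCODE -ne 0) { throw "net use failed with exit code $LASTEXITCODE" }

# 3. NTFS side: give the ACL administrator Full Control on the share root, inheritable by
#    existing and new subfolders and files ((OI)(CI)), so robocopy /SEC or azcopy
#    --preserve-smb-permissions can later write ACLs underneath.
icacls.exe "$DriveLetter\" /grant "${AclAdmin}:(OI)(CI)F"
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# 4. Share-level side: the same user needs 'Storage File Data SMB Share Elevated Contributor'
#    on the share; without it the NTFS Full Control collapses to the more restrictive
#    share-level right, per the mapping table above. Scope is the individual file share.
$ShareScope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
              "/providers/Microsoft.Storage/storageAccounts/$StorageAccount" +
              "/fileServices/default/fileshares/$ShareName"
New-AzRoleAssignment -SignInName $AclAdminUpn `
    -RoleDefinitionName 'Storage File Data SMB Share Elevated Contributor' `
    -Scope $ShareScope

# 5. Verify the NTFS entry landed with the expected rights and inheritance flags.
(Get-Acl -LiteralPath "$DriveLetter\").Access |
    Where-Object { $_.IdentityReference.Value -eq $AclAdmin } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize

# 6. Drop the key from the session once the mapping exists; remove the mapping when finished.
Remove-Variable Key
# net.exe use $DriveLetter /delete
```

Step 5 should show the user with FullControl and ContainerInherit, ObjectInherit on the root. After that, the robocopy /SEC or azcopy --preserve-smb-permissions run from the previous section can be executed as that user, and the ACLs it writes are bounded by both the share-level role and this NTFS entry.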

