We are excited to announce the preview of Azure Active Directory authentication for Azure Files SMB access leveraging Azure AD Domain Services (AAD DS). Azure Files offers fully managed file shares in the cloud that are accessible via the industry standard SMB protocol. Integration with AAD enables SMB access to Azure file shares using AAD credentials from AAD DS domain joined Windows VMs. In addition Azure Files supports preserving, inheriting, and enforcing Microsoft file system NTFS ACLs on all folders and files in a file share.
With this capability, we can extend the traditional identity-based share access experience that you are most familiar with to Azure Files. For lift and shift scenarios, you can sync on-premises AD to AAD, migrate existing files with ACLs to Azure Files, and enable your organization to access file shares with the same credentials with no impact to the business.
In addition to this, we have enhanced our access control story by enforcing granular permission assignment on the share, folder, and file levels. You can use Azure Files as the storage solution for project collaboration, leveraging folder or file level ACLs to protect your organization’s sensitive data.
Previously, when you imported files to Azure file shares, only the data was preserved, not the ACLs. If you used Azure Files as a cloud backup, all access assignments would be lost when you restored your existing file shares from Azure Files. Now, Azure Files can preserve your ACLs along with your data, providing you a consistent storage experience.
Here are the key capabilities introduced in this preview:
Support share Level permission assignment using Role Based Access Control (RBAC).
Similar to the traditional Windows file sharing schema, you can give authorized users share level permissions to access your Azure File Share.
Enforce NTFS folder and file level permission.
Azure Files enforces standard NTFS file permission on the folder and file level, including the root directory. You can simply use the icacls or Powershell command tool to set or change permissions over mounted file shares.
Continue to support storage account key for Super User experience.