Share via

Azure Files - Read Only Access

Philip Preece 41 Reputation points
2025-02-20T09:35:16.5766667+00:00

We have a M365/Entra ID environment. All users are setup in M365 (ie: fully cloud, we have no on-prem ADDS or Entra DS). We would like to give some users full access and other users read only access to an Azure File share? If we use the 'Access Keys' method to map a network drive, all users then have full access to the Azure File share. We have also tried mapping a drive (through Powershell), using a Shared Access Token, but this failed. When we look at enabling Identity Source on the Azure Storage Account, it suggests Entra ID isn't supported. Surely that cannot be right?

User's image

Azure Files
Azure Files
An Azure service that offers file shares in the cloud.
1,370 questions
0 comments
Accepted answer
  1. Venkatesan S 420 Reputation points Microsoft Vendor
    2025-02-25T10:13:32.1133333+00:00

    Hi @Philip Preece

    Azure File Shares using cloud-only Microsoft Entra ID (Azure AD) identities over SMB is not supported without integrating with either:

    • Active Directory Domain Services (AD DS) — via Azure AD Connect or Cloud Sync to sync on-premises AD identities with Entra ID.
    • Microsoft Entra Domain Services (Entra DS) — a managed domain service that allows Entra ID authentication over SMB.

    Supported Scenarios for SMB Access:

    • On-Prem AD DS → Entra ID (Hybrid): Sync AD identities to Entra ID and access Azure File Shares over SMB.
    • Entra Domain Services (Entra DS): Use Entra DS-joined VMs to access Azure File Shares.
    • Entra Kerberos for Hybrid Identities: Allows hybrid identities to use Kerberos for SMB access—cloud-only identities are not supported.
    • Linux Clients via AD Kerberos: Linux clients can authenticate over SMB using AD DS or Entra DS.

    As a workaround for cloud-only Entra ID users, consider using the Azure Files REST API with OAuth tokens or SAS tokens.

    You can assign the appropriate built-in role to your user to grant access the Azure file share.

    Command:

    $User = "xxxxx"
$PWord = ConvertTo-SecureString -String "password" -AsPlainText -Force
$tenant = "xxx"
$subscription = "xxxx"
$Credential = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList $User,$PWord
Connect-AzAccount -Credential $Credential -Tenant $tenant -Subscription $subscription
$ctxkey = (Get-AzStorageAccount -ResourceGroupName "venkatesan-rg" -Name "venkat9012").Context

    Note:
    The above command connects your Entra ID with the Azure file share. However, while these alternatives allow access to Azure file shares, they do not support SMB protocol access for cloud-only Entra ID identities.

    Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members. User's image

    If you have any other questions or are still running into more issues, let me know in the “comments” and I would be happy to help you.

    1 person found this answer helpful.

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Hari Babu Vattepally 1,725 Reputation points Microsoft Vendor
    2025-02-20T13:48:21.24+00:00

    Hi @Philip Preece,

    Greetings!

    As mentioned above that, you would like to give some users full access and other users read only access to an Azure File share.

    In order to achieve that, I would request you to follow the below steps:

    Please Enable Microsoft Entra Domain Services authentication for your account.

    Please keep in mind that you can enable Microsoft Entra Domain Services authentication over SMB only after you've successfully deployed Microsoft Entra Domain Services to your Microsoft Entra tenant. For more information, see the prerequisites.

    Then by giving the share-level permission to the users this can resolved. You can use the Azure portal, Azure PowerShell, or Azure CLI to assign the built-in roles to the Microsoft Entra identity of a user for granting share-level permissions.

    • Navigate to Portal and locate your Azure File share account
    • On left panel Select Access Control (IAM) >> Click ADD to Add role assignment to the users.
    • In the Add role assignment blade, select the appropriate built-in role from the Role list.
    • To give full access to the Users assign Storage File Data SMB Share Elevated Contributor
    • To give read-only access to Users, assign Storage File Data SMB Share Reader
    • Leave Assign access to at the default setting: Microsoft Entra user, group, or service principal. Select the target Microsoft Entra identity by name or email address. The selected Microsoft Entra identity must be a hybrid identity and cannot be a cloud only identity**.** This means that the same identity is also represented in AD DS.
    • Select Save to complete the role assignment operation.

    User's image

    For more information, please refer the below documents related to share-level permissions:

    Share-level permissions for specific Microsoft Entra users or groups.

    Access Azure file shares using Microsoft Entra ID with Azure Files OAuth over REST

    Enable access to Azure file shares using OAuth over REST

    However, as mentioned that you have even tried setting up by mapping network Drive. Here, you can use OAuth token to map the network drive instead of using access keys.

    So, this will ensure that users authenticate with their Entra ID credentials and get the appropriate access level.

    I hope by following the above steps, you should be able to assign different access level to users for your Azure File Share.

    Please let us know if you have any further queries in comments sections. I’m happy to assist you further.

    Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.