Folder Level permissions on an Azure File Storage (SMB Share) via Azure Function or CLI

Jan 25

We have a custom solution that hosts a bunch of files, that are supposed to be handled in an Azure Storage account. The majority of their lifecycle they sit in Blob storage and access is handled via SAS Token created for Users after authentication and Authorization validation (no problems here).

Now those files need to be copied to an Azure File Share, that is mounted to the client system (to allow Adobe Acrobat interactions). But the files need to reside in specific folders in the File Share with very specific Folder permissions, so that each user can only access their Folder of the global share (similar to any on-premises File Share before the age of cloud).

I was able to activate Identity-based access via AD DS. I can now mount the drive with the Storage File Data SMB Share Elevated Contributor RBAC Role assigned. It allows me to can change Folder permissions on my local machine (so far so good).

Now the question, is there any way how this can be done from within Azure as it will be an on-demand action handled by our Web App and a an existing set of Azure Functions ?

I did try to validate it with an Azure CLI console and run the simplest command "az storage fs access show" but this already fails with permission issues. I also tried multiple Azure Functions with C# to set those permissions. In one of my attempts I used FileSystemAccessRule on a DirectoryInfo Object.

So what is the correct way to set Folder level permissions on a SMB File Share in Azure in an automated way, so that I do NOT have to run any on-premises code ?

Keshavulu Dasari 3,790 Reputation points Microsoft Vendor

2025-02-21T19:55:12.6333333+00:00
Hi Jan ,

To set folder-level permissions on an Azure File Share in an automated way, you can use Azure CLI or Azure Functions with the appropriate permissions.

Make sure the identity running the Azure CLI or Azure Functions has the necessary roles assigned. The Storage File Data SMB Share Elevated Contributor role is required for setting NTFS permissions.

You can use Azure CLI to manage access control lists on your Azure File Share. example of how to set ACLs using Azure CLI,

az storage fs access set --account-name <storage-account-name> --file-system <file-system-name> --path <path> --acl <acl-spec>

Replace <storage-account-name>, <file-system-name>, <path>, and <acl-spec> with your specific values.

After assigning share-level permissions, configure Windows ACLs (NTFS permissions) at the directory or file level. This can be done using the Azure CLI or programmatically via Azure Functions, if you encounter permission issues, ensure that the identity used has the necessary permissions and that the network connectivity to the domain controller is unimpeded

For more information:

https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-assign-share-level-permissions?tabs=azure-portal

https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-configure-file-level-permissions

I hope this information helps. Please do let us know if you have any further queries.
Jan 25 Reputation points

2025-02-21T20:10:35.7733333+00:00
The account used has the RBAC roles,

Storage File Data SMB Share Elevated Contributor,

Owner

Reader,

,according to the Check access function on the File Share.

The CLI command you posted seems to be missing the authentication setting (--auth-mode login, --account-key or --sas-token.)

Server failed to authenticate the request. Please refer to the information in the www-authenticate header.

Using --auth-mode while logged into the azure portal, I get the message:

You do not have the required permissions needed to perform this operation. Depending on your operation, you may need to be assigned one of the following roles: "Storage Blob Data Owner" "Storage Blob Data Contributor" "Storage Blob Data Reader" "Storage Queue Data Contributor" "Storage Queue Data Reader" "Storage Table Data Contributor" "Storage Table Data Reader"

Since this is a File Share and not a Blob, Queue or Table this message is a bit misleading.

I think the C# Code example you posted was the exact code I tried and failed, let me test that example again.
Keshavulu Dasari 3,790 Reputation points Microsoft Vendor

2025-02-21T23:09:34.44+00:00
Hi Jan ,

I understand you are encountering some issues with permissions and authentication settings

The roles you mentioned (Storage File Data SMB Share Elevated Contributor, Owner, Reader) should generally be sufficient. However, for setting ACLs, you might need to ensure that the specific roles for Azure Files are correctly assigned. Double-check that the roles are applied to the correct scope (e.g., the specific file share or storage account).

When using Azure CLI, you need to ensure that the authentication mode is correctly set. Here’s an example of how to use --auth-mode with --account-key:

az storage fs access show --account-name <your-storage-account> --account-key <your-account-key> --auth-mode key

If you prefer using --auth-mode login, make sure you are logged in with an account that has the necessary permissions:

az login az storage fs access show --account-name <your-storage-account> --auth-mode login

If you still encounter permission issues, Use the Azure portal to check the effective permissions for the user or service principal. Ensure that role assignments have propagated correctly. Sometimes, it might take a few minutes for changes to take effect. Ensure that the Azure Function has network connectivity to the storage account and any necessary domain controllers if using AD DS.

I hope this information helps. Please do let us know if you have any further queries
Keshavulu Dasari 3,790 Reputation points Microsoft Vendor

2025-02-24T17:03:43.14+00:00

Hi Jan ,

If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you
Jan 25 Reputation points

2025-02-24T17:49:41.0233333+00:00

Hi Keshavulu,

I appreciate your AI generated code snippets, but I already went down that road to no success.

If you could kindly take those examples and run them in your environment and let me know how they work (maybe include some screenshots), that would be very helpful.

I did already fully extend CoPilot and received tons of suggestions that all fail, as soon as you point out deprecated or non existing namespaces and packages in the example provided. (Here one example of a few dozen one-way streets that CoPilot retracted after pointing out that the example does not work)

In your latest example you provided, you have a using for Microsoft.Azure.Storage which is a deprecated Namespace :( https://learn.microsoft.com/en-us/dotnet/api/microsoft.azure.storage.file?view=azure-dotnet-legacy
Keshavulu Dasari 3,790 Reputation points Microsoft Vendor

2025-02-25T18:35:16.75+00:00

Hi Jan

I understand your frustration with the deprecated namespaces. Using the latest Azure SDKs and ensure we have the correct permissions and settings.

Verify that your account has the storage File Data SMB Share Contributor role, in addition to the roles you mentioned.

Instead of using deprecated namespaces, let's use the Azure.Storage.Files.Shares namespace from the latest Azure SDK.
Ensure you have the latest Azure SDK installed. You can install it via NuGet, Execute the code in your environment. Make sure your Azure Function or application has the necessary permissions and is authenticated correctly.

If you encounter any issues, double-check the permissions and ensure the storage account is configured for identity-based access.

For more information, please review the detailed documentation on configuring directory and file-level permissions for Azure Files

I hope this information helps! Let us know if you have any further questions. We will be glad to assist you further.
Keshavulu Dasari 3,790 Reputation points Microsoft Vendor

2025-02-25T18:38:25.0033333+00:00

If you have any other questions or are still running into more issues, let me know in the "comments" and I would be glad to assist you

1 answer

Jan 25 Reputation points

2025-02-26T18:22:49.7633333+00:00
After spending a lot of additional hours, I finally found a solution to the issue.

First, you have to use the Azure.Storage.Files.Shares Namespace.

using Azure.Storage; using Azure.Storage.Files.Shares; using Azure.Storage.Files.Shares.Models;

var shareClient = new ShareClient(new Uri($"https://{storageAccountName}.file.core.windows.net/{shareName}"), new StorageSharedKeyCredential(storageAccountName, storageAccountKey)); var directoryClient = shareClient.GetDirectoryClient(folderPath); foreach (var item in directoryClient.GetFilesAndDirectories()) { var fileClient = directoryClient.GetFileClient(item.Name); // ShareFileProperties properties = fileClient.GetProperties(); // var permissions = properties.SmbProperties.FilePermissionKey; //to read the existing permissions var smbProperties = new FileSmbProperties { FilePermissionKey = "1234567890123456789*1234567890123456789" }; var httpHeadersOptions = new ShareFileSetHttpHeadersOptions { SmbProperties = smbProperties }; await fileClient.SetHttpHeadersAsync(httpHeadersOptions);

I still do not know exactly how to "create" a new FilePermissionKey, as this seems to be 19 digit number * 19 digit number.

But If I read the existing permissions form a different file / folder

var permissions = properties.SmbProperties.FilePermissionKey;

And apply the same value to another File or Folder, it does apply the same permissions.

So only thing left is to explore how I can create those required FilePermissionKey values on demand.
Please sign in to rate this answer.
Keshavulu Dasari 3,790 Reputation points Microsoft Vendor

2025-02-26T21:35:45.4866667+00:00

Hi Jan

Good to see that you found a solution, you are right with using the Azure.Storage.Files.Shares namespace and setting the Filepermissionkey .

Creating a new Filepermissionkey can be a bit tricky since it involves generating a unique identifier that represents the permissions. Unfortunately, the Azure SDK does not provide a direct method to create a new Filepermissionkey programmatically. However, you can manage permissions by copying existing keys, as you are discovered.

You can read the existing Filepermissionkey from another file or folder and apply it to the new one,Use the SetHttpHeaderAsync method to apply the permissions to the desired file or folder.

If you need to create new Filepermissionkey values, consider using a combination of existing permissions and modifying them as needed. You might need to manually create these keys based on your specific requirements. Please Let us know if you have any further questions. We will be glad to assist you further.

If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Folder Level permissions on an Azure File Storage (SMB Share) via Azure Function or CLI

1 answer

Your answer