Azure File Sync to an external Tenant

Matt Hyden 0 Reputation points
2025-03-12T16:34:58.9833333+00:00

We have an external supplier who are suggesting we use Azure File Sync installed on our local on-prem network server in order to sync files into their tenant's Azure File Share area.

I'm concerned about the security risks associated with this and would appreciate knowing whether you think these concerns are valid or indeed legitimate risks.

A.) We have no oversight on how the external tenant is securing the permissions of their Azure File Shares, or if they are also using Azure File Sync themselves to then offload data from their Azure File Shares to their own local server.

B.) Am I correct in thinking that the path to be sync'd can be changed? For example, they may be able to enumerate the drive/s of our on-premises server by choosing to sync a different path to what we are intending them to sync? If this is the case, what's to stop them enumerating scheduled tasks and then editing a scheduled task on their side to sync back to ourselves? If this was possible, in theory that could lead to a full domain compromise if they were able to edit a scheduled task to run a script they created and sync'd back into our local server. Perhaps a reverse shell or other malicious script?

C.) From a non-repudiation perspective, am I correct in thinking that we wouldn't necessarily have a good audit trail of the activity they may be conducting associated with the sync of files?

D.) Am I correct in thinking Microsoft do not recommend Azure File Sync to be used to external tenants for the reasons above?

Any information in regard to the above would be most welcome.

Thanks.

Azure Files
An Azure service that offers file shares in the cloud.

1 answer

  1. Keshavulu Dasari 4,110 Reputation points Microsoft External Staff
    2025-03-12T17:24:06.7833333+00:00

    Hi Matt Hyden,

    Using Azure File Sync to sync files with an external tenant does raise several valid security concerns.

    You are correct that without oversight on how the external tenant secures their Azure File Shares, there is a risk. If they are also using Azure File Sync, it could lead to potential data exposure or unauthorized access to your files.

    Regarding the ability to change the sync path, Azure File Sync does not inherently allow external tenants to enumerate drives or change sync paths on your local server. However, if there are misconfigurations or vulnerabilities, there could be risks associated with unauthorized access. The concern about a reverse shell or malicious scripts is valid in scenarios where proper security measures are not enforced.
    Azure security baseline for Azure File Sync

    From a non-repudiation perspective, there might be challenges in maintaining a comprehensive audit trail of activities conducted by the external tenant during the sync process. This could make it difficult to trace actions taken during the file sync.

    Microsoft does not explicitly recommend using Azure File Sync for external tenants due to the security implications and the need for proper conditional access policies to be in place. Ensuring that these policies are compatible with external access is crucial to maintaining security.

    External data sharing in Microsoft Fabric

    It's essential to evaluate these risks and implement appropriate security measures before proceeding with such a setup.


    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.

    If you have any other questions or are still running into more issues, let me know in the "comments" and I would be glad to assist you.

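A local check related to concerns B and C in the question, as an added example that is not part of the original thread or of Microsoft's guidance: Azure File Sync is bidirectional, so content written to the cloud share is synced down into the local server endpoint folder, and nothing that runs automatically should execute from that folder. The script lists scheduled tasks and services that reference the synced folder and reports whether the folder has any audit (SACL) entries; `$SyncRoot` and its default value are hypothetical placeholders for your own server endpoint path.

```powershell
# Added example. Run elevated on the server hosting the Azure File Sync agent.
# $SyncRoot is a hypothetical placeholder for your server endpoint path.
param(
    [string]$SyncRoot = 'D:\SupplierSync'
)

# Match the sync root only as a whole path component, so 'D:\SupplierSync2' is not a hit.
$root    = [System.IO.Path]::GetFullPath($SyncRoot).TrimEnd('\')
$pattern = [regex]::Escape($root) + '(\\|["''\s]|$)'

function Test-UnderSyncRoot {
    param([string]$Text)
    if ([string]::IsNullOrWhiteSpace($Text)) { return $false }
    # Expand %VAR% references before matching; -match is case-insensitive.
    return [Environment]::ExpandEnvironmentVariables($Text) -match $pattern
}

$findings = @()

# Scheduled tasks whose program, arguments or working directory point into the synced folder.
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments) $($action.WorkingDirectory)"
        if (Test-UnderSyncRoot $cmd) {
            $findings += [pscustomobject]@{
                Type = 'ScheduledTask'; Name = "$($task.TaskPath)$($task.TaskName)"; Command = $cmd
            }
        }
    }
}

# Services whose binary path points into the synced folder.
foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    if (Test-UnderSyncRoot $svc.PathName) {
        $findings += [pscustomobject]@{
            Type = 'Service'; Name = $svc.Name; Command = $svc.PathName
        }
    }
}

# Audit (SACL) entries on the synced folder. With none, file writes arriving in the
# folder produce no Security log events (event ID 4663 also needs the "File System"
# audit subcategory enabled in the audit policy).
$auditRules = @((Get-Acl -Path $SyncRoot -Audit).Audit)

$findings | Format-Table -AutoSize
"Audit rules on ${SyncRoot}: $($auditRules.Count)"
```

Any row in the findings table is something that would execute content the sync partner can change; an audit rule count of 0 means the local server records no file-level trail for the synced folder.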
