Hi @Philip Preece,
Greetings!
As mentioned above, you would like to give some users full access and other users read-only access to an Azure file share.
In order to achieve that, I would request you to follow the below steps:
Please Enable Microsoft Entra Domain Services authentication for your account.
Please keep in mind that you can enable Microsoft Entra Domain Services authentication over SMB only after you've successfully deployed Microsoft Entra Domain Services to your Microsoft Entra tenant. For more information, see the prerequisites.
Then, by giving share-level permissions to the users, this can be resolved. You can use the Azure portal, Azure PowerShell, or Azure CLI to assign the built-in roles to the Microsoft Entra identity of a user for granting share-level permissions.
- Navigate to the Portal and locate your Azure File share account.
- On the left panel, select Access Control (IAM) >> click Add to add a role assignment for the users.
- In the Add role assignment blade, select the appropriate built-in role from the Role list.
- To give full access to the users, assign Storage File Data SMB Share Elevated Contributor.
- To give read-only access to users, assign Storage File Data SMB Share Reader.
- Leave Assign access to at the default setting: Microsoft Entra user, group, or service principal. Select the target Microsoft Entra identity by name or email address. The selected Microsoft Entra identity must be a hybrid identity and cannot be a cloud-only identity. This means that the same identity is also represented in AD DS.
- Select Save to complete the role assignment operation.
For more information, please refer to the documents below related to share-level permissions:
Share-level permissions for specific Microsoft Entra users or groups.
Access Azure file shares using Microsoft Entra ID with Azure Files OAuth over REST
Enable access to Azure file shares using OAuth over REST
However, you mentioned that you have even tried setting this up by mapping a network drive. Here, you can use an OAuth token to map the network drive instead of using access keys.
So, this will ensure that users authenticate with their Entra ID credentials and get the appropriate access level.
I hope that by following the above steps, you will be able to assign different access levels to users for your Azure File Share.
Please let us know if you have any further queries in the comments section. I'm happy to assist you further.
Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.
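
The portal steps in the answer above, scripted with Azure PowerShell as an added example (not part of the original answer or Microsoft's documentation). It assumes the Az module with an active `Connect-AzAccount` session; the angle-bracket values and the two group names are hypothetical placeholders, and groups are used instead of individual users as an assumption.

```powershell
# Added example. Placeholder values below are assumptions; replace them with your own.
$subscriptionId = '<subscription-id>'
$resourceGroup  = '<resource-group>'
$storageAccount = '<storage-account>'
$shareName      = '<share-name>'

# Scope the assignments to the one share rather than the whole storage account.
$scope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
         "/providers/Microsoft.Storage/storageAccounts/$storageAccount" +
         "/fileServices/default/fileshares/$shareName"

# Hypothetical group names mapped to the two built-in roles named in the answer.
$assignments = @{
    'FileShare-FullAccess' = 'Storage File Data SMB Share Elevated Contributor'
    'FileShare-ReadOnly'   = 'Storage File Data SMB Share Reader'
}

foreach ($groupName in $assignments.Keys) {
    $role  = $assignments[$groupName]
    $group = Get-AzADGroup -DisplayName $groupName
    if (-not $group) { Write-Warning "Group '$groupName' not found; skipping."; continue }

    # Skip if this exact assignment already exists directly at the share scope.
    $existing = Get-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $role -Scope $scope |
        Where-Object { $_.Scope -eq $scope }
    if ($existing) { Write-Host "'$groupName' already has '$role'."; continue }

    New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $role -Scope $scope | Out-Null
    Write-Host "Assigned '$role' to '$groupName'."
}

# Review: list every SMB share role effective at this scope, including ones
# inherited from the storage account, resource group, or subscription.
Get-AzRoleAssignment -Scope $scope |
    Where-Object { $_.RoleDefinitionName -like 'Storage File Data SMB Share*' } |
    Sort-Object RoleDefinitionName, DisplayName |
    Format-Table DisplayName, RoleDefinitionName, Scope -AutoSize
```

Role assignments are additive, so an identity that is in both groups, or that inherits a contributor role from a broader scope, ends up with more than read-only access; the final listing is there to catch that.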