Azure Files identity-based authentication over SMB using Microsoft Entra Domain Services authentication for cloud-only identities

DavidO-0335 20 Reputation points
2024-11-23T20:04:30.8966667+00:00

Hello, I'm looking for some advice on this hypothetical scenario.

Suppose I have a cloud-only identity which is a security group in Microsoft Entra named Group1.

I have an Azure Files file share named share1.

I want to be able to grant Group1 Azure RBAC read-only permissions to share1.

And in this scenario, my authentication scenario is Microsoft Entra Domain Services authentication. With that method, the user/identity can be cloud-only or hybrid. In this scenario, the identity (Group1) is cloud-only.

After enabling my AD source, I then want to proceed to assign share-level permissions. But according to the documentation, I'm not allowed to assign share-level permissions to a specific Microsoft Entra group like Group1, because that identity must be a hybrid identity that exists in both on-premises AD DS and Microsoft Entra ID. In my scenario, Group1 is a cloud-only identity. So this option isn't allowed.

It seems that my only option might be to add a default share-level permissions for all authenticated identities on the storage account for share1, instead of configuring share-level permissions for a specific Microsoft Entra group (Group1). But if I do that, then it affects all authenticated identities, and I'm trying to make a change that affects Group1 only.

So how would you handle this requirement? What are my options? It's confusing to me that a cloud-based identity is not allowed to be used when you want to set share-level permissions for specific Microsoft Entra users or groups.

Thank you.


  1. Sina Salam 12,976 Reputation points
    2024-11-25T20:25:08.0466667+00:00

    Hello DavidO-0335,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    I understand that you are having challenges with assigning share-level permissions to a cloud-only identity in Microsoft Entra Domain Services.

    Your scenarios:

    • You have a cloud-only security group in Microsoft Entra named Group1.
    • You want to grant Group1 Azure RBAC read-only permissions to share1.
    • You are using Microsoft Entra Domain Services authentication.
    • Documentation states that share-level permissions cannot be assigned to a cloud-only identity; it must be a hybrid identity.

    Given the constraints, the best-practice solution to meet your requirement of assigning share-level permissions to Group1 (a cloud-only identity) is:

    1. Synchronize Group1 with on-premises AD to make it a hybrid identity. This allows you to assign share-level permissions specifically to Group1. This approach aligns with the documentation and provides the necessary granularity.
    2. If synchronizing with on-premises AD is not feasible, using SAS tokens is a practical alternative. Generate a SAS token with read-only permissions for share1 and distribute it to members of Group1. This method provides the required access control without changing the identity configuration.

    I hope this is helpful! Do not hesitate to let me know if you have any other questions.


    Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.

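The two options in the answer above, written out with the Az PowerShell module as an added example that is not part of the original thread. The resource group and storage account names are assumed placeholders; share1 and Group1 are taken from the question, and option 1 assumes Group1 has already been synchronized so it exists as a hybrid identity.

```powershell
# Added example (not from the original thread). Names marked "assumed" are
# placeholders; replace them with the real resource names.
Import-Module Az.Accounts, Az.Resources, Az.Storage
Connect-AzAccount

$resourceGroup  = 'rg-files'          # assumed
$storageAccount = 'stfilesdemo001'    # assumed
$shareName      = 'share1'            # from the question
$groupName      = 'Group1'            # from the question

$account = Get-AzStorageAccount -ResourceGroupName $resourceGroup -Name $storageAccount

# Option 1: share-level RBAC scoped to share1 only (not the whole account).
# Requires Group1 to be a hybrid identity, as the documentation states.
# The built-in read-only role is "Storage File Data SMB Share Reader"; the scope
# is the file share's own resource ID under the storage account.
$group      = Get-AzADGroup -DisplayName $groupName
$shareScope = "$($account.Id)/fileServices/default/fileshares/$shareName"

New-AzRoleAssignment -ObjectId $group.Id `
    -RoleDefinitionName 'Storage File Data SMB Share Reader' `
    -Scope $shareScope

# Keep the account-wide default share permission off so that only explicit
# assignments like the one above grant share-level access.
Set-AzStorageAccount -ResourceGroupName $resourceGroup -Name $storageAccount `
    -DefaultSharePermission None

# Check: list what is assigned at the share scope; nothing broader should appear.
Get-AzRoleAssignment -Scope $shareScope |
    Select-Object DisplayName, RoleDefinitionName, Scope

# Option 2: a read-only, time-limited share SAS for share1.
# A SAS is authorized by the storage account key, not by the caller's identity,
# so Entra RBAC and NTFS ACLs do not apply to whoever presents it.
$sas = New-AzStorageShareSASToken -ShareName $shareName `
    -Permission 'rl' `
    -Protocol HttpsOnly `
    -ExpiryTime (Get-Date).AddHours(8) `
    -Context $account.Context

"https://$storageAccount.file.core.windows.net/$shareName$sas"
```

With option 1, directory- and file-level NTFS permissions on the share still apply after the share-level role is granted. With option 2, the SAS is a bearer secret, so a short expiry and the narrowest permission set are what limit its exposure.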
