How would I properly configure NTFS permissions for Azure Files with MEDS Authentication?

Jake F 0 Reputation points
2025-02-19T15:48:36.0033333+00:00

Hi and thank you in advance for helping with this question,

I'm having trouble configuring NTFS permissions with my Azure Files SMB share.

I'm trying to create the following scenario:

My root SMB share folder should be inaccessible, but one of the subfolders and its contents should have read access to files and subfolders, users should not be able to delete files/folders, and they cannot rename files and folders. I find that when I use the following permission scheme, I am only getting read access as a standard user and no ability to modify.

Am I missing something?

  • Create Files / Write Data
  • Create Folders / Append Data: create new subfolders within a folder.
  • Write Data
  • Append Data
  • Write Attributes
  • Write Extended Attributes
  • Modify

Thank you again in advance, I'm stumped.


1 answer

  1. Hari Babu Vattepally 1,720 Reputation points Microsoft Vendor
    2025-02-19T16:18:51.8566667+00:00

    Hi @Jake F,

    To resolve the issue as mentioned above and to correctly configure NTFS permissions for your Azure Files SMB share according to your requirements, ensure that the permissions are accurately set at both the share and file/directory levels.

    Based on the permissions provided, it looks like you're on the right track. However, to ensure users have the appropriate access and restrictions, you might need to adjust the permissions slightly. Here is a suggested NTFS permission scheme for the scenario you described:

    Root SMB Share Folder:

    • Revoke all permissions for standard users to make the root folder inaccessible.

    Specific Subfolder (with read access and restrictions):

    Please grant the following permissions to the specific subfolder and its contents.

    • List Folder Contents: Allows users to see the files and subfolders within the folder.
    • Read: Allows users to read the files.
    • Create Files / Write Data: Allows users to create new files.
    • Create Folders / Append Data: Allows users to create new subfolders.
    • Write Attributes: Allows users to change file attributes.
    • Write Extended Attributes: Allows users to change extended attributes.

    To prevent users from deleting or renaming files and folders, you should avoid granting the following permissions:

    • Delete Subfolders and Files
    • Delete
    • Modify (as this permission includes delete capabilities)

    By setting these permissions, users should have read access to the specific subfolder and its contents without the ability to delete files/folders or rename them. Make sure to apply these permissions at the subfolder level to achieve the desired access control.

    Please make sure that the permissions are correctly applied and verify that there are no conflicting permissions set at the share level, as these could override your NTFS settings. Keep in mind that the most restrictive permission will take precedence if there are conflicts between share and NTFS permissions.

    Please refer to the documents below for additional information:

    I hope this helps! Please let us know if you have any further queries in the comment section. We will be glad to assist you further.

    Please consider up-voting wherever the information provided helps you; this can be beneficial to other community members.
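The permission set listed in the answer above, written as a single access rule and applied to the subfolder. This is an added example, not part of the original thread. The drive letter `Z:`, the folder `Z:\Shared` and the group `CONTOSO\FileUsers` are assumed placeholders, and the session is assumed to run as an identity that is allowed to change ACLs on the mounted share.

```powershell
# Assumed placeholders (not from the thread): mounted share path and group name.
$Path     = 'Z:\Shared'
$Identity = 'CONTOSO\FileUsers'

# Rights from the answer: list/read plus create and attribute writes.
# Delete, DeleteSubdirectoriesAndFiles and Modify are deliberately left out.
$Rights = [System.Security.AccessControl.FileSystemRights](
    'ReadAndExecute, CreateFiles, AppendData, WriteAttributes, WriteExtendedAttributes')

# Rights that would allow deleting or renaming; used as a guard and in the check below.
$Forbidden = [System.Security.AccessControl.FileSystemRights](
    'Delete, DeleteSubdirectoriesAndFiles')

if ([int]($Rights -band $Forbidden) -ne 0) {
    throw "Rule for $Identity would grant delete rights; refusing to apply it."
}

# Apply to this folder, its subfolders and its files.
$Inherit = [System.Security.AccessControl.InheritanceFlags](
    'ContainerInherit, ObjectInherit')

$Rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Identity, $Rights, $Inherit, 'None', 'Allow')

$Acl = Get-Acl -LiteralPath $Path
# SetAccessRule replaces the explicit Allow entries this identity already has
# on the folder, so an earlier broader grant (for example Modify) is removed.
$Acl.SetAccessRule($Rule)
Set-Acl -LiteralPath $Path -AclObject $Acl

# Verify: list every Allow entry for the identity, including inherited ones,
# and flag any entry that still carries a delete right.
(Get-Acl -LiteralPath $Path).Access |
    Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq 'Allow'
    } |
    Select-Object FileSystemRights, IsInherited, @{
        Name       = 'GrantsDelete'
        Expression = { [int]($_.FileSystemRights -band $Forbidden) -ne 0 }
    }
```

An entry reported with `IsInherited` set to True and `GrantsDelete` set to True comes from a parent folder and is not changed by this rule, and entries granted to other groups the user belongs to are not listed by this filter.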

