How to add file permissions (or anything else) for AzureAD users on AzureAD-joined Win10 machine?

  • Question

  • I'm on a Win10 workstation that's joined to AzureAD like this. How can I grant file permissions to an AzureAD user?

    When I try to use the File Properties > Security > Edit > Add dialog I can't find/select any users on the AzureAD domain, including the currently logged in user. Entering `AzureAD\FirstLast` and clicking Check Names gives this (where AzureAD\JohnSmith happens to be the currently logged-in user):


    There's no option to use AzureAD as the location for the Search either. 

    In general this sort of thing seems to be a problem with AzureAD-joined accounts: Windows appears to not know about them, e.g. when adding them to SQL Server. Or perhaps I just don't know the right way to refer to these users?

    Thanks for any help!

    Rory

    Also posted on SuperUser

    Monday, December 21, 2015 11:42 PM

Answers

  • Thanks to Arni on this thread for this solution/workaround: 

    You can try the following command line. After adding an ACL entry, the Security dialog will display the user and you can change the permissions there.

    CACLS "C:\YourPath" /T /E /G AzureAD\FirstLast:C

    • Marked as answer by Rory__K Monday, November 28, 2016 9:08 PM
    Monday, November 28, 2016 8:52 PM

All replies

  • Hello,

    We are checking on the query and would get back to you soon on this.
    I apologize for the inconvenience and appreciate your time and patience in this matter.

    Regards,
    Neelesh

    Tuesday, December 22, 2015 10:56 AM
  • Hi Neelesh, how's that going? 
    Sunday, January 3, 2016 9:20 PM
  • Hi Neelesh, any ideas? 
    Monday, January 25, 2016 2:20 PM
  • As I understand it (and I assure you this will change as more features are added), currently you can't grant direct access to on-prem resources to Windows 10 Azure AD joined devices. Member servers on your domain don't "know" about Azure AD, so can't translate a request to grant permissions to an Azure AD user.


    Jennelle Crothers - Microsoft Technical Evangelist @jkc137 | www.techbunny.com (If my reply has been helpful to you, please give it a vote!)

    Monday, January 25, 2016 7:03 PM
  • Thanks Jennelle, but in my case I'm not talking about resources on other devices or domains, I'm just talking about local resources on the single workstation that's AzureAD-joined. Before it was AzureAD-joined it was not on a domain, and there's still no interaction with any other domain. I just want to change file permissions on that workstation. 

    On the workstation itself that's AzureAD-joined, I can look at the folder properties of my c:\Users\MynameMysurname folder and see the security permissions include AzureAD\MynameMysurname. So clearly Windows knows about that identity. But if I go to a different folder on the same computer there's no way to grant permissions to that identity. Similarly I can't add myself, or any other AzureAD users of the workstation, to a local security group through Computer Management UI.

    Monday, January 25, 2016 8:42 PM
  • This is ridiculous. I'm at the tail end of a massive laptop rebuild and only now do I learn that I can't access critical folders that I have set up; the only way I can get it done is to move all the folders under my user home.

    I hope the update next month takes care of this.


    Kevin Dean - Dolphin Data Development Ltd.

    Tuesday, July 19, 2016 3:31 PM
  • cacls is now deprecated in Windows 10 - use icacls instead.

    The equivalent icacls command:

    icacls "C:\yourpath" /t /grant azuread\FirstLast:M

    Sunday, August 11, 2019 3:31 AM
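
The same grant done from PowerShell, as an added example that is not part of the original thread: it resolves the account name to a SID before touching the ACL, adds one inheritable Modify entry on the folder, and reads the result back for review. `C:\YourPath` and `AzureAD\FirstLast` are the thread's placeholders; the function name `Grant-AadFolderAccess` is hypothetical, and the script assumes an elevated PowerShell 5.1 session and that Windows can resolve the AzureAD name on this machine.

```powershell
# Added example. Path and account are placeholders; replace both.
$Path    = 'C:\YourPath'
$Account = 'AzureAD\FirstLast'

function Grant-AadFolderAccess {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Account,
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Modify'
    )

    # Resolve the name to a SID first. If Windows cannot map the name,
    # Translate() throws IdentityNotMappedException and no ACL is touched.
    $nt  = [System.Security.Principal.NTAccount]::new($Account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier])

    # One inheritable ACE on the folder (in icacls notation: (OI)(CI)M)
    # rather than a separate explicit ACE on every child object.
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $sid, $Rights, $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)

    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Read the ACL back with identities expressed as SIDs and return only
    # the entries that belong to this account.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object { $_.IdentityReference.Value -eq $sid.Value } |
        Select-Object IdentityReference, FileSystemRights,
                      AccessControlType, IsInherited, InheritanceFlags
}

Grant-AadFolderAccess -Path $Path -Account $Account
```

Pass `-Rights ReadAndExecute` (or another `FileSystemRights` value) when Modify is more than the user needs.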