locked
Azure files and NTFS ACL Permission RRS feed

  • Question

  • Hello Experts,'

     I am currently evaluating replacing an On-Premise File Server with Azure Files. The On-Premise Azure Files currently has NTFS ACL permissions for files and folder access.

    Let's assume, the on-premise file shares are migrated to Azure (using Robocopy/azcopy for instance), does Azure Files persist the On-premise NTFS ACL permission and can Windows Workstation access the Azure File directly (with the NTFS ACL permissisons) without the need to standup an Azure VM to act as a file server?

    Monday, June 24, 2019 9:56 PM

Answers

  • We will shortly be releasing a limited preview of a feature for Azure Files to allow an Azure file share to be domain joined to your on-premises Active Directory instance. You can email us at AzureFiles@microsoft.com for more information on how to be included in the preview - we may have some follow up questions as well.

    In the interim, there are a couple of alternatives here to do what you're asking for:

    1. Depending on your scenario, you may be able to use the AAD DS integration. AAD DS is a hosted Active Directory instance that is slaved to Azure Active Directory. This solution works best for the scenario that you're lifting and shifting an application to the cloud, rather than direct end-user scenarios, because the SIDs of the user objects in AAD DS don't match the SIDs of the user objects in your on-premises AD, where you are presumably managing your user's identities.
    2. You can use Azure File Sync, either with an on-premises Windows file server or with a Windows file server hosted in an IaaS VM. As you've already pointed out, Windows Server knows how to interact with AD already for Kerberos-based auth, and Azure File Sync preserves AD ACLs. This option sets you up for moving to using the native AD domain join feature I mentioned up front.


    Hope this helps - don't hesitate to reach out directly via email if you have any additional questions.

    Thanks,

    Will


    Tuesday, June 25, 2019 6:04 AM

All replies

  • Hi ghostme,

    To clarify, when you say the "on-premises Azure Files", do you mean that you are using Azure File Sync, or are you referring to your old on-premises file shares?

    Thanks,

    Will Gries
    Senior Program Manager, Azure Files

    Tuesday, June 25, 2019 3:51 AM
  • Hello Will,

    I'm referring to the "old on-premise" Windows Server file share on a Windows Server file server.

    Tuesday, June 25, 2019 4:09 AM
  • We will shortly be releasing a limited preview of a feature for Azure Files to allow an Azure file share to be domain joined to your on-premises Active Directory instance. You can email us at AzureFiles@microsoft.com for more information on how to be included in the preview - we may have some follow up questions as well.

    In the interim, there are a couple of alternatives here to do what you're asking for:

    1. Depending on your scenario, you may be able to use the AAD DS integration. AAD DS is a hosted Active Directory instance that is slaved to Azure Active Directory. This solution works best for the scenario that you're lifting and shifting an application to the cloud, rather than direct end-user scenarios, because the SIDs of the user objects in AAD DS don't match the SIDs of the user objects in your on-premises AD, where you are presumably managing your user's identities.
    2. You can use Azure File Sync, either with an on-premises Windows file server or with a Windows file server hosted in an IaaS VM. As you've already pointed out, Windows Server knows how to interact with AD already for Kerberos-based auth, and Azure File Sync preserves AD ACLs. This option sets you up for moving to using the native AD domain join feature I mentioned up front.


    Hope this helps - don't hesitate to reach out directly via email if you have any additional questions.

    Thanks,

    Will


    Tuesday, June 25, 2019 6:04 AM
  • Thanks Will you response is quite clear and addresses my concerns
    Tuesday, June 25, 2019 9:36 AM