Configuring access to Azure files
In the following section, we will explore assigning share and file permissions on the AD-joined storage from the previous exercise, as well as mounting the share and exploring how to validate the security.
Assigning share-level permissions
In this section, we will look at the steps involved in assigning share-level permissions:
- Navigate to the Azure portal by opening https://portal.azure.com.
- Go to the storage account from the previous exercise.
- Click on File shares on the left menu under the Data storage context.
- Create a file share and name it shared.
- Click the new share you just created, and then on the left menu, click Access Control (IAM). Click + Add and then Add role assignment.

Figure 7.21 – Adding SMB permissions
- Select Storage File Data SMB Share Contributor for Role and search for the appropriate user account you created on AD, then click Save.
You have just added contributor permissions for a user to your SMB share on Azure. The same process can be applied to the other SMB roles if desired. We will look at assigning file-level permissions in the next section.
Mounting the file share
In this section, we will look at the steps involved in mounting an Azure file share on the test VM with AD credentials. Note that port 445 must be open on the Windows server and SMB 3.x must be enabled (both should be in place by default):
- Navigate to the Azure portal by opening https://portal.azure.com.
- Go to the storage account from the previous exercise.
- Click on File shares on the left menu under the Data storage context.
- Click the share you used in the previous exercise, and on the left menu, click Overview, then click Connect on the top menu of the overview blade.
- Select a drive letter and set Authentication method to Active Directory. Copy the generated script at the bottom of the page.
- Navigate to your test VM and log in with the user account you added to the SMB share (this must be an on-premises account). Open PowerShell, then paste your script into the PowerShell window and hit Enter. This will map the share as a PSDrive.
- To have this mapped in Windows File Explorer, you could also map the network path you have from the share as \\storagename.file.core.windows.net\shared.
- Log on to your Active Directory server and attempt the same connection under your administrator account. Note that you get an Access is denied message. This is because you haven’t assigned SMB permissions to this user.
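The mount and validation steps above can also be scripted so that the port 445 check, the negotiated SMB dialect, and the effect of the share-level role are verified in one pass. This is an added example, not the script the portal generates; the storage account name `storagename`, the share name `shared`, and the drive letter `Z` are assumptions taken from the steps above.

```powershell
# Added example. Assumed values: account "storagename", share "shared", drive Z.
$StorageHost = 'storagename.file.core.windows.net'
$ShareName   = 'shared'
$DriveLetter = 'Z'
$UncPath     = "\\$StorageHost\$ShareName"

# 1. SMB uses TCP 445; fail early if the path to the storage endpoint is blocked.
$probe = Test-NetConnection -ComputerName $StorageHost -Port 445 -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) {
    throw "TCP 445 to $StorageHost is not reachable; check firewall rules."
}

# 2. Mount with the logged-on AD identity (no -Credential, no storage account key).
try {
    New-PSDrive -Name $DriveLetter -PSProvider FileSystem -Root $UncPath `
        -Persist -Scope Global -ErrorAction Stop | Out-Null
} catch {
    # An account without an SMB share role ends up here with "Access is denied".
    $who = "$($env:USERDOMAIN)\$($env:USERNAME)"
    Write-Warning "Mount failed for ${who}: $($_.Exception.Message)"
    return
}

# 3. Show the negotiated dialect (expect 3.x) and the identity the session uses.
Get-SmbConnection -ServerName $StorageHost |
    Select-Object ServerName, ShareName, UserName, Dialect

# 4. Validate the share-level role: a contributor can create and delete a file.
$testFile = "${DriveLetter}:\perm-check-$(Get-Date -Format yyyyMMddHHmmss).txt"
try {
    Set-Content -Path $testFile -Value 'write test' -ErrorAction Stop
    Remove-Item -Path $testFile -ErrorAction Stop
    Write-Output 'Write and delete succeeded: contributor access is effective.'
} catch {
    Write-Warning "Mounted, but write failed: $($_.Exception.Message)"
}
```

Running the same script under the administrator account from the last step should stop at step 2 with the access-denied warning, which confirms that the role assignment, not network reachability, is what gates access.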
You have now successfully mounted the SMB share for your Azure Files storage and seen the effect that share-level permissions have on access. In the next section, we will explore the effects of file-level permissions.