Configuring file-level permissions – Securing Storage

Configuring file-level permissions

In this section, we will look at the steps involved in assigning share-level permissions and then configuring file-level ACLs:

  1. Create a new user in AD and assign this user the Storage File Data SMB Share Contributor role for the share from the previous exercise. The synchronization can take some time to replicate to Azure.
  2. Navigate to your test VM and paste some files into the share. Notice that you have permission to do so. Right-click one of the files and click Properties. On the window that pops up, click Security.
  3. Click Edit. Notice that your user has full permission. Click Add…, type in the new username, click the Check Names button, and then click OK. Click Apply. You get an error stating that you don't have permission. This is because you need to assign the Storage File Data SMB Share Elevated Contributor role to this user account to modify ACL permissions. Repeat the operation after assigning this role to the new user account and the operation will now succeed.
  4. Navigate to the AD server and mount the SMB share using the new user's credentials. Note that you may need to wait for synchronization to complete before this works as expected.
  5. You can experiment with changing settings, including completely removing read permissions on the files, and confirm that the other users indeed cannot read them.
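The same file-level ACL change from step 3 (and the read-removal check from step 5) can be made and verified from PowerShell on the test VM. This is an added example, not the book's own code; it assumes the share is mounted as Z:, that report.docx is one of the files pasted in step 2, that CONTOSO\bob is the new AD user from step 1, and that the account running it holds the Storage File Data SMB Share Elevated Contributor role, which the book notes is required to modify ACLs.

```powershell
# Added example (not from the book). Assumptions: share mounted as Z:,
# file report.docx exists on it, CONTOSO\bob is the new AD user.
$share = 'Z:'
$file  = Join-Path $share 'report.docx'
$user  = 'CONTOSO\bob'

# Record the ACL before changing anything, so the change can be reviewed.
Write-Host "ACL before:"
icacls $file

# Grant Modify (M) on this one file. /grant:r replaces any existing explicit
# ACE for the same account instead of stacking a second one.
icacls $file /grant:r "${user}:(M)"

# Step 5 of the book: explicitly deny Read so that the user can no longer
# open the file. A Deny ACE wins over any Allow, inherited or explicit.
icacls $file /deny "${user}:(R)"

# Verify the resulting access rules with Get-Acl rather than trusting the
# GUI; IsInherited shows whether a rule came from the share root or was set here.
(Get-Acl -Path $file).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# To undo the experiment, remove every explicit ACE for the user on this file.
# icacls $file /remove $user
```

Mount the share as CONTOSO\bob on the AD server (step 4) and attempt to open report.docx to confirm the Deny ACE takes effect.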

You have now learned how to configure file-level ACLs for Azure Storage file shares. This concludes the section on Azure AD authentication and integration for access to Azure file shares. In the next section, we provide additional reading material should you wish to learn more.

Further reading

We encourage you to read up on this topic further by using the following links:

• Enabling AADDS authentication: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-enable

• Automation of storage access key rotation: https://docs.microsoft.com/en-us/azure/key-vault/secrets/tutorial-rotation-dual?tabs=azure-cli

• How to mount an SMB file share on Windows: https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-use-files-windows

• Configuring file-level permissions: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-configure-permissions

Copying data by using AzCopy

AzCopy is a utility that can be used for copying files to and from Azure Storage accounts. Authentication can be performed using either an Active Directory account or a SAS token issued by the storage account. AzCopy provides many different functions, but its primary function is file copying, and the command is structured as azcopy copy [source] [destination] [flags].
