Azure Files not honoring ACLs/NTFS

Question

Azure Files not honoring ACLs/NTFS

Jim J 0

Hello!

I have setup Azure Files with Entra Kerberos Authentication. For some reason the Azure Files is not honoring the Entra Identity on the NTFS side. I have outline three scenarios below, one of which is not working.

My Summary Configuration

-Entra Kerberos Authentication enabled per this article. https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-hybrid-identities-enable?tabs=azure-portal%2Cintune
-Identities are synchronized to Entra from on-premise (No cloud only identities)
-Single Tenant/Domain/Forest in play
-Endpoints are AAD Joined
-Default Share-level Permissions DISABLED
-Manually added IAM Permissions to the Share (Storage File Data SMB Share Contributor)
-Manually added NTFS permissions via
-Not using Azure Sync
-Explicitly using https://aka.ms/portal/fileperms URL to add NTFS permissions (Not explorer or icalcs)

-NOT Using private access
-Running Debug-AzStorageAccountAuth with flags -FileShareName and -Username flags shows 100% green/success
-Running klist get cifs/XXX.file.core.windows.net shows successful Kerberos tickets

My Client system can do the following: (Windows 11 Enterprise 25H2)

For all scenarios below, my client can map a drive letter via windows and use UNC path to the storage account

Scenario #1 (WORKING)

-Created a single share with a single Subfolder under share. Added single identity to IAM Permissions with (Storage File Data SMB Share Contributor). Default NTFS permissions with this share allow me to create and delete files.

Scenario #2 (WORKING)

-Created a single share with a single Subfolder under share. Added single identity to IAM Permissions with (Storage File Data SMB Share Contributor). Added a single identity to NTFS permissions via https://aka.ms/portal/fileperms "Manage Access" that matches my logged on identity from my client system. My Identity and Default NTFS permissions with this share allow me to create and delete files.

Scenario #3 (NOT WORKING)

-Created a single share with a single Subfolder under share. Added single identity to IAM Permissions with (Storage File Data SMB Share Contributor). Added a single identity to NTFS permissions via https://aka.ms/portal/fileperms "Manage Access" that matches my logged on identity from my client system. Changed the "Authenticated Users" ACL from "Modify" to Read/List. With this ACL change on the "Authenticated User", I can no longer create/delete files. It appears that my identity is not being honor in this case as "Authenticated Users" was actually allowing the file access/changes instead of the identity that I applied via IAM/NTFS.

Please help me understand why scenario #3 is not working correctly.

Jim J 0 Reputation points

2025-12-02T15:48:21.7366667+00:00

Jeevan,

Thank you for the reply.

ACL Precedence. - I think you are referring to the restriction being between SHARE and NTFS permissions. IE, if I had full control on the SHARE side, but read only on the NTFS, then my effective permissions are still read only. The permissions would still be the same if the logic was reversed. If that's what you meant by this comment, then it's not applicable to scenario #3 at all as my IAM share permissions match my NTFS permissions 1-to-1 with modify permissions against my identity.

There is a scenario #4 that sort of answers some of your other questions

Scenario #4 (NOT WORKING)

-Created a single share with a single Subfolder under share. Added single identity to IAM Permissions with (Storage File Data SMB Share Contributor). Added a single identity to NTFS permissions via https://aka.ms/portal/fileperms "Manage Access" that matches my logged-on identity from my client system with modify ACL. Removed "Authenticated Users" ACL from the root folder. With removal of the ACL of "Authenticated Users", I can't even map the drive/UNC path. Even with my identity being present on the IAM and NTFS side, doesn't allow

Scenario #5 (NOT WORKING)

-Created a single share with a single Subfolder under share. REMOVED single identity from IAM Permissions with (Storage File Data SMB Share Contributor) and ENABLED the default share-level permissions with "Storage File Data SMB Share Contributor" option under the identity access configuration. Added a single identity to NTFS permissions via https://aka.ms/portal/fileperms "Manage Access" that matches my logged-on identity from my client system with modify ACL. Removed "Authenticated Users" ACL from the root folder NTFS side. With removal of the ACL of "Authenticated Users", I can map the drive/UNC path. Even with my identity being present on the NTFS side at the root, it still doesn't allow to modify files (Root or subfolders)

Scenario #6 (NOT WORKING)

-Created a single share with a single Subfolder under share. REMOVED single identity from IAM Permissions with (Storage File Data SMB Share Contributor) and ENABLED the default share-level permissions with "Storage File Data SMB Share Contributor" option under the identity access configuration. Changed Authenticated users to READ permissions on the NTFS side at the root. On a subfolder, I added my identity from my client system with modify ACL and removed the Authenticated users ACL. With the removal of the ACL of "Authenticated Users" and the presence of my identity on this subfolder, it still allows me to traverse inside this subfolder from the root, but not create/delete files even though I have NTFS permissions. Oddly, I discovered the group SID of "BUILDIN\USERS" present on this subfolder with Read/Execute and subsequently the removal of that SID doesn't even allow me to traverse back inside this subfolder even though my I have NTFS permissions on this subfolder.

*Also to note, the problem is the same if ACLs are applied at the root or even a single subfolder only. The net results are still the same

From your further questions

If the issue occurs still, please share the below asked details for further troubleshoot.

Q: Can you confirm if "Authenticated Users" permission is being inherited from a parent folder?

A: Yes, Authenticated users was inherited from the parent folder. However, the behavior is the same if its present (or not) per all scenarios

Q:Have you checked the effective permissions for your identity in the specific folder where you're facing issues?

A: Yes, all configurations appear to be correct. Even verifying with icalcs just to "see" if there is anything suspicious compared to the portal NTFS permissions blade

Q:Are there any conflicting permissions set at a higher level that might be affecting access?

A: Not that I aware of. Share level permissions are appropriate with corresponding NTFS permissions for equal ACL permissions.

FWIW, I would love to show you this issue live on a support session. Based on my observations so far, the issue appears to exist outside the realm of share/NTFS ACLs. There's something getting in the way BEFORE we even access the storage account itself.

Jim
Jeevan Shanigarapu 3,275 Reputation points Microsoft External Staff Moderator

2025-12-02T20:39:39.6166667+00:00
Hello Jim,

Thanks for providing such detailed test cases and your observations. Your careful checks are valuable to diagnose the issue.

From what you described, the behavior you see in Scenarios #3 through #6 is expected because of how Azure Files manages access control. Here’s a straightforward explanation:

Why Some Scenarios Fail

ACL Priority and How It’s Checked: Azure Files looks at NTFS ACLs and the share’s permissions. When you remove or limit "Authenticated Users," you’re removing the baseline access that lets anyone even enter ("traverse") the folder structure. So, even if your user has explicit permissions on a subfolder, the lack of inherited permissions like "Authenticated Users" or "BUILTIN\Users" on parent folders can stop access completely.

Kerberos Checks Identity, Not Folder Paths: Kerberos authentication proves who you are, but Azure Files still requires that the permissions chain allows you to move through each folder from the root down to where your files live. If any folder along the way blocks or lacks permission, access fails.

IAM vs NTFS Are Both Required: Share-level permissions via IAM don’t override NTFS file system ACLs. Both need to be set correctly for successful access.

What to Do

Keep a Baseline Permission Set: Keep "Authenticated Users" or a similar group with Read/List permission on the root folder so traversal works. Then, give your user more specific permissions only where needed deeper down.

Check Your Effective Permissions: Use tools like Effective Access or the command line (icacls) to confirm that your user can traverse folders and open files from root to target.

Don’t Remove BUILTIN\Users: This group is essential for folder traversal. Removing it can block access even if later permissions look correct.

References:

Troubleshoot 403 Errors (Azure Blob Storage) - Azure | Microsoft Learn

Access control lists in Azure Data Lake Storage - Azure Storage | Microsoft Learn

Kindly let us know if the above helps or you need further assistance on this issue.

2 answers

Your answer

Answer 1

In your scenario #3, it appears that the issue arises from the way NTFS permissions are being evaluated in conjunction with the permissions assigned to "Authenticated Users." When you changed the ACL for "Authenticated Users" from "Modify" to "Read/List," it restricted access for any users that fall under that category, including your identity if it is part of the "Authenticated Users" group.

Here are some key points to consider:

NTFS Permissions Hierarchy: NTFS permissions are cumulative, meaning that if a user belongs to multiple groups, they inherit permissions from all those groups. If "Authenticated Users" had previously granted modify permissions, changing it to read/list could restrict access for users who are part of that group, even if they have explicit permissions assigned through IAM or NTFS.
Explicit vs. Inherited Permissions: If your identity is explicitly granted permissions but is also part of a group that has restricted permissions (like "Authenticated Users"), the most restrictive permission will apply. In this case, since "Authenticated Users" is set to read/list, it overrides the explicit permissions you assigned.
Testing with Different User Accounts: To isolate the issue, you could test with a user account that is not part of the "Authenticated Users" group to see if the explicit NTFS permissions work as expected. This will help determine if the group membership is affecting access.
Consider Using More Granular Permissions: If you need to maintain the ability for specific users to modify files while restricting general access, consider creating a dedicated group for those users and assigning permissions accordingly, rather than relying on "Authenticated Users."
Debugging Tools: Utilize the Debug-AzStorageAccountAuth command to verify that the permissions are being applied as expected and that there are no underlying issues with the authentication or authorization process.

In summary, the behavior you're experiencing in scenario #3 is likely due to the interaction between the NTFS permissions and the group memberships. Adjusting the permissions for "Authenticated Users" or using more granular permissions for specific users may resolve the issue.

References:

Answer 2

Hello @Jim J,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I understand your question. It looks like you’re navigating a tricky issue with Azure Files not honoring NTFS permissions under your Entra Kerberos setup. Based on what you described, here are some thoughts and troubleshooting steps for your scenario:

Understanding Scenario #3

From your configuration, it sounds like your IAM permissions are correctly set up, as has been verified by the success of your Debug-AzStorageAccountAuth command. However, since modifying the "Authenticated Users" ACL from "Modify" to "Read/List" leads to access issues, it seems like the ACL inheritance or precedence rules might be coming into play here.

Key Points to Consider

ACL Precedence**: The rule in place here is that if multiple permissions are applied, the most restrictive one takes effect. When you change "Authenticated Users" to have "Read/List," it's possible that your specific identity still does not have sufficient NTFS permissions, thereby restricting create/delete operations.
Review Effective Permissions**: You might want to check the effective permissions for your identity on the affected folder. This can be done by examining both IAM permissions and NTFS permissions together, as conflicting permissions can cause unexpected behavior.
Non-Propagation of Permissions**: Ensure that permissions are applied correctly and recursively. Sometimes, files and folders inherit permissions from parent directories unless inheritance is explicitly disabled.

Suggested Steps

Check Effective Permissions: Use the Effective Permissions feature in Windows to see what your actual permissions are on the specific file or folder.

Reconfigure ACLs: Test changing back the "Authenticated Users" permission to "Modify" and observe if that resolves the issue. If it does, carefully reintroduce your intended permissions while monitoring the effective permissions.

Use Diagnostic Tools: Utilize tools and resources provided in the documentation to troubleshoot access issues and ACL configurations in Azure Files.

Additional Resources:

https://learn.microsoft.com/en-us/troubleshoot/azure/azure-storage/blobs/authentication/storage-troubleshoot-403-errors

https://learn.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-access-control#access-control-lists-on-files-and-directories

https://learn.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-directory-file-acl-dotnet?tabs=azure-ad

If the issue occurs still, please share the below asked details for further troubleshoot.

Can you confirm if "Authenticated Users" permission is being inherited from a parent folder?
Have you checked the effective permissions for your identity in the specific folder where you're facing issues?
Are there any conflicting permissions set at a higher level that might be affecting access?

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have any questions about this answer, please click "Comment".

Share via

Azure Files not honoring ACLs/NTFS

2 answers

Your answer