![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 34%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENR%3C/text%3E%3C/svg%3E)
Azure Files
An Azure service that offers file shares in the cloud.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(192, 15%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPB%3C/text%3E%3C/svg%3E)
Hello **Naija R C
**I understand that you're experiencing some missing requester details in the Azure File Share SMB events.
Under what conditions would Azure Files SMB events omit the requester details?
There are several reasons why requester details might be missing from the event logs. In some cases, Azure may choose not to record specific information to safeguard sensitive data.
Kerberos-based authentication is the only method that can provide requester object details, such as objectId and smbPrimarySID. When connecting with storage keys, SAS tokens, or NTLM, the identity block will only show "type": "Kerberos" and will not include a requester sub-object.
Currently, Azure Files supports identity-based access only via SMB with Kerberos. Other access methods, including access keys, SAS, NTLM, and NFS, do not populate the requester fields.
Is this expected behavior in any scenarios?
Yes, this is expected if the connection isn’t using Azure AD–issued or on-prem Kerberos tickets. When requester details are missing, it means Azure Files couldn’t identify the user because a non-Kerberos or unsupported authentication method was used.
Are there any known issues or prerequisites needed for the requester information to appear?
To ensure requester information is logged, make sure:
You have appropriate permissions set up for the identity accessing the Azure File Share.
The relevant logging settings are correctly configured in Azure. You might also want to check if there are any specific diagnostic settings that need to be applied.
How can we ensure requester attributes like objectId and smbPrimarySID are included in the SMB event logs?
To display requester attributes such as objectId and smbPrimarySID in your logs:
- Verify that identity-based authentication is correctly set up in your Azure Files configuration.
- Make sure file share access is properly authenticated using Kerberos. If the client does not provide valid credentials or identity, requester details may not appear.
Please check the reference documents for more understanding:
https://learn.microsoft.com/en-us/troubleshoot/azure/azure-storage/files/security/files-troubleshoot-smb-authentication?tabs=azure-portal
https://learn.microsoft.com/en-us/troubleshoot/azure/azure-storage/files/connectivity/files-troubleshoot?wt.mc_id=knowledgesearch_inproduct_azure-cxp-community-insider&tabs=powershell
https://learn.microsoft.com/en-us/azure/azure-monitor/fundamentals/data-sources
Hope the above answer helps! Please let us know do you have any further queries.
Please do consider to "accepting the answer" and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.