With Azure AD support, applications can access Azure file shares securely, without storing or managing any credentials. Applications can now leverage managed identities to secure access to customer-owned file shares. Application users can grant permissions to managed identities and provide identity-based access to application file shares.
For existing SMB access options, please refer to Azure Files identity-based authentication options for SMB access.
The Azure portal also now supports using Azure AD to authenticate requests to Azure Files. Users can choose the Azure AD identity-based authentication method for the actions they take through the portal, such as browsing their file share contents. Find out more about authorizing access to file data in the Azure portal.
Example use case
A customer application using managed identities wants to access file share data for periodic backup purposes. This application only requires read access to the source file share A, regardless of file-specific permissions, and write access to the destination file share B. With Azure AD authentication for the Azure Files REST API, the customer can now use Azure's role-based access control framework to grant specific permissions to the application. The users of the application can assign the following roles to the managed identity (MI):
With the above-mentioned role assignments, the users have more granular access per share. In addition, all identity and access management is enforced through Azure AD, removing any need to store or manage secrets.
To enable privileged access that reads all or writes all by bypassing any file/directory-level ACLs, the application must explicitly declare that intent when calling the REST API. Please refer to Azure AD Authentication for Azure Files to learn how to implement this.
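The backup scenario above, as an added example that is not code from the original post: the application obtains a token from the VM's managed identity endpoint (so no secret is stored), reads a file from share A and writes it to share B over the Azure Files REST API, declaring the privileged intent on every request. The account and share names, and the assumption that the app runs on an Azure VM with a system-assigned managed identity that already holds the read role on A and the write role on B, are the example's own.

```python
"""Managed-identity (Azure AD) access to Azure Files over REST. Added example."""
import json
import urllib.request

# Instance Metadata Service endpoint that hands out tokens for the VM's managed identity.
IMDS_TOKEN_URL = ("http://169.254.169.254/metadata/identity/oauth2/token"
                  "?api-version=2018-02-01&resource=https://storage.azure.com/")
FILES_API_VERSION = "2022-11-02"   # Azure Files REST version that accepts OAuth tokens


def get_managed_identity_token() -> str:
    """Fetch a bearer token from IMDS; nothing is read from config or disk."""
    req = urllib.request.Request(IMDS_TOKEN_URL, headers={"Metadata": "true"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)["access_token"]


def build_file_request(account, share, path, token, method="GET",
                       query="", body=None, extra=None) -> urllib.request.Request:
    """Build one Azure Files REST request authorized with an Azure AD token.

    The x-ms-file-request-intent header is the explicit declaration that the
    caller wants the privileged (ACL-bypassing) read/write path described above.
    """
    url = f"https://{account}.file.core.windows.net/{share}/{path}"
    if query:
        url += "?" + query
    headers = {
        "Authorization": f"Bearer {token}",
        "x-ms-version": FILES_API_VERSION,
        "x-ms-file-request-intent": "backup",
    }
    headers.update(extra or {})
    return urllib.request.Request(url, data=body, headers=headers, method=method)


def backup_file(src_account, src_share, dst_account, dst_share, path) -> int:
    """Copy one file from share A to share B using the managed identity; returns bytes copied."""
    token = get_managed_identity_token()
    # Read from share A: the read role plus the backup intent ignores per-file ACLs.
    with urllib.request.urlopen(build_file_request(src_account, src_share, path, token)) as r:
        data = r.read()
    # Write to share B: create the file (Create File), then upload its content (Put Range).
    create = build_file_request(dst_account, dst_share, path, token, method="PUT",
                                extra={"x-ms-type": "file", "x-ms-content-length": str(len(data))})
    urllib.request.urlopen(create).close()
    put = build_file_request(dst_account, dst_share, path, token, method="PUT", query="comp=range",
                             body=data, extra={"x-ms-write": "update",
                                               "x-ms-range": f"bytes=0-{len(data) - 1}"})
    urllib.request.urlopen(put).close()
    return len(data)
```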
authentication is available to all customers of
For any questions, comments, feedback or to learn what’s new, please reach out to FilesADAuth@microsoft.com.