I'm new to Azure and am testing a storage account file share using file sync to pull some test data. I'm using AAD Kerberos authentication and am playing with the interaction between share-level permissions and NTFS ACLs. I'm getting results that don't seem to follow expectations.

I have a test group of users I've assigned 'Storage File Data SMB Share Contributor' roles to. I'm on a domain-joined machine as admin with the file share mapped using the storage account name and access key. I'm attempting to add ACLs for test user accounts, but the object search of the storage account won't return users or groups, it is only able to locate Built-in security principals. But I have discovered if I add test account ACLs on a domain machine, they do show up on the storage account share, and I can then edit the ACLs. Is this expected behavior?

I've also found permissions aren't following the most restrictive ones as I expect. Test accounts are read-write (from share-level 'Contributor' role), and I've just set ACLs of List for the account at the root of the share, yet in testing I'm able to read, write, and delete files. Any thoughts where I'm going wrong?