Microsoft announced that they are doubling down on Azure security at their recent Black Hat conference in Las Vegas.
Today, Microsoft announced the new security features which will enhance the access control experience; including the introduction of Azure Active Directory Domain Service (Azure AD DS) authentication support for Server Message Block (SMB) access.
Now, domain-joined Windows virtual machines can mount and access your Azure file shares over SMB, using AD DS credentials with enforced NTFS access control lists.
Additionally, you can restrict share-level access to certain files and folders using role-based access control (RBAC). The permission assignment functionality is similar to NTFS’s, therefore the process of “lifting and shifting” an application is easier.
Azure AD DS authentication for Azure Files allows users to specify granular permissions on shares, files, and folders. It unblocks common use cases like single writer and multi-reader scenario for your line of business applications. As the file permission assignment and enforcement experience matches that of NTFS, lifting and shifting your application into Azure is as easy as moving it to a new SMB file server. This also makes Azure Files an ideal shared storage solution for cloud-based services. For example, Windows Virtual Desktop recommends using Azure Files to host different user profiles and leverage Azure AD DS authentication for access control.
Furthermore, support for the enforcing of NTFS discretionary access control lists (DACLs) with Azure Files allows DACLs to be maintained across copying and data recovery processes.
Since Azure Files strictly enforces NTFS discretionary access control lists (DACLs), you can use familiar tools like Robocopy to move data into an Azure file share persisting all of your important security control. Azure Files access control lists are also captured in Azure file share snapshots for backup and disaster recovery scenarios. This ensures that file access control lists are preserved on data recovery using services like Azure Backup that leverages file snapshots.
Moreover, you can now reassign permissions through File Explorer.
Moving on, permission modification through the File Explorer has been highlighted. The feature was first showcased at Ignite 2018; at that time, viewing and changing permission required a Windows command line tool named ‘icacls’. However, this tool was found not to be easily discoverable or consistent with user behavior. Therefore, the ability is now offered with File Explorer, making permission assignments for Azure Files possible with ease.
Microsoft introduced three new built-in role-based access controls, to make share level access management easier- Storage File Data SMB Share Elevated Contributor, Contributor and Reader.
To simplify share-level access management, we have introduced three new built-in role-based access controls—Storage File Data SMB Share Elevated Contributor, Contributor, and Reader. Instead of creating custom roles, you can use the built-in roles for granting share-level permissions for SMB access to Azure Files.
The Azure Files team aims to extend authentication support as part of the access control experience, to Windows Server Active Directory, hosted on-premises or the cloud.
Supporting authentication with Azure Active Directory Domain Services is most useful for application lift and shift scenarios, but Azure Files can help with moving all on-premises file shares, regardless of whether they are providing storage for an application or for end users. Our team is working to extend authentication support to Windows Server Active Directory hosted on-premises or in the cloud.
You can opt into updates about Azure Files Active Directory Authentication from this link.