When working with Azure Files, the following items must be in place for NTFS permissions and NTFS permission replication to work.
- Azure Active Directory Domain Services authentication must be enabled on Azure Files
- Azure Active Directory Domain Services must be enabled on the Azure tenant.
- Make sure that you have assigned the "Storage File Data SMB Share Elevated Contributor" role to the Resilio Connect Agent service account so that it can enable or change NTFS permissions on the Azure file share.
Share-level permissions are the high-level gatekeeper that determines whether a user can access the share at all, whereas NTFS permissions act at a more granular level to determine what operations the user can perform on a given directory or file. The correct share-level permissions must be in place before you modify the NTFS permissions; without them, NTFS permission changes will fail.
How to Validate the Correct Share-Level Permissions
- In the Azure portal, navigate to your Azure Files storage account. Select Check Access.
- On the flyout, type the name of your service account and select it from the list.
- Once selected, you will see a window similar to the screenshot below.
- You can see in the example that the service account Powershell either has no roles at all or does not have the correct role.
- On the IAM screen, select Add Role Assignment.
- Search for "Storage File Data SMB Share Elevated Contributor" and click Next at the bottom of the page.
- Click Select Members, type your service account in the flyout, and click Select.
- Finally, navigate to Review + Assign and approve the changes.
- NOTE: This change can take up to 30 minutes to replicate. It may not apply instantly.
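The same check-and-assign procedure can be scripted with the Az PowerShell module, which is useful when several Agent service accounts or file shares need to be validated. The script below is an added example written for this article; it is not Resilio's or Microsoft's own tooling. The resource group, storage account, share name and service account UPN are placeholders, and it assumes an authenticated Az session with rights to read and write role assignments on the storage account.

```powershell
# Added example (not Resilio's or Microsoft's code): verify the prerequisites above and make sure the
# Resilio Connect Agent service account holds "Storage File Data SMB Share Elevated Contributor".
# Requires the Az module (Az.Accounts, Az.Storage, Az.Resources). All values below are placeholders.

$ResourceGroup  = 'rg-resilio'                 # placeholder resource group
$StorageAccount = 'stresilio01'                # placeholder storage account name
$ShareName      = 'resilio-share'              # placeholder file share name
$ServiceAccount = 'svc-resilio@contoso.com'    # placeholder UPN of the Agent service account
$RoleName       = 'Storage File Data SMB Share Elevated Contributor'

# Interactive sign-in; skip this line if the session is already authenticated.
Connect-AzAccount | Out-Null

# 1. Prerequisite: identity-based authentication on the account must be Azure AD DS ("AADDS").
$account    = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount
$dirService = $account.AzureFilesIdentityBasedAuth.DirectoryServiceOptions
if ($dirService -ne 'AADDS') {
    Write-Warning "Directory service on $StorageAccount is '$dirService', expected 'AADDS'. Enable Azure AD DS authentication on the storage account before assigning share-level roles."
}

# 2. Scope the assignment to the file share: the narrowest scope that still covers SMB data access.
$scope = "$($account.Id)/fileServices/default/fileshares/$ShareName"

# 3. Equivalent of the portal's "Check Access": list assignments at this scope, including inherited ones.
$existing = Get-AzRoleAssignment -SignInName $ServiceAccount -Scope $scope
$hasRole  = $existing | Where-Object { $_.RoleDefinitionName -eq $RoleName }

if ($hasRole) {
    Write-Host "$ServiceAccount already holds '$RoleName' at $scope"
} else {
    # 4. Equivalent of "Add Role Assignment" -> "Review + Assign".
    Write-Host "$ServiceAccount is missing '$RoleName'; assigning at $scope"
    New-AzRoleAssignment -SignInName $ServiceAccount -RoleDefinitionName $RoleName -Scope $scope | Out-Null
    Write-Host 'Role assignment submitted. Propagation is asynchronous and can take up to 30 minutes.'
}
```

Scoping the role to the individual file share rather than the whole storage account keeps the Agent service account to the least privilege it needs; if the Agent replicates several shares on the same account, repeat the assignment per share or, deliberately, raise the scope to the storage account. Run the "Check Access" step again after the propagation window before troubleshooting NTFS permission errors.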