When working with Azure Files the following items must be in place for NTFS permissions and NTFS replication to work.
- Azure Active Directory Domain Services authentication must be enabled on Azure Files
- Azure Active Directory Domain Services must be enabled on the Azure tenant.
- Make sure that you have assigned the "Storage File Data SMB Share Elevated Contributor" role to the Resilio Connect Agent Service account in order to be able to enable/change NTFS permissions for Azure File Share.
Share-level permissions are the high-level gatekeeper that determines whether a user can access the share at all, whereas NTFS permissions act at a more granular level to determine what operations the user can perform on a given directory or file. The correct share-level permissions must be in place before you can modify the NTFS permissions.
- Full administrative control of a file share, including the ability to take ownership of a file, requires using the storage account key. Full administrative control isn't supported with identity-based authentication.
How To Validate the Correct Share Level Permissions
- In Azure navigate to your Azure Files Storage account. Select Check Access.
- On the flyout type the name of your service account and select it from the list.
- Once selected you will see a window similar to the screenshot below.
- You can see in the example that the service account "Powershell" either has no role assignments or is missing the required role.
- On the IAM screen select Add Role Assignment
- Search for "Storage File Data SMB Share Elevated Contributor" and click Next at the bottom of the page.
- Click Select Member and type your service account in the fly-out, and click Select.
- The last thing is to navigate to Review + Assign and approve the changes.
- NOTE: This change can take 30 minutes to replicate. It may not apply instantly.
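The portal steps above can also be scripted. The following is an added example, not Resilio's or Microsoft's own code: it checks that identity-based authentication on the storage account is set to Azure AD Domain Services (the prerequisite from the first section) and that the service account holds the "Storage File Data SMB Share Elevated Contributor" role at the storage-account scope, assigning the role only if it is missing. It assumes the Az PowerShell module is installed, `Connect-AzAccount` has already been run by someone with rights to create role assignments, and the resource group, storage account and service account sign-in name are placeholders you replace.

```powershell
# Added example (not part of the original article). Placeholders below must be replaced.
$resourceGroup    = "rg-placeholder"                 # placeholder resource group
$storageAccount   = "storageaccountplaceholder"      # placeholder storage account name
$serviceAccount   = "svc-resilio@contoso.example"    # placeholder sign-in name of the agent service account
$roleName         = "Storage File Data SMB Share Elevated Contributor"

# 1. Confirm Azure AD Domain Services authentication is enabled on Azure Files.
$account = Get-AzStorageAccount -ResourceGroupName $resourceGroup -Name $storageAccount
$dirOpt  = $account.AzureFilesIdentityBasedAuth.DirectoryServiceOptions
if ($dirOpt -ne "AADDS") {
    Write-Warning "Identity-based auth is '$dirOpt', expected AADDS. Enabling it now."
    Set-AzStorageAccount -ResourceGroupName $resourceGroup -Name $storageAccount `
        -EnableAzureActiveDirectoryDomainServicesForFile $true | Out-Null
}

# 2. Check the share-level RBAC role (scope = the whole storage account; append
#    "/fileServices/default/fileshares/<share>" to $scope to limit it to one share).
$scope    = $account.Id
$existing = Get-AzRoleAssignment -SignInName $serviceAccount -Scope $scope |
            Where-Object { $_.RoleDefinitionName -eq $roleName }

if ($existing) {
    Write-Host "Role '$roleName' is already assigned to $serviceAccount at $scope"
} else {
    Write-Host "Assigning '$roleName' to $serviceAccount at $scope"
    New-AzRoleAssignment -SignInName $serviceAccount -RoleDefinitionName $roleName -Scope $scope | Out-Null
}

# 3. Re-read the assignment so the run ends with what the portal "Check access" blade would show.
Get-AzRoleAssignment -SignInName $serviceAccount -Scope $scope |
    Select-Object DisplayName, RoleDefinitionName, Scope
```

As the note above says, a new assignment can take up to 30 minutes to take effect, so a `Get-AzRoleAssignment` that lists the role does not yet mean the agent can change NTFS permissions on the share.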
Mounting Azure Files with Storage Account Key
- Create a Scheduled Task As System
- Click Triggers and set the task to run once a day at a time you prefer. Have the task stop if it runs longer than 30 minutes.
- Click on the Actions Tab and Add
- Program = cmd.exe
- Add an Argument = replace STORAGEACCOUNT-NAME and STORAGEACCOUNT-KEY with your values and paste the line into the field. (The argument is run by cmd.exe, so no PowerShell backtick escaping is needed around the quotes.)
- /C "cmdkey /add:"STORAGEACCOUNT-NAME.file.core.windows.net" /user:"localhost\STORAGEACCOUNT-NAME" /pass:"STORAGEACCOUNT-KEY""
- Once saved, go to the Task Scheduler and run the task manually for the first time.
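The same task can be created from an elevated PowerShell prompt instead of the Task Scheduler UI. This is an added example, not Resilio's own code: it builds the cmd.exe action with the `cmdkey` argument from the steps above, registers the task to run daily as SYSTEM with a 30-minute execution limit, starts it once, and then checks the task's last result code. The task name, storage account name and key are placeholders; the key is read from a variable here only for illustration, and in practice you would retrieve it from a secure store (or with `Get-AzStorageAccountKey`) at deployment time.

```powershell
# Added example (not part of the original article). Placeholders below must be replaced.
$taskName           = "Resilio-AzureFiles-Credential"     # placeholder task name
$storageAccountName = "storageaccountplaceholder"         # placeholder, without .file.core.windows.net
$storageAccountKey  = "STORAGEACCOUNT-KEY"                # placeholder; supply the real key at deployment time

# The argument string cmd.exe receives; it is the same line the article has you paste into the UI.
$target   = "$storageAccountName.file.core.windows.net"
$argument = "/C `"cmdkey /add:$target /user:localhost\$storageAccountName /pass:$storageAccountKey`""

$action    = New-ScheduledTaskAction -Execute "cmd.exe" -Argument $argument
$trigger   = New-ScheduledTaskTrigger -Daily -At 3am                     # once a day, pick the time you prefer
$settings  = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Minutes 30)
$principal = New-ScheduledTaskPrincipal -UserId "NT AUTHORITY\SYSTEM" `
                 -LogonType ServiceAccount -RunLevel Highest            # run as SYSTEM

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Settings $settings -Principal $principal -Force | Out-Null

# First run is manual, as in the article; then confirm cmdkey exited with 0.
Start-ScheduledTask -TaskName $taskName
Start-Sleep -Seconds 10
$info = Get-ScheduledTaskInfo -TaskName $taskName
if ($info.LastTaskResult -eq 0) {
    Write-Host "Credential for $target stored in the SYSTEM credential vault (last run: $($info.LastRunTime))"
} else {
    Write-Warning "Task ended with result 0x$('{0:X}' -f $info.LastTaskResult); check the argument string and the key"
}
```

Because the key is part of the task's action arguments, anyone who can read the task definition (local administrators, via `(Get-ScheduledTask -TaskName $taskName).Actions.Arguments` or the task XML under `C:\Windows\System32\Tasks`) can read the key, so keep the host's administrator group tight and rotate the key if that group changes. The credential is stored for the SYSTEM account only, which is why the task must run as SYSTEM and why `cmdkey /list` from your own interactive session will not show it.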