articles/storage/files/storage-files-identity-assign-share-level-permissions.md
3 additions & 3 deletions
@@ -61,7 +61,7 @@ For example, say you have a user in your AD that's [email protected] and
61
61
62
62
For share-level permissions to work, you must take the following actions:
63
63
64
-
- If your identity source is AD DS or Microsoft Entra Kerberos, sync the users **and** the groups from your local Active Directory to Entra ID by using either [Microsoft Entra Connect Sync](/entra/identity/hybrid/connect/how-to-connect-sync-whatis) or [Microsoft Entra Cloud Sync](/entra/identity/hybrid/cloud-sync/what-is-cloud-sync), a lightweight agent that you can install from the Entra Admin Center.
64
+
- If your identity source is AD DS or Microsoft Entra Kerberos, sync the users **and** the groups from your local Active Directory to Entra ID by using either [Microsoft Entra Connect Sync](/entra/identity/hybrid/connect/how-to-connect-sync-whatis) or [Microsoft Entra Cloud Sync](/entra/identity/hybrid/cloud-sync/what-is-cloud-sync), a lightweight agent that you can install from the Microsoft Entra admin center.
65
65
- Add AD synced groups to RBAC role so they can access your storage account.
66
66
67
67
> [!TIP]
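
Review bot: Line 64 sits under "you must take the following actions" and requires syncing the users **and** the groups, yet the section at line 172 of this same file says users who aren't synced still get access through a synced AD DS group. Reword the requirement so it is clear which of the two share-level permissions actually depend on, or link from here to the non-synced users section. On line 65, "Add AD synced groups to RBAC role" is missing an article; something like "Assign an RBAC role to the AD-synced groups" reads more clearly.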
@@ -169,7 +169,7 @@ You can assign permissions to all authenticated Entra users and to specific Entr
169
169
170
170
## Understanding group-based access for non-synced users
171
171
172
-
Users who aren't synced to Entra ID can still access Azure file shares through group membership. If a user belongs to an on-premises AD DS group that's synced to Entra ID and has an Azure RBAC role assignment, the user gets the group's permissions, even though they don't appear as a group member in the Entra portal.
172
+
Users who aren't synced to Entra ID can still access Azure file shares through group membership. If a user belongs to an on-premises AD DS group that's synced to Entra ID and has an Azure RBAC role assignment, the user gets the group's permissions, even though they don't appear as a group member in the Microsoft Entra admin center.
173
173
174
174
Here's how it works:
175
175
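
Review bot: Line 172 tells the reader that a user's effective access can exceed the group membership shown in the Microsoft Entra admin center, but it doesn't say where an administrator should look instead. Add a sentence stating that the on-premises AD DS group membership is what has to be reviewed when auditing who can reach a share. Minor: "they don't appear as a group member" mixes plural and singular; "the user doesn't appear as a group member" matches the rest of the sentence.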
@@ -178,7 +178,7 @@ Here's how it works:
178
178
- Azure Files reads the group security identifiers (SIDs) from the Kerberos ticket.
179
179
- If any of those groups are synced to Entra ID, Azure Files applies the matching RBAC role assignments.
180
180
181
-
Because of this process, authorization is based on the groups listed in the Kerberos ticket, not on what appears in the Entra portal. Non-synced users can access file shares through their synced AD DS group memberships without needing individual sync to Entra ID.
181
+
Because of this process, authorization is based on the groups listed in the Kerberos ticket, not on what appears in the Microsoft Entra admin center. Non-synced users can access file shares through their synced AD DS group memberships without needing individual sync to Entra ID.
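
Review bot: Line 179 covers only the case where at least one group in the Kerberos ticket is synced to Entra ID; the list doesn't say what Azure Files does when none of them are. State that outcome explicitly, since it determines whether a non-synced user is denied or falls back to some other permission. Line 181 also repeats the point already made on line 172 about the admin center not reflecting membership, so one of the two sentences could be shortened.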