
Commit 573ca27

committed
Clarify takeown usage
1 parent c0eb5a1 commit 573ca27

1 file changed

Lines changed: 9 additions & 6 deletions

File tree

articles/storage/files/storage-files-identity-configure-file-level-permissions.md

@@ -4,7 +4,7 @@ description: Learn how to configure Windows ACLs for directory-level and file-le
44
author: khdownie
55
ms.service: azure-file-storage
66
ms.topic: how-to
7-
ms.date: 04/07/2026
7+
ms.date: 04/14/2026
88
ms.author: kendownie
99
# Customer intent: "As a system administrator, I want to configure directory-level and file-level permissions for SMB Azure file shares by using Windows ACLs, so that I can ensure granular access control and enhance security for users accessing shared files."
1010
---
@@ -46,7 +46,7 @@ The following table shows how share-level permissions and Windows ACLs work toge
4646
| **NTFS - Full** | Access denied | Read | Read, Write, Delete | Read, Write, Delete, Apply permissions to anyone's folders/files |
4747

4848
> [!NOTE]
49-
> Taking ownership of folders or files for ACL configuration requires an additional RBAC permission. By using the [Windows permission model for SMB admin](#use-the-windows-permission-model-for-smb-admin), you can grant this permission by assigning the built-in RBAC role [Storage File Data SMB Admin](/azure/role-based-access-control/built-in-roles/storage#storage-file-data-smb-admin). This role includes the `takeOwnership` permission.
49+
> To configure ACLs by using identity-based authentication instead of a storage account key, assign the built-in RBAC role [Storage File Data SMB Admin](/azure/role-based-access-control/built-in-roles/storage#storage-file-data-smb-admin) to users. This role grants the `takeOwnership` permission, which allows users to take ownership of files or directories by using the Windows `takeown` command and then modify ACLs. For details, see [Use the Windows permission model for SMB admin](#use-the-windows-permission-model-for-smb-admin).
5050
5151
## Supported Windows ACLs
5252
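Review bot: the rewritten NOTE drops two things the old wording carried. First, "requires an additional RBAC permission" made clear that takeOwnership is a privilege layered on top of whatever share-level data role the identity already holds; the new text ("assign the built-in RBAC role ... to users") reads as if Storage File Data SMB Admin is assigned on its own. Second, "users" is the wrong audience: the hunks below explain that this role lets the holder take ownership of a file or directory even when the existing ACL doesn't grant access, so it belongs to the administrators who configure ACLs, not to ordinary share users. Suggest: "assign the built-in RBAC role [Storage File Data SMB Admin](...) to the administrators who configure ACLs, in addition to their share-level role", and keep the word "additional" so readers don't remove their existing share-level assignment.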

@@ -76,17 +76,20 @@ For more information on these permissions, see the [command-line reference for i
7676

7777
Before you configure Windows ACLs, mount the file share with admin-level access. You can take two approaches:
7878

79-
- **Use the Windows permission model for SMB admin (recommended)**: Assign the built-in RBAC role [Storage File Data SMB Admin](/azure/role-based-access-control/built-in-roles/storage#storage-file-data-smb-admin). This role includes the required permissions for users who configure ACLs. Then mount the file share by using [identity-based authentication](storage-files-active-directory-overview.md) and configure ACLs. This approach is more secure because it doesn't require your storage account key to mount the file share.
79+
- **Use the Windows permission model for SMB admin (recommended)**: Assign the built-in RBAC role [Storage File Data SMB Admin](/azure/role-based-access-control/built-in-roles/storage#storage-file-data-smb-admin). This role includes the required permissions for users who configure ACLs. Then mount the file share by using [identity-based authentication](storage-files-active-directory-overview.md) and configure ACLs. If the existing ACL on a file or directory denies the admin access, the admin can use the Windows `takeown` command to take ownership and then modify the ACL. This approach is more secure because it doesn't require your storage account key to mount the file share.
8080

81-
- **Use the storage account key (less secure)**: Use your storage account key to mount the file share and then configure ACLs. The storage account key is a sensitive credential. For security reasons, use this option only if you can't use identity-based authentication.
81+
- **Use the storage account key (less secure)**: Use your storage account key to mount the file share and then configure ACLs. Mounting with a storage account key gives you immediate full access without needing to take ownership. The storage account key is a sensitive credential. For security reasons, use this option only if you can't use identity-based authentication.
8282

8383
If a user has the Full Control ACL and the [Storage File Data SMB Share Elevated Contributor](/azure/role-based-access-control/built-in-roles/storage#storage-file-data-smb-share-elevated-contributor) role (or a custom role with the required permissions), they can configure ACLs without using the Windows permission model for SMB admin or the storage account key.
8484

8585
### Use the Windows permission model for SMB admin
8686

87-
Use the Windows permission model for SMB admin instead of the storage account key. This feature enables you to assign the built-in RBAC role [Storage File Data SMB Admin](/azure/role-based-access-control/built-in-roles/storage#storage-file-data-smb-admin) to users, so they can take ownership of a file or directory to configure ACLs.
87+
Use the Windows permission model for SMB admin instead of the storage account key. This feature enables you to assign the built-in RBAC role [Storage File Data SMB Admin](/azure/role-based-access-control/built-in-roles/storage#storage-file-data-smb-admin) to users, so they can mount the share using identity-based authentication and configure ACLs.
8888

89-
The Storage File Data SMB Admin RBAC role doesn't grant the identity direct access to a file or directory if the identity isn't granted the proper permission (such as Modify or Full Control) in the target file's or directory's ACL. However, the identity with the Storage File Data SMB Admin RBAC role can take ownership of the target file or directory by using the Windows [`takeown`](/windows-server/administration/windows-commands/takeown) command, and then modify the ACL to grant proper access permissions.
89+
If the existing ACL on a file or directory grants the admin sufficient permissions (such as Modify or Full Control), the admin can configure ACLs directly. If the existing ACL denies access, the admin can use the Windows [`takeown`](/windows-server/administration/windows-commands/takeown) command to take ownership of the target file or directory, and then modify the ACL to grant the appropriate access permissions.
90+
91+
> [!NOTE]
92+
> The Storage File Data SMB Admin role doesn't work the same way as a storage account key. When you mount a share with a storage account key, you get immediate full access to all files and directories without needing to change ownership. With the Storage File Data SMB Admin role, the existing NTFS ACLs still apply for normal file access. The role grants the special privilege to take ownership by using the `takeown` command, which is only needed when the existing ACL doesn't grant the admin sufficient permissions to modify ACLs.
9093
9194
The Storage File Data SMB Admin RBAC role includes the following three data actions:
9295
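Review bot: the new paragraph under "### Use the Windows permission model for SMB admin" says an admin whose ACL grants "Modify or Full Control" can configure ACLs directly, but the unchanged sentence just above this heading says a user needs the Full Control ACL (plus Storage File Data SMB Share Elevated Contributor) to configure ACLs. Those two statements conflict; the original paragraph only listed Modify/Full Control as examples of access to the file, not of the right to change its ACL, and NTFS Modify does not include Change Permissions, so please revise the new paragraph to "(such as Full Control)" or otherwise align it with the sentence above. Second, the three new mentions of takeown in this hunk (the recommended bullet, the paragraph under the heading, and the new NOTE) state the trigger inconsistently: the bullet and paragraph say "if the existing ACL denies the admin access", the NOTE says "when the existing ACL doesn't grant the admin sufficient permissions to modify ACLs". An admin with Read only is not denied access but still can't change the ACL, and "denies" suggests an explicit Deny entry. Suggest using the NOTE's condition in all three places and trimming the bullet, so the mechanism is explained once rather than three times in one section.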
