Merge pull request #312519 from sandys29/patch-1

Document SFTP limitations regarding ACLs

Author: prmerger-automator[bot]

articles/storage/blobs/secure-file-transfer-protocol-known-issues.md

@@ -55,14 +55,24 @@ To transfer files to or from Azure Blob Storage via SFTP clients, see the follow
 | Cross Container Operations | Traversing between containers or performing operations on multiple containers from the same connection are unsupported.
 | Undelete | There is no way to restore a soft-deleted blob with SFTP. The `Undelete` REST API must be used.|
 
-## Authentication and authorization
+## Authentication and Authorization
 
 - _Local users_ are the only form of identity management that is currently supported for the SFTP endpoint.
 
 - Microsoft Entra ID isn't supported for the SFTP endpoint.
 
 To learn more, see [SFTP permission model](secure-file-transfer-protocol-support.md#sftp-permission-model) and see [Access control model in Azure Data Lake Storage](data-lake-storage-access-control-model.md).
 
+### Access ACLs and Default ACLs
+
+- SFTP doesn't currently support **Default ACLs** or additional **Access ACLs** (ACL entries beyond the POSIX `user::`, `group::`, and `other::` entries, such as named users or named groups).
+
+- If any directory in the access path (including the user's home directory) has Default ACLs or additional Access ACLs set, SFTP operations will fail with `Permission denied`, even when the connecting user has required permissions.
+
+**Workaround:** Remove Default ACLs and additional Access ACLs from all directories in the SFTP access path (including the user's home directory) so that only POSIX `user::`, `group::`, and `other::` entries remain.
+
+For more details about ACLs and how you can edit them, see [Access control lists (ACLs)](data-lake-storage-access-control.md).
+
 ## Networking
 
 - To access the storage account using SFTP, your network must allow traffic on port 22.