Full administrative control of a file share, including the ability to take ownership of a file, requires using the storage account key. Full administrative control isn't supported with Active Directory Domain Services (AD DS) or Azure AD authentication.

Most users should assign share-level permissions to specific Azure AD users or groups, and then use Windows ACLs for granular access control at the directory and file level. This is the most stringent and secure configuration. There are three scenarios where we instead recommend using a default share-level permission assigned to all authenticated identities:

- You are unable to sync your on-premises AD DS to Azure AD. Assigning a default share-level permission lets you work around the sync requirement, because you don't need to assign the permission to identities in Azure AD. You can then use Windows ACLs for granular permission enforcement on your files and directories. Identities that are tied to an AD but aren't synced to Azure AD can also use the default share-level permission. These include standalone Managed Service Accounts (sMSA), group Managed Service Accounts (gMSA), and computer accounts. Because computer accounts don't have an identity in Azure AD, you can't configure Azure role-based access control (RBAC) for them.

- The on-premises AD DS you're using is synced to a different Azure AD tenant than the one the file share is deployed in. This is typical when you're managing multi-tenant environments. Using a default share-level permission lets you bypass the requirement for an Azure AD hybrid identity. You can still use Windows ACLs on your files and directories for granular permission enforcement.

- You prefer to enforce access control only through Windows ACLs at the file and directory level. (Windows ACLs authorize an already-authenticated identity; authentication itself is still performed by AD DS or Azure AD.)

Note that a default share-level permission is granted to every authenticated AD identity on every share in the storage account, so in all three scenarios the Windows ACLs become the only per-share gate and should be reviewed accordingly.
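The two share-level models described above, as an added example written for this page (it is not code from the original page or from Microsoft's documentation). It assumes the Az.Accounts, Az.Storage and Az.Resources modules, a storage account on which AD DS or Azure AD Kerberos authentication has already been enabled, and a domain-joined Windows client; the resource group, account, share, group object ID and domain group names are placeholders.

```powershell
# Added example: explicit share-level RBAC versus a default share-level permission,
# plus the Windows ACL step both models rely on. All names are placeholders.
Import-Module Az.Accounts, Az.Storage, Az.Resources

$rg      = 'rg-files-prod'                             # placeholder resource group
$sa      = 'stfilesprod01'                             # placeholder storage account
$share   = 'finance'                                   # placeholder file share
$groupId = '00000000-0000-0000-0000-000000000000'      # placeholder object ID of the hybrid Azure AD group

Connect-AzAccount | Out-Null

# Model 1 (recommended): a share-level role for one specific Azure AD group, scoped to a
# single share, with the default share-level permission turned off so that every other
# identity is refused at the share before Windows ACLs are even consulted.
function Set-ExplicitShareAccess {
    param([string]$ResourceGroupName, [string]$AccountName, [string]$ShareName, [string]$ObjectId)
    $sub   = (Get-AzContext).Subscription.Id
    $scope = "/subscriptions/$sub/resourceGroups/$ResourceGroupName/providers/Microsoft.Storage" +
             "/storageAccounts/$AccountName/fileServices/default/fileshares/$ShareName"
    New-AzRoleAssignment -ObjectId $ObjectId `
        -RoleDefinitionName 'Storage File Data SMB Share Contributor' `
        -Scope $scope | Out-Null
    Set-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $AccountName `
        -DefaultSharePermission None | Out-Null
}

# Model 2 (the three exception scenarios): one default share-level permission for every
# authenticated AD identity, which also covers sMSA/gMSA/computer accounts that have no
# Azure AD identity and therefore cannot receive an RBAC assignment. It applies to every
# share in the account, so pick the narrowest role that still works (Reader if possible).
function Set-DefaultShareAccess {
    param([string]$ResourceGroupName, [string]$AccountName,
          [ValidateSet('StorageFileDataSmbShareReader','StorageFileDataSmbShareContributor',
                       'StorageFileDataSmbShareElevatedContributor')]
          [string]$Permission = 'StorageFileDataSmbShareContributor')
    Set-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $AccountName `
        -DefaultSharePermission $Permission | Out-Null
}

# Check which model is in effect and flag the widest setting: Elevated Contributor lets
# every authenticated AD identity rewrite the Windows ACLs you are relying on.
function Get-ShareLevelPermissionModel {
    param([string]$ResourceGroupName, [string]$AccountName)
    $acct    = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $AccountName
    $default = $acct.AzureFilesIdentityBasedAuth.DefaultSharePermission
    if (-not $default -or $default -eq 'None') {
        return 'Explicit RBAC only: identities without a share-level role assignment are denied at the share'
    }
    if ($default -eq 'StorageFileDataSmbShareElevatedContributor') {
        return "WARNING: default $default lets every authenticated AD identity change NTFS ACLs on every share"
    }
    return "Default share-level permission $default applies to all authenticated AD identities on every share in $AccountName"
}

# Pick one model; the second call would silently override the first.
Set-ExplicitShareAccess -ResourceGroupName $rg -AccountName $sa -ShareName $share -ObjectId $groupId
# Set-DefaultShareAccess -ResourceGroupName $rg -AccountName $sa -Permission StorageFileDataSmbShareReader
Get-ShareLevelPermissionModel -ResourceGroupName $rg -AccountName $sa

# Either way, the per-directory gate is the Windows ACL. Mount with Kerberos as a domain
# user (no storage account key), grant the domain group Modify on the tree, and drop the
# broad Authenticated Users entry the share starts with (assumed default root ACL).
net use Z: "\\$sa.file.core.windows.net\$share"
icacls 'Z:\' /grant 'CONTOSO\finance-users:(OI)(CI)(M)'        # placeholder domain\group
icacls 'Z:\' /remove 'NT AUTHORITY\Authenticated Users'
icacls 'Z:\'                                                    # review the resulting ACL

# Taking ownership of files (full administrative control) is only possible over a session
# authenticated with the storage account key; keep that path out of day-to-day operations:
# net use Y: "\\$sa.file.core.windows.net\$share" /user:Azure\$sa <storage-account-key>
```

The check function is worth running as part of a periodic review: with Model 2 the default permission, not the share-scoped role assignments, decides who reaches the share, so a change to that single account-level setting widens access to every share at once.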