Azure Files NTFS Permissions

BRADLEY MILLER 5 Reputation points
2025-03-27T16:03:02.19+00:00

I have been testing a lot of options for Azure Files with the purpose of replacing on-prem file storage devices and also some items that do not work well in SharePoint/OneDrive.

I have tested Entra Domain Services (works fine for AVD scenarios), but it is unable to work remotely, which is a requirement.

I currently have an AD DS setup with Entra Connect for hybrid identities. This works fine for mounting the drive while on the Azure VPN client with DNS pointed to the domain controller living in Azure. The issue I am seeing is due specifically to NTFS permissions. The only way I have been able to 'see' NTFS permissions is if the computer in question is joined to the domain and then has line of sight to the domain. My tests are successful when using Azure VPN and also with a Site-to-Site VPN to the domain controller in Azure.

Kerberos Auth does not seem to work with NTFS permissions remotely in my testing. I can mount the drive fine but I cannot 'see' NTFS unless on a domain joined machine.

Am I missing anything or is this indeed the requirement to have Azure Files working remotely? Domain joined machine + hybrid identity + Azure VPN Client / S2S VPN for Line of Sight. I understand that Kerb auth was to allow access without line of sight but I have yet to get that working with NTFS permissions 'seen'.

From my testing it seems there is no way to have Azure Files w/ NTFS permissions working without line of sight and the pc being domain joined. Only having hybrid identity will allow you to map but not 'see' NTFS.

Thanks!


2 answers

  1. Hari Babu Vattepally 2,715 Reputation points Microsoft External Staff Moderator
    2025-03-27T18:44:09.7+00:00

    Hi @BRADLEY MILLER,

    To access Azure Files with NTFS permissions remotely, your machine needs to be domain-joined and have line of sight to the domain controller. Kerberos authentication can help without direct line of sight, but it needs proper setup and connectivity to work well with NTFS permissions.

    In your case, you can mount the drive using Azure VPN or Site-to-Site VPN, but seeing NTFS permissions depends on being on a domain-joined machine that can talk to the domain controller. This is pretty standard when using Azure Files with Active Directory Domain Services (AD DS) and hybrid identities.

    To make sure NTFS permissions are visible and manageable, keeping a connection to the domain controller is key. Double-check your Kerberos setup and ensure all necessary ports and protocols are open in your network settings.

    For additional information, please refer to the below:

    I hope following the above helps resolve the issue.

    Please let us know in the comments below if the issue is resolved or still persists. We will be glad to assist you closely.

    Please do consider “up-voting” wherever the information provided helps you; this can be beneficial to other community members.


  2. chrischin 915 Reputation points Microsoft Employee
    2025-03-28T02:20:58.8833333+00:00

    It is limited. For use cases where you need to allow folks to read the file share and prevent them from accessing files and folders they lack NTFS permissions for, this will work. The moment those folks need to set/change NTFS permissions, they will need line of sight to the DC. This is documented here:


    From: https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-hybrid-identities-enable?tabs=azure-portal%2Cintune

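A client-side check that separates the two things the thread conflates, mounting the share (share-level access) and being able to resolve the identities in its NTFS ACL (which needs a domain controller). This is an added diagnostic, not code from the thread or from Microsoft; `<storageaccount>` and `<share>` are placeholders, and the drive letter is an assumption.

```powershell
# Added diagnostic script (not from the original thread). Assumes the share is
# reachable over SMB 445 and that the signed-in user is a hybrid identity.
param(
    [string]$StorageAccount = '<storageaccount>',   # placeholder: your storage account name
    [string]$Share          = '<share>',            # placeholder: your file share name
    [string]$DriveLetter    = 'Z'                   # assumed free drive letter
)

$fqdn    = "$StorageAccount.file.core.windows.net"
$uncPath = "\\$fqdn\$Share"

# 1. Mount the share. Success here only proves share-level (RBAC/SMB) access;
#    it says nothing about whether NTFS ACL identities can be resolved.
New-PSDrive -Name $DriveLetter -PSProvider FileSystem -Root $uncPath -Persist -ErrorAction Stop | Out-Null
Write-Host "Mounted $uncPath as ${DriveLetter}:"

# 2. Confirm a Kerberos ticket was issued for the share's SPN (klist ships with Windows).
#    If no cifs/ ticket appears, the session fell back to another auth path.
klist get "cifs/$fqdn" | Out-Null
klist | Select-String 'cifs/'

# 3. Read the NTFS ACL of the share root and flag entries that come back as raw SIDs.
#    An identity shown as S-1-5-21-... instead of DOMAIN\name means this client could not
#    resolve it against a domain controller, which is what "not seeing NTFS" looks like
#    on a machine without line of sight.
$acl = Get-Acl -Path "${DriveLetter}:\"
foreach ($ace in $acl.Access) {
    $id = $ace.IdentityReference.Value
    [pscustomobject]@{
        Identity = $id
        Resolved = ($id -notmatch '^S-1-')   # $false = unresolved SID, DC not reachable
        Rights   = $ace.FileSystemRights
        Type     = $ace.AccessControlType
    }
}
```

Run it once on a domain-joined machine over the VPN and once on the remote machine; a mount that succeeds in both places but shows `Resolved = False` only remotely confirms the line-of-sight limitation described above rather than a share-level access problem.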
