When working with Azure Files the following items must be in place for NTFS permissions and NTFS replication to work.
- Azure Active Directory Domain Services authentication MUST be enabled on Azure Files.
- Azure Active Directory Domain Services MUST be enabled on the Azure tenant.
- You MUST assign the "Storage File Data SMB Share Elevated Contributor" role to the Resilio Connect Agent Service account to be able to enable/change NTFS permissions for Azure File Share.
Share-level permissions are the high-level gatekeeper that determines whether a user can access the share, whereas NTFS permissions act at a more granular level to determine what operations the user can do at the directory or file level. The correct share-level permissions are required before you modify the NTFS permissions.
REQUIRED
- Full administrative control of a file share, including the ability to take ownership of a file, requires using the storage account key. Full administrative control isn't supported with identity-based authentication.
To replicate Owner Permissions you MUST follow the steps provided in the section,
How To Validate the Correct Share Level Permissions
- In Azure, navigate to your Azure Files Storage account. Select Check Access.
- On the flyout, type the name of your service account and select it from the list.
- Once selected, you will see a window similar to the screenshot below.
- You can see in the example that the service account Powershell does not have any roles or the correct role.
- On the IAM screen select Add Role Assignment
- Search for "Storage File Data SMB Share Elevated Contributor" and click Next at the bottom of the page.
- Click Select Member and type your service account in the fly-out, and click Select.
- The last thing is to navigate to Review + Assign and approve the changes.
- NOTE: This change can take 30 minutes to replicate. It may not apply instantly.
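The same check can be scripted instead of clicked through in the portal. The PowerShell below is an added example, not part of the original article or of Resilio's tooling; it assumes the Az PowerShell modules are installed, and every value in angle brackets is a placeholder.

```powershell
# Added example. All values in <> are placeholders (assumptions), not from the article.
$ResourceGroup   = '<resource-group>'
$StorageAccount  = '<storage-account>'
$ServiceAccount  = '<service-account-upn>'   # Resilio Connect Agent service account
$RoleName        = 'Storage File Data SMB Share Elevated Contributor'
$AssignIfMissing = $false                    # set to $true to add the role when absent

Connect-AzAccount | Out-Null

# Resource ID of the storage account that hosts the file share.
$scope = (Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount).Id

# An assignment is effective on the account when its scope is the account itself
# or one of its ancestors (resource group or subscription).
function Test-ScopeApplies([string]$AssignmentScope, [string]$TargetScope) {
    $prefix = $AssignmentScope.TrimEnd('/') + '/'
    return ($AssignmentScope -eq $TargetScope) -or
           $TargetScope.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)
}

# Direct assignments only; roles inherited through group membership are not expanded.
$effective = Get-AzRoleAssignment -SignInName $ServiceAccount |
    Where-Object { Test-ScopeApplies $_.Scope $scope }

$hasRole = $effective | Where-Object { $_.RoleDefinitionName -eq $RoleName }

if ($hasRole) {
    Write-Host "OK: '$ServiceAccount' holds '$RoleName'."
    $hasRole | Format-Table RoleDefinitionName, Scope -AutoSize
}
else {
    Write-Warning "'$ServiceAccount' does not hold '$RoleName' on $StorageAccount."
    # Show what the account does hold, to spot a wrong or weaker role.
    $effective | Format-Table RoleDefinitionName, Scope -AutoSize
    if ($AssignIfMissing) {
        New-AzRoleAssignment -SignInName $ServiceAccount -RoleDefinitionName $RoleName -Scope $scope
        Write-Host 'Role assigned. Allow up to 30 minutes for the change to replicate.'
    }
}
```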
How to find my Mount command
- On your Azure Files management page, locate Data storage and File shares.
- Select your file share; on the right side you will see 3 dots. Click Connect.
- Pick Windows and Storage Account Key
- Click Show Script
- Copy the section between
  # Save the password so the drive will persist on reboot
  and
  # Mount the drive
- Use these lines to fill in the next steps.
Mounting Azure Files with Storage Account Key - Scheduled Task
- Create a Scheduled Task as your service account.
- Click Triggers and set the task to run once a day at a time you prefer. Have the task stop if it runs longer than 30 minutes.
- Click on the Actions tab and click Add.
- Program = powershell.exe
- Add an Argument = paste the following into the field, replacing the sample values (storage account name and password) with your own.
  -Command "& { Start-Process cmd.exe -ArgumentList '/C cmdkey /add:`"demoazurefiles.file.core.windows.net`" /user:`"localhost\demoazurefiles`" /pass:`"password`"' -NoNewWindow -Wait }"
- Once saved, go to the Task Scheduler and run the task manually for the first time.
Mounting Azure Files with Storage Account Key - Script job
- Create a New Script Job
- Under the Script section, select Run AS Powershell
- Replace line 3 with your script from the Azure storage account
- Copy the section between
# Save the password so the drive will persist on reboot
and
# Mount the drive
- Set your Job Schedule for when and how often the job should run.
- When at the Summary tab, save and run your job manually for the first time.