Last month, Microsoft announced general availability for a new premium tier of its Azure Files service. Today, the tech giant unveiled new security features intended to improve the access control experience, and outlined what is in store for the service in the future.
To start off, there's the introduction of Azure Active Directory Domain Services (Azure AD DS) authentication support for Server Message Block (SMB) access. This essentially means that your domain-joined Windows virtual machines can mount and access your Azure file shares over SMB using AD DS credentials, with NTFS access control lists enforced.
Furthermore, share-level access can be restricted to certain files and folders using role-based access control (RBAC). The permission assignment functionality is quite similar to that of NTFS, and thus makes the process of 'lifting and shifting' an application much easier. Additionally, support for enforcing NTFS discretionary access control lists (DACLs) with Azure Files means that DACLs can be maintained across copying and data recovery processes.
Moving on, permission modification through File Explorer has been highlighted. The feature was first showcased at Ignite 2018; at that time, viewing and changing permissions required a Windows command-line tool named 'icacls'. However, this tool was found not to be easily discoverable or consistent with user behavior. Therefore, the ability is now offered in File Explorer, making permission assignments for Azure Files easy.
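For teams that still audit DACLs from the command line, the following added example (not from Microsoft or the original article) parses the text that `icacls <path>` prints and flags allow entries that give broad principals write-capable rights. The drive letter, folder, `CONTOSO` domain and sample output are constructed, and the set of principals treated as broad is an assumption to adjust for your environment.

```python
import re

# Principals that cover most or all signed-in users (assumed review list).
BROAD = {"everyone", "nt authority\\authenticated users", "builtin\\users"}
# icacls inheritance markers; every other token is a rights mask or DENY.
INHERIT = {"OI", "CI", "IO", "NP", "I"}
# Simple and specific rights that allow changing data, ACLs or ownership.
WRITE_CAPABLE = {"F", "M", "W", "D", "WD", "AD", "DC", "DE", "WDAC", "WO", "GW", "GA"}

def parse_icacls(path, output):
    """Return one dict per ACE in the output of `icacls <path>`."""
    aces = []
    for line in output.splitlines():
        # The first line is prefixed with the path; later lines are indented.
        rest = line[len(path):] if line.startswith(path) else line
        who, sep, tail = rest.strip().partition(":(")
        if not sep:
            continue  # blank line or the "Successfully processed" summary
        tokens = re.findall(r"\(([^)]*)\)", "(" + tail)
        rights = {r for t in tokens if t not in INHERIT and t != "DENY"
                  for r in t.split(",")}
        aces.append({"principal": who, "deny": "DENY" in tokens,
                     "inherited": "I" in tokens, "rights": rights})
    return aces

def broad_write_aces(aces):
    """Allow ACEs that give a broad principal write-capable rights."""
    return [a for a in aces
            if not a["deny"] and a["principal"].lower() in BROAD
            and a["rights"] & WRITE_CAPABLE]

# Constructed sample: what icacls might print for a folder on a mounted share.
SAMPLE_PATH = r"Z:\finance"
SAMPLE = "\n".join([
    r"Z:\finance BUILTIN\Administrators:(OI)(CI)(F)",
    r"           CONTOSO\alice:(I)(RX)",
    r"           Everyone:(OI)(CI)(M)",
    r"           NT AUTHORITY\Authenticated Users:(DENY)(WD,AD)",
    r"           BUILTIN\Users:(OI)(CI)(RX)",
    "",
    "Successfully processed 1 files; Failed processing 0 files",
])

if __name__ == "__main__":
    for ace in broad_write_aces(parse_icacls(SAMPLE_PATH, SAMPLE)):
        print("review:", ace["principal"], sorted(ace["rights"]))
```

The check is a coarse triage of individual entries: it does not resolve group membership or compute effective access.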
Finally, three new in-built access controls have been brought to general availability to simplify share-level access management. These include Storage File Data SMB Share Elevated Contributor, Contributor, and Reader. The introduction of these in-built roles helps alleviate the need to create custom roles for specifying permissions, making it a much simpler and more efficient task.
Following these changes, the Azure Files team is aiming to extend authentication support as part of the access control experience to Windows Server Active Directory hosted on-premises or in the cloud. You can learn more about the new features here.