Azure Storage File Access Control
Securing your data is paramount when using Azure Storage. Azure Files offers robust access control mechanisms to ensure that only authorized users and applications can access your file shares and the data within them. This document outlines the primary methods for controlling access to Azure Files.
Shared Key Authorization
Shared key authorization is the most basic form of authentication for Azure Storage. Each storage account has two storage account access keys, and either key grants full access to all of the data in the storage account. Shared key is simple to use, but for production workloads it is generally recommended to use more granular authentication methods, such as Azure AD, instead.
Example: Using Shared Key with Azure CLI
az storage share list --account-name <account-name> --account-key <account-key>
Shared Access Signatures (SAS)
Shared Access Signatures (SAS) provide a way to delegate access to specific resources in your storage account, such as a file share, directory, or file, for a limited period and with specific permissions. SAS tokens are generated using your storage account access keys, but they don't expose those keys.
There are two types of SAS:
- Service SAS: Signed with a storage account access key and scoped to a resource in a single service (for the File service: a file share, directory, or file).
- Account SAS: Also signed with a storage account access key, but it can delegate access to resources in one or more services within the storage account, including service-level operations that are not available through a service SAS.
Creating a SAS Token
SAS tokens can be created using the Azure portal, Azure CLI, Azure PowerShell, or programmatically using Azure Storage SDKs.
Example: Creating a Service SAS for a File Share (Azure CLI)
az storage share generate-sas \
--account-name <account-name> \
--name <share-name> \
--permissions rwd \
--expiry 2024-12-31T23:59:59Z \
--connection-string <connection-string>
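The following is an added example, written from scratch for this page rather than taken from the Azure SDK or the az CLI. It shows what a File service SAS is made of, why handing a token to a client does not reveal the account key (the token carries only an HMAC signature), and how the receiving side validates it by recomputing the signature and enforcing the time window. The string-to-sign layout, query parameter names and version value follow Azure's documented service-SAS format for the File service as recalled here; treat that layout as an assumption and check it against the current REST reference before relying on it. The account name and key are constructed sample values.

```python
# Added example (not Azure's code): File service SAS signing and validation.
# String-to-sign layout follows the documented service-SAS format as I recall
# it; treat it as an assumption. Account name and key are constructed samples.
import base64
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode

SAS_VERSION = "2020-02-10"   # sv= value we sign with (assumed-valid version)
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample account and key. The key is base64 of a demo string, not a
# real Azure key (real keys are 64 random bytes, base64-encoded).
SAMPLE_ACCOUNT = "examplestorage"
SAMPLE_KEY = base64.b64encode(b"constructed-demo-key-not-real-0123456789").decode()


def _string_to_sign(permissions, start, expiry, resource, identifier, ip,
                    protocol, version):
    """Thirteen newline-separated fields; the last five (response-header
    overrides rscc/rscd/rsce/rscl/rsct) are empty here but must be present."""
    return "\n".join([permissions, start, expiry, resource, identifier, ip,
                      protocol, version, "", "", "", "", ""])


def _sign(account_key_b64, string_to_sign):
    """Base64(HMAC-SHA256(Base64Decode(key), UTF-8(string_to_sign)))."""
    key = base64.b64decode(account_key_b64)
    digest = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def generate_share_sas(account, account_key_b64, share, permissions, expiry,
                       start=""):
    """Return the query string of a service SAS scoped to one share.
    The canonical resource for a share is /file/{account}/{share}."""
    resource = f"/file/{account}/{share}"
    sig = _sign(account_key_b64, _string_to_sign(
        permissions, start, expiry, resource, "", "", "https", SAS_VERSION))
    params = {"sv": SAS_VERSION, "sr": "s", "sp": permissions}
    if start:
        params["st"] = start
    params.update({"se": expiry, "spr": "https", "sig": sig})
    return urlencode(params)   # the key itself never appears in the token


def validate_share_sas(account, account_key_b64, share, token, now=None):
    """Server-side check: recompute the signature over the fields the caller
    presents, then enforce the validity window. Returns (ok, reason). Editing
    sp/se/sr, or presenting the token for another share, changes the
    string-to-sign and therefore breaks the signature."""
    q = {k: v[0] for k, v in parse_qs(token, keep_blank_values=True).items()}
    if not {"sv", "sr", "sp", "se", "sig"} <= set(q):
        return False, "missing fields"
    if q["sr"] != "s":
        return False, "not a share SAS"
    expected = _sign(account_key_b64, _string_to_sign(
        q["sp"], q.get("st", ""), q["se"], f"/file/{account}/{share}",
        q.get("si", ""), q.get("sip", ""), q.get("spr", ""), q["sv"]))
    # Constant-time compare so the check does not leak how many leading
    # bytes of a guessed signature were correct.
    if not hmac.compare_digest(expected.encode(), q["sig"].encode()):
        return False, "signature mismatch"
    now = now or datetime.now(timezone.utc)
    expiry = datetime.strptime(q["se"], TIME_FMT).replace(tzinfo=timezone.utc)
    if now >= expiry:
        return False, "expired"
    if q.get("st"):
        start = datetime.strptime(q["st"], TIME_FMT).replace(tzinfo=timezone.utc)
        if now < start:
            return False, "not yet valid"
    return True, "ok"


if __name__ == "__main__":
    token = generate_share_sas(SAMPLE_ACCOUNT, SAMPLE_KEY, "finance", "r",
                               "2099-01-01T00:00:00Z")
    print(token)
    print(validate_share_sas(SAMPLE_ACCOUNT, SAMPLE_KEY, "finance", token))
```

The validation function is the point for a defender: a SAS is only as trustworthy as the account key that signed it, so rotating the key invalidates every token derived from it, and a token's permissions and expiry cannot be widened without re-signing.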
Azure Active Directory (Azure AD) Integration
For robust security and simplified identity management, Azure Files supports integration with Azure Active Directory (Azure AD). This allows you to leverage Azure AD identities to authenticate and authorize access to your file shares.
Azure Files supports Azure AD authentication in two primary ways:
- Azure AD Domain Services (Azure AD DS): A managed domain that provides traditional, on-premises-style Active Directory identity management in the cloud.
- Azure AD Kerberos authentication for Azure Files: Allows domain-joined or hybrid domain-joined Windows machines to mount Azure file shares using Kerberos tickets obtained from Azure AD.
Roles and Permissions
When using Azure AD, you assign Azure roles to users, groups, or service principals to grant them access to storage accounts and their resources. Azure role-based access control (RBAC) provides fine-grained control over who can do what on which resources.
Commonly used roles for Azure Files include:
- Storage File Data SMB Share Reader: Read access to Azure File shares via SMB.
- Storage File Data SMB Share Contributor: Read, write, and delete access to Azure File shares via SMB.
- Storage File Data REST Share Reader: Read access to Azure File shares via REST API.
- Storage File Data REST Share Contributor: Read, write, and delete access to Azure File shares via REST API.
Example: Assigning a Role via Azure CLI
az role assignment create \
--role "Storage File Data SMB Share Contributor" \
--assignee <user-group-or-service-principal-id> \
--scope "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<account-name>/fileServices/default/shares/<share-name>"
Network Security
In addition to identity-based access control, you can enhance security by restricting network access to your Azure File shares.
- Firewall and Virtual Networks: Configure storage account firewalls to allow access only from trusted IP addresses or virtual network subnets.
- Private Endpoints: Use private endpoints to ensure that traffic to your Azure File shares travels over a private IP address within your virtual network, isolating it from the public internet.
Best Practices for Access Control
To ensure the security and integrity of your data in Azure Files:
- Prefer Azure AD authentication over shared keys and SAS tokens for user and application access.
- Use SAS tokens for delegated, time-bound access with specific permissions.
- Implement the principle of least privilege when assigning roles and permissions.
- Regularly audit access logs to monitor for suspicious activity.
- Securely store and manage your storage account access keys.
- Configure network firewalls and private endpoints to limit network exposure.
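As an added example for the audit and network-exposure points above (not Azure's code and not part of this page's original material), the following script does a small triage pass over Azure Storage resource-log records: it counts how each request was authenticated, flags requests that still use the shared key, flags callers outside a constructed firewall allow-list, and flags authorization failures. The field names used (identity.type, callerIpAddress with a trailing port, statusCode, operationName, uri) follow the Storage diagnostic-log JSON schema as understood here and should be treated as an assumption; the trusted ranges and every log record are constructed samples using documentation IP ranges.

```python
# Added example (not Azure's code): triage of constructed Azure Storage
# resource-log records. Field mapping is an assumption about the log schema.
import ipaddress
import json
from collections import Counter

# Constructed allow-list: the ranges the storage firewall / private endpoint
# is meant to admit. Anything else in the logs deserves a look.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample records, one JSON object per line.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"time": "2024-05-01T08:00:01Z", "operationName": "GetFile", "statusCode": 200,
     "callerIpAddress": "10.0.1.5:49152", "identity": {"type": "OAuth"},
     "uri": "https://examplestorage.file.core.windows.net/finance/q1.xlsx"},
    {"time": "2024-05-01T08:00:07Z", "operationName": "PutRange", "statusCode": 201,
     "callerIpAddress": "198.51.100.7:51000", "identity": {"type": "AccountKey"},
     "uri": "https://examplestorage.file.core.windows.net/finance/q1.xlsx"},
    {"time": "2024-05-01T08:00:09Z", "operationName": "ListShares", "statusCode": 403,
     "callerIpAddress": "198.51.100.7:51001", "identity": {"type": "SAS"},
     "uri": "https://examplestorage.file.core.windows.net/?comp=list"},
    {"time": "2024-05-01T08:01:00Z", "operationName": "GetFile", "statusCode": 200,
     "callerIpAddress": "203.0.113.9:40000", "identity": {"type": "SAS"},
     "uri": "https://examplestorage.file.core.windows.net/finance/q1.xlsx"},
])


def caller_ip(value):
    """Logs record 'ip:port'; strip the port for IPv4 and for '[v6]:port'.
    Returns None when the value is not a parseable address."""
    if value.startswith("[") and "]" in value:
        value = value[1:value.index("]")]
    elif value.count(":") == 1:
        value = value.split(":")[0]
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def triage(log_text):
    """Return (findings, auth_counts). findings is a list of
    (rule, operationName, ip, uri) tuples; auth_counts tallies identity.type."""
    findings = []
    auth_counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        auth = rec.get("identity", {}).get("type", "Unknown")
        ip = caller_ip(rec.get("callerIpAddress", ""))
        op, uri = rec.get("operationName"), rec.get("uri", "")
        auth_counts[auth] += 1
        # Shared key should be disappearing from the logs as workloads move to Azure AD.
        if auth == "AccountKey":
            findings.append(("shared-key-used", op, str(ip), uri))
        # A caller outside the firewall allow-list means the network controls are
        # not yet in place, or are being bypassed.
        if ip is not None and not any(ip in net for net in TRUSTED_NETWORKS):
            findings.append(("untrusted-source", op, str(ip), uri))
        # Denied requests are where an expired or over-scoped SAS tends to show up.
        if rec.get("statusCode") in (401, 403):
            findings.append(("auth-failure", op, str(ip), uri))
    return findings, auth_counts


if __name__ == "__main__":
    found, counts = triage(SAMPLE_LOG)
    print("authentication types:", dict(counts))
    for f in found:
        print(*f)
```

Run against a real export, the authentication-type tally is the quickest way to measure progress on the first best practice, and the untrusted-source findings show whether the firewall and private endpoint configuration actually covers every caller.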