Secure Access to Azure Files
Azure Files offers a fully managed cloud file share accessible via the industry-standard Server Message Block (SMB) protocol or Network File System (NFS) protocol. This document details the various security mechanisms and best practices for accessing and securing your Azure Files shares.
Authentication Methods
Azure Files supports several authentication methods to ensure only authorized users and applications can access your data.
1. Azure Active Directory (Azure AD) Authentication
For SMB protocol, Azure Files integrates with Azure AD, allowing you to use familiar identity management solutions:
- Azure AD Domain Services (Azure AD DS): Provides managed domain services like domain join, group policy, and Kerberos/NTLM authentication.
- Active Directory Domain Services (AD DS): You can lift-and-shift your on-premises AD DS to Azure VMs and sync with Azure AD for hybrid environments.
- Azure AD Kerberos: Enables cloud-only applications and services to authenticate to Azure Files shares using Azure AD credentials without requiring traditional domain controllers.
For NFS protocol, authentication is typically handled by NFSv4.1 ID mapping, which can be configured to map user and group IDs (UID/GID) to Azure AD identities.
2. Storage Account Key Authentication
This is the simplest method, using the keys directly associated with your storage account. Because an account key grants full access to the whole storage account rather than to a single share, it's suitable for development and testing or for scenarios where strict identity management isn't the primary concern. For production environments, it's recommended to use Azure AD or other more granular methods.
# Example using Azure CLI to list storage account keys
az storage account keys list --account-name mystorageaccount --resource-group myresourcegroup
3. Shared Access Signatures (SAS)
SAS tokens provide delegated access to specific Azure Files shares or individual files. You can grant limited permissions (read, write, delete) for a specific duration and to specific IP addresses or network ranges. This is ideal for granting temporary or limited access to clients without sharing storage account keys.
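The following is an added example, not code from the original document or from Azure: a small reviewer for the query parameters of a service SAS token (sp, st, se, sip, spr, sr, sv, sig), which reports the properties this section says to limit: broad permissions, a long expiry, no IP restriction and HTTP allowed. The two sample tokens and their `sig` values are constructed placeholders, and the 24-hour lifetime threshold is an assumed review policy rather than an Azure limit.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

# Service-SAS permission letters that allow modification of share contents.
WRITE_CLASS_PERMISSIONS = set("wdc")  # write, delete, create


def parse_sas(token: str) -> dict:
    """Split a SAS query string (with or without a leading '?') into its parameters."""
    fields = parse_qs(token.lstrip("?"), keep_blank_values=True)
    return {name: values[0] for name, values in fields.items()}


def _parse_sas_time(value: str) -> datetime:
    """SAS start/expiry values are ISO 8601 UTC timestamps such as 2024-05-01T02:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def review_sas(token: str, now: datetime, max_lifetime: timedelta = timedelta(hours=24)) -> list:
    """Return review findings for a service SAS; an empty list means nothing was flagged.

    The checks follow the page's guidance: limited permissions, a bounded duration,
    and a restriction to specific client IP addresses. The default lifetime
    threshold is an assumed policy value, not an Azure limit.
    """
    params = parse_sas(token)
    findings = []
    for required in ("sp", "se", "sig"):
        if required not in params:
            findings.append(f"missing required parameter '{required}'")
    if findings:
        return findings

    expiry = _parse_sas_time(params["se"])
    if expiry <= now:
        findings.append("token has already expired")
    elif expiry - now > max_lifetime:
        findings.append(f"expiry is more than {max_lifetime} in the future")

    if "sip" not in params:
        findings.append("no 'sip' restriction: usable from any network")

    # spr defaults to "https,http" when omitted, so an absent value also allows HTTP.
    if params.get("spr", "https,http") != "https":
        findings.append("HTTP permitted: 'spr' is not 'https'")

    risky = WRITE_CLASS_PERMISSIONS & set(params["sp"])
    if risky:
        findings.append("grants write-class permissions: " + "".join(sorted(risky)))
    return findings


# Constructed sample tokens; the 'sig' values are placeholders, not real signatures.
REVIEW_TIME = datetime(2024, 5, 1, 1, 0, 0, tzinfo=timezone.utc)

BROAD_TOKEN = (
    "sv=2022-11-02&sr=s&sp=rcwdl&se=2030-01-01T00:00:00Z"
    "&spr=https,http&sig=PLACEHOLDER_SIGNATURE"
)
SCOPED_TOKEN = (
    "sv=2022-11-02&sr=f&sp=r&st=2024-05-01T00:00:00Z&se=2024-05-01T02:00:00Z"
    "&sip=203.0.113.10&spr=https&sig=PLACEHOLDER_SIGNATURE"
)

if __name__ == "__main__":
    for label, token in (("broad", BROAD_TOKEN), ("scoped", SCOPED_TOKEN)):
        print(label, review_sas(token, REVIEW_TIME) or ["no findings"])
```

Run against the broad token the reviewer reports four findings (distant expiry, no IP restriction, HTTP permitted, write-class permissions); the scoped token, which matches the section's advice, produces none. The reviewer only inspects parameters; it cannot verify `sig`, since that requires the account key the token was signed with.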
Authorization and Access Control
Once authenticated, authorization determines what actions an identity can perform on the file share.
1. Role-Based Access Control (RBAC)
Azure RBAC provides fine-grained access management for Azure resources. You can assign specific roles (e.g., Storage File Data SMB Share Reader, Storage File Data SMB Share Contributor) to Azure AD identities (users, groups, service principals, managed identities) to control access to file shares.
2. Access Control Lists (ACLs) for Files and Directories
For granular control at the file and directory level, Azure Files supports POSIX-like ACLs for both SMB and NFS shares. These ACLs define permissions for individual users and groups, complementing RBAC for comprehensive security.
- SMB: Supports both NTFS ACLs (legacy) and POSIX-like ACLs.
- NFS: Supports POSIX-like ACLs.
Network Security
Securing the network path to your Azure Files shares is crucial.
1. Private Endpoints
Use Azure Private Endpoints to establish a secure, private connection from your virtual network to your Azure Files share. This ensures that traffic between your VNet and the storage account travels over the Microsoft backbone network, not the public internet.
2. Service Endpoints
Service Endpoints allow you to secure your Azure Files endpoint by restricting access to only your virtual network. This can be an alternative to Private Endpoints if full private IP connectivity is not required.
3. Firewall and Virtual Networks
Configure your storage account's network firewall rules to allow or deny access from specific public IP addresses, IP ranges, or virtual networks.
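As an added example (not code from the original document or from Azure), the block below evaluates a storage account's network rules offline. The `networkAcls` dictionaries follow the shape that `az storage account show --query networkAcls` returns (defaultAction, bypass, ipRules, virtualNetworkRules), with an open configuration beside a restricted one; the subnet resource ID and the IP ranges are constructed placeholders, and the evaluation order (explicit allow rules first, then defaultAction) is this example's assumption.

```python
import ipaddress

# Constructed placeholder subnet ID in the form Azure uses for virtualNetworkRules.
SUBNET_ID = (
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myresourcegroup"
    "/providers/Microsoft.Network/virtualNetworks/myvnet/subnets/default"
)

# Weak setting: everything reachable from the public internet is admitted.
OPEN_ACLS = {"defaultAction": "Allow", "bypass": "AzureServices", "ipRules": [], "virtualNetworkRules": []}

# Corrected setting: deny by default, then allow one public range and one VNet subnet.
RESTRICTED_ACLS = {
    "defaultAction": "Deny",
    "bypass": "AzureServices",
    "ipRules": [{"value": "203.0.113.0/24", "action": "Allow"}],
    "virtualNetworkRules": [{"id": SUBNET_ID, "action": "Allow"}],
}


def client_allowed(network_acls: dict, client_ip: str, client_subnet_id: str = None) -> bool:
    """Decide whether a request from client_ip (optionally from a VNet subnet) is admitted.

    An explicit Allow rule matching the client's IP or subnet admits the request;
    otherwise defaultAction decides. Azure treats a missing defaultAction as Allow.
    """
    addr = ipaddress.ip_address(client_ip)
    for rule in network_acls.get("ipRules", []):
        # A rule value is a single public IP or a CIDR range.
        network = ipaddress.ip_network(rule["value"], strict=False)
        if addr in network and rule.get("action", "Allow") == "Allow":
            return True
    if client_subnet_id:
        for rule in network_acls.get("virtualNetworkRules", []):
            if rule["id"].lower() == client_subnet_id.lower() and rule.get("action", "Allow") == "Allow":
                return True
    return network_acls.get("defaultAction", "Allow") == "Allow"


def audit_network_acls(network_acls: dict, max_prefix_width: int = 24) -> list:
    """Return findings for settings that leave the account broader than intended.

    max_prefix_width is an assumed review threshold: IPv4 rules wider than /24
    are flagged so a reviewer confirms the range is really needed.
    """
    findings = []
    if network_acls.get("defaultAction", "Allow") != "Deny":
        findings.append("defaultAction is not Deny: public networks are admitted")
    for rule in network_acls.get("ipRules", []):
        network = ipaddress.ip_network(rule["value"], strict=False)
        if network.version == 4 and network.prefixlen < max_prefix_width:
            findings.append(f"IP rule {rule['value']} is wider than /{max_prefix_width}")
    return findings


if __name__ == "__main__":
    for label, acls in (("open", OPEN_ACLS), ("restricted", RESTRICTED_ACLS)):
        print(label, audit_network_acls(acls) or ["no findings"])
        print("  client 198.51.100.7 allowed:", client_allowed(acls, "198.51.100.7"))
```

The restricted configuration admits a client inside 203.0.113.0/24 or inside the listed subnet and rejects everyone else, which is the behaviour the firewall rules above are meant to produce; the audit flags the open configuration's `defaultAction` of Allow as the setting to correct. Rules are applied in Azure with `az storage account network-rule add` and `az storage account update --default-action Deny`.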
Data Encryption
Azure Files encrypts data at rest and in transit by default.
1. Encryption at Rest
All data stored in Azure Files is encrypted using AES-256 encryption. You can choose to use Microsoft-managed keys or your own keys stored in Azure Key Vault (Customer-Managed Keys).
2. Encryption in Transit
For SMB, ensure that the RequireSecureTransport setting is enabled for your file share to enforce SMB 3.0 encryption. For NFS, data is encrypted in transit when using Kerberos encryption (AES256, Des3, or RpcK5pad).
Recommendations for Secure Access
- Prefer Azure AD Authentication: Use Azure AD for SMB access whenever possible for centralized identity management and granular permissions.
- Implement Least Privilege: Grant only the necessary permissions to users and applications using RBAC and ACLs.
- Utilize Private Endpoints: Secure your network connection by using Private Endpoints for all production workloads.
- Regularly Review Permissions: Periodically audit access permissions and remove any unnecessary access.
- Use SAS for Delegated Access: Employ SAS tokens for granting temporary or limited access.
- Enable Secure Transport: For SMB, enforce encrypted connections.