Document Details

Storage Files Identity Assign Share Level Permissions
Home / Scan #41 / Storage Files Identity Assign Share Level Permissions
Sad Tux - Windows bias detected
This page contains Windows bias

About This Page

This page is part of the Azure documentation. It contains code examples and configuration instructions for working with Azure services.
GitHub View on GitHub 📚 View on Microsoft Learn

Bias Analysis

Detected Bias Types
windows_first
windows_tools
powershell_heavy
missing_linux_example
Summary
The documentation demonstrates a Windows bias by focusing on Windows-centric concepts (Active Directory, Windows ACLs), referencing Windows tools (PowerShell cmdlets), and using Windows terminology (SMB, ACLs) throughout. Linux/NFS scenarios are explicitly marked as unsupported, and there are no Linux-specific examples or guidance for managing permissions from Linux clients or with Linux-native tools.
Recommendations
  • Include explicit guidance and examples for Linux/NFS scenarios where supported, or provide clear alternatives or workarounds for Linux users.
  • When referencing ACLs and permissions, clarify the applicability to both Windows and Linux clients, or state limitations more prominently.
  • Provide parity in examples by including Bash/shell scripts and Linux CLI usage alongside PowerShell, especially for cross-platform tools like Azure CLI.
  • If certain features are Windows-only (e.g., SMB/ACLs), add a section summarizing Linux/NFS support status and recommended approaches for Linux environments.
  • Avoid using Windows terminology (e.g., 'Windows ACLs') as the default; instead, use more generic terms (e.g., 'file system ACLs') and specify when something is Windows-specific.
GitHub Create Pull Request

Scan History

Date Scan Status Result
2026-01-14 00:00 #250 in_progress Biased Biased
2026-01-13 00:00 #246 completed Biased Biased
2026-01-11 00:00 #240 completed Biased Biased
2026-01-10 00:00 #237 completed Biased Biased
2026-01-09 00:34 #234 completed Biased Biased
2026-01-08 00:53 #231 completed Biased Biased
2025-08-19 00:01 #85 completed Clean Clean
2025-07-13 21:37 #48 completed Biased Biased
2025-07-12 23:44 #41 cancelled Biased Biased

Flagged Code Snippets

#Get the name of the custom role
$FileShareContributorRole = Get-AzRoleDefinition "<role-name>" #Use one of the built-in roles: Storage File Data SMB Share Reader, Storage File Data SMB Share Contributor, Storage File Data SMB Share Elevated Contributor
#Constrain the scope to the target file share
$scope = "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>/fileServices/default/fileshares/<share-name>"
#Assign the custom role to the target identity with the specified scope.
New-AzRoleAssignment -SignInName <user-principal-name> -RoleDefinitionName $FileShareContributorRole.Name -Scope $scope

---

## Share-level permissions for all authenticated identities

You can add a default share-level permission on your storage account, instead of configuring share-level permissions for Microsoft Entra users or groups. A default share-level permission assigned to your storage account applies to all file shares contained in the storage account.

When you set a default share-level permission, all authenticated users and groups will have the same permission. Authenticated users or groups are identified as the identity can be authenticated against the on-premises AD DS the storage account is associated with. The default share-level permission is set to **None** at initialization, implying that no access is allowed to files or directories in the Azure file share.

# [Portal](#tab/azure-portal)

To configure default share-level permissions on your storage account using the [Azure portal](https://portal.azure.com), follow these steps.

1. In the Azure portal, go to the storage account that contains your file share(s) and select **Data storage > File shares**.
1. You must enable an AD source on your storage account before assigning default share-level permissions. If you've already done this, select **Active Directory** and proceed to the next step. Otherwise, select **Active Directory: Not configured**, select **Set up** under the desired AD source, and enable the AD source.
1. After you've enabled an AD source, **Step 2: Set share-level permissions** will be available for configuration. Select **Enable permissions for all authenticated users and groups**.

   :::image type="content" source="media/storage-files-identity-assign-share-level-permissions/set-default-share-level-permission.png" alt-text="Screenshot showing how to set a default share-level permission using the Azure portal." lightbox="media/storage-files-identity-assign-share-level-permissions/set-default-share-level-permission.png" border="true":::

1. Select the appropriate role to be enabled as the default [share permission](#azure-rbac-roles-for-azure-files) from the dropdown list.
1. Select **Save**.

# [Azure PowerShell](#tab/azure-powershell)

You can use the following script to configure default share-level permissions on your storage account. You can enable default share-level permission only on storage accounts associated with a directory service for Azure Files authentication. 

Before running the following script, make sure your Az.Storage module is version 3.7.0 or newer. We suggest updating to the latest version.