Migrate NTFS permissions to Azure File Share

  • Question

  • Hi all!

    I have the following:

    2 file servers using and one NAS.

    All of them contain many folders/subfolders, of course with different permissions on them (NTFS ACLs).

    AzureFileSync is deployed on both file servers running Windows Server 2016, so files are copied to an Azure File Share.

    As we are migrating to Azure, we would like to have the same permissions applied to the folders/subfolders, and it seems that to enable SMB authentication, the machine should be AAD joined.

    So, I was thinking about the following scenario:

    - Domain join the file servers to AAD

    - Export ACLs on the 2 on-prem file servers, e.g. to a CSV file...

    - Launch a last Azure File Synchronization

    - Reconstruct the ACLs (I believe that a PowerShell script should be used)

    - GPO or logon script to automount the share with the synchronized identities on Azure AD

    I don't know if that scenario is the working/the best one, but if anybody could help me or provide me with some best practices to do it, I'm open :)

    Many thanks to all for your help!

    Friday, March 6, 2020 11:05 AM

All replies

  • It's not entirely clear what exactly is your objective.

    Is your target computer supposed to be joined to an Azure AD DS domain? If so, is there a reason you wouldn't use Azure File Sync to copy the files/permissions to it?

    More at https://docs.microsoft.com/en-us/azure/storage/files/storage-files-faq

    hth
    Marcin

    Friday, March 6, 2020 11:35 AM
  • Dear Marcin,

    Thanks for your interest.

    The target is to remove the on-premise file servers content and so move to Azure File Share only by maintaining ACL/NTFS permissions.

    In that case, at the end of the move or migration, key users will only use the file shares on Azure and not the on-prem file shares.

    ==>So AzureFileSyncAgent should be useless?

    The following question arises:

    In that case, in which only Azure File Share is used, will the AzureFileSync agent become useless?

    Or, in order to preserve the NTFS permissions, is AzureFileSync needed to copy them to the Azure File Share (and so after all perms are set, I can remove it)? As I understand (https://docs.microsoft.com/fr-fr/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable#configure-ntfs-permissions-over-smb), it's mandatory to mount the share on an SMB client, for example a Windows machine, and assign NTFS perms.

    Friday, March 6, 2020 12:17 PM
  • Currently, in order to provide NTFS permissions-based access, Azure File shares must be accessed from Azure AD DS joined computers.

    The equivalent functionality for AD-joined computers is currently in preview (which you should obviously keep in mind if you intend to use it in production scenarios).

    Note that this is distinct from (although to some extent dependent on) the ability to preserve NTFS permissions.

    hth
    Marcin

    Friday, March 6, 2020 12:28 PM
  • That's it, so:

    - all of the client computers (Win 10) have to be AAD DS joined 

    - The AD joined is not the target as we want to be full cloud and remove on-prem workloads.

    And in my case, if I understand, I will have to reconfigure the NTFS permissions directly, in a similar way to how that script does it for migrating NTFS permissions from one domain to another one:

    https://github.com/WillyMoselhy/ActiveDirectory-PowerShell-Scripts/tree/master/Replace-NTFSDomainACLs

    Friday, March 6, 2020 12:37 PM
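
The export-to-CSV and rebuild steps from the question, with the domain remapping raised in the post above, as an added example (not code from this thread or from the linked script). The function names, the paths and the identity map are assumptions; only explicit ACEs are exported, and any ACE that cannot be re-created is returned for review instead of being dropped silently.

```powershell
# Added example. Export-ExplicitAcl / Import-ExplicitAcl are hypothetical helper names.
function Export-ExplicitAcl {
    param([string]$Root, [string]$CsvPath)
    $rootFull = (Resolve-Path -LiteralPath $Root).Path.TrimEnd('\')
    $items = @(Get-Item -LiteralPath $rootFull) +
             @(Get-ChildItem -LiteralPath $rootFull -Directory -Recurse)
    $items | ForEach-Object {
        # Store paths relative to the root so they can be replayed on the mounted share
        $rel = $_.FullName.Substring($rootFull.Length).TrimStart('\')
        foreach ($ace in (Get-Acl -LiteralPath $_.FullName).Access) {
            if ($ace.IsInherited) { continue }   # inherited ACEs come back via inheritance
            [pscustomobject]@{
                RelativePath = $rel
                Identity     = $ace.IdentityReference.Value
                Rights       = $ace.FileSystemRights
                Inheritance  = $ace.InheritanceFlags
                Propagation  = $ace.PropagationFlags
                Type         = $ace.AccessControlType
            }
        }
    } | Export-Csv -Path $CsvPath -NoTypeInformation -Encoding UTF8
}

function Import-ExplicitAcl {
    param([string]$Root, [string]$CsvPath, [hashtable]$IdentityMap = @{})
    $skipped = @()
    foreach ($row in Import-Csv -Path $CsvPath) {
        $target = if ($row.RelativePath) { Join-Path $Root $row.RelativePath } else { $Root }
        # Translate the old account name to the new one; unmapped names are tried as-is
        $id = if ($IdentityMap.ContainsKey($row.Identity)) { $IdentityMap[$row.Identity] } else { $row.Identity }
        try {
            $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
                $id,
                [System.Security.AccessControl.FileSystemRights]$row.Rights,
                [System.Security.AccessControl.InheritanceFlags]$row.Inheritance,
                [System.Security.AccessControl.PropagationFlags]$row.Propagation,
                [System.Security.AccessControl.AccessControlType]$row.Type)
            $acl = Get-Acl -LiteralPath $target
            $acl.AddAccessRule($rule)            # throws if the identity cannot be resolved
            Set-Acl -LiteralPath $target -AclObject $acl
        } catch {
            $skipped += [pscustomobject]@{ Path = $target; Identity = $id; Error = $_.Exception.Message }
        }
    }
    $skipped   # review these: unresolved identities, generic-rights ACEs, missing folders
}

# Constructed sample values (placeholders, not from the thread):
# Export-ExplicitAcl -Root 'D:\Shares\Finance' -CsvPath 'C:\Temp\finance-acl.csv'
# Import-ExplicitAcl -Root 'Z:\' -CsvPath 'C:\Temp\finance-acl.csv' -IdentityMap @{ 'OLDDOM\Finance-RW' = 'NEWDOM\Finance-RW' }
```

Owners, audit entries and the inheritance-protection flag are not covered by this example, so compare a few folders with `Get-Acl` on both sides before removing the on-prem copy.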
  • Correct - however, keep in mind that there are additional licensing requirements in order to run Windows 10 in Azure

    hth
    Marcin

    • Marked as answer by exp0zd Friday, March 6, 2020 3:06 PM
    Friday, March 6, 2020 12:56 PM
  • For sure, 

    Many thanks for your lights :)

    Friday, March 6, 2020 3:06 PM