What is an AzureAD-joined user, really? And how do I give file permissions or anything else to one of them?

  • Question

  • On Win10 you can join a workstation to AzureAD and users can log in using their AzureAD credentials. Like this. But this doesn't seem to work the same way as if they'd joined a real domain, and support for this construct appears quite limited. For example, how can I grant file permissions to an AzureAD user? When I try to use the File Properties > Security > Edit > Add dialog I can't find/select any users on the AzureAD domain, including the currently logged in user. Entering `AzureAD\FirstLast` and clicking Check Names gives this:

    In general this sort of thing seems to be a problem with AzureAD-joined accounts: Windows appears to not know about them, e.g. when adding them to SQL Server. Or perhaps I just don't know the right way to refer to these users.

    Can anyone point me to a good explanation of how these accounts are different from normal workgroup or domain accounts, and how to refer to them from places like File Permissions? 

    Similar (unanswered) questions here and here.

    Monday, January 25, 2016 2:30 PM

All replies

  • Hi Rory,

    Yes, based on my test, so far, we can't grant direct access of on-prem resources to Windows 10 Azure AD joined devices. Member servers on your domain can't translate a request to grant permissions to an Azure AD user account.

    Please submit this feedback via the Built-in Feedback App. Please be assured that any improvements in the product are based on users' requirements. Our developers strive to capture Microsoft users' ideas and are working hard to create a more powerful product.

    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact

    Wednesday, January 27, 2016 7:23 AM
  • Thanks Karen, but more generally, what's the problem with an AzureAD user? Do they not really exist as a user in the same way a local user or a domain user does? Are they a separate type of user, and various parts of Windows need to be updated to know about these types of users?
    Monday, February 1, 2016 5:41 PM
  • And just to clarify your answer: Windows file security for local files on a workstation does not work for AzureAD-joined users? Or is it just the GUI that doesn't let me do it, and I could use a command line to set permissions correctly?

    It seems like an impossibly gaping hole for an OS not to implement file security, hence my surprise.

    Monday, February 1, 2016 5:43 PM
  • Indeed, we experience the same issues here.

    For SQL Server Express we could just add the AzureAD\username to the security list and it worked. But in Windows, for file permissions, the domain is checked in the location field.

    It's all very nice when it works.

    Friday, April 15, 2016 11:26 AM
  • Some input from JairoCadena at - 

    In general terms the following are some limitations of Azure AD joined devices using the November 2015 update when you compare them to what a typical domain joined device can do:

    1. Remote communication to an Azure AD joined device using a work account (AAD account) including remote desktop, WinRM (e.g. remote PowerShell), file sharing, print sharing, etc.
    2. Sign-in to Windows (WinLogon) using certificates (smart card or virtual smart card) not supported.
    3. Printer discovery based on site location.
    4. Granting permissions to resources on an Azure AD joined device including files, folders or services.

    Some of these gaps we will be solving in future updates of Windows.

    If you have other examples that you see as important, please share them. I'll work with the writer (TechNet/MSDN type) to have a doc/section where we can document these known gaps and give users the opportunity to report others. Thanks for the feedback!

    Tuesday, May 24, 2016 11:07 AM
    Tuesday, March 14, 2017 2:33 PM
  • For anyone reading who, like me, found this question via Google: it turns out you _can_ set file permissions for Azure AD users with icacls, even though it doesn't work in the UI.

    C:\> icacls D:\file.txt /grant "AzureAD\JohnSmith:(F)"
    C:\> icacls D:\somedir /t /setowner "AzureAD\JohnSmith"

    Why this still doesn't work in the UI two years after this question was first asked, I don't know.

    Monday, April 13, 2020 5:25 AM
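The icacls approach above, wrapped as an added PowerShell example (not code from the thread or from Microsoft): it applies the grant and then reads the ACL back with Get-Acl to confirm the ACE landed on the named principal rather than on an unresolved SID. It assumes an Azure AD-joined Windows 10 device; `AzureAD\JohnSmith` and `D:\file.txt` are placeholders, and the function names are my own.

```powershell
# Added example, not from the thread. Assumes an Azure AD-joined Windows 10
# device; "AzureAD\JohnSmith" and D:\file.txt are placeholders. Grants access
# with icacls (the Security tab cannot resolve AzureAD\ principals, icacls can)
# and verifies the ACE really names that principal, not an unresolved SID.

function Grant-AadUserAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Account,   # e.g. "AzureAD\JohnSmith"
        [ValidateSet('F','M','RX','R','W')][string]$Rights = 'RX'
    )
    # (OI)(CI) makes the ACE inherit to children when $Path is a directory;
    # a plain ACE is used for a single file.
    $spec = if (Test-Path -LiteralPath $Path -PathType Container) {
        "${Account}:(OI)(CI)($Rights)"
    } else {
        "${Account}:($Rights)"
    }
    & icacls.exe $Path /grant $spec | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "icacls failed (exit $LASTEXITCODE) for '$Account' on '$Path'"
    }
}

function Test-AadUserAce {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Account
    )
    $acl = Get-Acl -LiteralPath $Path
    $matched = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and
        $_.AccessControlType -eq 'Allow'
    })
    # An identity shown only as S-1-... means Windows could not map the SID back
    # to an account name; treat such an ACE as a failed grant, not a success.
    $orphaned = @($acl.Access | Where-Object { $_.IdentityReference.Value -like 'S-1-*' })
    [pscustomobject]@{
        Path           = $Path
        Account        = $Account
        Granted        = ($matched.Count -gt 0)
        Rights         = (@($matched | ForEach-Object { $_.FileSystemRights }) -join ',')
        UnresolvedAces = $orphaned.Count
    }
}

# Usage:
# Grant-AadUserAccess -Path 'D:\file.txt' -Account 'AzureAD\JohnSmith' -Rights F
# Test-AadUserAce    -Path 'D:\file.txt' -Account 'AzureAD\JohnSmith'
```

Run it from an elevated prompt; a result with `Granted = $false` or `UnresolvedAces > 0` means the name did not resolve to the intended account and the ACE should be reviewed before relying on it.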