How to Assign Share Permissions to an Entra ID Group

So I have a client with a Windows Server in Azure and it is Entra ID joined only. I needed to grant permissions to a share on the server using Entra ID accounts. There doesn't seem to be a way to do this through the GUI, but this PowerShell command works fine to assign individual user accounts:

Grant-SmbShareAccess -Name MyShare -AccountName "AzureAD\myaccount@mydomain.com" -AccessRight Full

And you can use this to check the assignment: Get-SmbShareAccess -Name MyShare

To take this a step further I needed to assign the share permissions to an Entra ID group. Even though there are examples showing the above command used to assign a group, I just got this error:

Microsoft's stance in the past has been to assign a local group that contains a domain group, and in this case that strategy does work, but I had to use the Entra ID SID:

Add-LocalGroupMember "LocalGroupName" -Member S-1-12-1-3660688888-1123426609-847069585-X1234567

I tried using the SID in the Grant-SmbShareAccess command but it was a no go.

I'd be really interested in knowing if anyone has found a way to assign share permissions directly to an Entra ID group.

EDIT: 10/11/24 – I ran into a snag with this setup. I could not get write permissions to a share using an Azure AD Group like this. In the end I had to use the Grant-SmbShareAccess with an Azure AD User account to get Write permissions.
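The local-group workaround above, written out end to end as an added example (this is not the post's own script). It assumes the share "MyShare" already exists, the local group name "MyShare-Readers" is arbitrary, and the Entra ID group SID is a placeholder you replace with the real S-1-12-1-... value; run it in an elevated PowerShell on the Entra ID-joined server.

```powershell
# Added example, not from the original post. Assumptions: share 'MyShare' exists,
# local group name is arbitrary, and the Entra ID group SID below is a placeholder.
$ShareName  = 'MyShare'
$LocalGroup = 'MyShare-Readers'
# PLACEHOLDER: replace with the Entra ID group's SID (S-1-12-1-...), not its object ID.
$EntraGroupSid = 'S-1-12-1-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX'

# 1. Create the local group that will carry the share permission (idempotent).
if (-not (Get-LocalGroup -Name $LocalGroup -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $LocalGroup -Description "Entra ID group mapped for $ShareName"
}

# 2. Nest the Entra ID group by SID; Add-LocalGroupMember accepts a SID string as -Member.
$members = Get-LocalGroupMember -Group $LocalGroup -ErrorAction SilentlyContinue
if ($members.SID.Value -notcontains $EntraGroupSid) {
    Add-LocalGroupMember -Group $LocalGroup -Member $EntraGroupSid
}

# 3. Grant the share permission to the local group. Read is used here rather than Full:
#    grant the least access the group actually needs.
Grant-SmbShareAccess -Name $ShareName -AccountName $LocalGroup -AccessRight Read -Force

# 4. Verify all three layers: share ACL, group nesting, and the NTFS ACL on the folder.
#    Effective access is the intersection of share and NTFS permissions, so check both.
Get-SmbShareAccess -Name $ShareName |
    Format-Table AccountName, AccessControlType, AccessRight -AutoSize
Get-LocalGroupMember -Group $LocalGroup |
    Format-Table Name, SID, PrincipalSource -AutoSize
$path = (Get-SmbShare -Name $ShareName).Path
(Get-Acl -Path $path).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

The example stops at Read because the edit above reports that write access did not work through the nested Entra ID group in the author's setup; if the NTFS ACL in step 4 does not list the local group, the share permission alone will not grant access.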
