
Configure Azure Files with AD DS Authentication: SMB RBAC & NTFS ACLs Guide

Azure Files with AD DS Authentication – Practice Questions

Question 1

You configure an Azure Files share for AD DS authentication. You assign User1 the “Storage File Data SMB Share Contributor” role. User1 can mount the share but cannot modify NTFS permissions on files. What should you do?

A) Assign User1 the “Storage File Data SMB Share Reader” role
B) Assign User1 the “Storage File Data SMB Share Elevated Contributor” role
C) Assign User1 the “Storage File Data SMB Admin” role
D) Add User1 to the local Administrators group on the domain-joined VM

Answer: B

The “Storage File Data SMB Share Elevated Contributor” role gives the user the ability to modify NTFS ACLs. The standard “Contributor” role only allows file operations, not ACL management. [learn.microsoft]


Question 2

A user reports they cannot mount an Azure Files share from their domain-joined Windows 11 device. They receive an error indicating the connection timed out. What is the most likely cause?

A) The user lacks RBAC permissions on the storage account
B) Outbound TCP port 445 is blocked
C) The storage account does not have a private endpoint
D) The user is not a domain administrator

Answer: B

SMB traffic requires outbound TCP port 445 from the client to Azure Files (*.file.core.windows.net:445). If this port is blocked (ISPs and corporate firewalls commonly block it), the connection will fail. [learn.microsoft +1]


Question 3

Which two Azure RBAC roles allow a user to read files from an Azure Files share with AD DS authentication?

A) Storage File Data SMB Share Reader
B) Storage File Data SMB Share Contributor
C) Storage Blob Data Reader
D) Storage File Data SMB Share Elevated Contributor
E) Storage Account Contributor

Answer: A, B, D

The three SMB-specific roles for Azure Files are: Reader (read-only), Contributor (read/write), and Elevated Contributor (read/write + manage ACLs). The standard “Storage Account Contributor” role does not grant share-level SMB access. “Storage Blob Data Reader” is for blob storage, not files. [learn.microsoft]


Question 4

You have an Azure Files share enabled for AD DS authentication. User1 is assigned the “Storage File Data SMB Share Contributor” role. You log into a domain-joined VM as User1 and successfully mount the share. You copy files to the share, but when you try to modify NTFS permissions on a folder, it fails. What is the reason?

A) You must wait 15-30 minutes for RBAC propagation
B) You need the Storage File Data SMB Share Elevated Contributor role
C) The folder is encrypted with Azure Storage Service Encryption
D) You must use a storage account key to modify NTFS permissions

Answer: B

While the SMB Share Contributor role allows file operations, modifying NTFS ACLs requires the share-level permission granted by the Elevated Contributor role. This share-level permission is separate from the NTFS permissions themselves. [learn.microsoft]


Question 5

You need to enable a security admin to configure NTFS ACLs on Azure Files shares without using the storage account key. Which approach should you use?

A) Assign the Storage File Data SMB Admin RBAC role
B) Assign the Storage Account Key Operator role
C) Enable Azure AD Kerberos authentication
D) Use the storage account key to mount the share temporarily

Answer: A

The “Storage File Data SMB Admin” RBAC role (or “Elevated Contributor” in some contexts) allows administrators to configure ACLs using identity-based authentication without needing the storage account key. This is the recommended secure approach. [learn.microsoft]


Question 6

A user has mapped an Azure Files share successfully. After reviewing the requirements, you realize they should only have read access. You change their RBAC role from “SMB Share Contributor” to “SMB Share Reader.” How long might it take for this change to take effect?

A) Immediately
B) 1-2 minutes
C) 5-10 minutes
D) 15-30 minutes

Answer: D

RBAC role assignments can take 15-30 minutes to propagate. This is also true for changes from identity synchronization if you’re syncing from on-premises AD DS to Azure AD. Always wait before troubleshooting further. [learn.microsoft]


Question 7

Which port must be open for SMB 3.0 connectivity to Azure Files over the internet?

A) 443
B) 445
C) 993
D) 3389

Answer: B

The SMB protocol uses TCP port 445. Azure Files supports SMB 3.0, which can work over the internet if port 445 is not blocked. Port 443 is for HTTPS/REST API access. [learn.microsoft +1]


Question 8

Your company has users in branch offices where port 445 is blocked by the ISP. Which solution allows these users to access Azure Files without unblocking port 445?

A) Configure a point-to-site VPN
B) Use Azure File Sync with cloud tiering
C) Enable public network access on the storage account
D) Assign the SMB Share Reader role to all users

Answer: A

When port 445 is blocked, you can use a VPN (point-to-site or site-to-site) or ExpressRoute to access Azure Files. Azure File Sync can also be used as a workaround where users access files locally while the sync service handles the cloud connection. [learn.microsoft]


Question 9

You have an Azure Files share with AD DS authentication enabled. An admin needs to take ownership of a file to modify its ACLs. The admin already has the “Storage File Data SMB Share Elevated Contributor” role but still cannot take ownership. What is required?

A) The admin must also have Modify or Full Control NTFS permissions
B) The admin must use the takeown.exe command at the storage account level
C) The storage account must use Premium tier
D) The admin must disable Azure AD integration temporarily

Answer: A

The SMB Elevated Contributor role allows the identity to take ownership, but to actually modify ACLs, the identity still needs Modify or Full Control in the NTFS ACL of the target file or directory. Alternatively, the separate “SMB Admin” role includes the takeOwnership permission. [learn.microsoft]


Question 10

You are troubleshooting an “Access is denied” error when a user tries to mount an Azure Files share. What should you check first?

A) Verify the storage account replication type is GRS
B) Verify the user has an SMB-specific RBAC role assigned
C) Verify the file share is configured for NFS instead of SMB
D) Verify the storage account uses a private endpoint

Answer: B

The first step is to confirm the user has appropriate share-level permissions via RBAC (Storage File Data SMB Share Reader, Contributor, or Elevated Contributor). Without these roles, access is denied at the share level regardless of NTFS permissions. [learn.microsoft]


Question 11

You assign a user the “Storage File Data SMB Share Contributor” role at the file share level. The user can mount the share but sees “Access Denied” when trying to open certain folders. What is the cause?

A) The user is not using SMB 3.0
B) NTFS ACLs on those folders block the user
C) The storage account firewall is blocking the user’s IP
D) The role assignment has not propagated yet

Answer: B

Access is controlled at two levels: share-level (RBAC) and file/directory-level (NTFS ACLs). A user can have Contributor access at the share level but still be blocked by restrictive NTFS permissions on specific folders. [learn.microsoft]


Question 12

Which PowerShell command can you use to verify connectivity to Azure Files on the required SMB port?

A) Test-Connection -TargetName storageaccount.file.core.windows.net
B) Test-NetConnection -ComputerName storageaccount.file.core.windows.net -Port 445
C) Get-NetTCPConnection -RemotePort 445
D) Test-NetworkConnectivity -Port SMB

Answer: B

Test-NetConnection with the -Port 445 parameter tests the specific TCP port needed for SMB connectivity. This is the recommended diagnostic tool before attempting to mount Azure Files. [learn.microsoft]


Question 13

You enable AD DS authentication for Azure Files. Your domain-joined VM can reach port 445 successfully, but you still cannot mount the share. What is a likely cause?

A) The storage account must be moved to the same resource group as the VM
B) The storage account is not domain-joined using the Join-Az PowerShell cmdlet
C) The VM must be running Windows Server 2019 or later
D) Azure Files does not support AD DS authentication for standard tier

Answer: B

For AD DS authentication to work, the storage account must be domain-joined using the Join-AzStorageAccountForAuth cmdlet. This creates the computer account in AD DS that represents the storage account. [bdrshield +1]


Question 14

When using the PowerShell New-PSDrive cmdlet to map an Azure Files share with AD DS authentication, what credential format should you use?

A) STORAGEACCOUNTNAME\storageuser1
B) CONTOSO\storageuser1 (NETBIOS format)
C) storageuser1@contoso.com (UPN format)
D) AzureAD\storageuser1

Answer: C

When mapping with AD DS authentication, use the UPN (User Principal Name) format: username@domain.com. This is the standard format for Azure AD and AD DS authentication to Azure Files. [bdrshield]


Question 15

You have configured Azure Files with AD DS authentication. Which statement correctly describes the permission model?

A) RBAC roles control both share-level and file-level access
B) RBAC controls share-level access; NTFS ACLs control file/directory-level access
C) NTFS ACLs are ignored when using AD DS authentication
D) Azure AD Conditional Access policies control file-level permissions

Answer: B

Azure RBAC roles (Reader, Contributor, Elevated Contributor) control whether a user can access the share at all. Once authenticated to the share, NTFS ACLs determine what operations the user can perform on specific files and directories. [examtopics +1]


Quick Reference Table

RBAC Role                       | Share Access | Modify NTFS ACLs
SMB Share Reader                | Read-only    | No
SMB Share Contributor           | Read/Write   | No
SMB Share Elevated Contributor  | Read/Write   | Yes
SMB Admin (legacy)              | Varies       | Yes (with take ownership)
