Learn how identity-based access impacts Azure AD and on-premises synced user access to Azure file shares. Understand share permissions for different user types.
Question
You have an Azure subscription linked to a hybrid Microsoft Entra tenant. The tenant contains the users shown in the following table.

| Name | On-premises sync enabled |
|---|---|
| User1 | No |
| User2 | Yes |

You create the Azure Files shares shown in the following table.

| Name | Storage account |
|---|---|
| share1 | contoso2024 |
| share2 | contoso2024 |
| share3 | contoso2025 |

You configure identity-based access for contoso2024 as shown in the following exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
- User1 can access the content in share1.
- User2 can access the content in share2.
- User2 can access the content in share3.
Answer
- User1 can access the content in share1: No
- User2 can access the content in share2: Yes
- User2 can access the content in share3: No
Explanation
To determine user access:
No, User1 cannot access the content in share1.
- User1 does not have on-premises sync enabled, so they are a cloud-only Azure AD user.
- The configuration shows that Azure AD Kerberos authentication is enabled for contoso2024, but Azure AD users/groups are not allowed access by default. Explicit share-level permissions would need to be granted.
Yes, User2 can access the content in share2.
- User2 has on-premises sync enabled, making them a hybrid identity.
- contoso2024 has enabled permissions for all authenticated users and groups.
- As a synced on-premises user, User2 is considered authenticated and is granted the Storage File Data SMB Share Contributor role permissions to access share2.
No, User2 cannot access the content in share3.
- While User2 is an authenticated hybrid user, share3 is in a different storage account (contoso2025).
- The identity-based access configuration and permissions only apply to shares in the contoso2024 account.
- For User2 to access share3, identity-based access would need to be separately enabled and configured on the contoso2025 storage account.
In summary, cloud-only Azure AD users cannot access the file shares by default when identity-based access is enabled; explicit permissions are required. Synced on-premises users gain access through the default authenticated user permissions, but only for shares in the storage account where identity-based access is configured.
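
The reasoning above, as an added example that is not part of the original page: a Python check over constructed JSON shaped like `az storage account list` output, flagging accounts whose default share-level permission covers every authenticated identity and then evaluating the three statements. The `AADKERB` source and the default permission value for contoso2024 are assumptions taken from the explanation, since the exhibit is not reproduced; explicit per-user role assignments are not modelled.

```python
import json

# Constructed sample shaped like `az storage account list` output; values
# follow the page's explanation (the original exhibit is not reproduced).
ACCOUNTS_JSON = """
[
  {"name": "contoso2024",
   "azureFilesIdentityBasedAuthentication": {
     "directoryServiceOptions": "AADKERB",
     "defaultSharePermission": "StorageFileDataSmbShareContributor"}},
  {"name": "contoso2025",
   "azureFilesIdentityBasedAuthentication": null}
]
"""
SHARES = {"share1": "contoso2024", "share2": "contoso2024", "share3": "contoso2025"}
USERS = {"User1": False, "User2": True}  # name -> on-premises sync enabled

def identity_settings(account):
    """Return (directory_source, default_permission), treating absent as 'None'."""
    auth = account.get("azureFilesIdentityBasedAuthentication") or {}
    return (auth.get("directoryServiceOptions") or "None",
            auth.get("defaultSharePermission") or "None")

def audit(accounts):
    """List accounts whose default share-level permission covers every authenticated identity."""
    findings = []
    for acct in accounts:
        source, default_perm = identity_settings(acct)
        if source != "None" and default_perm != "None":
            findings.append((acct["name"], source, default_perm))
    return findings

def can_access(user, share, accounts):
    """Apply the page's reasoning: hybrid identity + identity source + default permission."""
    by_name = {a["name"]: a for a in accounts}
    source, default_perm = identity_settings(by_name[SHARES[share]])
    if source == "None":
        return False          # identity-based access not configured on this account
    if not USERS[user]:
        return False          # cloud-only user: not covered, per the explanation
    return default_perm != "None"   # explicit per-user RBAC assignments are not modelled

accounts = json.loads(ACCOUNTS_JSON)
for name, source, perm in audit(accounts):
    print(f"{name}: {source} grants {perm} to all authenticated identities")
for user, share in [("User1", "share1"), ("User2", "share2"), ("User2", "share3")]:
    print(user, share, "Yes" if can_access(user, share, accounts) else "No")
```

Running the audit against real `az storage account list` output shows every account where a default share-level permission is in effect, which is the setting to review when access should be limited to named users or groups.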
This is a Microsoft AZ-104 certification exam practice question with answer and explanation.