Configuring file-level permissions – Securing Storage

Stacye Dorrington 08/20/2024

In this section, we will look at the steps involved in assigning share-level permissions:

  1. Create a new user in AD and assign this user the Storage File Data SMB Share Contributor role for the share from the previous exercise. Synchronization of the new user to Azure can take some time.
  2. Navigate to your test VM and paste some files into the share. Notice that you have permission to do so. Right-click one of the files and click Properties. In the window that pops up, click Security.
  3. Click Edit. Notice that your user has full permission. Click Add…, type in the new username, click the Check Names button, and then click OK. Click Apply. You get an error stating that you don't have permission. This is because the account modifying ACL permissions needs the Storage File Data SMB Share Elevated Contributor role. Assign this role to the user account, repeat the operation, and it will now complete.
  4. Navigate to the AD server and mount the SMB share using the new user's credentials. Note that you may need to wait for synchronization to complete before this works as expected.
  5. You can experiment with changing settings, for example completely removing read permissions on the files, and confirm that the other users can indeed no longer read them.
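The same procedure scripted in PowerShell, as an added example that is not part of the original text. It assumes the Az PowerShell module is installed and you are signed in with an account that can assign roles; the subscription, resource group, storage account, share, file and user names are placeholders for your environment.

```powershell
# Added example (not from the original text). Assumes the Az module is installed
# and Connect-AzAccount has been run as an account allowed to assign roles.
# All names below are placeholders for your own environment.
$subscriptionId = "<subscription-id>"
$resourceGroup  = "<resource-group>"
$storageAccount = "<storage-account>"
$shareName      = "<share-name>"
$newUserUpn     = "newuser@contoso.com"      # the AD user created in step 1, synced to Azure AD

# Scope the role assignment to the file share itself, not the whole storage account.
$shareScope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
              "/providers/Microsoft.Storage/storageAccounts/$storageAccount" +
              "/fileServices/default/fileshares/$shareName"

# Step 1: Contributor allows reading, writing and deleting files, but NOT changing NTFS ACLs.
New-AzRoleAssignment -SignInName $newUserUpn `
    -RoleDefinitionName "Storage File Data SMB Share Contributor" `
    -Scope $shareScope

# Step 3: Elevated Contributor is the role that permits ACL changes; grant it only to
# the accounts that genuinely need to edit permissions on the share.
New-AzRoleAssignment -SignInName $newUserUpn `
    -RoleDefinitionName "Storage File Data SMB Share Elevated Contributor" `
    -Scope $shareScope

# Review what is assigned at share scope before handing the share over.
Get-AzRoleAssignment -Scope $shareScope |
    Select-Object SignInName, RoleDefinitionName

# Step 4: mount the share as the new user from a domain-joined machine.
# Identity-based access is used here; no storage account key is needed.
New-PSDrive -Name Z -PSProvider FileSystem `
    -Root "\\$storageAccount.file.core.windows.net\$shareName" `
    -Credential (Get-Credential "CONTOSO\newuser")

# Step 5: remove another test user's access entries on one file and confirm the result.
$file = "Z:\test.txt"                        # placeholder file pasted in step 2
$acl  = Get-Acl -Path $file
$acl.SetAccessRuleProtection($true, $true)   # convert inherited entries to explicit ones
$acl.Access |
    Where-Object { $_.IdentityReference -eq "CONTOSO\otheruser" } |
    ForEach-Object { $acl.RemoveAccessRuleAll($_) }
Set-Acl -Path $file -AclObject $acl

# Show the remaining entries; CONTOSO\otheruser should no longer appear.
(Get-Acl -Path $file).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType
```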

You have now learned how to configure file-level ACLs for Azure Storage shares. This concludes the section for Azure AD authentication and integration for access to Azure file shares. In the next section, we provide additional reading material should you wish to learn more.

Further reading
We encourage you to read up on this topic further by using the following links:

• Enabling AADDS authentication: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-enable
• Automation of storage access key rotation: https://docs.microsoft.com/en-us/azure/key-vault/secrets/tutorial-rotation-dual?tabs=azure-cli
• How to mount an SMB file share on Windows: https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-use-files-windows
• Configuring file-level permissions: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-configure-permissions

Copying data by using AzCopy
AzCopy is a utility for copying files to and from Azure Storage accounts. Authentication uses either an Active Directory account or a SAS token issued by the storage account. AzCopy provides many different functions, but its primary function is file copying, structured as azcopy copy [source] [destination] [flags].

Downloading and installing
You can download AzCopy from here: https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10.

In this exercise, you will copy data to your Azure blob using a SAS token:

  1. Download and install the relevant AzCopy installer from the preceding link.
  2. Extract the files from the archive you downloaded and place them in a location that suits you, such as C:\AzCopy.
  3. Launch PowerShell, navigate to the folder using the cd command, and press Enter.

Figure 7.22 – Changing directory in PowerShell

You now have a copy of AzCopy on your machine ready to work with.
