Azure Files Configuration

Add a new monitoring plan

Follow these steps to add a new monitoring plan with the Azure Files data collector.

  1. Go to Home > Monitoring Plans.

  2. Click Add Plan.

  3. Select Azure Files from the list.

  4. Create the audit database using the default SQL Server settings or custom connection parameters.

  5. Select a delivery method for sending emails with reports, alerts, activity and health summaries.

  6. Provide a name and (optionally) a description for the monitoring plan. Select the “Add item now” checkbox if you want to start monitoring your data source right after the initial configuration.

  7. Specify the item for monitoring. Two item types are available:

    • Storage Account

General

To specify the Azure Storage Account that contains the file shares, provide the following information:

  • Storage Account name — Specify the name of the storage account you will use.
  • Subscription ID — Specify the subscription that contains the Azure service with this storage account.

To locate the logs, you need to specify an account that contains the audit logs. You can either allow Netwrix Auditor to detect it automatically or select an existing storage account where the logs are written. The collector requires two storage accounts: one for the shares with data and another for the audit logs.

Caution: If you plan to use the auto-detection feature in Netwrix Auditor, it is recommended to use a single account for log storage. If you have multiple accounts, only one additional storage account for logs is expected; specify the desired one manually to ensure that Netwrix Auditor collects the appropriate audit logs to identify user activities. Azure does not allow hosting the logs in the same account as the data.

To specify the account used for data collection, provide the following credentials:

  • Tenant name
  • Application ID
  • Application secret

Tenant Environment

If you are using a government tenant, click the Tenant Environment tab and select the desired tenant environment.

Scope

To specify monitoring exclusions, select the “Exclude data matching these criteria” checkbox and click the Add Exclusions button.
    • Azure Subscription

Note: The subscription automatically identifies which target and storage account the monitoring plan will use to track logs.

General

To specify the Azure Subscription, provide the following credentials:

  • Subscription name
  • Subscription ID

Note: Netwrix Auditor does not allow you to specify the log storage account manually. All diagnostic settings are expected to have an unambiguous storage account.

To specify the account used for data collection, provide the following credentials:

  • Tenant name
  • Application ID
  • Application secret

Tenant Environment

If you are using a government tenant, click the Tenant Environment tab and select the desired tenant environment.

Scope

To specify monitoring restrictions, select the “Exclude these objects” checkbox and add exclusions by selecting the type:

  • Storage account
  • Resource group

Provide the name of the selected exclusion.

The Azure Files monitoring plan has been created and is ready for configuration.

Configuration

Double-click “Azure Files” to access the following settings:

General

  • Monitor this data source and collect activity data — Enable monitoring of the selected data source and configure Auditor to collect and store audit data.

  • Specify actions for monitoring — Specify actions you want to track and auditing mode.

Changes

  • Successful — Use this option to track changes to your data. It helps to find out who made changes to your files, including their creation and deletion.
  • Failed — Use this option to detect suspicious activity on Azure Files. It helps to identify potential intruders who tried to modify or delete files, etc., but failed to do it.

Read access

  • Successful — Show successful attempts to read files.
  • Failed — Use this option to track suspicious activity. It helps to find out who was trying to access your private data without proper justification. Enabling this option on public shares will result in a high number of events generated on Azure Files and a large amount of data written to the Long-Term Archive.

Please note that read access auditing significantly increases the number of audit events stored in the AuditArchive.

In addition, due to the way Azure Files auditing works, certain bulk operations such as mass deletions or modifications may produce significantly more audit events than the actual number of file actions. This can affect event processing speed and may increase Azure costs, since each event requires a request to Blob Storage.
Netwrix is working on optimizations to minimize these effects while preserving full audit visibility.

Users

  • Specify monitoring restrictions — You can fine-tune Netwrix Auditor by specifying data that you want to exclude from the Azure Files monitoring scope. To do so, click Add and provide the UPN (user principal name) of the user you want to exclude.

Monitored Object Types, Actions, and Attributes

The following table lists the actions that the Azure Files data collector audits and reports in Netwrix Auditor, per object type (+ = reported, – = not reported).

Action                     File   Folder   Share
Added                       +      +       +
Add (failed attempt)        +      +       –
Modified                    +      +       +
Modify (failed attempt)     +      +       –
Moved                       +      +       –
Move (failed attempt)       +      +       –
Read                        +      –       –
Read (failed attempt)       +      +       –
Renamed                     +      +       –
Renamed (failed attempt)    –      –       –
Removed                     +      +       +
Remove (failed attempt)     –      –       –
Copied                      –      –       –

Ports and Protocols

The following protocol and port are required for Netwrix Auditor for Azure Files.

Port: 443
Protocol: TCP
Source: Netwrix Auditor Server
Target: *.login.microsoftonline.com, *.azure.com, *.file.core.windows.com
Purpose: Azure connectivity. For a comprehensive list of Azure portal safe-listed URLs, refer to the Microsoft article “Allow the Azure portal URLs on your firewall or proxy server” (Azure portal | Microsoft Learn).

Configure Microsoft Azure application

Azure Files offers fully managed file shares in the cloud that are accessible via the industry standard Server Message Block (SMB) protocol.

To create a storage account and resource group, refer to the following Microsoft articles:

Follow these steps to configure the storage account that will receive the audit logs.

  1. Go to the storage account with the share > Monitoring > Diagnostic settings > file > Add diagnostic settings.
  2. Set the name of the diagnostic settings.
  3. Select the log categories you need.
  4. Select Archive to a storage account.
  5. Choose the resource group and storage account in which to store the audit logs.

For additional information, refer to the Monitor Azure Files Microsoft article.

API Permissions

A separate application must be registered in Microsoft Entra ID. The permissions below must be configured for it: API permissions, plus IAM roles on the resource group and storage accounts.

App registrations\API permissions:

  1. Microsoft Graph\User.Read — default permission for all created applications.
  2. Microsoft Graph\User.Read.All (type: Application) — allows the collector to resolve user SIDs.

Azure resource group and storage account with file shares:

  1. Resource group for the storage account\Access Control (IAM)\Reader (for Application) — to allow reading the structure of all file shares within the resource group of the monitored storage account.
  2. Storage account\SMB File share\Access Control (IAM)\Storage File Data Privileged Reader (for Application) — to read metadata for the specified file share.

Azure storage account with audit logs:

  1. Storage account\Access Control (IAM)\Storage Blob Data Reader (for Application) — to read audit data located in blobs within containers.

Resource Group

To grant the application the roles above, perform the following steps.

In the resource group of the storage account with data, go to “Access Control (IAM)”. Click Add role assignment and select “Reader” from the Roles list. Click Next. Select the member from the pop-up search window; the member here is the application that you created earlier and granted the required API permissions. Click Select and confirm the action.

After that, go to “Overview” and choose the storage account with data. Go to “Access Control (IAM)”. Click Add and select Storage File Data Privileged Reader from the Roles list. Click Next. Select the member from the pop-up search window. Click Select and confirm the action.

The last permission you need is for the storage account with logs: Storage Blob Data Reader. Click Add role assignment, select the member from the pop-up search window, and then click Review + assign.

Note: The storage account with data and the storage account with logs do not have to be in the same resource group; you can place them in different resource groups.
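The Azure-side prerequisites from the API Permissions and Resource Group sections, scripted with the Azure CLI as an added example (not Netwrix's or Microsoft's code); it also checks the diagnostic settings that the collector needs to find the log account. All subscription, group, account and application values are placeholders, assumed to be overridden via environment variables.

```shell
# Added example: Azure CLI provisioning of the roles and diagnostic settings this
# guide describes. Every name and GUID below is a placeholder.
set -eu

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"
DATA_RG="${DATA_RG:-rg-files-data}"          # resource group of the share account
DATA_ACCOUNT="${DATA_ACCOUNT:-stfilesdata}"  # storage account holding the file shares
LOGS_RG="${LOGS_RG:-rg-files-logs}"          # may differ from DATA_RG (see note above)
LOGS_ACCOUNT="${LOGS_ACCOUNT:-stfileslogs}"  # separate account receiving the audit logs
APP_ID="${APP_ID:-11111111-1111-1111-1111-111111111111}"  # Entra application (client) ID

# ARM resource IDs. "fileServices/default" is the Azure Files sub-resource whose
# diagnostic settings the guide configures (Monitoring > Diagnostic settings > file).
account_id() { # $1 = resource group, $2 = storage account name
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s' \
    "$SUBSCRIPTION_ID" "$1" "$2"
}
files_id() { printf '%s/fileServices/default' "$(account_id "$1" "$2")"; }

# The three IAM roles the guide lists, each at the narrowest scope it names; all are
# read-only roles, so the collector identity cannot alter shares or logs.
assign_roles() {
  az role assignment create --assignee "$APP_ID" --role "Reader" \
    --scope "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$DATA_RG"
  az role assignment create --assignee "$APP_ID" --role "Storage File Data Privileged Reader" \
    --scope "$(account_id "$DATA_RG" "$DATA_ACCOUNT")"
  az role assignment create --assignee "$APP_ID" --role "Storage Blob Data Reader" \
    --scope "$(account_id "$LOGS_RG" "$LOGS_ACCOUNT")"
}

# Steps 1-5 of "configure the storage account that will receive the audit logs":
# archive the file service's read/write/delete categories to the separate logs account.
configure_diagnostics() {
  az monitor diagnostic-settings create --name "netwrix-files-audit" \
    --resource "$(files_id "$DATA_RG" "$DATA_ACCOUNT")" \
    --storage-account "$(account_id "$LOGS_RG" "$LOGS_ACCOUNT")" \
    --logs '[{"category":"StorageRead","enabled":true},{"category":"StorageWrite","enabled":true},{"category":"StorageDelete","enabled":true}]'
}

# Reads `az monitor diagnostic-settings list` JSON on stdin; succeeds only if some setting
# archives to a storage account. No such setting means the collector has no log account to find.
diagnostics_archive_configured() {
  grep -q '"storageAccountId": *"/subscriptions/'
}

if [ "${1:-}" = "apply" ]; then
  az account set --subscription "$SUBSCRIPTION_ID"
  assign_roles
  configure_diagnostics
  az monitor diagnostic-settings list --resource "$(files_id "$DATA_RG" "$DATA_ACCOUNT")" \
    | diagnostics_archive_configured || { echo "no archive target on fileServices" >&2; exit 1; }
fi
```

Run it as `./script.sh apply` after `az login`; without the argument it only defines the functions, so the final check can be reused on its own against an existing setup.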

The following identity sources are supported for identity-based access to the file share:

  • Active Directory Domain Services (AD DS)
  • Microsoft Entra Kerberos

Click Set up and follow the provided steps. Refer to the AD DS and Kerberos Microsoft articles for additional information.

Note: Microsoft Entra Domain Services is not supported yet.

Note: The network protocol that is currently supported is SMB.

Azure Files Auditing Behavior

When monitoring Azure Files, be aware that some types of activity may produce a disproportionately large number of audit events.

  • Examples: Mass deletions, bulk file modifications, or large-scale read operations.

  • Impact: Event volume can exceed the actual number of file operations, which may:

    • Slow down event processing.

    • Increase Azure billing, since every event is logged to Blob Storage.

  • Next steps: Netwrix is actively improving how Netwrix Auditor processes Azure Files logs to reduce overhead and optimize costs, while keeping visibility complete.

Netwrix Auditor Configuration for Azure Files – End-User Setup Guide

This guide explains how to configure Azure Files auditing with Netwrix Auditor.
You will:

  1. Register and configure an Azure App in Microsoft Entra ID

  2. Assign API permissions and IAM roles

  3. Configure Diagnostic settings in Azure Files

  4. Add and configure an Azure Files monitoring plan in Netwrix Auditor

Attachment: Netwrix_Auditor_Azure_Files_Guide.pdf (150.7 KB)

5 Likes

Thanks for the detailed setup! When I click Add Plan, I don’t seem to have Azure Files as an option and I’m on the latest version (10.7). Any ideas on why I wouldn’t see it? I do have Active Directory, AD FS, and Azure AD.

Hi @kevin.mcrae , Netwrix Auditor 10.8 is the latest version: Netwrix Auditor Version 10.8 Released

Hi Kevin,

Welcome to the Netwrix Community!

I wanted to share that Azure Files is considered a paid data source and requires a license that includes it. However, you’re welcome to explore it through a trial.

When you begin setting up the Monitoring Plan, you’ll be prompted with the option to start a trial for this data source:

If you find the trial useful and would like to continue using Azure Files, you can reach out to your Account Manager for licensing and pricing details.

Let us know if you have any questions!

Michael Purdin
Netwrix Technical Support Manager

2 Likes

Thanks so much as this has been extremely helpful! I ended up upgrading to 10.8 quickly and going through the setup. The one bit of conflicting information I’m seeing that perhaps you can help with is what types of storage accounts are supported. We have a premium storage account which I don’t believe allows you to turn on file level logging in Azure, and unless I’m understanding that incorrectly, Netwrix needs that in order to process the logs? The error I’m receiving is
Unable to process item: 0x8004A505 Azure Log Service error:Internal error. (0xa0140101).
Contact Netwrix technical support at www.netwrix.com/support.html.

1 Like

Kevin,

Thanks for the update. Let me do a bit of research on this and I’ll get you an update ASAP.

2 Likes

Really appreciate the help! Glad to screenshare with support as well.

Hi Kevin,

Thank you for your update. Netwrix supports premium storage accounts. However, it’s important to note that auditing is not configured automatically; it needs to be set up according to the initial topic.

Based on the error received, Netwrix was able to find the storage account you specified with the data, but it couldn’t find any storage account with audit logs. A separate storage account for audit logs needs to be created first and then specified in the diagnostic settings of the data storage account you want to audit.

Please verify your configuration according to the following section below:

Let us know if you have any questions!

Thank you,
Dmitriy

3 Likes

Thanks Dmitriy! I actually do have it set up exactly this way after reading through some of the documentation. Is there perhaps something I’m missing with the application or permissions? I created the application, put in the Application (ClientID), and the secret value as well.

Thanks again Dmitriy. All of these permissions were set up correctly, maybe even more than the application needed. I just figured it out: in the setup of the monitoring plan, it asks for Tenant Name, which I was putting in. I decided to test and put the Tenant ID instead and this worked!

4 Likes

Hi Kevin,

Thank you for the update! Yes, specifying the ID instead of the name is also possible, and Netwrix supports it, as your test has proven.

I would only add that when specifying the tenant name, Netwrix tries to resolve it to an ID, and for some reason, this ends with an error. There could be one or several reasons related to the environment:

  • Network issues
  • Firewall blocking requests
  • Insufficient API permissions for resolving the tenant name or lack of administrative approval for the granted permissions
  • Authentication problems with the application on portal.azure.com

To summarize, everything should work when specifying the tenant ID, as you did earlier, and no additional actions are required. However, if you want it to work with the tenant Name as well, I recommend checking your environment against the list above.

Thank you for providing your scenario and results; we will conduct additional research on this scenario and consider improvements for error control.

Thank you,
Dmitriy

1 Like

I’m getting “Unable to process item: 0x8004A504 Cannot find storage account in subscription specified”.

Configurations match the screenshots except Corp IT will not grant the Azure app “Microsoft Graph\User.Read.All (type: Application)” due to it exposing other companies within the tenant. Does that do more than just map SIDs?

Apologies for the delayed response, and thank you for your patience. The Microsoft Graph → User.Read.All (Application) permission is only used by Netwrix Auditor to resolve SIDs into user accounts in reports. It does not affect the actual collection of audit data from Azure Files.

The error “Unable to process item: 0x8004A504 Cannot find storage account in subscription specified” usually points to a configuration or permissions issue on the Azure side. Please double-check that:

  • The application has been granted the correct roles on the Storage Account with blobs (logs).

  • The application has the proper role assignments on the Resource Group where the Data Storage Account is located.

  • The correct Subscription and Storage Account are specified in the Monitoring Plan.

Without logs or screenshots, it’s difficult to say more precisely — otherwise it’s just guessing. If you can provide those, we’ll be able to help validate the configuration more effectively.

Hi Aleksander, thank you for the reply. Hoping the screenshots below help.

Azure Files Resource Group:

Azure Files File Share:

Azure Blob Storage Account (Logs):

Storage accounts are in different Resource Groups but both are given Netwrix Application permissions. Here are errors in Health Log:

Unable to find Storage Account on Azure portal. Make sure you have sufficient permissions for the Application used in data collection to access Storage Account that contains audit logs.

Unable to process item: 0x8004A504 Cannot find storage account in subscription specified.

Cannot determine what I’m missing. If I messed up the App Secret would that give same error or something different? Thank you.

Hi Charles, we checked what could be wrong.

Seems like the issue is with Netwrix Auditor settings.

Check Storage Account name:

This error which you provided from health log is about it.

Also, if you specified the storage account containing audit logs, check the name and ensure that the Storage Account with logs field is filled in.

Thanks Aleksander. I’ve manually entered and copy/pasted the storage accounts names. It must be something else. Unfortunately, I feel I’ve tried everything possible.

1 Like

Hi Charles, can you please share with us screenshots:

  1. The same screenshot that I shared with General settings from Auditor, but please do not hide storage account names.
  2. Screenshot with application permissions from EntraId.

Have you tried using Specify storage account containing audit logs: detect automatically?

Also, I recommend double-checking everything with End-User Setup Guide: https://community.netwrix.com/uploads/short-url/nYd08hQQztQ7PTWLPik8j6xTcoV.pdf

There should be just one storage account specified in the Specify Azure Storage Account containing File Shares settings.

Thank you

1 Like

Ok I got it and I apologize for taking so much of your time. Let me explain the resolution.

I had Diagnostic Settings configured prior to this setup but then deleted them. The logs were still present however and I made the assumption that was good enough. Once I recreated the Diagnostic File settings the monitoring plan went into a Ready state. So, just for reference, if anyone else cannot locate the Storage Account, also ensure File Diag settings are already configured.

While I have you, are you aware of any way to create a file to statically map SIDs to Users since Corporate won’t grant the User.Read.All Graph permission?

Thanks again for all the support!

Having User.Read.All Graph permission is the minimum requirement.