What is a one sentence summary of your feature request?
Azure Files: reporting on ACLs of NTFS folders (+ State-in-Time support)
Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.
Currently we provide the various Data Owners in our organization with reporting on Access Management to their data hosted on Azure File Shares. Since access to this data is granted to users via specific AD Security Groups, we provide them with a quarterly report (via Subscription) of a selected list of Security Groups and their members. If the Data Owner spots any person that should not have access, they are informed and can take action by informing IT.
But this is a workaround and only shows and reports on Security Groups that should be used to control Access Management to a Data Owner’s data. If other Security Groups are added or direct User assignments are granted, this is not reflected in the report. So we were thrilled to finally see Azure Files being added to the possible data sources. Finally we could report on the effective Security Groups and Users having access to data. However … the reporting is very limited: it does not report at all on the Access Control Lists of NTFS folders. And it does not support State-in-Time.
So can we get State-in-time for Azure File Shares; and reporting on ACLs of NTFS folders please?
We are about to renew our Netwrix Auditor licenses. And we were planning to add Azure Files licenses, but after playing around with the trial, we noticed our actual current use case is not supported at all, nor on the roadmap. Hence we will not add this license and possibly not renew others.
How do you currently solve the challenges you have by not having this feature?
As described earlier, the workaround is currently done via State-in-time reporting of memberships of specific Security Groups in AD.
Thank you for reaching out.
Netwrix Auditor does not currently support State-in-Time for Azure Files. We are in the planning phase for State-in-Time for Azure Files (SMB) and would appreciate your insights. When feasible, please provide an overview of your Azure Files (SMB) environment and access patterns by providing input:
Directory Environment:
What’s your directory setup — on-prem Active Directory, hybrid AD + Entra ID, or Entra ID-only?
How are user and group identities synchronized or federated across environments?
Do you rely on Azure AD Connect or other identity synchronization tools?
Authentication:
Which authentication models are currently used in your environment?
Have you encountered any challenges or limitations with your existing authentication model?
Access:
How do users and services actually access/connect to Azure Files?
Do different roles (for example, admins, end users, or automated services) use different access methods?
Access Control:
How do you manage/grant access governance - group-based permissions, individual permissions?
At which level do you usually apply permissions — at the share level, folder level, or deeper?
How do you handle exceptions or unique ACLs that break inheritance or deviate from standard policy?
Do you rely on the default share permission (“all authenticated users”) or is it locked down?
Reporting:
Can you please provide your core reporting use cases?
What audit or visibility data would be most valuable for Azure Files in Netwrix Auditor?
Are there specific compliance or internal audit standards (ISO 27001, GDPR, HIPAA, SOX, etc.) that drive your reporting needs?
How often do you need to generate access or permission change reports — monthly, quarterly, or on demand?
Hello Alexander,
Thank you in advance for providing feedback that quickly.
When you say planning phase for state-in-time for Azure Files, would you already be able to give a rough estimate?
Is this something that should be feasible for the upcoming year or would we be looking beyond 2026?
Directory Environment:
Hybrid: on-premises AD and Entra ID in the cloud
What is your definition of an environment? To sync between on-premises and cloud, see the next point: Entra Connect Sync.
Yes, Entra Connect Sync
Authentication:
Currently we use on-premises AD Domain Services.
Yes, we now have Entra Groups for the Management Plane and Security Groups on the Data Plane, as we don’t have any Group Writeback.
With every new Security Group or every new Azure File Share we keep adding a dependency on on-premises AD for the Data Plane, while we have a clear Cloud-first strategy.
Group Writeback is only possible when transitioning from Entra Connect Sync to Entra Cloud Sync (since Group Writeback is no longer supported in Entra Connect Sync).
Access:
Azure File Shares are mapped as drives via GPO to Windows clients; and we have drive mappings via Intune policies.
No difference in access methods.
Access Control:
How do you manage/grant access governance - group-based permissions, individual permissions?
Individual permissions should be used. But sometimes they are set, hence we would like to know in order to mitigate.
We have Security Groups per folder/subfolder and per permission:
For every important folder/subfolder level we have a read-only and a read+write Security Group in place.
Since most are legacy and were migrated from on-premise file server to Azure File Shares, without data clean-up, we do not have that many different File Shares.
In an ideal world, we should split the Azure File Share we have into multiple ones: per business unit or group of data owners: Finance, HR, Legal, R&D, IT are all grouped in one single File Share.
We apply permissions on the folders and on subfolders; and sometimes deeper: up to 4 or 5 levels deep.
Don’t really understand the question. What should we handle about exceptions? Sometimes we have indeed permissions on folder structures that break inheritance on a certain level.
For newer setup Azure File Shares, the default share permissions are hardened and kept minimal. Our legacy File Shares still have default share permissions.
Reporting:
80% of our configured reporting is a quarterly report sent out to the specific Data Owner of a folder/subfolder (done on a project level, not only business unit level).
These reports do not mention any folder path, but the subject of the configured report does.
The report contains the Security Groups (using a filter on Group Path) that are configured on the specific folder/subfolder and thus provides access to their data.
It’s using the Active Directory (state-in-time) reporting on Group Membership.
It’s the responsibility of the Data Owner to check the report and come back to IT with any anomalies they spotted.
Via a specific Service Catalog item for “folder access”, we require a formal request to grant/revoke a user with access to a specific folder/subfolder.
Such Request is approved by the Data Owner, before actually granting/revoking access via the Security Group.
If the Data Owner sees someone that should not have access and it can not be traced back to a request, that User is removed from the specific Security Groups.
What audit or visibility data would be most valuable for Azure Files in Netwrix Auditor?
Changes on permissions of folders on Azure File Shares
Yes indeed, since we are a regulated industry, all the mentioned standards are driving our requirements to report on Access Management.
Very few reports are scheduled monthly. Almost all reports are scheduled quarterly, as we tried to align everybody within the company. On demand is possible but at a very, very low frequency.
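For readers in the same situation, here is an added example (not Netwrix code and not part of the original posts) of the report the requester is asking for, built with plain PowerShell and the RSAT ActiveDirectory module: a State-in-Time snapshot of the NTFS ACLs on an Azure Files SMB share that covers the gaps named in the first post (other groups or direct users granted outside the expected groups) and in the Access Control answers above (per-folder RO/RW groups, ACLs 4-5 levels deep, folders that break inheritance). It walks the folder tree, records every ACE, flags direct user assignments, explicit (non-inherited) ACEs, disabled inheritance and orphaned SIDs, and expands AD security groups to their effective user members. Assumptions: the share is reachable over SMB (for instance via the GPO or Intune drive mapping mentioned in the thread), the running account can read ACLs on the whole tree, a single AD domain is in play, and the `$Root` value and script name are placeholders for your own environment.

```powershell
<#
Added example, not Netwrix Auditor code: State-in-Time NTFS ACL snapshot of an
Azure Files SMB share. Assumes an SMB drive mapping, the RSAT ActiveDirectory
module, read access to ACLs on the whole tree, and a single AD domain.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $Root,      # e.g. 'Z:\Finance' (placeholder path)
    [int]    $Depth  = 5,                       # the thread mentions ACLs 4-5 levels deep
    [string] $OutCsv = ".\azurefiles-acl-$(Get-Date -Format yyyyMMdd).csv"
)

Import-Module ActiveDirectory -ErrorAction Stop

$principalCache = @{}
$memberCache    = @{}

# Classify an ACE principal ('CONTOSO\FS-Finance-RW', 'BUILTIN\Administrators',
# 'S-1-5-21-...') as group / user / computer / builtin / unresolved-sid / not-in-ad.
function Resolve-Principal {
    param([string] $IdentityReference)
    if ($principalCache.ContainsKey($IdentityReference)) { return $principalCache[$IdentityReference] }
    $result = [pscustomobject]@{ Class = 'other'; Sam = $null }
    if ($IdentityReference -match '^S-1-\d+(-\d+)+$') {
        $result.Class = 'unresolved-sid'        # orphaned SID, typical after a file-server migration
    } elseif ($IdentityReference -match '^(?<dom>[^\\]+)\\(?<sam>.+)$') {
        $sam = $Matches.sam
        if ($Matches.dom -in @('BUILTIN', 'NT AUTHORITY', 'NT SERVICE')) {
            $result.Class = 'builtin'
        } else {
            # escape LDAP filter metacharacters before querying AD by sAMAccountName
            $esc = $sam -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
            $obj = Get-ADObject -LDAPFilter "(sAMAccountName=$esc)" -Properties objectClass -ErrorAction SilentlyContinue |
                   Select-Object -First 1
            $result.Class = if ($obj) { $obj.objectClass } else { 'not-in-ad' }   # 'user', 'group', 'computer'
            $result.Sam   = $sam
        }
    }
    $principalCache[$IdentityReference] = $result
    return $result
}

# Flatten a security group (nested groups included) to its user members, cached per group.
function Get-EffectiveMembers {
    param([string] $Sam)
    if (-not $memberCache.ContainsKey($Sam)) {
        try {
            $memberCache[$Sam] = @(Get-ADGroupMember -Identity $Sam -Recursive -ErrorAction Stop |
                                   Where-Object objectClass -eq 'user' |
                                   Select-Object -ExpandProperty SamAccountName)
        } catch {
            $memberCache[$Sam] = @("<unresolved: $($_.Exception.Message)>")
        }
    }
    return $memberCache[$Sam]
}

$rootItem = Get-Item -LiteralPath $Root
$folders  = @($rootItem) + @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue)

$rows = foreach ($folder in $folders) {
    $acl = Get-Acl -LiteralPath $folder.FullName
    foreach ($ace in $acl.Access) {
        $p     = Resolve-Principal $ace.IdentityReference.Value
        $flags = @()
        if ($p.Class -eq 'user')                                                  { $flags += 'DirectUser' }
        if (-not $ace.IsInherited -and $folder.FullName -ne $rootItem.FullName)   { $flags += 'ExplicitACE' }
        if ($acl.AreAccessRulesProtected)                                         { $flags += 'InheritanceDisabled' }
        if ($p.Class -eq 'unresolved-sid')                                        { $flags += 'OrphanedSID' }
        [pscustomobject]@{
            Path          = $folder.FullName
            Identity      = $ace.IdentityReference.Value
            PrincipalType = $p.Class
            Rights        = $ace.FileSystemRights.ToString()
            Type          = $ace.AccessControlType
            Inherited     = $ace.IsInherited
            Flags         = $flags -join ';'
            Members       = if ($p.Class -eq 'group') { (Get-EffectiveMembers $p.Sam) -join ';' } else { '' }
        }
    }
}

$rows | Export-Csv -LiteralPath $OutCsv -NoTypeInformation -Encoding UTF8
"Folders scanned    : $($folders.Count)"
"ACEs recorded      : $($rows.Count)"
"Direct user ACEs   : $(@($rows | Where-Object Flags -match 'DirectUser').Count)"
"Inheritance breaks : $(@($rows | Where-Object Flags -match 'InheritanceDisabled' | Select-Object -Unique Path).Count)"
```

Run it against the mapped drive (for example `.\Get-AzureFilesAclSnapshot.ps1 -Root 'Z:\Finance'`, both names being placeholders) from a scheduled task on the same quarterly cadence as the existing Data Owner reports; keeping each dated CSV and diffing consecutive snapshots on `Path`, `Identity` and `Rights` gives the "permission changes on folders" view the thread asks for. Two caveats a practitioner would want: the Azure Files share-level permission (the storage account's default share-level permission or the `Storage File Data SMB Share *` RBAC assignments) sits in front of these NTFS ACLs and is not visible to `Get-Acl`, so it must be checked separately in Azure; and the group expansion only covers groups that exist in on-premises AD, which matches the hybrid setup described above but would miss cloud-only Entra ID groups.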
Thank you for the detailed feedback and for sharing your environment specifics so quickly.
Short answer first: State-in-Time for Azure Files (SMB) is in planning. We can’t publish dates on the forum, but we’re actively shaping scope and lining up design-partner pilots. If you’re open to a brief call, we’ll share some details and discuss your overall experience with Auditor.
@Aleksander, please feel free to get in touch to setup a call, I have the following availability:
tomorrow Thursday 30/10 from 9:00 to 10:00 CET, from 12:00 to 14:00 CET, after 16:00 CET.
or next Monday 3/11 from 11:00 to 14:00 CET, between 15:00 and 16:00 CET.