
Unable to assign permissions to hybrid groups using icacls with a system not joined to the domain

Open Bigmouse1976 opened this issue 2 years ago • 1 comments

Hello there,

I have set up a test environment to try to have an Azure Files storage account + Azure Virtual Desktop Azure AD Joined Session Hosts environment. I am aware this is currently in preview, and I have gone through the steps of this document here to set up and test this feature: https://docs.microsoft.com/en-us/azure/virtual-desktop/create-profile-container-azure-ad

However, I ran into a strange behavior once it was time to assign directory-level permissions. In the documentation I noticed the following: [image]

Here I can see that I can use a device that is Azure AD joined but NOT domain joined to the same DC that is used for Kerberos authentication, if I wanted to assign permissions using icacls.

My understanding of this is that I can assign permissions to users and groups using icacls without having the system domain joined. With this in mind, I have tried to set up permissions from the Azure AD Joined Session Host itself, and I managed to get hybrid users to work as expected, as shown here (Z: is the mapped storage account from Azure Files): [image]

However, this does not work when using Hybrid Groups: [image]

I have also tried with ObjectID instead of group name, and group SID from the AD, but it doesn't work.

Is it possible to assign directory level permissions using icacls to hybrid groups from a system that is Azure AD joined but not domain joined? If so, please clarify if I'm missing some extra steps to do so, as this is not clear enough in the documentation.

To clarify, both user and group have been synchronized from the same DC that is used for authentication using AD Connect.



Bigmouse1976 avatar Aug 17 '22 13:08 Bigmouse1976
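The steps the post describes, written out as an added example (this is not code from the original issue, nor from Microsoft's documentation): map the share on the Azure AD joined host, apply directory-level ACEs with icacls to a hybrid user by name and to a hybrid group by raw SID (the `*S-1-5-...` form, which tells icacls to skip the name lookup that a non-domain-joined host cannot perform against the DC), and then verify the ACEs by comparing SIDs rather than display names. The storage account name, share name, user UPN and group SID are hypothetical placeholders; replace them with your own.

```powershell
# Added example; not code from the original issue or from Microsoft's documentation.
# Assumed/hypothetical values: storage account "contosofiles", share "profiles",
# user UPN alice@contoso.com and the on-premises group SID below. Replace all four.
$StorageAccount = 'contosofiles'
$Share          = 'profiles'
$Root           = "\\$StorageAccount.file.core.windows.net\$Share"
$UserUpn        = 'alice@contoso.com'
$GroupSid       = 'S-1-5-21-1111111111-2222222222-3333333333-1105'

function Grant-ShareAce {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # A name icacls can resolve (user UPN, DOMAIN\name) or a raw SID written
        # as "*S-1-5-..."; the leading * tells icacls not to do a name lookup.
        [Parameter(Mandatory)] [string] $Principal,
        [string] $Rights = '(OI)(CI)(M)'   # inherit to subfolders and files, Modify
    )
    $out = & icacls.exe $Path /grant "${Principal}:${Rights}" 2>&1
    if ($LASTEXITCODE -ne 0) { throw "icacls /grant failed for '$Principal': $out" }
}

function Test-ShareAce {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Sid    # compare by SID, not display name
    )
    # Get-Acl returns each ACE's principal as an NTAccount when the host could
    # translate it and as a bare SecurityIdentifier when it could not. Comparing
    # SIDs makes the check independent of how the name renders (CONTOSO\g vs
    # AzureAD\g vs an untranslated S-1-5-...).
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        try {
            $aceSid = $ace.IdentityReference.Translate(
                          [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable name: cannot be the SID we want
        if ($aceSid -eq $Sid) { return $true }
    }
    return $false
}

# Map the share with the signed-in user's Kerberos ticket (the flow the issue follows).
net use Z: $Root | Out-Null
if ($LASTEXITCODE -ne 0) { throw "net use failed for $Root" }

# Resolve the hybrid user's SID locally. The issue reports that hybrid users do
# resolve on the Azure AD joined host, so this is assumed to succeed. The group
# SID is taken from on-premises AD rather than resolved here.
$UserSid = ([System.Security.Principal.NTAccount]$UserUpn).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value

Grant-ShareAce -Path 'Z:\' -Principal $UserUpn
Grant-ShareAce -Path 'Z:\' -Principal "*$GroupSid"   # SID form, no DC name lookup

foreach ($pair in @(@{ Name = $UserUpn; Sid = $UserSid },
                    @{ Name = "group $GroupSid"; Sid = $GroupSid })) {
    '{0}: {1}' -f $pair.Name, (Test-ShareAce -Path 'Z:\' -Sid $pair.Sid)
}
```

Two outcomes are worth telling apart when the group line comes back `False`. If `Grant-ShareAce` itself threw, icacls rejected the principal and nothing was written. If it returned cleanly but the raw `icacls Z:\` listing shows a bare `S-1-5-...` entry, the ACE is stored and will be honoured by the file server at access time; only the local name translation failed, which is expected on a host that is not joined to the domain the group lives in.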

Thanks for reaching out. We are looking into this.

SreejaBhattacharya-MSFT avatar Aug 17 '22 13:08 SreejaBhattacharya-MSFT

Hi @Heidilohr , could you please take a look at this?

SreejaBhattacharya-MSFT avatar Aug 19 '22 10:08 SreejaBhattacharya-MSFT

Sorry for the late response, but this article has changed a lot since it was written and the prerequisites are now covered by the Azure Files documentation, as it's for that feature: https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-azure-active-directory-enable#prerequisites

#please-close

dknappettmsft avatar Feb 07 '23 14:02 dknappettmsft