Can the owner of folders and files mounted via Azure Files file shares be changed?

Shohei Murasugi (c) 0 Reputation points
2026-05-13T05:20:06.76+00:00

We are building an Azure Files file share mount using on-premises AD DS authentication.

The share-level permissions for the file share are configured as follows:

"Enable permissions for all authenticated users and groups"

Role: "Storage File Data SMB Share Elevated Contributor"

With this configuration, when we mounted the file share from a Windows OS client, we were able to successfully access it through File Explorer in the same way as a network folder.

When files or folders are created in the mounted location, the owner becomes the user who created them.

On a standard Windows file system, I understand that the owner can normally be changed afterward. However, in the mounted location described above, even the owner themselves cannot change the ownership later, and the following error is displayed:

"Unable to set new owner on 'File name'. Access is denied."

Q1: Is it not possible to change the owner of folders or files after they are mounted via Azure Files file shares?

Q2: If the answer to Q1 is yes, then in a case where, due to an operational mistake, all permissions for a file were removed and the owner user had already been deleted, would it become impossible to delete the file or restore its permissions?

Azure Files

An Azure service that offers file shares in the cloud.


2 answers

  1. Venkatesan S 9,575 Reputation points Microsoft External Staff Moderator
    2026-05-13T05:37:34.5166667+00:00

    Hi Shohei Murasugi (c),

    Thanks for reaching out in Microsoft Q&A forum,

    This is expected behavior given the role you’re using and how Azure Files enforces NTFS ownership over SMB.

    Here’s the short answer to your questions:

    Q1: Is it not possible to change the owner of folders or files after they are mounted via Azure Files file shares?

    Q1: You can’t change the owner from File Explorer (or via normal “Change Owner” dialogs) when you’ve mounted the share with the “Storage File Data SMB Share Elevated Contributor” role. That role gives you full control over the file data but doesn’t include the special takeOwnership permission that NTFS uses to reassign owners.

    If you need to change file/folder ownership you have two options:

    • Mount with your storage account key (key-based mount always grants full backup semantics, including takeOwnership).

    • Assign the built-in Storage File Data SMB Admin RBAC role to your user or group, remount the share via your domain identity, then use the Windows takeown.exe or icacls commands to take ownership and reassign it.

    Q2: If the answer to Q1 is yes, then in a case where, due to an operational mistake, all permissions for a file were removed and the owner user had already been deleted, would it become impossible to delete the file or restore its permissions?

    Q2: If you remove all ACL entries from a file and then delete its owner account, no regular user will be able to delete or modify that file because NTFS still enforces ownership and ACL checks. The only way to recover is to use one of the two methods above:

    • Mount with the storage key (which bypasses those ACL/owner checks).

    • Use a principal with the SMB Admin role to take ownership and re-ACL the file.

    As a best practice, I also recommend enabling soft delete or taking snapshots on your file share. That way, even if you lose all ACL entries or the owner account, you can restore a point-in-time copy of the file or folder.

    Hope that helps! Let me know if you need more info on role assignments or the exact takeown/icacls commands.

    Kindly let us know if the above helps or you need further assistance on this issue.

    Please “up-vote” wherever the information provided helps you, this can be beneficial to other community members.


  2. AI answer

    2026-05-13T05:20:22.4766667+00:00

    Q1: Changing the owner of files and folders in Azure Files is possible, but only for identities that have the ability to take ownership. With identity-based access, this is done via the Windows takeown command and requires the appropriate Azure RBAC role.

    For Azure Files over SMB, the supported and recommended way to perform admin-level ownership changes is:

    1. Assign the Storage File Data SMB Admin role to the admin identity that will manage ACLs and ownership.
    2. Mount the Azure file share using identity-based authentication from a domain-joined machine.
    3. Use takeown (and then icacls or File Explorer) to change ownership and ACLs.

    The Storage File Data SMB Share Elevated Contributor role alone allows read/write/delete and modify ACLs where access is already granted, but it does not grant the special “take ownership” capability when the existing ACL/owner does not allow it. That capability is provided by Storage File Data SMB Admin, which includes the takeOwnership data action and allows using takeown even when the current ACL does not grant sufficient permissions.

    Therefore, in the scenario described (only Elevated Contributor at share level, no SMB Admin), the owner cannot be changed later if the ACL/ownership does not already allow it, which explains the “Access is denied” error.

    Q2: If all permissions on a file are removed and the original owner account is deleted, recovery is still possible as long as an admin identity has the correct Azure RBAC role and mounts the share appropriately:

    1. Assign Storage File Data SMB Admin (or a custom role including takeOwnership) to an admin identity.
    2. From a domain-joined Windows client, mount the share using that identity with identity-based authentication.
    3. Use takeown on the problematic file or directory to assume ownership.
    4. After taking ownership, use icacls or File Explorer to restore or adjust the ACLs, or delete the file if desired.

    If no identity has the Storage File Data SMB Admin role (or equivalent custom role with takeOwnership) and the ACLs lock everyone out, then from the SMB/NTFS perspective there is no way to change ownership or permissions on that object. In practice, the remediation is to:

    • Assign Storage File Data SMB Admin to an admin identity and repeat the steps above, or
    • Use a REST-based privileged data-plane role (for example, Storage File Data Privileged Contributor) and REST/portal/PowerShell tools to override ACLs at the data plane, if operating via REST rather than SMB.

    To avoid being locked out operationally:

    • Use Storage File Data SMB Admin for admins who manage ACLs and ownership.
    • Mount with identity-based authentication when performing ACL/ownership operations.
    • Prefer icacls or Azure portal/PowerShell for ACL management, especially in complex environments.

    AI-generated content may be incorrect. Read our transparency notes for more information.

    Was this answer helpful?
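
The recovery steps that both answers describe, written out as one PowerShell session. This is an added example, not part of either answer: every value in angle brackets is a placeholder, the drive letter is arbitrary, and the Az cmdlets assume the Az PowerShell module with a session already signed in via Connect-AzAccount.

```powershell
# Added example. Values in <angle brackets> are placeholders, not taken from the thread.
$scope = "/subscriptions/<subscription-id>/resourceGroups/<resource-group>" +
         "/providers/Microsoft.Storage/storageAccounts/<storage-account>" +
         "/fileServices/default/fileshares/<share-name>"
$adminUpn = "<admin-user>@<your-domain>"   # identity synced from on-premises AD DS
$newOwner = "<DOMAIN>\<new-owner>"         # account that should own the item afterwards
$target   = "Z:\<path-to-locked-item>"

# 1. Grant the role named in the answers, scoped to this single share rather than
#    the whole storage account. Allow time for the assignment to take effect.
New-AzRoleAssignment -SignInName $adminUpn `
    -RoleDefinitionName "Storage File Data SMB Admin" -Scope $scope

# 2. On a domain-joined client, signed in as that admin, mount with the logged-on
#    identity (no storage account key is supplied).
net use Z: "\\<storage-account>.file.core.windows.net\<share-name>"

# 3. Record the current state, then take ownership of the locked item.
#    For a directory tree, add: /R /D Y
icacls $target
takeown /F $target

# 4. Restore access for the intended owner, then hand ownership over
#    (the "take ownership and reassign it" step from the first answer).
icacls $target /grant "${newOwner}:(F)"
icacls $target /setowner $newOwner

# 5. Verify the owner and the resulting ACL.
(Get-Acl -LiteralPath $target).Owner
icacls $target

# 6. Unmount, and drop the role again if it was granted only for this recovery,
#    so the takeOwnership capability does not stay with a day-to-day account.
net use Z: /delete
Remove-AzRoleAssignment -SignInName $adminUpn `
    -RoleDefinitionName "Storage File Data SMB Admin" -Scope $scope
```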
