Thanks for reaching out in Microsoft Q&A forum,
This is expected behavior given the role you’re using and how Azure Files enforces NTFS ownership over SMB.
Here’s the short answer to your questions:
Q1: Is it not possible to change the owner of folders or files after they are mounted via Azure Files file shares?
Q1: You can’t change the owner from File Explorer (or via normal “Change Owner” dialogs) when you’ve mounted the share with the “Storage File Data SMB Share Elevated Contributor” role. That role gives you full control over the file data but doesn’t include the special takeOwnership permission that NTFS uses to reassign owners.
If you need to change file/folder ownership you have two options:
• Mount with your storage account key (key-based mount always grants full backup semantics, including takeOwnership).
• Assign the built-in Storage File Data SMB Admin RBAC role to your user or group, remount the share via your domain identity, then use the Windows takeown.exe or icacls commands to take ownership and reassign it.
Q2: If the answer to Q1 is yes, then in a case where, due to an operational mistake, all permissions for a file were removed and the owner user had already been deleted, would it become impossible to delete the file or restore its permissions?
Q2: If you remove all ACL entries from a file and then delete its owner account, no regular user will be able to delete or modify that file because NTFS still enforces ownership and ACL checks. The only way to recover is to use one of the two methods above:
• Mount with the storage key (which bypasses those ACL/owner checks).
• Use a principal with the SMB Admin role to take ownership and re-ACL the file.
As a best practice, I also recommend enabling soft delete or taking snapshots on your file share. That way, even if you lose all ACL entries or the owner account, you can restore a point-in-time copy of the file or folder.
Hope that helps! Let me know if you need more info on role assignments or the exact takeown/icacls commands.
Reference links:
- Configure ACLs & take ownership: https://learn.microsoft.com/azure/storage/files/storage-files-identity-configure-file-level-permissions#mount-the-file-share-with-admin-level-access
- Storage File Data SMB Admin role (includes takeOwnership): https://learn.microsoft.com/azure/role-based-access-control/built-in-roles#storage-file-data-smb-admin
- Enable soft delete on file shares: https://learn.microsoft.com/azure/storage/files/storage-files-prevent-file-share-deletion?tabs=azure-portal
Kindly let us know if the above helps or you need further assistance on this issue.
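The recovery path from the answer above (mount with the storage account key, then reassign the owner and rebuild the ACL with icacls), sketched as an added example that is not part of the original answer. Every value in angle brackets is a placeholder, the drive letter `Z:` is an assumption, and the locked item is assumed to be a folder.

```powershell
# Added example, not from the original answer. Replace the placeholders first.
$StorageAccount = '<storage-account-name>'
$ShareName      = '<share-name>'
$LockedFolder   = 'Z:\<path-to-locked-folder>'   # assumed to be a folder
$NewOwner       = '<DOMAIN>\<user-or-group>'     # principal that should own it

# Option 1 in the answer: key-based mount. The '*' makes net use prompt for the
# storage account key, so it stays out of the command line and shell history.
$unc = "\\${StorageAccount}.file.core.windows.net\${ShareName}"
net use Z: $unc * "/user:localhost\${StorageAccount}"
if ($LASTEXITCODE -ne 0) { throw "Mount of $unc failed" }

try {
    # Record the current (broken) state before changing anything.
    icacls $LockedFolder

    # Reassign ownership of the folder and everything below it.
    # /T = recurse, /C = continue past individual errors.
    icacls $LockedFolder /setowner $NewOwner /T /C
    if ($LASTEXITCODE -ne 0) { throw 'Setting the owner failed' }

    # Rebuild a usable ACL: full control for the new owner, inherited by
    # child files (OI) and child folders (CI).
    icacls $LockedFolder /grant "${NewOwner}:(OI)(CI)F"
    if ($LASTEXITCODE -ne 0) { throw 'Granting access failed' }

    # Confirm the owner and DACL that are now in effect.
    Get-Acl -Path $LockedFolder | Format-List Owner, AccessToString
}
finally {
    # Drop the key-authenticated session once the repair is done.
    net use Z: /delete /y
}
```

With option 2 from the answer (a principal holding Storage File Data SMB Admin), the icacls steps are the same; only the mount changes to the domain identity.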