Windows 10 NTFS permissions for Azure AD account

I joined Windows 10 to Azure Active Directory and signed in with my Azure AD email address and password.

whoami returns AzureAD\<Full Name> and the NTFS permissions of the user profile folder also show the folder owner as AzureAD\<Full Name>. The user has a profile folder called Users\<Full Name>.

However I am unable to select this user at all in the Select a principal dialog when I want to grant permissions to other folders. What is the correct syntax for Azure AD users?

When using just Azure AD accounts, there are no user accounts at all in Local Users (unlike a Microsoft Account, which is linked to a local user).


Solution 1:

Newer versions show the actual domain name, but the same issue still exists. You can use PowerShell to set the permissions.

    $dir = get-item -Path 'C:\users\jshelby\Desktop\testdir\'    
    $acl = $dir.GetAccessControl('Access')
    $username = 'domain\username'
    $AccessRights = New-Object System.Security.AccessControl.FileSystemAccessRule($Username,'Modify','ContainerInherit,ObjectInherit','None','Allow')
    $Acl.SetAccessRule($AccessRights)
    Set-Acl -path $Path -AclObject $Acl

Solution 2:

You can use this short PowerShell example, which is tested on Windows 10, build 1809, which is Azure Active Directory registered. Please modify $path to your local folder, and for $permission you can use any Azure AD user, but the username must be in AzureAD\UPN format (example AzureAD\[email protected]).

    $path = "C:\myfolder"
    $permission = "AzureAD\[email protected]","FullControl","Allow"   # identity, rights, type (no inheritance flags: applies to the folder itself only)
    $acl = Get-Acl $path
    $acl.SetAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule $permission))   # returns nothing, so the ACL object cannot be piped from here
    Set-Acl -Path $path -AclObject $acl

Solution 3:

There is a typo in Jesus's script.

Set-Acl : Cannot bind argument to parameter 'Path' because it is null.
At line:6 char:19
+     Set-Acl -path $Path -AclObject $Acl
+                   ~~~~~
    + CategoryInfo          : InvalidData: (:) [Set-Acl], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.SetAclCommand

This is an updated script:

    $dir = get-item -Path 'C:\users\jshelby\Desktop\testdir\'
    $acl = $dir.GetAccessControl('Access')                  # Windows PowerShell only; see note below
    $username = 'domain\username'                           # AzureAD\<UPN> on an Azure AD joined device
    # Modify, inherited by subfolders (ContainerInherit) and files (ObjectInherit)
    $AccessRights = New-Object System.Security.AccessControl.FileSystemAccessRule($Username,'Modify','ContainerInherit,ObjectInherit','None','Allow')
    $Acl.SetAccessRule($AccessRights)
    Set-Acl -path $dir -AclObject $Acl                      # $dir, not the undefined $Path

Also, I tried this first on PowerShell Core. $dir.GetAccessControl() does not seem to exist in PowerShell Core, only Windows PowerShell.
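As an added example that is not part of any of the answers above, the following PowerShell function pulls the three solutions together and adds the check a practitioner wants before writing an ACE: it resolves the AzureAD\<UPN> name to a SID first, so a mistyped principal fails loudly instead of being written as an unresolvable entry; it builds an inheritable rule (the three-argument constructor in Solution 2 creates a rule that applies to the folder itself only); it uses Get-Acl/Set-Acl rather than the GetAccessControl() method that Solution 3 notes is missing in PowerShell Core; and it reads the ACL back so the result is visible. The function name, folder path and UPN are placeholders chosen for the example, not values from the page. Run it on an Azure AD joined device as the folder's owner or an administrator.

```powershell
# Added example, not code from the original question or answers.
# Assumes an Azure AD joined Windows 10 device and an existing folder
# that the caller owns or can administer. All names below are placeholders.
function Grant-AzureAdFolderAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$Path,
        [Parameter(Mandatory)] [string]$Account,   # 'AzureAD\<UPN>' on an Azure AD joined device
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Modify'
    )

    # 1. Resolve the name to a SID before touching the ACL. The GUI picker
    #    cannot do this lookup for Azure AD accounts, but the joined device
    #    can, so an unresolvable name stops here instead of producing an
    #    ACE that shows up as a bare SID later.
    $ntAccount = [System.Security.Principal.NTAccount]::new($Account)
    try {
        $sid = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier])
    }
    catch [System.Security.Principal.IdentityNotMappedException] {
        throw "Cannot resolve '$Account' on this device; check the AzureAD\<UPN> spelling."
    }
    Write-Verbose "$Account resolves to $($sid.Value)"

    # 2. Build a rule that propagates to subfolders (ContainerInherit) and
    #    files (ObjectInherit). Passing the SID rather than the name avoids
    #    a second name lookup inside the rule constructor.
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $sid,
        $Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)

    # 3. Get-Acl / Set-Acl work in both Windows PowerShell and PowerShell 7.
    #    SetAccessRule replaces any existing Allow rule for this SID;
    #    use AddAccessRule instead if you want to merge with existing rights.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl

    # 4. Read the ACL back and return the ACE(s) for this principal, matched
    #    by either the resolved name or the raw SID.
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -in @($Account, $sid.Value) }
}

# Usage with placeholder values (folder and UPN are not from the page):
Grant-AzureAdFolderAccess -Path 'C:\myfolder' -Account 'AzureAD\first.last@contoso.com' -Verbose |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, AccessControlType -AutoSize
```

If step 1 throws, nothing has been written yet, which is the point of doing the translation before Get-Acl. A practitioner can also paste the `.Value` of the SID shown by `-Verbose` into the Select a principal dialog as a fallback when the name itself is not accepted there.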