Azure Files Configuration Overview
Prerequisites
- Azure Files License - Azure Files is a paid data source requiring specific licensing
- Azure Subscription with Azure Files storage accounts (Standard and Premium supported)
- Admin permissions in Microsoft Entra ID and Azure Storage
- Two separate storage accounts:
  - One for file shares (data) — Create a storage account (Microsoft Learn)
  - One for audit logs — Create a storage account (Microsoft Learn)
- Identity-based access is configured for the data storage account in Azure Files. Supported options:
  - Active Directory Domain Services (AD DS)
  - Microsoft Entra Kerberos (for hybrid identities)
  - Not supported: Microsoft Entra Domain Services (Entra DS)
Netwrix Auditor relies on identity-based access to correctly map file operations to real user accounts. Without it:
- Audit logs may not contain accurate user information
- Activity may be shown as system or anonymous accounts
Configuration Scope Overview
- Azure Application Registration - Create the Azure AD (Microsoft Entra ID) application
- Configure API Permissions - Assign the required Microsoft Graph permissions to the created application in Entra ID
- Assign IAM Roles to the App - Assign roles on the Resource Group, the Data Storage Account and the Log Storage Account
- Diagnostic Settings - Configure audit logging
Azure Application Registration
You should register an application so that Netwrix Auditor can authenticate to Azure and read audit logs.
Step 1: Create the App Registration
- In the Azure Portal, go to Microsoft Entra ID > Manage > App registrations > + New registration
- Enter:
  - Name: NetwrixAuditor-AzureFiles (this is an example — you can use any descriptive name for the app)
  - Supported account types (see below)
  - Leave Redirect URI blank
- Click Register
Account Types references:
Note: Switching audiences later may cause errors
Step 2: Gather App Details
After registration, go to the Overview page of your new app and copy:
- Application (Client) ID
Step 3: Create a Client Secret
- In the same app, go to Manage > Certificates & secrets > Client secrets
- Click + New client secret
- Enter a description (e.g., NetwrixSecret) and select an expiration
- Click Add
- Copy the secret value immediately — it won't be shown again
Netwrix Auditor uses the Application (Client) ID and the Client Secret for authentication.
At the end of this step, you must have:
- Application (Client) ID
- Client Secret (Secret Value)
Configure API Permissions
Microsoft Graph API permissions:
Step 1: Add Permissions
Permission | Purpose |
---|---|
User.Read | Basic user information. Sign in and read user profile. (default) |
User.Read.All | Read all users' profiles. Required to resolve SIDs into usernames in reports |
- In your app in Entra ID, go to Manage > API permissions > + Add a permission
- Select Microsoft Graph > Application permissions
- Add:
  - User.Read – "Sign in and read user profile." (default)
  - User.Read.All – "Read all users' full profiles"
Step 2: Grant Admin Consent
Click Grant admin consent for TenantName
Why this is required:
- By default, applications cannot query Microsoft Graph for directory-wide information
- Admin consent allows the app to use User.Read.All
- This lets Netwrix Auditor query Azure AD and resolve user SIDs → user accounts → display names
- Without admin consent, audit logs will only show unresolved SIDs instead of usernames, making reports incomplete and less useful
At the end of this step, your app has been granted the Microsoft Graph API permissions listed above.
Assign IAM Roles to the App
Role | Scope | Purpose |
---|---|---|
Reader | Resource Group | List storage accounts |
Storage File Data Privileged Reader | Storage Account | Read file shares data |
Storage Blob Data Reader | Log Storage Account | Access audit logs |
You should assign Azure IAM roles so that Netwrix Auditor can:
- Discover file shares in your resource group
- Read metadata from your data storage account
- Access audit logs from your log storage account
These IAM roles are mandatory.
Step 1: Assign Reader Role on Resource Group
- In the Azure Portal, go to your Resource Group
- Open Access control (IAM)
- Click + Add > Add role assignment
- Select role: Reader
- "View everything, but not make any changes"
- Click Next
- Under Members, click + Select members
- In the search window, find and select the App you registered earlier
- Click Select → Review + assign
Step 2: Assign Storage File Data Privileged Reader on Data Storage Account
- In the Azure Portal, go to your Data Storage Account
- Navigate to Access control (IAM) > + Add role assignment
- Select role: Storage File Data Privileged Reader
- "Allows read access to file shares and directory/file metadata, including NTFS ACLs"
- Click Next
- Under Members, click + Select members
- Search for and select the App you registered earlier
- Click Select → Review + assign
Step 3: Assign Storage Blob Data Reader on Log Storage Account
- In the Azure Portal, go to your Log Storage Account
- Navigate to Access control (IAM) > + Add role assignment
- Select role: Storage Blob Data Reader
- "Allows read access to Azure Storage blob containers and data"
- Click Next
- Under Members, click + Select members
- Search for and select the App you registered earlier
- Click Select → Review + assign
Notes & Best Practices
- Data and log storage accounts can be in different resource groups
- Supported identity sources: AD DS, Microsoft Entra Kerberos
- Not supported: Microsoft Entra Domain Services
- Supported protocol: SMB
At the end of this step, your app should have assigned roles:
- Reader (Resource Group)
- Storage File Data Privileged Reader (Data Storage Account)
- Storage Blob Data Reader (Log Storage Account)
Diagnostic Settings
Azure Files does not generate audit events by default. You must configure Diagnostic Settings to send file activity logs to your Log Storage Account.
Step 1: Open Diagnostic Settings
- In the Azure Portal, go to your Data Storage Account
- Navigate to Monitoring > Diagnostic settings
- On the "Select any of the resources to view diagnostic settings" screen, choose File
- Netwrix Auditor only supports File diagnostic settings
- Click + Add diagnostic setting
Step 2: Configure General Settings
- Enter a name (e.g., NetwrixAuditorLogs)
- Under Category groups, select Audit
- Only the Audit category group is supported by Netwrix Auditor
Step 3: Configure Destination
- Under Destination details, check Archive to a storage account
- This is the only supported option for Netwrix Auditor
- Select your Log Storage Account
- Confirm the correct subscription and storage account
Note: Azure requires two separate storage accounts:
- One for file shares (data)
- One for audit logs
Step 4: Save the Configuration
Click Save. Azure Files audit logs will now be archived into your Log Storage Account
At the end of this step, you should have:
- A Diagnostic Setting under the File resource type
- Audit category group selected
- Destination set to Archive to a storage account
- Logs archiving into the Log Storage Account
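To confirm that the IAM roles and the diagnostic setting from the two sections above match the least-privilege set this page requires, here is an added Python check; it is not part of Netwrix Auditor or of Azure tooling. It runs on constructed sample data, and the field names (roleDefinitionName, scope, logs[].categoryGroup, storageAccountId) are assumed to match what `az role assignment list --assignee <appId>` and `az monitor diagnostic-settings list` return; all resource IDs are placeholders.

```python
# The three roles the page requires, keyed to the scope they must be assigned at.
REQUIRED = {
    "Reader": "rg",
    "Storage File Data Privileged Reader": "data",
    "Storage Blob Data Reader": "log",
}

def check_roles(assignments, scopes):
    """Compare the app's role assignments (assumed fields: roleDefinitionName,
    scope) with the required set. Returns (missing, extra): required
    (role, scope) pairs the app lacks, and assignments beyond that set."""
    want = {(role, scopes[key].lower()) for role, key in REQUIRED.items()}
    have = {(a["roleDefinitionName"], a["scope"].lower()) for a in assignments}
    return sorted(want - have), sorted(have - want)

def check_diagnostic(setting, log_account_id):
    """Check a File diagnostic setting dict (assumed shape: 'logs' entries with
    categoryGroup/enabled, plus storageAccountId). Returns a list of problems."""
    problems = []
    enabled = {log.get("categoryGroup") for log in setting.get("logs", [])
               if log.get("enabled")}
    if "audit" not in enabled:
        problems.append("Audit category group is not enabled")
    if (setting.get("storageAccountId") or "").lower() != log_account_id.lower():
        problems.append("destination is not the Log Storage Account")
    return problems

# Constructed sample input with placeholder IDs (not real resources).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-files"
DATA_SA = RG + "/providers/Microsoft.Storage/storageAccounts/stfilesdata"
LOG_SA = SUB + "/resourceGroups/rg-logs/providers/Microsoft.Storage/storageAccounts/stfileslogs"
SCOPES = {"rg": RG, "data": DATA_SA, "log": LOG_SA}
SAMPLE_ASSIGNMENTS = [
    {"roleDefinitionName": "Reader", "scope": RG},
    {"roleDefinitionName": "Storage Blob Data Reader", "scope": LOG_SA},
    # Over-privileged: Contributor on the whole subscription instead of the file-data reader role.
    {"roleDefinitionName": "Contributor", "scope": SUB},
]
# Audit group is enabled, but logs are archived into the data account, not the log account.
SAMPLE_DIAG = {"logs": [{"categoryGroup": "audit", "enabled": True}],
               "storageAccountId": DATA_SA}

if __name__ == "__main__":
    missing, extra = check_roles(SAMPLE_ASSIGNMENTS, SCOPES)
    print("missing:", missing)
    print("extra:", extra)
    print("diagnostic problems:", check_diagnostic(SAMPLE_DIAG, LOG_SA))
```

Feed the JSON from the two `az` commands into these functions to get a concrete list of what still has to be assigned and which assignments go beyond the three required roles.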
Checklist
- Azure Application registered with App ID + Secret
- API permissions (User.Read, User.Read.All) granted
- IAM roles assigned (Reader, Storage File Data Privileged Reader, Storage Blob Data Reader)
- Diagnostic Settings configured to log to a Log Storage Account
Next Steps
After completing the Azure Files configuration:
- Test Connectivity: Verify authentication and access to storage accounts
- Create Monitoring Plan: Configure Azure Files monitoring in Netwrix Auditor
- Validate Data Collection: Confirm audit events are being collected
For detailed instructions on creating the monitoring plan, see the Azure Files Monitoring Plan documentation