
Azure Files Configuration Overview

Netwrix Auditor can monitor for operations with files and folders on file shares within Azure Files storage accounts. It supports two types of monitored items for Azure Files:

  • Storage account: monitoring actions on all shares of one specified storage account
  • Azure Subscription: monitoring actions on all shares of all storage accounts of the specified Azure Files subscription

Note: For all "data storage accounts", you must configure Diagnostic settings to save audit events on "log storage accounts". Ensure the application has the necessary access (API permissions, IAM roles) to read these events and the storage account metadata.

Note: Azure activity logs may take 3 to 20 minutes to become available for analysis after an event occurs. This is an Azure platform limitation that applies to all services consuming Azure activity logs. As a result, some file share activities may appear in Netwrix Auditor reports with a delay. When generating reports shortly after activity occurs, extend the report time range by at least 20 minutes to capture events still in transit.

Prerequisites

  • Azure Files License - Azure Files is a paid data source requiring specific licensing

  • Azure Subscription with Azure Files storage accounts (Standard and Premium supported)

  • Admin permissions in Microsoft Entra ID and Azure Storage

  • Two separate storage accounts:

    • Data storage account (file shares)
    • Log storage account (audit logs)

  • Azure Files identity-based access configured for the data storage account in Azure Files

    Supported options:

    • Active Directory Domain Services (AD DS)
    • Microsoft Entra Kerberos (for hybrid identities)
    • Microsoft Entra Domain Services (Entra DS) — not supported

    Netwrix Auditor relies on identity-based access to correctly map file operations to real user accounts. Without it:

    • Audit logs may not contain accurate user information
    • Reports may show activity under system or anonymous accounts instead of real users

Configuration Scope Overview

Azure Application Registration

Register an application so Netwrix Auditor can authenticate to Azure and read audit logs.

Step 1: Create the App Registration

  1. In the Azure Portal, go to Microsoft Entra ID > Manage > App registrations > + New registration
  2. Enter:
    • Name: NetwrixAuditor-AzureFiles (this is an example; you can use any descriptive name for the app)
    • Supported account types (refer to Account types references)
    • Leave Redirect URI blank
  3. Click Register

Account types references

Note: Switching audiences later may cause errors

Step 2: Gather App Details

After registration, go to the Overview page of your new app and copy:

  • Application (Client) ID

Step 3: Create a Client Secret

  1. In the same app, go to Manage > Certificates & secrets > Client secrets
  2. Click + New client secret
  3. Enter a description (e.g., NetwrixSecret) and select expiration
  4. Click Add
  5. Copy the secret value immediately — Azure won't display it again

Netwrix Auditor uses the App ID + Client Secret for authentication

At the end of this step, you must have:

  • Application (Client) ID
  • Client Secret (Secret Value)

Configure API Permissions

Microsoft Graph API permissions:

Step 1: Add Permissions

The Purpose column references Microsoft Graph API endpoints that Netwrix Auditor calls to perform each resolution task.

Permission      Purpose
User.Read       Basic user information. Sign in and read user profile. (default)
User.Read.All   Read all users' full profiles. Required to resolve user security identifiers (SIDs) into display names and User Principal Names (UPNs), and to map access control entries (ACEs) from group membership via the Microsoft Graph endpoint /users/{id}/transitiveMemberOf
Group.Read.All  Resolve groups and search by SID from discretionary access control lists (DACLs). Required to expand group membership via the Microsoft Graph endpoint /groups/{id}/transitiveMembers and filter groups by securityIdentifier
  1. In your app in Microsoft Entra ID, go to Manage > API permissions > + Add a permission.
  2. Select Microsoft Graph > Application permissions
  3. Add:
    • User.Read – "Sign in and read user profile." (default)
    • User.Read.All – "Read all users' full profiles"
    • Group.Read.All – "Read all groups"

Click Grant admin consent for TenantName

Why this is required:

  • By default, applications can't query Microsoft Graph for directory-wide information
  • Admin consent allows the app to use User.Read.All and Group.Read.All
  • User.Read.All lets Netwrix Auditor query Microsoft Entra ID and resolve user SIDs → user accounts → display names
  • Group.Read.All lets Netwrix Auditor resolve groups from DACLs and expand group membership so reports show which users inherit access through group ACEs
  • Without admin consent, audit logs will only show unresolved SIDs and object IDs instead of usernames and group names, making reports incomplete and less useful

At the end of this step, your app has granted Microsoft Graph API permissions

Assign Identity and Access Management (IAM) Roles to the App

Role                                 Scope                Purpose
Reader                               Resource Group       List storage accounts
Storage File Data Privileged Reader  Storage Account      Read file share data
Storage Blob Data Reader             Log Storage Account  Access audit logs

IAM Roles:

You should assign Azure IAM roles so that Netwrix Auditor can:

  • Discover file shares in your resource group
  • Read metadata from your data storage account
  • Access audit logs from your log storage account

These IAM roles are mandatory

Step 1: Assign Reader Role on Resource Group

  1. In the Azure Portal, go to your Resource Group
  2. Open Access control (IAM)
  3. Click + Add > Add role assignment
  4. Select role: Reader
    • "View everything, but not make any changes"
  5. Click Next
  6. Under Members, click + Select members
  7. In the search window, select the App you registered earlier
  8. Click Select → Review + assign

Step 2: Assign Storage File Data Privileged Reader on Data Storage Account

  1. In the Azure Portal, go to your Data Storage Account
  2. Navigate to Access control (IAM) > + Add role assignment
  3. Select role: Storage File Data Privileged Reader
    • "Allows read access to file shares and directory/file metadata, including NTFS ACLs"
  4. Click Next
  5. Under Members, click + Select members
  6. Search for and select the App you registered earlier
  7. Click Select → Review + assign

Step 3: Assign Storage Blob Data Reader on Log Storage Account

  1. In the Azure Portal, go to your Log Storage Account
  2. Navigate to Access control (IAM) > + Add role assignment
  3. Select role: Storage Blob Data Reader
    • "Allows read access to Azure Storage blob containers and data"
  4. Click Next
  5. Under Members, click + Select members
  6. Search for and select the App you registered earlier
  7. Click Select → Review + assign

Notes & Best Practices

  • Data and log storage accounts can be in different resource groups
  • Supported identity sources: AD DS, Microsoft Entra Kerberos
  • Not supported: Microsoft Entra Domain Services
  • Supported protocol: SMB

At the end of this step, your app should have assigned roles:

  • Reader (Resource Group)
  • Storage File Data Privileged Reader (Data Storage Account)
  • Storage Blob Data Reader (Log Storage Account)
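The app registration, Microsoft Graph permission and IAM role steps above, carried out end to end with the Az PowerShell modules (Az.Accounts, Az.Resources, Az.Storage) instead of the portal. This is an added example and not part of the Netwrix documentation. The resource group and storage account names are placeholders, both storage accounts are assumed to sit in the same resource group, and admin consent is still granted in the portal as described above.

```powershell
# Added example (not from the Netwrix page): portal steps above done with Az PowerShell.
# All names below are placeholders; replace them with your own values.
$appName       = 'NetwrixAuditor-AzureFiles'   # example app name, as in the page
$resourceGroup = 'rg-files-placeholder'        # resource group holding both storage accounts (assumption)
$dataAccount   = 'stdataplaceholder'           # data storage account (file shares)
$logAccount    = 'stlogsplaceholder'           # log storage account (audit logs)

Connect-AzAccount | Out-Null   # sign in as a user with Entra ID and Azure admin rights

# App registration, steps 1-3: single-tenant app, service principal, client secret.
# The secret value is shown once; store SecretText in a vault, never in a script.
$app  = New-AzADApplication -DisplayName $appName -SignInAudience 'AzureADMyOrg'
$sp   = New-AzADServicePrincipal -ApplicationId $app.AppId
$cred = New-AzADAppCredential -ObjectId $app.Id -EndDate (Get-Date).AddMonths(6)
"Application (Client) ID: $($app.AppId)"
"Client Secret (Secret Value): $($cred.SecretText)"

# Microsoft Graph application permissions. The app role IDs are read from the
# Graph service principal rather than hard-coded, so nothing here is guessed.
$graphAppId = '00000003-0000-0000-c000-000000000000'   # well-known Microsoft Graph application ID
$graphSp    = Get-AzADServicePrincipal -ApplicationId $graphAppId
foreach ($perm in 'User.Read.All', 'Group.Read.All') {
    $role = $graphSp.AppRole | Where-Object { $_.Value -eq $perm }
    if (-not $role) { throw "Graph application permission '$perm' not found" }
    Add-AzADAppPermission -ObjectId $app.Id -ApiId $graphAppId -PermissionId $role.Id -Type Role
}
# "Grant admin consent for <TenantName>" is still done in the portal (Manage > API permissions).

# IAM roles. A newly created service principal can take a moment to replicate,
# so wait before assigning roles to it.
Start-Sleep -Seconds 30
$data = Get-AzStorageAccount -ResourceGroupName $resourceGroup -Name $dataAccount
$logs = Get-AzStorageAccount -ResourceGroupName $resourceGroup -Name $logAccount

New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName 'Reader' -ResourceGroupName $resourceGroup
New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName 'Storage File Data Privileged Reader' -Scope $data.Id
New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName 'Storage Blob Data Reader' -Scope $logs.Id

# Verify: exactly these three roles should be listed, each at the intended scope.
Get-AzRoleAssignment -ObjectId $sp.Id | Select-Object RoleDefinitionName, Scope
```

Each role is scoped to the narrowest resource that needs it (resource group for discovery, the data account for share metadata, the log account for blob reads), which matches the table above and keeps the app from reading any other storage account in the subscription.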

Diagnostic Settings

Azure Files doesn't generate audit events by default. You must configure Diagnostic Settings to send file activity logs to your Log Storage Account.

Step 1: Open Diagnostic Settings

  1. In the Azure Portal, go to your Data Storage Account
  2. Navigate to Monitoring > Diagnostic settings
  3. On the "Select any of the resources to view diagnostic settings" screen, choose File
    • Netwrix Auditor only supports File diagnostic settings
  4. Click + Add diagnostic setting

Step 2: Configure General Settings

  1. Enter a name (e.g., NetwrixAuditorLogs)
  2. Under Category groups, select Audit
    • Netwrix Auditor supports only the Audit category group

Step 3: Configure Destination

  1. Under Destination details, check Archive to a storage account
    • This is the only supported option for Netwrix Auditor
  2. Select your Log Storage Account
  3. Confirm the correct subscription and storage account

Note: Azure requires two separate storage accounts:

  • One for file shares (data)
  • One for audit logs

Step 4: Save the Configuration

Click Save. Azure Files now archives audit logs into your Log Storage Account

At the end of this step, you should have:

  • A Diagnostic Setting under the File resource type
  • Audit category group selected
  • Destination set to Archive to a storage account
  • Logs archiving into the Log Storage Account
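The diagnostic setting steps above, created and then read back with the Az.Monitor module, as an added example that is not part of the Netwrix documentation. Storage account names are placeholders, both accounts are assumed to be in one resource group, and the container check at the end assumes the standard Azure Monitor naming for archived resource logs (insights-logs-<category>), which is a platform convention rather than something this page states.

```powershell
# Added example (not from the Netwrix page): File diagnostic setting via Az PowerShell.
# Placeholder names; replace them with your own values.
$resourceGroup = 'rg-files-placeholder'
$dataAccount   = 'stdataplaceholder'          # data storage account (file shares)
$logAccount    = 'stlogsplaceholder'          # log storage account (audit logs)
$settingName   = 'NetwrixAuditorLogs'         # example name, as in the page

$data = Get-AzStorageAccount -ResourceGroupName $resourceGroup -Name $dataAccount
$logs = Get-AzStorageAccount -ResourceGroupName $resourceGroup -Name $logAccount

# Azure requires two separate accounts: refuse to archive a storage account's logs into itself.
if ($data.Id -eq $logs.Id) { throw 'Data and log storage accounts must be different accounts' }

# The "File" choice in the portal corresponds to the fileServices/default sub-resource,
# not the storage account itself.
$fileServiceId = "$($data.Id)/fileServices/default"

# Step 2-3: only the "audit" category group, only "Archive to a storage account".
$auditLogs = New-AzDiagnosticSettingLogSettingsObject -CategoryGroup 'audit' -Enabled $true
New-AzDiagnosticSetting -Name $settingName -ResourceId $fileServiceId `
    -StorageAccountId $logs.Id -Log $auditLogs | Out-Null

# Read the setting back and check the two properties Netwrix Auditor depends on.
$setting      = Get-AzDiagnosticSetting -ResourceId $fileServiceId -Name $settingName
$auditEnabled = $setting.Log | Where-Object { $_.CategoryGroup -eq 'audit' -and $_.Enabled }
if (-not $auditEnabled)                     { throw 'Audit category group is not enabled' }
if ($setting.StorageAccountId -ne $logs.Id) { throw 'Destination is not the log storage account' }
"Diagnostic setting '$settingName' archives Audit logs from $dataAccount to $logAccount"

# Optional: after some SMB activity on a share, archived resource logs appear in the
# log account as containers named insights-logs-<category>. Allow for the 3 to 20
# minute delay noted above before expecting any blobs.
Get-AzStorageContainer -Context $logs.Context -Prefix 'insights-logs-' |
    Select-Object Name, LastModified
```

Running the read-back check after every change is worth the extra lines: a setting saved under the storage account (blob) resource instead of the File sub-resource, or with the allLogs group instead of Audit, saves without error in the portal but produces nothing Netwrix Auditor can consume.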

Checklist

Next Steps

After completing the Azure Files configuration:

  1. Test Connectivity: Verify authentication and access to storage accounts
  2. Create Monitoring Plan: Configure Azure Files monitoring in Netwrix Auditor
  3. Validate Data Collection: Confirm that Netwrix Auditor collects audit events

For detailed instructions on creating the monitoring plan, see the Azure Files Monitoring Plan documentation

Netwrix documentation

Microsoft documentation