How to configure On-Prem SMB-Share to be accessed by Azure Storage Mover

Huppertz, Nikolai 20 Reputation points
2024-08-07T15:20:34.9733333+00:00

Hello everybody,

recently we have the requirement to move some files from our on-prem environment to an Azure File Share, including various metadata. I've done some research and found that the 'Azure Storage Mover' seems to be the best option for our needs.

I've installed the machine using the ovf-template and configured everything as described in this documentation: https://video2.skills-academy.com/en-us/azure/storage/files/migrate-files-storage-mover

The thing I do not understand though, is what are the prerequisites for the SMB Share? The guide says 'During a migration, storage mover agent resources connect to your SMB endpoints with Key Vault secrets rather than with unsecure hard-coded credentials', but how do I configure the SMB-Share to permit these secrets?

How do I set permissions, so the Storage Mover Agent is allowed to access files in the SMB-Share?

For now I even assigned 'Full Control' for 'Everyone' on our newly created share, but still the migration job exits with error code AZSM1001 stating permission is denied.

Appreciate any ideas.


Accepted answer
  1. Nehruji R 7,306 Reputation points Microsoft Vendor
    2024-08-14T05:14:43.82+00:00

    Hello Huppertz, Nikolai, I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this!

    Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer. Accepted answers show up at the top, resulting in improved discoverability for others.

    Issue: Customer would like to move some files from our on-prem environment to an Azure File Share, including various metadata, but still the migration job exits with error code AZSM1001 stating permission is denied.

    Error Message:

    AZSM1001 stating permission is denied.

     

    Solution: Customer upgraded with new user account and tried the migration, the issue got mitigated.

    "On our On-Prem Server on which the SMB-Share is located, I created a new local user, which has the same name, as is the value of the Key-Vault-User-Secret (had to shorten the secret to match the maximum allowed characters for user names), configured its password to be the same as the Key-Vault-Password-Secret and assigned SMB permissions to this newly created local user account but afterwards the migration project runs fine and all files are migrated as should be."


3 additional answers

  1. Nehruji R 7,306 Reputation points Microsoft Vendor
    2024-08-08T10:45:51.6533333+00:00

    Hello Huppertz, Nikolai,

    Greetings! Welcome to Microsoft Q&A Platform.

    I understand that you are using Azure Storage Mover for migrating some files from on-prem environment to an Azure File Share and encountering issues with it while performing the migration with error code AZSM1001 stating permission is denied.

    Prerequisites for the SMB Share:

    1. Ensure you have an active Azure subscription and a resource group.
    2. You need at least one SMB Azure file share in your storage account.
    3. Your local network must allow the Storage Mover agent to communicate with Azure. Ensure that port 443 (TLS) is open outbound, and your firewall rules do not limit traffic to Azure.

    Configuring SMB Share for Key Vault Secrets:

    To configure your SMB share to permit access using Key Vault secrets, follow these steps:

    1. Create and store secrets in Azure Key Vault: store the credentials (username and password) for your SMB share in Azure Key Vault as secrets.
    2. Ensure the Storage Mover agent has the necessary permissions to access the Key Vault secrets. You can do this by assigning the appropriate roles (e.g., Key Vault Reader) to the managed identity of the Storage Mover agent.
    3. When setting up your migration job, specify the Key Vault secrets for the SMB share credentials. The Storage Mover agent will use these secrets to authenticate and access the SMB share.

    Setting Permissions on the SMB Share:

    Even though you've assigned 'Full Control' to 'Everyone', it's essential to ensure that the specific user account (whose credentials are stored in Key Vault) has the necessary permissions on the SMB share.

    1. Identify the User Account:
      • Determine the user account that will be used by the Storage Mover agent to access the SMB share.
    2. Assign Permissions:
      • On your SMB share, explicitly assign the required permissions (e.g., Read, Write, Modify) to this user account.
    3. Verify Permissions:
      • Double-check that the permissions are correctly set and that there are no conflicting permissions that might be causing the access issue.

    Troubleshooting Error Code AZSM1001:

    The error code AZSM1001 indicates a failure to mount the source path during your Azure file share migration and indicates a permission issue.

    | Error Code | Error Message | Details/Troubleshooting steps/Mitigation |
    |---|---|---|
    | AZSM1001 | Failed to mount source path | Verify the provided server name or IP-address is valid, or the source location is correct. If using SMB, verify the provided username and password is correct. |
    | AZSM1002 | Encountered an error while scanning the source | Retry or create a support ticket. |
    | AZSM1003 | Failed to access source folder due to permission issues | Verify that the agent has been granted permissions to the source file share. |

    Please consider checking a few additional steps to troubleshoot:

    1. Check Key Vault Access:
      • Ensure that the Storage Mover agent can access the Key Vault and retrieve the secrets.
    2. Review SMB Share Permissions:
      • Verify that the user account has the correct permissions on the SMB share.
    3. Network Connectivity:
      • Confirm that there are no network issues preventing the Storage Mover agent from accessing the SMB share.

    If you continue to face issues, reviewing the detailed logs from the Storage Mover agent might provide more insights into the specific cause of the permission denial.

    Troubleshooting doc - https://video2.skills-academy.com/en-us/azure/storage-mover/status-code, https://video2.skills-academy.com/en-us/troubleshoot/azure/azure-storage/files/connectivity/files-troubleshoot-smb-connectivity?tabs=windows

    reference docs: https://video2.skills-academy.com/en-us/azure/storage/files/migrate-files-storage-mover will help you with detailed guidance.

    Hope this answer helps! Please let us know if you have any further queries. I’m happy to assist you further.


    Please "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.


  2. Huppertz, Nikolai 20 Reputation points
    2024-08-08T11:33:26.7566667+00:00

    Thanks for your response.

    With this information I can narrow down the problem to this step:

    Setting Permissions on the SMB Share: Even though you've assigned 'Full Control' to 'Everyone', it's essential to ensure that the specific user account (whose credentials are stored in Key Vault) has the necessary permissions on the SMB share.

    1. Identify the User Account:
      • Determine the user account that will be used by the Storage Mover agent to access the SMB share.
    2. Assign Permissions:
      • On your SMB share, explicitly assign the required permissions (e.g., Read, Write, Modify) to this user account.

    As far as I understand, the Storage Mover agent uses a System-assigned managed identity within Azure, which was automatically created when registering the Agent. I've already assigned the necessary roles to this managed identity in the Key Vault, Storage Mover and Azure File Share.
    But as this is only a managed identity in Entra, but not in our On-Prem Active-Directory-Environment, I cannot give it any permission to the On-Prem SMB-Share.

    Is there a way to use a synchronized On-Prem User to be used by the Storage Mover agent instead of this default Managed-Identity or link an On-Prem-User with the necessary SMB permission to this SAMI?


  3. Huppertz, Nikolai 20 Reputation points
    2024-08-09T10:56:52.7766667+00:00

    I managed to get it working now.

    What I've done to resolve it:

    On our On-Prem Server on which the SMB-Share is located, I created a new local user, which has the same name, as is the value of the Key-Vault-User-Secret (had to shorten the secret to match the maximum allowed characters for user names), configured its password to be the same as the Key-Vault-Password-Secret and assigned SMB permissions to this newly created local user account.

    I don't know, whether this is the intended way, but afterwards the migration project runs fine and all files are migrated as should be.

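The fix described in this thread, written out as a script that grants a dedicated local account read-only access and drops the 'Full Control' for 'Everyone' test grant. This is an added example, not code from the thread or from Microsoft; the account name, the share name and the choice of read-only rights for a migration source are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example; run on the on-prem Windows server that hosts the share.
# $UserName and $ShareName are hypothetical placeholders.
$UserName  = 'svc-stgmover'     # must equal the value of the Key Vault user name secret
$ShareName = 'MigrationSource'  # name of the existing SMB share
$Account   = "$env:COMPUTERNAME\$UserName"

# Local account names are limited to 20 characters. A longer secret value can
# never match a local user, so stop here instead of failing at mount time.
if ($UserName.Length -gt 20) {
    throw "User name '$UserName' is longer than 20 characters; shorten the Key Vault secret."
}

# Typed interactively so the password is not stored in the script or history.
# It must equal the value of the Key Vault password secret.
$Password = Read-Host -Prompt "Password for $Account" -AsSecureString

if (-not (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $UserName -Password $Password `
        -Description 'Azure Storage Mover source access' `
        -PasswordNeverExpires -UserMayNotChangePassword | Out-Null
}

# Share-level permission: read-only (assumed sufficient for a migration source).
Grant-SmbShareAccess -Name $ShareName -AccountName $Account `
    -AccessRight Read -Force | Out-Null

# NTFS permission on the shared folder, inherited by subfolders and files.
# Effective access is the more restrictive of share and NTFS permissions.
$Path = (Get-SmbShare -Name $ShareName).Path
$Acl  = Get-Acl -Path $Path
$Rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $Account, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$Acl.AddAccessRule($Rule)
Set-Acl -Path $Path -AclObject $Acl

# Remove the broad grant that was added while troubleshooting.
Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -Force `
    -ErrorAction SilentlyContinue | Out-Null

# Show the resulting share and NTFS entries for review.
Get-SmbShareAccess -Name $ShareName |
    Format-Table AccountName, AccessControlType, AccessRight
(Get-Acl -Path $Path).Access |
    Where-Object { $_.IdentityReference.Value -eq $Account } |
    Format-Table IdentityReference, FileSystemRights, IsInherited
```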
