Modifying SFTP container directory permissions via ACL

Shashwat Tiwary 80 Reputation points
2024-08-28T06:44:04.85+00:00

Hi,

I have set up an SFTP service over Azure blob storage for a data vendor. The container has three folders - inbound, outbound and archive. From the portal I can give the permissions (READ, WRITE or LIST) to a local user for the whole container, which is inherited by the directories and future files within the directories. However, I want to set up granular permissions at the directory level for a local user instead of at the container level. I have referred to the two articles below, but they did not help much.

  1. https://video2.skills-academy.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-support#access-control-lists-acls
  2. https://video2.skills-academy.com/en-us/azure/storage/blobs/data-lake-storage-acl-azure-portal

I have tabulated my requirement in the table below. Can someone who has done this help me out to set this up?

[Image: requirement table (per-directory READ/WRITE/LIST permissions), not available as text]

Regards,

Shashwat


2 answers

  1. Nehruji R 8,066 Reputation points Microsoft Vendor
    2024-08-29T11:25:51.6466667+00:00

    Hello Shashwat Tiwary,

    Greetings! Welcome to Microsoft Q&A Platform.

    Yes, you can configure ACLs for an SFTP local account down to the container and sub-folder level using Azure CLI, Azure PowerShell or the Azure Portal, and you can configure it with whichever method you require.

    If you are referring to containers, you need to use ADLS Gen2 for more granular access. Access control lists (ACLs): ACLs give you the ability to apply a "finer grain" level of access to directories and files. An ACL is a permission construct that contains a series of ACL entries. Each ACL entry associates a security principal with an access level. To learn more, see Access control lists (ACLs) in Azure Data Lake Storage Gen2.

    Also refer - https://video2.skills-academy.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-support, https://video2.skills-academy.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-support-authorize-access?tabs=azure-cli.

    You can set the desired permissions at the container level using Azure Portal or Azure Storage Explorer. These permissions are inherited by all blobs (files) and virtual directories (folders) within the container.

    To grant access to a container, you can assign an RBAC role at the container scope or above to a user, group, service principal, or managed identity. You may also choose to add one or more conditions to the role assignment. You can read about the assignment of roles at Assign Azure roles using the Azure portal.

    Also, folders in Azure Blob storage are virtual. They look like folders, but they are not real folders like the folders on your local computer.

    If you need to grant access on the folder level, you need to use Azure Data Lake Gen2, i.e. an Azure Storage account where the Hierarchical namespace setting is enabled. For an existing storage account blob container/folder: Access control lists (ACLs) in Azure Data Lake Storage Gen2

    For more fine-grained control, you can set ACLs at the individual blob (file) level.

    Navigate to the specific blob, and in the Azure Portal or Azure Storage Explorer, set the access controls for that specific blob (this can be more granular but might not be practical for a large number of files).

    Additional information: Authorizing access to Azure Storage

    If you are referring to Azure File shares, please see: Configure directory and file level permissions over SMB: After you assign share-level permissions, you must first connect to the Azure file share using the storage account key and then configure Windows access control lists (ACLs), also known as NTFS permissions, at the root, directory, or file level. While share-level permissions act as a high-level gatekeeper that determines whether a user can access the share, Windows ACLs operate at a more granular level to control what operations the user can do at the directory or file level.

    Similar thread for reference - https://video2.skills-academy.com/en-us/answers/questions/1290110/setting-up-sftp-with-windows-vm-azure-file-share?source=docs

    Hope this answer helps! Please let us know if you have any further queries. I'm happy to assist you further.

    Please "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.


  2. Sumarigo-MSFT 46,441 Reputation points Microsoft Employee
    2024-09-16T05:20:15.18+00:00

    @Shashwat Tiwary Apologies for the delayed response!

    The referenced article has the instructions for ACLs and should work for this scenario. Have you used an SFTP client to set the granular permissions for each folder and user?

    Example: https://video2.skills-academy.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-support-connect#modify-the-acl-of-a-file-or-directory

    If the issue still persists, I would like to work closer on this issue!

    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.

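The second answer points to setting directory ACLs from an SFTP client rather than from the portal. The script below is an added example (not Microsoft's code and not from either answer) of doing that in a repeatable, least-privilege way: it takes a READ/WRITE/LIST table like the one in the question, maps each row onto POSIX directory bits, and emits an sftp batch file of `chmod` commands. The table contents are constructed. It assumes the storage account has hierarchical namespace enabled and that the Azure SFTP endpoint honours `chmod` from an sftp client, as the linked "modify the ACL" section describes; the `<account>.<localuser>@<account>.blob.core.windows.net` connection form in the usage comment is also an assumption, and STORAGEACCOUNT/vendoruser are placeholders.

```shell
#!/bin/sh
# Added example: derive per-directory POSIX modes from a READ/WRITE/LIST table
# and emit an sftp batch file of chmod commands. Not Microsoft's code; it
# assumes hierarchical namespace is enabled and that the Azure SFTP endpoint
# honours chmod from an sftp client.

# Constructed requirement table: "directory read write list" with y/n flags.
PERM_TABLE='inbound y y y
outbound y n y
archive n n y'

# Map the flags onto directory permission bits:
#   LIST  -> r (4): enumerate entries
#   WRITE -> w (2): create/delete entries
#   READ  -> x (1): traverse into the directory and open its files
# Creating or deleting an entry also needs traversal, so WRITE implies x.
mode_for() {
  read_f=$1; write_f=$2; list_f=$3
  m=0
  [ "$list_f" = y ] && m=$((m + 4))
  [ "$write_f" = y ] && m=$((m + 2))
  if [ "$read_f" = y ] || [ "$write_f" = y ]; then m=$((m + 1)); fi
  echo "$m"
}

# One chmod line per table row. The computed mode goes in the owner position;
# group and other are left at 0 so nothing is granted beyond the table.
batch_lines() {
  printf '%s\n' "$1" | while read -r dir r w l; do
    [ -z "$dir" ] && continue
    printf 'chmod %s00 %s\n' "$(mode_for "$r" "$w" "$l")" "$dir"
  done
}

# Write the batch file that "sftp -b" will replay against the container.
write_batch() {
  batch_lines "$PERM_TABLE" > "$1"
}

# Show what would be applied; review this before running it.
batch_lines "$PERM_TABLE"

# Usage against the endpoint (placeholder names; the user@host form is assumed):
#   write_batch acl.batch
#   sftp -b acl.batch STORAGEACCOUNT.vendoruser@STORAGEACCOUNT.blob.core.windows.net
```

Keeping the table in a file under version control and regenerating the batch from it gives an auditable record of which local user was granted what on each directory, and re-running the batch after new directories are created keeps the container consistent with the table.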
