I have a legacy file server that I have synced multiple shares to Azure File Shares. I assumed that I used the 3 SMB permissions to manage user access but it appears that the SMB permissions don't do anything?
Here's a sample setup. I have 3 shared folders on my file server (IT, HR, Finance). I create 3 file shares on Azure with 3 sync groups and I sync the files. I have on-prem AD synced to Azure AD. I assign Joe Smith Storage File Data SMB Share Contributor to IT File Share. I use Group Policy to map the drive for Joe. I check use permissions and filter accordingly. It works!
Now I want to retire my file server so I do the following. I make the IT share on the fileserver read-only in anticipation of breaking the share. I make sure everything is synced with no errors.
Before I can delete the share, Joe emails and says his access is read-only. I check IAM in the Azure File Share and he's still Storage File Data SMB Share Contributor but he only has read-only.
After a lot of trial and error, it appears that ACL permissions rule all here and the IAM permissions don't do anything (for synced File Shares anyway).
Is my assumption correct? Is there a way to force the shares to use SMB permissions and get rid of all the ACL? I realize ACL gives me a lot more control but I want to retire the file server and it doesn't appear there's anywhere within Azure to manage ACL (maybe I missed it) and the only way to modify ACL is to map a share, change permissions, and then disconnect.
I feel like I've clearly missed something obvious here. Appreciate any guidance someone is willing to give.