Add ACL permissions for a local user in SFTP enabled storage account.

Question

Add ACL permissions for a local user in SFTP enabled storage account.

Sumit Gaur 285

We are using an Azure Storage Account as an SFTP server to support various integration needs. For one of the integration Instead of creating separate blob containers for each application, we designed a shared folder structure within a single container containerA. This approach allows multiple applications to send and receive data while keeping the setup manageable and let us build a generic integration behind it using Azure Function / Azure Logic Apps.The folder structure in containerA looks like this:

/containerA

├── App1

│ ├── Incoming

│ └── Outgoing

└── App2

├── Incoming

└── Outgoing

SFTP Access Setup

We created two local users, one for each application (App1 and App2).

Both users were granted read access to containerA and were configured to use Access Control List (ACL) authorization.
Our goal is to isolate access so that:

App1 can only access /App1/**

App2 can only access /App2/**

Neither application can access the other’s directories

While Microsoft documentation mentions that directory-level access isolation is possible through ACLs, it is not clearly explained where or how to define these ACLs at the virtual directory level within the blob container when using SFTP.

When setting up local users, we only get the option to enable ACL-based authorization, but not to explicitly define or assign ACLs for specific folders.

https://learn.microsoft.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-support-authorize-access?tabs=azure-portal

is this something doable via ACL and if so how to configure this at user or container level?

User's image

Accepted answer

1 additional answer

Your answer

Answer 1

Manu Philip 20,456 MVP Volunteer Moderator

Hi Sumit Gaur

I am documenting the steps needed to assign ACL for local users for respective directories as you needed

Create an admin user first to assign the ACL for App1 and App2. For example admin1. containerA as the home directory
Allow all permissions to the admin user as below:
Get the connection string for the admin user like below:
Connect sftp with the admin user as below: Use the password copied during the admin user creation
Now, the admin user can list the folders for App1 and App2 using ls command, like below:
Now admin user has to take ownership of all directories using the command chmod 001 .
As the next step, admin user can start assigning ownership permissions to users on respective folders as below. Note that the ownership permissions are assigned to the corresponding user id . 1000 and 1001 are my user ids chown 1000 fold1 chown 1001 fold1
Now we are set with the ACL for the users on required folders.
You may test it by connecting the sftp for corresponding users Hope the above steps will help to work out on assigning the required permissions

Hope this helps.

--please don't forget to upvote and Accept as answer if the reply is helpful--

Sumit Gaur 285 Reputation points

2025-08-04T09:35:09.94+00:00

Thanks @Manu Philip - i will check this out.

isn't there a way to do it via portal?
Manu Philip 20,456 Reputation points MVP Volunteer Moderator

2025-08-04T11:29:42.5733333+00:00

Azure portal allows to alter ACLs for containers easily. However, I am not seeing a way for altering folder's ACL through portal
Praveen Bandaru 6,850 Reputation points Microsoft External Staff Moderator

2025-08-05T01:12:46.4066667+00:00

Hello Sumit Gaur
We are checking to see if the answer provided by Manu Philip helped, or you have any additional queries.

Hope the above answer helps! Please let us know do you have any further queries.

Please do not forget to "accept answer" and "up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Praveen Bandaru 6,850 Reputation points Microsoft External Staff Moderator

2025-08-06T01:04:39.87+00:00

Hello Sumit Gaur

I just wanted to follow up and see if you had a chance to review my response to your question. Please let us know if it was helpful, and feel free to reach out if you have any further queries.

Hope the above answer helps! Please let us know do you have any further queries.

Please do not forget to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Sumit Gaur 285 Reputation points

2025-08-06T12:25:00.6233333+00:00

Hi @Manu Philip

It is working in the sense that users are restricted to their respective folders and cannot navigate backward, which is good. However, they are also unable to access subfolders within their own directories and get this error

Error message from server (en): AuthorizationPermissionMismatch: This request is not authorized to perform this operation using this permission.

For example, if folder1 contains upload and download subdirectories, the user assigned to folder1 cannot access those subdirectories.

I tried using the command: chmod -R 700 /folder1 to grant the owner full access recursively, but the SFTP module throws an “Invalid Key” error.

Could you please advise on the correct way to set permissions to allow users to access subfolders within their assigned directories?
Manu Philip 20,456 Reputation points MVP Volunteer Moderator

2025-08-06T19:07:55.8+00:00

Hi Sumit Gaur

I have tried to re-produce the issue that you face. I am able to create new folders in the landing folder and browse through the newly created folders. So, if you have followed the steps correctly, this will work for you too.

However, if you are looking for changing the permissions for many subfolders within the landing folder, you may use FileZilla kind of clients

Login FileZilla with the user. Try to change the file attributes as follows. Select Recursive into subdirectories to change permissions in bulk
Sumit Gaur 285 Reputation points

2025-08-07T12:52:02.0666667+00:00
Hi @Manu Philip

I was able to work it out via WinScp by logging into the directory as admin and then set permission for each user on folder and its subfolders, but it is not working from the command setup.

I followed the steps as outlined:

Created a new container named acl-test.

Inside it, created two folders: acl1 and acl2.

Under both folders, created two subdirectories: incoming and outgoing.

Created three local users: acladmin, acl1, and acl2.

Assigned acladmin full permissions on the container.

For users acl1 and acl2, enabled ACL and set their respective home directories as: acl-test/acl1
`acl-test/acl2`

From PowerShell, I logged in using the acladmin account and ran the following commands:

chmod 001 .

chown 1011 acl1

chown 1012 acl2

However, when I log in using either the acl1 or acl2 users via WinSCP, I’m unable to access the incoming and outgoing subdirectories under their respective folders.
Manu Philip 20,456 Reputation points MVP Volunteer Moderator

2025-08-07T18:09:14.0666667+00:00

Hi Sumit Gaur

Following two commands will help. Execute those commands from acladmin

chown 1004 acl1/*

chown 1005 acl2/*
Sumit Gaur 285 Reputation points

2025-08-08T04:23:03.9033333+00:00

Thanks @Manu Philip this is working now as expected.
Praveen Bandaru 6,850 Reputation points Microsoft External Staff Moderator

2025-08-08T04:28:25.04+00:00

Hello Sumit Gaur

Thank you for your response. I'm glad to hear that it is working as expected. Please consider accepting the answer provided by Manu Philip as it will help other community members find the solution more easily.

Hope the above answer helps! Please let us know do you have any further queries.

Please do not forget to "accept answer" and "up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Answer 2

Manu Philip 20,456 MVP Volunteer Moderator

Hi Sumit Gaur

Have you checked the following reference, which shows how to assign container level permission to sftp users using ACL

Give permission to containers

Hope this helps.

--please don't forget to upvote and Accept as answer if the reply is helpful--

Sumit Gaur 285 Reputation points

2025-08-03T14:16:09.2066667+00:00

Hi @Manu Philip - I have checked this article but this only talks about giving permission at the container level and not via ACL, it only says on how to enable the ACL for the user but then doesn't specify how can i give fine-grained permission at the sub folder inside the container. read of one directory and then write for another.

or

have one user access to one specific folder and and one to another?

Share via

Add ACL permissions for a local user in SFTP enabled storage account.

1 additional answer

Your answer