If you have an Azure-exclusive environment and wish to include cloud users in a local file share, you can log in with each account separately and then add each one to the local group from the command line:
net localgroup <group name> /add "AzureAD\<username>"
This works well if you have a small number of users, but if you want to use a group it takes a bit of extra work.
First, log in to the Azure portal and create the group.
Now we need another Azure Security group to hold the device that will house the share.
Click on Properties and get the Object ID for the group
Use Graph explorer to get the group SID
Copy the security identifier; we will use it later.
Log in to the Intune management center and create a new device configuration policy.
Click Create
Choose "Windows 10 and later" for Platform
Select "Templates"
Select "Custom"
Click "Create"
Give your new policy a name
Under Configuration Settings, OMA-URI, click Add
OMA-URI:
./Device/Vendor/MSFT/Policy/Config/RestrictedGroups/ConfigureGroupMembership
Data Type: String
Value:
<groupmembership>
  <accessgroup desc = "<Local Group Name>">
    <member name = "<Security Identifier Copied earlier>" />
  </accessgroup>
</groupmembership>
Assign the policy to the group you created to hold the device.
Once the device syncs with the policy, the SID should show up as a member of the local group.
You can now use that local group to assign permissions as you normally would.
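The following PowerShell is an added example, not part of the original post: it derives the group SID from the Object ID copied in the steps above, so the value returned by Graph Explorer can be cross-checked, and builds the Value string for the OMA-URI setting. The function names, the sample Object ID and the local group name are assumptions made for illustration.

```powershell
# Added example; function names and sample values are constructed, not from a real tenant.
function Convert-AadObjectIdToSid {
    param([Parameter(Mandatory)][string]$ObjectId)
    $guid = [Guid]::Empty
    if (-not [Guid]::TryParse($ObjectId, [ref]$guid)) {
        throw "Not a valid Object ID (GUID): $ObjectId"
    }
    # An Azure AD SID is S-1-12-1- followed by the GUID's 16 bytes read as
    # four unsigned 32-bit integers.
    $bytes = $guid.ToByteArray()
    $parts = 0..3 | ForEach-Object { [BitConverter]::ToUInt32($bytes, $_ * 4) }
    'S-1-12-1-' + ($parts -join '-')
}

function New-GroupMembershipValue {
    param(
        [Parameter(Mandatory)][string]$LocalGroup,
        [Parameter(Mandatory)][string[]]$MemberSid
    )
    foreach ($sid in $MemberSid) {
        # Reject anything that is not a well-formed Azure AD SID before it
        # reaches the policy; a mistyped SID would grant access to nobody,
        # or to the wrong principal.
        if ($sid -notmatch '^S-1-12-1(-\d{1,10}){4}$') {
            throw "Unexpected SID format: $sid"
        }
    }
    # Escape the group name so characters such as & or " cannot break the XML.
    $name  = [System.Security.SecurityElement]::Escape($LocalGroup)
    $lines = @('<groupmembership>', "  <accessgroup desc = `"$name`">")
    $lines += $MemberSid | ForEach-Object { "    <member name = `"$_`" />" }
    $lines += '  </accessgroup>', '</groupmembership>'
    $lines -join "`r`n"
}

# Constructed sample input: replace with the Object ID from the group's Properties page.
$objectId   = '11111111-2222-3333-4444-555555555555'
$localGroup = 'FileShareUsers'   # hypothetical local group name

$sid = Convert-AadObjectIdToSid -ObjectId $objectId
Write-Output "Derived SID: $sid"

# ConfigureGroupMembership sets the group's member list, so pass every SID
# that must remain in the local group, not only the new one.
New-GroupMembershipValue -LocalGroup $localGroup -MemberSid $sid
```

If the derived SID does not match the security identifier shown in Graph Explorer, recheck that the Object ID was copied from the intended group before deploying the policy.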