articles/storage/files/authorize-data-operations-portal.md (+2 -2: 2 additions & 2 deletions)
@@ -81,9 +81,9 @@ You can change the authentication method for individual file shares. By default,
81
81
82
82
1. Select **Browse**.
83
83
84
-
1.The **Authentication method** shows whether you're currently using the storage account access key or your Entra account to authenticate and authorize file share operations.
84
+
1.**Authentication method** shows whether you're currently using the storage account access key or your Entra account to authenticate and authorize file share operations.
85
85
86
-
If you're currently authenticating by using the storage account access key, **Access Key** is specified as the authentication method, as shown in the following image. If you're authenticating by using your Entra account, **Microsoft Entra user account** is specified instead.
86
+
If you're currently authenticating by using the storage account access key, **Access key** is specified as the authentication method, as shown in the following image. If you're authenticating by using your Entra account, **Microsoft Entra user account** is specified instead.
87
87
88
88
:::image type="content" source="media/authorize-data-operations-portal/auth-method-access-key.png" alt-text="Screenshot that shows the authentication method set to access key.":::
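Review bot: The list item as rendered here reads `1.**Authentication method** shows ...` with no space between `1.` and the bold text; if the source reads that way rather than this being a rendering artifact, CommonMark will not treat it as a list item, so confirm the source has `1. **Authentication method** shows ...`. The `Access Key` to `Access key` casing change is a good fix for matching the UI label, and the image alt-text on line 88 ("set to access key") still agrees with it.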
articles/storage/files/authorize-oauth-rest.md (+12 -12: 12 additions & 12 deletions)
@@ -15,17 +15,17 @@ ms.custom:
15
15
16
16
# Access Azure file shares by using Microsoft Entra ID with Azure Files OAuth over REST
17
17
18
-
:heavy_check_mark:**Applies to:** Classic SMB and NFS file shares created with the Microsoft.Storage resource provider
18
+
:heavy_check_mark:**Applies to:** Classic SMB and NFS file shares created with the `Microsoft.Storage` resource provider
19
19
20
-
:heavy_multiplication_x:**Doesn't apply to:** File shares created with the Microsoft.FileShares resource provider (preview)
20
+
:heavy_multiplication_x:**Doesn't apply to:** File shares created with the `Microsoft.FileShares` resource provider (preview)
21
21
22
22
By using Azure Files OAuth over REST, users and applications can get admin-level read and write access to Azure file shares through the [OAuth](https://oauth.net/) authentication protocol. This access method uses Microsoft Entra ID for REST API-based access.
23
23
24
-
Users, groups, Microsoft services such as Azure portal, and partner services and applications that use REST interfaces can now use OAuth authentication and authorization with a Microsoft Entra account to access data in Azure Files. Azure PowerShell cmdlets and Azure CLI commands that call REST APIs can also use OAuth to access Azure Files.
24
+
Users, groups, Microsoft services such as the Azure portal, and partner services and applications that use REST interfaces can now use OAuth authentication and authorization with a Microsoft Entra account to access data in Azure Files. Azure PowerShell cmdlets and Azure CLI commands that call REST APIs can also use OAuth to access Azure Files.
25
25
26
26
You must call the REST API by using an explicit header to indicate your intent to use the additional privilege. This requirement also applies to Azure PowerShell and Azure CLI access.
27
27
28
-
This article explains how to enable admin-level access to Azure file shares for specific [customer use cases](#customer-use-cases). For a more general article on identity-based authentication for end users, see [Overview of Azure Files identity-based authentication](storage-files-active-directory-overview.md).
28
+
This article explains how to enable admin-level access to Azure file shares for specific [customer use cases](#customer-use-cases). For a more general article on identity-based authentication for users, see [Overview of Azure Files identity-based authentication](storage-files-active-directory-overview.md).
29
29
30
30
## Limitations
31
31
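Review bot: Line 26 (unchanged context) still says the REST API must be called "by using an explicit header" without naming the header or linking to where it is documented, while the PowerShell and CLI sections later in this file name their concrete switches (`-EnableFileBackupRequestIntent`, `--backup-intent`); since this header is the control that gates the admin-level access the intro describes, consider adding the header name or a link here. The backtick formatting of `Microsoft.Storage` and `Microsoft.FileShares` and the "the Azure portal" wording are fine.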
@@ -45,7 +45,7 @@ OAuth authentication and authorization enable developers to build applications t
45
45
46
46
Customers and partners can also enable Microsoft and partner services to configure necessary access securely and transparently to a customer storage account.
47
47
48
-
DevOps tools such as the Azure portal, Azure PowerShell, the Azure CLI, AzCopy, and Storage Explorer can manage data by using the user's identity. Using this identity eliminates the need to manage or distribute storage access keys.
48
+
DevOps tools such as the Azure portal, Azure PowerShell, the Azure CLI, AzCopy, and Azure Storage Explorer can manage data by using the user's identity. Using this identity eliminates the need to manage or distribute storage access keys.
49
49
50
50
### Managed identities
51
51
@@ -80,7 +80,7 @@ These roles are similar to the [Storage File Data SMB Share Reader](../../role-b
80
80
81
81
- When the user, group, or service principal assigned the Storage File Data Privileged Reader or Storage File Data Privileged Contributor role calls the FileREST data API by using OAuth, the user, group, or the service principal has:
82
82
-**Storage File Data Privileged Reader**: Full read access on all the data in the shares for all the configured storage accounts regardless of the file-level or directory-level NTFS permissions that are set.
83
-
-**Storage File Data Privileged Contributor**: Full read, write, modifyACLs, and delete access on all the data in the shares for all the configured storage accounts regardless of the file-level or directory-level NTFS permissions that are set.
83
+
-**Storage File Data Privileged Contributor**: Full read, write, modify-ACLs, and delete access on all the data in the shares for all the configured storage accounts regardless of the file-level or directory-level NTFS permissions that are set.
84
84
85
85
- When you use these special permissions and roles, the system bypasses any file-level or directory-level permissions and grants access to file share data.
86
86
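Review bot: "modify-ACLs" at line 83 is hard to read inside a comma-separated list; consider "Full read, write, delete, and modify-ACL access" so the hyphenated compound modifies "access" like the other items. As rendered here the bullets at lines 82 and 83 start with `-**` with no space after the dash; confirm the source has `- **Storage File Data Privileged Contributor**` or the bullets will not render. The unchanged statement at line 85 that these roles bypass file-level and directory-level permissions is the key point of this section and should stay adjacent to the list.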
@@ -185,15 +185,15 @@ Extensions for Azure PowerShell enable you to sign in and call Azure PowerShell
185
185
186
186
You can assign permissions to file data to a Microsoft Entra security principal via Azure RBAC.
187
187
188
-
## Supported operations
188
+
###Supported operations
189
189
190
190
The extensions support only operations on file data. Which operations you can call depends on the permissions granted to the Entra security principal with which you signed in to Azure PowerShell.
191
191
192
192
The storage context with OAuth works only if you call it with the `-EnableFileBackupRequestIntent` parameter. This parameter specifies the explicit intent to use the additional permissions that this feature provides.
193
193
194
194
The storage context with OAuth works only for operations on files and directories, and `Get`/`Set` permissions on Azure file shares. For all other operations on storage account and file shares, you must use the storage account key or SAS token.
195
195
196
-
## Prerequisites
196
+
###Prerequisites
197
197
198
198
You need an Azure resource group and a storage account within that resource group. The storage account must be assigned a role that grants explicit permissions to perform data operations against file shares. Make sure that you have the required roles and permissions to access both the management services and data services. For details on the permissions required to call specific Azure Files service operations, see [Permissions for calling data operations](/rest/api/storageservices/authorize-with-azure-active-directory#permissions-for-calling-data-operations).
199
199
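Review bot: Demoting "Supported operations" and "Prerequisites" to `###` correctly nests them under the Azure PowerShell section, but as rendered here the new headings read `###Supported operations` and `###Prerequisites` with no space after the hashes; CommonMark requires the space, so confirm the source has `### Supported operations` and `### Prerequisites`. The same check applies to the other demoted headings in this file.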
@@ -203,7 +203,7 @@ You also need to install the latest [Az.Storage](https://www.powershellgallery.c
203
203
Install-Module Az.Storage -Repository PsGallery
204
204
```
205
205
206
-
## Authorize access to file data
206
+
###Authorize access to file data
207
207
208
208
To authorize access to file data by using Azure PowerShell, follow these steps:
209
209
@@ -243,21 +243,21 @@ To authorize access to file data by using Azure PowerShell, follow these steps:
243
243
244
244
Core Azure CLI commands that ship as part of the CLI support the Azure Files OAuth over REST interface. You can use them to authenticate and authorize file data operations by using Entra credentials.
245
245
246
-
## Supported operations
246
+
###Supported operations
247
247
248
248
The commands support operations only on file data. Which operations you can call depends on the permissions granted to the Entra security principal that you use to sign in to the Azure CLI.
249
249
250
250
OAuth authentication and authorization work only if you call the CLI command by using the `--backup-intent` option or the `--enable-file-backup-request-intent` option. By using these options, you specify the explicit intent to use the additional permissions that this feature provides.
251
251
252
252
All commands under the `az storage file` and `az storage directory` command groups, along with the `az storage share list-handle` and `az storage share close-handle` commands, support OAuth authentication and authorization. For all other operations on storage accounts and file shares, you must use the storage account key or shared access signature (SAS) token.
253
253
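Review bot: After this change the Azure CLI section carries the same `### Supported operations` and `### Prerequisites` heading text as the Azure PowerShell section (lines 188 and 196), so the auto-generated anchors collide and any link to `#supported-operations` or `#prerequisites` resolves to the first occurrence only; if anything links into these subsections, qualify the headings (for example "Supported operations (Azure CLI)"). The intent options on line 250 (`--backup-intent`, `--enable-file-backup-request-intent`) are the CLI counterpart of `-EnableFileBackupRequestIntent` in the PowerShell section; a one-line cross-reference would help readers who switch tools.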
254
-
## Prerequisites
254
+
###Prerequisites
255
255
256
256
You need an Azure resource group and a storage account within that resource group. The storage account must be assigned a role that grants explicit permissions to perform data operations against file shares. Make sure that you have the required roles and permissions to access both the management services and data services. For details on the permissions required to call specific Azure Files service operations, see [Permissions for calling data operations](/rest/api/storageservices/authorize-with-azure-active-directory#permissions-for-calling-data-operations).
257
257
258
258
If you haven't already done so, [install the latest version of the Azure CLI](/cli/azure/install-azure-cli).
259
259
260
-
## Authorize access to file data
260
+
###Authorize access to file data
261
261
262
262
Follow these steps to authorize access to file data by using the Azure CLI:
articles/storage/files/files-managed-identities.md (+5 -5: 5 additions & 5 deletions)
@@ -154,7 +154,7 @@ You can use managed identities with Windows or Linux. Select your operating syst
154
154
155
155
The enablement steps described here are for Azure VMs. If you want to enable a managed identity on non-Azure Windows machines (on-premises or other cloud), you must [onboard them to Azure Arc and assign a managed identity](/azure/cloud-adoption-framework/scenarios/hybrid/arc-enabled-servers/eslz-identity-and-access-management). You can also authenticate by using an application identity instead of using a managed identity on a VM or Windows device.
156
156
157
-
### Enable managed identity on an Azure VM
157
+
### Enable a managed identity on an Azure VM
158
158
159
159
The managed identity can be either [system assigned or user assigned](/entra/identity/managed-identities-azure-resources/overview#differences-between-system-assigned-and-user-assigned-managed-identities). If the VM has both system-assigned and user-assigned managed identities, Azure defaults to system assigned. Assign only one for best results.
160
160
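Review bot: The reworded heading `### Enable a managed identity on an Azure VM` appears identically in the Windows section (line 157) and the Linux section (line 213 in the later hunk), as the old wording already did; duplicate headings produce duplicate anchors, so any cross-link to this step must target the tab rather than the heading. The article change itself is fine.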
@@ -190,7 +190,7 @@ Follow these steps to assign the built-in Azure RBAC role [Storage File Data SMB
190
190
191
191
1. Under **Members**, select **+ Select members**.
192
192
193
-
1. For Azure VMs or Azure Arc identities, select the managed identity for your VM or Windows device. For application identities, search for and select the application identity. Click**Select**.
193
+
1. For Azure VMs or Azure Arc identities, select the managed identity for your VM or Windows device. For application identities, search for and select the application identity. Choose**Select**.
194
194
195
195
1. Verify that the managed identity or application identity is listed under **Members**. Select **Next**.
196
196
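Review bot: Switching "Click" to "Choose" avoids the awkward "select **Select**", but as rendered here the line reads `Choose**Select**` with no space before the bold UI label; confirm the source has `Choose **Select**`. The same applies to `choose**Select**` at line 243 in the hunk below.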
@@ -210,7 +210,7 @@ If you created a user-assigned managed identity, follow these steps to add it to
210
210
211
211
To configure a managed identity on a Linux VM running in Azure, follow these steps. Your VM must be running Azure Linux 3.0, Ubuntu 22.04, Ubuntu 24.04, RHEL 9.6+, or SLES 15 SP6+.
212
212
213
-
### Enable managed identity on an Azure VM
213
+
### Enable a managed identity on an Azure VM
214
214
215
215
The managed identity can be either [system assigned or user assigned](/entra/identity/managed-identities-azure-resources/overview#differences-between-system-assigned-and-user-assigned-managed-identities). If the VM has both system-assigned and user-assigned managed identities, Azure defaults to system assigned. Assign only one for best results.
216
216
@@ -240,7 +240,7 @@ The managed identity can be either [system assigned or user assigned](/entra/ide
240
240
241
241
1. Under **Members**, select **+ Select members**. The **Select managed identities** pane appears.
242
242
243
-
1. Under **Managed identity**, select the managed identity, and then click**Select**.
243
+
1. Under **Managed identity**, select the managed identity, and then choose**Select**.
244
244
245
245
1. Verify that the managed identity is listed under **Members**. Select **Next**.
246
246
@@ -258,7 +258,7 @@ If you created a user-assigned managed identity, follow these steps to add it to
258
258
259
259
## Prepare your client to authenticate by using a managed identity
260
260
261
-
Follow these steps to prepare your system to mount the file share by using managed identity authentication. The steps are different for Windows and Linux clients. Clients shouldn't be domain joined.
261
+
The steps for preparing your system to mount the file share by using managed identity authentication are different for Windows and Linux clients. Clients shouldn't be domain joined.
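Review bot: The rewritten line 261 drops the "Follow these steps" lead-in, which is fine only if the Windows and Linux procedures that follow each have their own lead-in; that is not visible in this hunk, so please verify. "Clients shouldn't be domain joined" is a consequential constraint for managed identity authentication; stating why, or linking to the reason, would stop readers from treating it as optional.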
title: Overview - Azure Files Authorization and Access Control
3
-
description: Azure Files enforces authorization on user access at both the share leveland the directory/file level. You can assign share-level permissions through Azure RBAC.
3
+
description: Azure Files enforces authorization on user access at the share level, the directory level, and the file level. You can assign share-level permissions through Azure RBAC.
4
4
author: khdownie
5
5
ms.service: azure-file-storage
6
6
ms.topic: overview
7
7
ms.date: 10/16/2025
8
8
ms.author: kendownie
9
-
# Customer intent: As a cloud administrator, I want to configure authorization and access control for SMB Azure file shares, so that I can manage user permissions at both the shareand directory/file levels effectively.
9
+
# Customer intent: As a cloud administrator, I want to configure authorization and access control for SMB Azure file shares, so that I can manage user permissions at the share, directory, and file levels effectively.
10
10
---
11
11
12
12
# Overview of Azure Files authorization and access control
13
13
14
14
**Applies to:**:heavy_check_mark: SMB file shares
15
15
16
-
Regardless of which identity source you choose for [identity-based authentication](storage-files-active-directory-overview.md) on your storage account, you need to configure authorization and access control. Azure Files enforces authorization on user access at both the share leveland the directory/file level.
16
+
Regardless of which identity source you choose for [identity-based authentication](storage-files-active-directory-overview.md) on your storage account, you need to configure authorization and access control. Azure Files enforces authorization on user access at the share level, the directory level, and the file level.
17
17
18
18
You can assign share-level permissions to Microsoft Entra users or groups that are managed through [Azure RBAC](/azure/role-based-access-control/overview). With Azure RBAC, the credentials that you use for file access should be available or synced to Microsoft Entra ID. You can assign Azure built-in roles like Storage File Data SMB Share Reader to users or groups in Microsoft Entra ID to grant access to a file share.
19
19
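Review bot: Content lines change in this file (the description, the customer-intent comment, and body text) but `ms.date: 10/16/2025` on line 7 is untouched; docs convention is to bump `ms.date` when article text changes, so update it unless these count as non-substantive edits. The new "at the share level, the directory level, and the file level" phrasing is clearer than "share leveland the directory/file level" and also fixes the missing space.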
@@ -25,26 +25,26 @@ After you enable an identity source on your storage account, you must do one of
25
25
26
26
- Set a [default share-level permission](storage-files-identity-assign-share-level-permissions.md#share-level-permissions-for-all-authenticated-identities) that applies to all authenticated users and groups.
27
27
- Assign built-in Azure RBAC roles to users and groups.
28
-
- Configure custom roles for Entra identities and assign access rights to file shares in your storage account.
28
+
- Configure custom roles for Entra identities, and assign access rights to file shares in your storage account.
29
29
30
-
The assigned share-level permission grants the identity access to the share only and nothing else, not even the root directory. You still need to separately configure directory and file-level permissions.
30
+
The assigned share-level permission grants the identity access to the share only and nothing else, not even the root directory. You still need to separately configure directory-level and file-level permissions.
31
31
32
32
For more information, see [Assign share-level permissions](storage-files-identity-assign-share-level-permissions.md).
33
33
34
34
> [!NOTE]
35
35
> You can't assign share-level permissions to computer accounts (machine accounts) by using Azure RBAC, because computer accounts can't sync to an identity in Microsoft Entra ID. If you want to allow a computer account to access Azure file shares by using identity-based authentication, [use a default share-level permission](storage-files-identity-assign-share-level-permissions.md#share-level-permissions-for-all-authenticated-identities) or consider using a service logon account instead.
36
36
37
-
## Configure directory and file-level permissions
37
+
## Configure directory-level and file-level permissions
38
38
39
-
Azure Files enforces standard Windows ACLs at both the directory and file levels, including the root directory. You can configure directory or file-level permissions over both SMB and REST.
39
+
Azure Files enforces standard Windows ACLs at both the directory and file levels, including the root directory. You can configure directory-level or file-level permissions over both SMB and REST.
40
40
41
-
For more information, see [Configure directory and file-level permissions](storage-files-identity-configure-file-level-permissions.md).
41
+
For more information, see [Configure directory-level and file-level permissions](storage-files-identity-configure-file-level-permissions.md).
42
42
43
43
### Preserve directory and file ACLs when importing data to Azure Files
44
44
45
-
Azure Files supports preserving directory or file-level ACLs when you copy data to Azure file shares. You can copy ACLs on a directory or file to Azure file shares by using either Azure File Sync or common file-movement toolsets. For example, you can use [robocopy](/windows-server/administration/windows-commands/robocopy) with the `/copy:s` flag to copy data and ACLs to an Azure file share. ACLs are preserved by default, so you don't need to enable identity-based authentication on your storage account to preserve ACLs.
45
+
Azure Files supports preserving directory-level or file-level ACLs when you copy data to Azure file shares. You can copy ACLs on a directory or file to Azure file shares by using either Azure File Sync or common file-movement toolsets. For example, you can use [robocopy](/windows-server/administration/windows-commands/robocopy) with the `/copy:s` flag to copy data and ACLs to an Azure file share. ACLs are preserved by default, so you don't need to enable identity-based authentication on your storage account to preserve ACLs.
46
46
47
47
## Related content
48
48
49
49
-[Assign share-level permissions for Azure file shares](storage-files-identity-assign-share-level-permissions.md)
50
-
-[Configure directory and file-level permissions for Azure file shares](storage-files-identity-configure-file-level-permissions.md)
50
+
-[Configure directory-level and file-level permissions for Azure file shares](storage-files-identity-configure-file-level-permissions.md)
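Review bot: Renaming the `## Configure directory and file-level permissions` heading at line 37 to `## Configure directory-level and file-level permissions` changes its auto-generated anchor, so any inbound link targeting `#configure-directory-and-file-level-permissions` (from other articles or the TOC) breaks; search for and update those links. The link targets at lines 41 and 50 are unchanged, only the link text, so those are safe. The `### Preserve directory and file ACLs when importing data to Azure Files` heading at line 43 keeps the old "directory and file" wording; consider aligning it for consistency.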