
Commit 612f368

edit pass: azure-files-authorization-and-access-control
1 parent 5a93d41 commit 612f368

5 files changed

Lines changed: 15 additions & 13 deletions

articles/storage/files/authorize-data-operations-portal.md

Lines changed: 8 additions & 6 deletions
@@ -33,9 +33,9 @@ Depending on how you want to authorize access to file data in the Azure portal,
3333
To access file data from the Azure portal by using your Entra account, both of the following statements must be true:
3434

3535
- You're assigned either a built-in or custom role that provides access to file data.
36-
- You're assigned the Azure Resource Manager [Reader](../../role-based-access-control/built-in-roles.md#reader) role, at a minimum, scoped to the level of the storage account or higher. The **Reader** role grants the most restricted permissions, but another Azure Resource Manager role that grants access to storage account management resources is also acceptable.
36+
- You're assigned the Azure Resource Manager [Reader](../../role-based-access-control/built-in-roles.md#reader) role, at a minimum, scoped to the level of the storage account or higher. The Reader role grants the most restricted permissions, but another Azure Resource Manager role that grants access to storage account management resources is also acceptable.
3737

38-
The Azure Resource Manager **Reader** role permits users to view storage account resources, but not modify them. It doesn't provide read permissions to data in Azure Storage, but only to account management resources. The **Reader** role is necessary so that users can go to file shares in the Azure portal.
38+
The Azure Resource Manager Reader role permits users to view storage account resources, but not modify them. It doesn't provide read permissions to data in Azure Storage, but only to account management resources. The Reader role is necessary so that users can go to file shares in the Azure portal.
3939

4040
Two built-in roles have the required permissions to access file data by using OAuth:
4141

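Review bot: the edited sentences still mix product naming: the intro line says "your Entra account" and the bullets say "Entra", while the rest of the file uses the full "Microsoft Entra ID" (for example the "For this reason, when you lock the account" line two hunks down). Since this pass is rewriting these exact sentences, normalize to "Microsoft Entra account" here rather than leaving the short form. Dropping bold from "Reader" in the bullet and in the explanatory paragraph matches the other hunks in the commit and changes no meaning.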
@@ -45,13 +45,15 @@ Two built-in roles have the required permissions to access file data by using OA
4545
For information about the built-in roles that support access to file data, see [Access Azure file shares using Microsoft Entra ID with Azure Files OAuth over REST](authorize-oauth-rest.md).
4646

4747
> [!NOTE]
48-
> The **Storage File Data Privileged Contributor** role has permissions to read, write, delete, and modify ACLs/NTFS permissions on files and directories in Azure file shares. Modifying ACLs/NTFS permissions isn't supported via the Azure portal.
48+
> The Storage File Data Privileged Contributor role has permissions to read, write, delete, and modify ACLs/NTFS permissions on files and directories in Azure file shares. Modifying ACLs/NTFS permissions isn't supported via the Azure portal.
4949
5050
Custom roles can support different combinations of the same permissions that the built-in roles provide. For more information, see [Azure custom roles](../../role-based-access-control/custom-roles.md) and [Understand role definitions for Azure resources](../../role-based-access-control/role-definitions.md).
5151

5252
### Use the storage account access key (not recommended)
5353

54-
To access file data by using the storage account access key, you must have an Azure role assigned to you that includes the Azure RBAC action `Microsoft.Storage/storageAccounts/listkeys/action`. This Azure role can be a built-in role or a custom role. Built-in roles that support `Microsoft.Storage/storageAccounts/listkeys/action` include the following, listed in order from least to greatest permissions:
54+
To access file data by using the storage account access key, you must have an Azure role assigned to you that includes the Azure RBAC action `Microsoft.Storage/storageAccounts/listkeys/action`. This Azure role can be built in or custom.
55+
56+
The following built-in roles support `Microsoft.Storage/storageAccounts/listkeys/action`. They're listed in order from least to greatest permissions.
5557

5658
- [Reader and Data Access role](../../role-based-access-control/built-in-roles.md#reader-and-data-access)
5759
- [Storage Account Contributor role](../../role-based-access-control/built-in-roles.md#storage-account-contributor)
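Review bot: the split into "This Azure role can be built in or custom." and "The following built-in roles support ... listed in order from least to greatest permissions." reads well, but the subsection heading "Use the storage account access key (not recommended)" is never justified anywhere in this hunk. Add one sentence before the role list stating why the key path is discouraged, e.g. that the account key is a shared secret that grants access to all data in the account independent of the file-data roles described in the previous section, and that any identity holding a role with `Microsoft.Storage/storageAccounts/listkeys/action` can retrieve it. Without that, the ordered list starting at Reader and Data Access reads as a convenience list rather than what it is: the set of roles that effectively confer full data access.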
@@ -61,11 +63,11 @@ To access file data by using the storage account access key, you must have an Az
6163
When you attempt to access file data in the Azure portal, the portal first checks whether you have a role with `Microsoft.Storage/storageAccounts/listkeys/action`. If you have a role with this action, the portal uses the storage account key for accessing file data. If you don't have a role with this action, the portal attempts to access data by using your Entra account.
6264

6365
> [!IMPORTANT]
64-
> When you lock a storage account by using a Resource Manager `ReadOnly` lock, you can't perform the [List Keys](/rest/api/storagerp/storageaccounts/listkeys) operation for that storage account. **List Keys** is a `POST` operation, and all `POST` operations are prevented when a `ReadOnly` lock is configured for the account.
66+
> When you lock a storage account by using a Resource Manager `ReadOnly` lock, you can't perform the [listKeys](/rest/api/storagerp/storageaccounts/listkeys) operation for that storage account. The `listKeys` operation is a `POST` operation, and all `POST` operations are prevented when a `ReadOnly` lock is configured for the account.
6567
>
6668
> For this reason, when you lock the account by using a `ReadOnly` lock, you must use Entra credentials to access file data in the portal. For information about accessing file data in the Azure portal by using Microsoft Entra ID, see [Use your Microsoft Entra account](#use-your-azure-ad-account).
6769
68-
The classic subscription administrator roles **Service Administrator** and **Co-Administrator** include the equivalent of the Azure Resource Manager [Owner](../../role-based-access-control/built-in-roles.md#owner) role. The **Owner** role includes all actions, including the `Microsoft.Storage/storageAccounts/listkeys/action` action. A user with one of these administrative roles can also access file data by using the storage account key. For more information, see [Azure roles, Microsoft Entra roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md#classic-subscription-administrator-roles).
70+
The classic subscription administrator roles Service Administrator and Co-Administrator include the equivalent of the Azure Resource Manager [Owner](../../role-based-access-control/built-in-roles.md#owner) role. The Owner role includes all actions, including the `Microsoft.Storage/storageAccounts/listkeys/action` action. A user with one of these administrative roles can also access file data by using the storage account key. For more information, see [Azure roles, Microsoft Entra roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md#classic-subscription-administrator-roles).
6971

7072
## Specify how to authorize operations on a specific file share
7173

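Review bot: the unchanged context line "For this reason, when you lock the account by using a `ReadOnly` lock ..." links to `#use-your-azure-ad-account` while the link text reads "Use your Microsoft Entra account"; if the target heading was renamed in the Azure AD to Entra pass, that anchor only resolves if an explicit `<a name='use-your-azure-ad-account'></a>` was kept above the heading (the pattern this commit shows in storage-files-identity-assign-share-level-permissions.md), so verify the target before merging. The `List Keys` to `listKeys` rename in the IMPORTANT block is correct and matches the REST operation name. Separately, the last paragraph describes the classic Service Administrator and Co-Administrator roles in the present tense; classic subscription administrator roles were retired in 2024, so consider whether that paragraph should be reworded as historical or removed in this pass.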
articles/storage/files/authorize-oauth-rest.md

Lines changed: 2 additions & 2 deletions
@@ -78,7 +78,7 @@ These roles are similar to the [Storage File Data SMB Share Reader](../../role-b
7878

7979
- The new roles contain the extra data actions that OAuth access requires.
8080

81-
- When the user, group, or service principal assigned the **Storage File Data Privileged Reader** or **Storage File Data Privileged Contributor** role calls the FileREST data API by using OAuth, the user, group, or the service principal has:
81+
- When the user, group, or service principal assigned the Storage File Data Privileged Reader or Storage File Data Privileged Contributor role calls the FileREST data API by using OAuth, the user, group, or the service principal has:
8282
- **Storage File Data Privileged Reader**: Full read access on all the data in the shares for all the configured storage accounts regardless of the file-level or directory-level NTFS permissions that are set.
8383
- **Storage File Data Privileged Contributor**: Full read, write, modify ACLs, and delete access on all the data in the shares for all the configured storage accounts regardless of the file-level or directory-level NTFS permissions that are set.
8484

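Review bot: de-bolding the role names in the "When the user, group, or service principal assigned ..." line leaves the two sub-bullets directly under it (unchanged context) still bold: `**Storage File Data Privileged Reader**:` and `**Storage File Data Privileged Contributor**:`. If bold is being kept there deliberately as a list label that is defensible, but it is the same two role names two lines apart; pick one treatment so the list does not look half-edited.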
@@ -175,7 +175,7 @@ The [Azure portal](https://portal.azure.com?azure-portal=true) can use either yo
175175

176176
When you attempt to access file data, the Azure portal first checks whether you have an Azure role with `Microsoft.Storage/storageAccounts/listkeys/action`. If you have a role with this action, the Azure portal uses the storage account key for accessing file data via shared key authorization. If you don't have a role with this action, the Azure portal attempts to access data by using your Entra account.
177177

178-
To access file data from the Azure portal by using your Entra account, you need permissions to access file data. You also need permissions to move through the storage account resources in the Azure portal. The built-in Azure roles grant access to file resources, but they don't grant permissions to storage account resources. For this reason, access to the portal also requires assigning an Azure Resource Manager role such as the **Reader** role, scoped to the level of the storage account or higher. The **Reader** role grants the most restrictive permissions, but any Resource Manager role that grants access to storage account management resources is acceptable.
178+
To access file data from the Azure portal by using your Entra account, you need permissions to access file data. You also need permissions to move through the storage account resources in the Azure portal. The built-in Azure roles grant access to file resources, but they don't grant permissions to storage account resources. For this reason, access to the portal also requires assigning an Azure Resource Manager role such as the Reader role, scoped to the level of the storage account or higher. The Reader role grants the most restrictive permissions, but any Resource Manager role that grants access to storage account management resources is acceptable.
179179

180180
When you go to a container, the Azure portal indicates which authorization scheme is in use. For more information about data access in the portal, see [Choose how to authorize access to file data in the Azure portal](authorize-data-operations-portal.md).
181181

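Review bot: the unchanged context line "When you go to a container, the Azure portal indicates which authorization scheme is in use" uses Blob Storage terminology; this article is about Azure Files, so it should read "When you go to a file share". The paragraph immediately above it was just edited, so fix it in the same pass.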
articles/storage/files/storage-files-authorization-overview.md

Lines changed: 1 addition & 1 deletion
@@ -15,7 +15,7 @@ ms.author: kendownie
1515

1616
Regardless of which identity source you choose for [identity-based authentication](storage-files-active-directory-overview.md) on your storage account, you need to configure authorization and access control. Azure Files enforces authorization on user access at both the share level and the directory/file level.
1717

18-
You can assign share-level permissions to Microsoft Entra users or groups that are managed through [Azure RBAC](/azure/role-based-access-control/overview). With Azure RBAC, the credentials that you use for file access should be available or synced to Microsoft Entra ID. You can assign Azure built-in roles like **Storage File Data SMB Share Reader** to users or groups in Microsoft Entra ID to grant access to a file share.
18+
You can assign share-level permissions to Microsoft Entra users or groups that are managed through [Azure RBAC](/azure/role-based-access-control/overview). With Azure RBAC, the credentials that you use for file access should be available or synced to Microsoft Entra ID. You can assign Azure built-in roles like Storage File Data SMB Share Reader to users or groups in Microsoft Entra ID to grant access to a file share.
1919

2020
At the directory and file levels, Azure Files supports preserving, inheriting, and enforcing [Windows ACLs](/windows/win32/secauthz/access-control-lists). You can choose to keep Windows ACLs when you copy data over SMB between your existing file share and your Azure file shares. Whether you plan to enforce authorization or not, you can use Azure Files to back up ACLs along with your data.
2121

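Review bot: "the credentials that you use for file access should be available or synced to Microsoft Entra ID" reads as advice, but the sentence before it says share-level permissions are assigned to Microsoft Entra users or groups, which means the identity has to exist in Microsoft Entra ID for the role assignment to be possible at all. Change "should" to "must" so the requirement is not read as optional.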
articles/storage/files/storage-files-identity-assign-share-level-permissions.md

Lines changed: 2 additions & 2 deletions
@@ -48,7 +48,7 @@ Several built-in Azure role-based access control (RBAC) roles are intended for u
4848
|[Storage File Data SMB Share Elevated Contributor](../../role-based-access-control/built-in-roles.md#storage-file-data-smb-share-elevated-contributor) | Grants read, write, delete, and modify-ACL access on files and directories in Azure Files. This role is similar to a file share ACL of *change* on Windows file servers. |
4949
|[Storage File Data Privileged Contributor](../../role-based-access-control/built-in-roles/storage.md#storage-file-data-privileged-contributor) | Grants read, write, delete, and modify-ACL access in Azure Files by overriding existing ACLs. |
5050
|[Storage File Data Privileged Reader](../../role-based-access-control/built-in-roles/storage.md#storage-file-data-privileged-reader) | Grants read access in Azure Files by overriding existing ACLs. |
51-
|[Storage File Data SMB Admin](../../role-based-access-control/built-in-roles/storage.md#storage-file-data-smb-admin) | Grants admin access equivalent to an storage account key for users over SMB. |
51+
|[Storage File Data SMB Admin](../../role-based-access-control/built-in-roles/storage.md#storage-file-data-smb-admin) | Grants admin access equivalent to a storage account key for users over SMB. |
5252
|[Storage File Data SMB Take Ownership](../../role-based-access-control/built-in-roles/storage.md#storage-file-data-smb-take-ownership) | Allows users to assume ownership of a file/directory. |
5353

5454
<a name='share-level-permissions-for-specific-azure-ad-users-or-groups'></a>
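Review bot: beyond the "an storage" article fix, the Storage File Data SMB Admin row says the role "Grants admin access equivalent to a storage account key for users over SMB", which contradicts storage-files-identity-configure-file-level-permissions.md in this same commit: there the role "doesn't grant the identity direct access to a file or directory" unless the ACL already allows it, and only lets the identity take ownership and then modify the ACL. Reword the cell to describe that capability (take ownership, then modify ACLs) rather than key equivalence; as written, the table implies the role bypasses ACLs the way the two Privileged roles above it do.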
@@ -185,7 +185,7 @@ az storage account update --name $storageAccountName --resource-group $resourceG
185185

186186
You can assign permissions to all authenticated Entra users and to specific Entra users or groups. When you use this configuration, a specific user or group gets the higher-level permission between the default share-level permission and the RBAC assignment.
187187

188-
For example, suppose you grant a user the **Storage File Data SMB Reader** role on the target file share. You also grant the default share-level permission **Storage File Data SMB Share Elevated Contributor** to all authenticated users. With this configuration, that particular user has **Storage File Data SMB Share Elevated Contributor** access to the file share. Higher-level permissions always take precedence.
188+
For example, suppose you grant a user the Storage File Data SMB Reader role on the target file share. You also grant the default share-level permission Storage File Data SMB Share Elevated Contributor to all authenticated users. With this configuration, that particular user has Storage File Data SMB Share Elevated Contributor access to the file share. Higher-level permissions always take precedence.
189189

190190
## Understanding group-based access for non-synced users
191191

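Review bot: "Storage File Data SMB Reader" is not a built-in role name; the role is "Storage File Data SMB Share Reader" (as written in storage-files-authorization-overview.md in this commit and in the role table earlier in this file). This example is the one place a reader checks which role loses to the default share-level permission, so the name should be exact.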
articles/storage/files/storage-files-identity-configure-file-level-permissions.md

Lines changed: 2 additions & 2 deletions
@@ -26,7 +26,7 @@ Before you can configure Windows ACLs, you need to mount the file share with adm
2626
2727
## How Azure RBAC and Windows ACLs work together
2828

29-
Whereas share-level permissions (RBAC) act as a high-level gatekeeper that determines whether a user can access the share, Windows ACLs (NTFS permissions) operate at a more granular level to control what operations the user can do at the directory or file level. You can set Windows ACLs at the root, directory, or file level.
29+
Share-level permissions (RBAC) act as a high-level gatekeeper that determines whether a user can access the share. Windows ACLs (NTFS permissions) operate at a more granular level to control what operations the user can do at the directory or file level. You can set Windows ACLs at the root, directory, or file level.
3030

3131
When a user tries to access a file or directory, both share-level and file/directory-level permissions are enforced. If there's a difference between either of them, only the most restrictive one applies.
3232

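Review bot: the sentence split is an improvement, but the unchanged line right after it, "If there's a difference between either of them, only the most restrictive one applies", is still awkward ("between either of them") and can be tightened in the same pass to "If the two differ, the more restrictive one applies."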
@@ -85,7 +85,7 @@ If a user has the **Full Control** ACL and the [Storage File Data SMB Share Elev
8585

8686
Use the Windows permission model for SMB admin instead of the storage account key. This feature enables you to assign the built-in RBAC role [Storage File Data SMB Admin](/azure/role-based-access-control/built-in-roles/storage#storage-file-data-smb-admin) to users, so they can take ownership of a file or directory to configure ACLs.
8787

88-
The Storage File Data SMB Admin RBAC role doesn't grant the identity direct access to a file or directory if the identity isn't granted the proper permission (such as Modify or Full Control) in the target file's or directory's ACL. However, the identity with the Storage File Data SMB Admin RBAC role can take ownership of the target file or directory by using the Windows [takeown](/windows-server/administration/windows-commands/takeown) command, and then modify the ACL to grant proper access permissions.
88+
The Storage File Data SMB Admin RBAC role doesn't grant the identity direct access to a file or directory if the identity isn't granted the proper permission (such as Modify or Full Control) in the target file's or directory's ACL. However, the identity with the Storage File Data SMB Admin RBAC role can take ownership of the target file or directory by using the Windows [`takeown`](/windows-server/administration/windows-commands/takeown) command, and then modify the ACL to grant proper access permissions.
8989

9090
The Storage File Data SMB Admin RBAC role includes the following three data actions:
9191

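Review bot: formatting `takeown` as code is right; in the same sentence "Modify or Full Control" stays plain while the hunk's context header shows "**Full Control** ACL" in bold, so ACL permission names are now styled two ways within a few lines. Pick one convention for Windows permission names, separate from the role-name de-bolding this commit is doing.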