add user assigned MI to Windows flow

khdownie · khdownie · commit 951e719df687 · 2026-03-17T13:00:07.000-07:00
diff --git a/articles/storage/files/files-managed-identities.md b/articles/storage/files/files-managed-identities.md
@@ -4,7 +4,7 @@ description: This article explains how you can authenticate managed identities t
 author: khdownie
 ms.service: azure-file-storage
 ms.topic: how-to
-ms.date: 03/16/2026
+ms.date: 03/17/2026
 ms.author: kendownie
 ms.custom:
   - devx-track-azurepowershell
@@ -155,14 +155,24 @@ The enablement steps described here are for Azure VMs. If you want to enable a m
 
 ### Enable managed identity on an Azure VM
 
-Follow these steps to enable a managed identity on a Windows VM running in Azure.
+The managed identity can be either [system assigned or user assigned](/entra/identity/managed-identities-azure-resources/overview#differences-between-system-assigned-and-user-assigned-managed-identities). If the VM has both system assigned and user assigned managed identities, Azure defaults to system assigned. Assign only one for best results.
+
+#### Enable a system assigned managed identity
+
+Follow these steps to enable a system assigned managed identity on a Windows VM running in Azure.
 
 1. Sign in to the Azure portal and create a Windows VM. Your VM must run Windows Server 2019 or higher for server versions, or any Windows client version. See [Create a Windows virtual machine in the Azure portal](/azure/virtual-machines/windows/quick-create-portal).
 
-1. Enable a managed identity on the VM. It can be either [system assigned or user assigned](/entra/identity/managed-identities-azure-resources/overview#differences-between-system-assigned-and-user-assigned-managed-identities). If the VM has both system assigned and user assigned identities, Azure defaults to system assigned. Assign only one for best results. You can enable a system assigned managed identity during VM creation on the **Management** tab.
+1. You can enable a system assigned managed identity during VM creation on the **Management** tab.
 
     :::image type="content" source="media/managed-identities/enable-system-assigned-managed-identity.png" alt-text="Screenshot showing how to enable system assigned managed identity when creating a new VM using the Azure portal." border="true":::
 
+#### Enable a user assigned managed identity
+
+1. Sign in to the Azure portal and follow the steps to [create a user assigned managed identity](/entra/identity/managed-identities-azure-resources/manage-user-assigned-managed-identities-azure-portal#create-a-user-assigned-managed-identity).
+
+1. Go to the user assigned managed identity you just created and copy the **Client ID**. You need this value later when you add the managed identity to your VM.
+
 ### Assign a built-in RBAC role to the managed identity or application identity
 
 After you enable a managed identity, grant all necessary permissions through Azure RBAC. To assign roles, sign in as a user with role assignment write permission at the scope where you want to assign the role.
@@ -185,6 +195,13 @@ Follow these steps to assign the built-in Azure RBAC role [Storage File Data SMB
 
 1. Select **Review + assign** to add the role assignment to the storage account.
 
+### Add user assigned managed identity to VM
+
+If you created a user assigned managed identity, follow these steps to add it to your VM.
+
+1. Go to your VM. From the service menu, under **Security**, select **Identity**.
+
+1. Select the **User assigned** tab, and then select **Add user assigned managed identity**. Select the managed identity you created, and then select **Add**.
 
 ### [Linux](#tab/linux)
 
@@ -206,7 +223,7 @@ The managed identity can be either [system assigned or user assigned](/entra/ide
 
 1. Sign in to the Azure portal and follow the steps to [create a user assigned managed identity](/entra/identity/managed-identities-azure-resources/manage-user-assigned-managed-identities-azure-portal#create-a-user-assigned-managed-identity).
 
-1. Go to the user assigned managed identity you just created and copy the **Client ID**. You need this value later.
+1. Go to the user assigned managed identity you just created and copy the **Client ID**. You need this value later when you add the managed identity to your VM.
 
 ### Assign a built-in RBAC role to the managed identity
 
