articles/storage/files/authorize-data-operations-portal.md (26 additions, 15 deletions)
@@ -1,5 +1,5 @@
1
1
---
2
-
title: Authorize Access to Azure File Share Data in the Azure portal
2
+
title: Authorize Access to Azure File Share Data in the Azure Portal
3
3
description: When you access file data using the Azure portal, the portal makes requests to Azure Files behind the scenes. These requests can be authenticated and authorized using either your Microsoft Entra account or the storage account access key.
4
4
author: khdownie
5
5
ms.service: azure-file-storage
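Review bot: the title change to "Azure Portal" (capital P) conflicts with the H1 and body text in this same file, which keep "Azure portal"; the product name is "Azure portal" with a lowercase p, and "portal" is not part of the brand even in a title-cased metadata title. Suggest reverting the line to `title: Authorize Access to Azure File Share Data in the Azure portal` so the title, H1 and body agree.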
@@ -9,19 +9,20 @@ ms.author: kendownie
9
9
# Customer intent: "As a cloud administrator, I want to configure authorization access for Azure file share data so that I can securely manage user permissions and control data access through the Azure portal."
10
10
---
11
11
12
-
# Choose how to authorize access to file data in the Azure portal
12
+
# Authorize access to file data in the Azure portal
13
13
14
14
**Applies to:**:heavy_check_mark: SMB file shares
15
15
16
-
When you access file data by using the [Azure portal](https://portal.azure.com?azure-portal=true), the portal makes requests to the Azure Files service behind the scenes. You can authorize these requests by using either your Microsoft Entra account (preferred) or the storage account access key (less secure). The portal shows which method you're using and enables you to switch between the two methods if you have the appropriate permissions. By default, the portal uses whichever method you're already using to authorize all file shares, but you can change this setting for individual file share operations.
16
+
When you access file data by using the [Azure portal](https://portal.azure.com?azure-portal=true), the portal makes requests to the Azure Files service behind the scenes. You can authorize these requests by using either your Microsoft Entra account (preferred) or the storage account access key (less secure).
17
17
18
-
> [!IMPORTANT]
19
-
> This article explains how to authorize access to file data in the Azure portal. It doesn't cover how to set up identity-based authentication to file shares for end users. To learn about identity-based authentication, see [Overview of Azure Files identity-based authentication](storage-files-active-directory-overview.md).
18
+
The portal shows which method you're using and enables you to switch between the two methods if you have the appropriate permissions. By default, the portal uses whichever method you're already using to authorize all file shares, but you can change this setting for individual file share operations.
19
+
20
+
This article explains how to authorize access to file data in the Azure portal. It doesn't cover how to set up identity-based authentication to file shares for end users. To learn about identity-based authentication, see [Overview of Azure Files identity-based authentication](storage-files-active-directory-overview.md).
20
21
21
22
> [!WARNING]
22
23
> Accessing a file share by using storage account keys has inherent security risks. Always authenticate by using Microsoft Entra when possible. For information on how to protect and manage your keys, see [Manage storage account access keys](../common/storage-account-keys-manage.md).
23
24
24
-
## Permissions needed to access file data
25
+
## Get permissions to access file data
25
26
26
27
Depending on how you want to authorize access to file data in the Azure portal, you need specific permissions. In most cases, you get these permissions through [Azure role-based access control (Azure RBAC)](../../role-based-access-control/overview.md).
27
28
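Review bot: the new heading "Get permissions to access file data" reads as a how-to for obtaining permissions, but the section that follows ("Depending on how you want to authorize access ... you need specific permissions") describes which permissions are required, not how to request them; "Permissions required to access file data" keeps the meaning without implying a task. In the same hunk, the sentence "By default, the portal uses whichever method you're already using to authorize all file shares, but you can change this setting for individual file share operations" is ambiguous about what "all file shares" refers to; "the portal applies the method you're currently using to every file share, and you can change it per file share" says the same thing more plainly. Splitting the IMPORTANT callout into a body paragraph is fine, since the WARNING about account keys directly below still carries the security caveat. While here, the unchanged context line `**Applies to:**:heavy_check_mark:` is missing a space after the colon.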
@@ -37,6 +38,7 @@ To access file data from the Azure portal by using your Entra account, both of t
37
38
The Azure Resource Manager **Reader** role permits users to view storage account resources, but not modify them. It doesn't provide read permissions to data in Azure Storage, but only to account management resources. The **Reader** role is necessary so that users can navigate to file shares in the Azure portal.
38
39
39
40
Two built-in roles have the required permissions to access file data by using OAuth:
41
+
40
42
-[Storage File Data Privileged Reader](../../role-based-access-control/built-in-roles.md#storage-file-data-privileged-reader)
41
43
-[Storage File Data Privileged Contributor](../../role-based-access-control/built-in-roles.md#storage-file-data-privileged-contributor)
42
44
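Review bot: the lead-in "Two built-in roles have the required permissions to access file data by using OAuth:" is the only place in this article that says "OAuth"; everywhere else the same option is called "your Microsoft Entra account". Since this hunk already touches the spacing before the list, consider "by using your Microsoft Entra account (OAuth)" so readers connect the Storage File Data Privileged Reader and Privileged Contributor roles to the Entra option described above. The added blank line before the list is correct and needed for the markdown list to render.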
@@ -61,20 +63,25 @@ When you attempt to access file data in the Azure portal, the portal first check
61
63
> [!IMPORTANT]
62
64
> When you lock a storage account by using a Resource Manager **ReadOnly** lock, you can't perform the [List Keys](/rest/api/storagerp/storageaccounts/listkeys) operation for that storage account. **List Keys** is a POST operation, and all POST operations are prevented when a **ReadOnly** lock is configured for the account. For this reason, when you lock the account by using a **ReadOnly** lock, you must use Entra credentials to access file data in the portal. For information about accessing file data in the Azure portal by using Microsoft Entra ID, see [Use your Microsoft Entra account](#use-your-azure-ad-account).
63
65
64
-
> [!NOTE]
65
-
> The classic subscription administrator roles **Service Administrator** and **Co-Administrator** include the equivalent of the Azure Resource Manager [Owner](../../role-based-access-control/built-in-roles.md#owner) role. The **Owner** role includes all actions, including the **Microsoft.Storage/storageAccounts/listkeys/action** action, so a user with one of these administrative roles can also access file data by using the storage account key. For more information, see [Azure roles, Microsoft Entra roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md#classic-subscription-administrator-roles).
66
+
The classic subscription administrator roles **Service Administrator** and **Co-Administrator** include the equivalent of the Azure Resource Manager [Owner](../../role-based-access-control/built-in-roles.md#owner) role. The **Owner** role includes all actions, including the **Microsoft.Storage/storageAccounts/listkeys/action** action, so a user with one of these administrative roles can also access file data by using the storage account key. For more information, see [Azure roles, Microsoft Entra roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md#classic-subscription-administrator-roles).
66
67
67
68
## Specify how to authorize operations on a specific file share
68
69
69
70
You can change the authentication method for individual file shares. By default, the portal uses the current authentication method. To determine the current authentication method, follow these steps.
70
71
71
-
1. Go to your storage account in the Azure portal.
72
-
1. In the service menu, under **Data storage**, select **File shares**.
72
+
1. In the Azure portal, go to your storage account.
73
+
74
+
1. On the service menu, under **Data storage**, select **File shares**.
75
+
73
76
1. Select a file share.
77
+
74
78
1. Select **Browse**.
75
-
1. The **Authentication method** shows whether you're currently using the storage account access key or your Entra account to authenticate and authorize file share operations. If you're currently authenticating by using the storage account access key, you see **Access Key** specified as the authentication method, as in the following image. If you're authenticating by using your Entra account, you see **Microsoft Entra user account** specified instead.
76
79
77
-
:::image type="content" source="media/authorize-data-operations-portal/auth-method-access-key.png" alt-text="Screenshot showing the authentication method set to access key.":::
80
+
1. The **Authentication method** shows whether you're currently using the storage account access key or your Entra account to authenticate and authorize file share operations.
81
+
82
+
If you're currently authenticating by using the storage account access key, **Access Key** is specified as the authentication method, as shown in the following image. If you're authenticating by using your Entra account, **Microsoft Entra user account** is specified instead.
83
+
84
+
:::image type="content" source="media/authorize-data-operations-portal/auth-method-access-key.png" alt-text="Screenshot that shows the authentication method set to access key.":::
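Review bot: the continuation paragraph "If you're currently authenticating by using the storage account access key ..." and the image after it are split out of the last step but appear unindented; in markdown they need to be indented under the `1.` item (three spaces), otherwise the numbered list ends there and the step numbering is lost for anything that follows. Two more points in this hunk's context: the IMPORTANT block links to `#use-your-azure-ad-account` while its link text reads "Use your Microsoft Entra account", so confirm the heading anchor in this file still matches or the in-page link will be dead; and demoting the Service Administrator/Co-Administrator NOTE to body text is fine, but it is the one place that explains that **Owner** carries `Microsoft.Storage/storageAccounts/listkeys/action` and therefore key-based data access, so keep it directly under the ReadOnly-lock IMPORTANT as it is now rather than letting it drift further from that discussion.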
@@ -83,6 +90,7 @@ You can change the authentication method for individual file shares. By default,
83
90
To switch to using your Entra account, select the link highlighted in the image that says **Switch to Microsoft Entra user account**. If you have the appropriate permissions through the Azure roles that are assigned to you, you can proceed. However, if you lack the necessary permissions, you see an error message that you don't have permissions to list the data by using your user account with Entra ID.
84
91
85
92
Two additional RBAC permissions are required to use your Entra account:
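Review bot: the error description "you don't have permissions to list the data by using your user account with Entra ID" is unclear about what actually fails; suggest "an error stating that your Microsoft Entra account doesn't have permission to list the share's data", and use the full product name "Microsoft Entra ID" here since the sentence is the first use in this section (the hunk only adds a blank line, but the wording sits in its context).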
@@ -102,20 +110,23 @@ When you create a new storage account, you can specify that the Azure portal def
102
110
103
111
To specify that the portal uses Entra authorization by default for data access when you create a storage account, follow these steps:
104
112
105
-
1. Create a new storage account, following the instructions in [Create a storage account](../common/storage-account-create.md).
113
+
1. Create a new storage account by following the instructions in [Create an Azure storage account](../common/storage-account-create.md).
114
+
106
115
1. On the **Advanced** tab, in the **Security** section, check the box next to **Default to Microsoft Entra authorization in the Azure portal**.
107
116
108
-
:::image type="content" source="media/authorize-data-operations-portal/default-auth-account-create-portal.png" alt-text="Screenshot showing how to configure default Microsoft Entra authorization in Azure portal for new account.":::
117
+
:::image type="content" source="media/authorize-data-operations-portal/default-auth-account-create-portal.png" alt-text="Screenshot that shows how to configure default Microsoft Entra authorization in Azure portal for new account.":::
109
118
110
119
1. Select **Review + create** to run validation and create the storage account.
111
120
112
121
To update this setting for an existing storage account, follow these steps:
113
122
114
123
1. Go to the storage account overview in the Azure portal.
124
+
115
125
1. Under **Settings**, select **Configuration**.
126
+
116
127
1. Set **Default to Microsoft Entra authorization in the Azure portal** to **Enabled**.
117
128
118
-
## See also
129
+
## Related content
119
130
120
131
-[Access Azure file shares using Microsoft Entra ID with Azure Files OAuth over REST](authorize-oauth-rest.md)
121
132
-[Authorize access to data in Azure Storage](../common/authorize-data-access.md)
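Review bot: the existing-account procedure stops at "Set **Default to Microsoft Entra authorization in the Azure portal** to **Enabled**" with no step to select **Save**; the Configuration page doesn't apply the change until it is saved, so add a final numbered step. Also consider a one-line caveat after either procedure: this setting only changes which method the portal picks by default; it does not disable storage account key access, which anyone holding the `listkeys` action can still use (as this article says in the paragraph on the classic administrator roles), so it should be paired with the key-management guidance linked from the WARNING rather than presented as a way to turn key access off.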
articles/storage/files/storage-files-authorization-overview.md (7 additions, 9 deletions)
@@ -15,19 +15,19 @@ ms.author: kendownie
15
15
16
16
Regardless of which identity source you choose for [identity-based authentication](storage-files-active-directory-overview.md) on your storage account, you need to configure authorization and access control. Azure Files enforces authorization on user access at both the share level and the directory/file level.
17
17
18
-
You can assign share-level permissions to Microsoft Entra users or groups that are managed through [Azure RBAC](/azure/role-based-access-control/overview). With Azure RBAC, the credentials you use for file access should be available or synced to Microsoft Entra ID. You can assign Azure built-in roles like **Storage File Data SMB Share Reader** to users or groups in Microsoft Entra ID to grant access to a file share.
18
+
You can assign share-level permissions to Microsoft Entra users or groups that are managed through [Azure RBAC](/azure/role-based-access-control/overview). With Azure RBAC, the credentials that you use for file access should be available or synced to Microsoft Entra ID. You can assign Azure built-in roles like **Storage File Data SMB Share Reader** to users or groups in Microsoft Entra ID to grant access to a file share.
19
19
20
-
At the directory and file level, Azure Files supports preserving, inheriting, and enforcing [Windows ACLs](/windows/win32/secauthz/access-control-lists). You can choose to keep Windows ACLs when copying data over SMB between your existing file share and your Azure file shares. Whether you plan to enforce authorization or not, you can use Azure Files to back up ACLs along with your data.
20
+
At the directory and file levels, Azure Files supports preserving, inheriting, and enforcing [Windows ACLs](/windows/win32/secauthz/access-control-lists). You can choose to keep Windows ACLs when you copy data over SMB between your existing file share and your Azure file shares. Whether you plan to enforce authorization or not, you can use Azure Files to back up ACLs along with your data.
21
21
22
22
## Configure share-level permissions
23
23
24
-
After you enable an identity source on your storage account, you must do one of the following to access the file share:
24
+
After you enable an identity source on your storage account, you must do one of the following tasks to access the file share:
25
25
26
26
- Set a [default share-level permission](storage-files-identity-assign-share-level-permissions.md#share-level-permissions-for-all-authenticated-identities) that applies to all authenticated users and groups.
27
27
- Assign built-in Azure RBAC roles to users and groups.
28
28
- Configure custom roles for Entra identities and assign access rights to file shares in your storage account.
29
29
30
-
The assigned share-level permission grants the identity access to the share only, nothing else, not even the root directory. You still need to separately configure directory and file-level permissions.
30
+
The assigned share-level permission grants the identity access to the share only and nothing else, not even the root directory. You still need to separately configure directory and file-level permissions.
31
31
32
32
For more information, see [Assign share-level permissions](storage-files-identity-assign-share-level-permissions.md).
33
33
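Review bot: "grants the identity access to the share only and nothing else, not even the root directory" stacks three negations; suggest "grants the identity access to the share itself and nothing below it, not even the root directory; you still need to configure directory and file-level permissions separately". In the same hunk's context, the bullet "Configure custom roles for Entra identities" should read "Microsoft Entra identities" to match the paragraph above it, which uses the full product name.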
@@ -36,17 +36,15 @@ For more information, see [Assign share-level permissions](storage-files-identit
36
36
37
37
## Configure directory and file-level permissions
38
38
39
-
Azure Files enforces standard Windows ACLs at both the directory and file level, including the root directory. You can configure directory or file-level permissions over both SMB and REST.
39
+
Azure Files enforces standard Windows ACLs at both the directory and file levels, including the root directory. You can configure directory or file-level permissions over both SMB and REST.
40
40
41
41
For more information, see [Configure directory and file-level permissions](storage-files-identity-configure-file-level-permissions.md).
42
42
43
43
### Preserve directory and file ACLs when importing data to Azure Files
44
44
45
-
Azure Files supports preserving directory or file-level ACLs when copying data to Azure file shares. You can copy ACLs on a directory or file to Azure file shares by using either Azure File Sync or common filemovement toolsets. For example, you can use [robocopy](/windows-server/administration/windows-commands/robocopy) with the `/copy:s` flag to copy data as well as ACLs to an Azure file share. ACLs are preserved by default, so you don't need to enable identity-based authentication on your storage account to preserve ACLs.
45
+
Azure Files supports preserving directory or file-level ACLs when you copy data to Azure file shares. You can copy ACLs on a directory or file to Azure file shares by using either Azure File Sync or common file-movement toolsets. For example, you can use [robocopy](/windows-server/administration/windows-commands/robocopy) with the `/copy:s` flag to copy data and ACLs to an Azure file share. ACLs are preserved by default, so you don't need to enable identity-based authentication on your storage account to preserve ACLs.
46
46
47
-
## Next step
48
-
49
-
For more information, see:
47
+
## Related content
50
48
51
49
-[Assign share-level permissions for Azure file shares](storage-files-identity-assign-share-level-permissions.md)
52
50
-[Configure directory and file-level permissions for Azure file shares](storage-files-identity-configure-file-level-permissions.md)
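Review bot: the robocopy sentence is wrong about what `/copy:s` does: the `S` copy flag copies only the security descriptor (the NTFS ACL), not file data. Robocopy's default is `/copy:DAT` (data, attributes, timestamps), so to copy data together with ACLs the flag is `/copy:DATS` (or the shorthand `/sec`); as written, a reader running `/copy:s` alone would get ACLs but no content. The next sentence, "ACLs are preserved by default", also contradicts needing a flag at all; reword along the lines of "Azure Files stores the ACLs your copy tool transfers; you don't need to enable identity-based authentication on the storage account for them to be preserved" so the two sentences agree.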