fix enable NSP

EdB-MSFT · EdB-MSFT · commit b512d3853f2b · 2026-02-08T14:18:31.000+02:00
diff --git a/articles/sentinel/TOC.yml b/articles/sentinel/TOC.yml
@@ -752,6 +752,8 @@
           href: cisco-ftd-firewall.md
         - name: Google Cloud Platform connectors
           href: connect-google-cloud-platform.md
+        - name: Azure Storage Blob connector
+          href: setup-azure-storage-connector.md
         - name: Microsoft Entra
           href: connect-azure-active-directory.md
         - name: Azure Stack VMs
@@ -1021,6 +1023,12 @@
           href: data-connector-connection-rules-reference.md
         - name: GCP data connectors API reference
           href: data-connection-rules-reference-gcp.md
+        - name: Azure Storage Blob data connector reference
+          href: data-connection-rules-reference-azure-storage.md
+        - name: Troubleshoot Azure Storage Blob connector issues
+          href: azure-storage-blob-connector-troubleshoot.md  
+        - name: AWS data connectors API reference
+          href: data-connection-rules-reference-aws.md  
         - name: Sample API requests for creating Data Collection Rules (DCRs)
           href: api-dcr-reference.md
         - name: Microsoft Purview Information Protection reference
diff --git a/articles/sentinel/enable-storage-network-security.md b/articles/sentinel/enable-storage-network-security.md
@@ -4,33 +4,31 @@ description: Learn how to enable network security for Azure Storage connector re
 author: EdB-MSFT
 ms.author: edbaynash
 ms.reviewer: edbaynash
-ms.date: 02/05/2026
+ms.date: 02/08/2026
 ms.topic: how-to
 ms.service: microsoft-sentinel
-
 #customer intent: As a security engineer, I want to configure a Network Security Perimeter for storage accounts used in storage blob connectors
-
 ---
 
 # Enable network security on connector integrated storage resources
 
-This article provides step-by-step instructions on how to enable network security on the storage resources integrated with your Azure Storage connector. Azure network security perimeter (NSP) is an Azure-native feature that creates a logical isolation boundary for your PaaS resources. By associating resources like storage accounts or databases with an NSP, you can centrally manage network access using a simplified rule set – reference network security perimeters documentation (/azure/private-link/network-security-perimeter-concepts). 
+This article provides step-by-step instructions on how to enable network security on the storage resources integrated with your Azure Storage connector. Azure network security perimeter (NSP) is an Azure-native feature that creates a logical isolation boundary for your PaaS resources. By associating resources like storage accounts or databases with an NSP, you can centrally manage network access using a simplified rule set. For more information, see [Network security perimeter concepts](/azure/private-link/network-security-perimeter-concepts).
 
 
 ## Prerequisites
 
-Before Enable network security you must create your connector resources. See  [Set up your Azure Storage Connector to stream logs to Microsoft Sentinel](setup-azure-storage-connector.md) including an Event Grid System Topic used to stream blob creation events to the Azure Storage queue. 
+Before enabling network security, create your connector resources. See [Set up your Azure Storage Connector to stream logs to Microsoft Sentinel](setup-azure-storage-connector.md), including the Event Grid system topic used to stream blob creation events to the Azure Storage queue.
 
 To complete this setup, ensure you have the following permissions:
 
-- Subscription-level Owner or Contributor to create Security Perimeter resources.
--  Storage Account Contributor to associate the storage account with the NSP.
--  Storage Account User Access Administrator or Owner to assign RBAC roles to the Event Grid managed identity.
--  Event Grid Contributor to enable managed identity and manage event subscriptions.
+- Subscription Owner or Contributor to create network security perimeter resources.
+- Storage Account Contributor to associate the storage account with the NSP.
+- Storage Account User Access Administrator or Owner to assign RBAC roles to the Event Grid managed identity.
+- Event Grid Contributor to enable managed identity and manage event subscriptions.
 
 ## Enable Network Security
 
-To enable network security on the storage resources integrated with your Azure Storage connector, you need to create a Network Security Perimeter (NSP) and associate the storage account with it. Then configure the necessary rules to allow traffic from Event Grid and other relevant sources while blocking unauthorized access. Use the following steps to complete the configuration.
+To enable network security on the storage resources integrated with your Azure Storage connector, create a Network Security Perimeter (NSP), associate the storage account with it, and configure the rules to allow traffic from Event Grid and other required sources while blocking unauthorized access. Use the following steps to complete the configuration.
 
 ### Create a Network Security Perimeter
 1. In the Azure portal, search for *Network Security Perimeters*
@@ -45,13 +43,13 @@ To enable network security on the storage resources integrated with your Azure S
    :::image type="content" source="./media/enable-storage-network-security/create-network-security-perimeter.png" lightbox="./media/enable-storage-network-security/create-network-security-perimeter.png" alt-text="A screenshot showing the creation of a Network Security Perimeter in the Azure portal.":::
 
 ### Associate the Storage Account with the Network Security Perimeter
-1. Open your newly created Network Security Perimeter resource
+1. Open your newly created Network Security Perimeter resource in the Azure portal.
 
 1. Select **Profiles**, then select the profile name you used when creating the NSP resource.
 1. Select **Associated resources**.
 1. Select **Add**.
 1. Search for and add your storage account, then select **Select**.
-1. Select **Associate**. 
+1. Select **Associate**.
 
 The access mode is set to **Transition** by default, allowing you to validate the configuration before enforcing restrictions.
 
@@ -68,8 +66,7 @@ The access mode is set to **Transition** by default, allowing you to validate th
 1. Select **Identity**.
 
 1. On the **System assigned** tab, set the **Status** to **On**.
-1. Select **Save**.
-1. After saving, copy the **Object ID** of the managed identity for later use.
+1. Select **Save**, then copy the **Object ID** of the managed identity for later use.
 
    :::image type="content" source="./media/enable-storage-network-security/create-system-assigned-identity.png" lightbox="./media/enable-storage-network-security/create-system-assigned-identity.png" alt-text="A screenshot showing the creation of a managed identity for an Event Grid System Topic in the Azure portal.":::
 
@@ -80,30 +77,30 @@ The access mode is set to **Transition** by default, allowing you to validate th
 
 1. Select **Access Control (IAM)**.
 1. Select **Add**.
-1. Search for and select the *Storage Queue Data Message Sender* role.
+1. Search for and select the **Storage Queue Data Message Sender** role (scope: the storage account).
 1. Select the **Members** tab and then **Select members**.
-1. In the **Select members** pane, paste the Object ID for the Event Grid system topic managed identity created in the previous step
-1. Select the managed identity and then click **Select**
-1. Select **Review + assign** to complete the role assignment   
+1. In the **Select members** pane, paste the Object ID for the Event Grid system topic managed identity created in the previous step.
+1. Select the managed identity and then select **Select**.
+1. Select **Review + assign** to complete the role assignment.
    :::image type="content" source="./media/enable-storage-network-security/add-role-assignment.png" lightbox="./media/enable-storage-network-security/add-role-assignment.png" alt-text="A screenshot showing the assignment of the Storage Queue Data Message Sender role to a managed identity in the Azure portal.":::
 
 
 ### Enable Managed Identity on the event subscription
 
 1. Open the **Event Grid System Topic**.
 
-1. Select the event subscription targeting the queue.
+1. Select the event subscription that targets the queue.
 1. Select the **Additional settings** tab.
 1. Set **Managed identity type** to **System-assigned**.
 1. Select **Save**.
-1. Review the Event Grid subscriptions metrics to validate messages are still successfully published to the storage queue after this update.
+1. Review the Event Grid subscription metrics to validate messages are successfully published to the storage queue after this update.
 
 :::image type="content" source="./media/enable-storage-network-security/set-additional-features.png" lightbox="./media/enable-storage-network-security/set-additional-features.png" alt-text="A screenshot showing the enabling of managed identity for an Event Grid subscription in the Azure portal.":::
 
 
 ### Configure Inbound Access rules on the Network Security Perimeter profile
 
-The following rules are required to allow Event Grid to deliver messages to the storage account while blocking unauthorized access. Depending on the system sending data to the storage account or accessing the storage resources, you may need to add additional inbound rules. Review your scenario and traffic patterns to safely apply the necessary rules.
+The following rules are required to allow Event Grid to deliver messages to the storage account while blocking unauthorized access. Depending on the system sending data to the storage account or accessing the storage resources, you may need to add additional inbound rules. Review your scenario and traffic patterns to safely apply the necessary rules, and allow time for rule propagation.
 
 #### Rule 1: Allow the Subscription (Event Grid Delivery)
 
@@ -125,7 +122,7 @@ Event Grid delivery doesn't originate from fixed public IPs. The NSP validates d
    :::image type="content" source="./media/enable-storage-network-security/add-inbound-rule.png" lightbox="./media/enable-storage-network-security/add-inbound-rule.png" alt-text="A screenshot showing the creation of an inbound access rule to allow a subscription in the Azure portal.":::
 
 > [!NOTE]
-> Rules can take a few of minutes to appear in the list after creation.
+> Rules can take a few minutes to appear in the list after creation.
 
 
 #### Rule 2: Allow Scuba service IP ranges
@@ -135,15 +132,15 @@ Event Grid delivery doesn't originate from fixed public IPs. The NSP validates d
 
 1. Enter a **Rule name**, for example `Allow-Scuba`.
 1. Select **IP address ranges** from the **Source type** drop-down.
-1. Open the [service tag download](/azure/virtual-network/service-tags-overview#discover-service-tags-by-using-downloadable-json-files) page. 
-1. Select your cloud, for example **Azure Public** .
+1. Open the [service tag download](/azure/virtual-network/service-tags-overview#discover-service-tags-by-using-downloadable-json-files) page.
+1. Select your cloud, for example **Azure Public**.
 1. Select the **Download** button and open the downloaded file to get the list of IP ranges.
 1. Find the `Scuba` service tag and copy the associated IPv4 ranges.
 1. Paste the IPv4 ranges into the **Allowed Sources** field after removing any quotes and trailing commas.
 1. Select **Add** to create the rule.
 
    > [!IMPORTANT]
-   > Remove the quotes from the IP ranges and ensure that there's no trailing comma on the last entry before pasting them into the **Allowed Sources** field.
+   > Remove the quotes from the IP ranges and ensure that there's no trailing comma on the last entry before pasting them into the **Allowed Sources** field. Service tag ranges update over time; refresh regularly to keep rules current.
 
    :::image type="content" source="./media/enable-storage-network-security/scuba-ipv4-addresses.png" lightbox="./media/enable-storage-network-security/scuba-ipv4-addresses.png" alt-text="A screenshot showing a part of the ServiceTags_Public.json file with the Scuba service tag and IPv4 ranges highlighted.":::
 
@@ -154,39 +151,42 @@ After configuring the rules, monitor the diagnostic logs for the Network Securit
 
 #### Transition mode
 
-Consider enabling network security perimeters diagnostic logs to review collected telemetry to validate communication patterns before enforcement. For more information, see [Diagnostic logs for Network Security Perimeter](/azure/private-link/network-security-perimeter-diagnostic-logs)
+Enable Network Security Perimeter diagnostic logs and review collected telemetry to validate communication patterns before enforcement. For more information, see [Diagnostic logs for Network Security Perimeter](/azure/private-link/network-security-perimeter-diagnostic-logs).
 
 #### Apply Enforcement mode
 
-Once validation is successful set the access mode to **Enforced** as follows:
+Once validation is successful, set the access mode to **Enforced** as follows:
 1. From the Network Security Perimeter page, under **Settings**, select **Associated resources**.
 
 1. Select the storage account.
 1. Select **Change access mode**.
 1. Select **Enforced** and then **Save**.
 
-   :::image type="content" source="./media/enable-storage-network-security/change-access-mode.png" lightbox="./media/enable-storage-network-security/change-access-mode.png" alt-text="A screenshot showing how to change the access mode of a storage account associated with a Network Security Perimeter in the Azure portal." :::
+   :::image type="content" source="./media/enable-storage-network-security/change-access-mode.png" lightbox="./media/enable-storage-network-security/change-access-mode.png" alt-text="A screenshot showing how to change the access mode of a storage account associated with a Network Security Perimeter in the Azure portal.":::
 
 ### Post-enforcement validation
 
-Following enforcement, monitor the environment closely for any blocked traffic that may indicate misconfigurations. You can validate the Event Grid configuration isn't impacted by the new network settings by reviewing the Event Grid system topic subscriptions metrics. 
+Following enforcement, monitor the environment closely for any blocked traffic that may indicate misconfigurations. Validate the Event Grid configuration isn't impacted by reviewing the Event Grid system topic subscription metrics.
 
-Use the diagnostic logs to investigate and resolve any issues that arise. Review the metrics on the storage account and Event Grid to validate for any errors. Roll back to Transition Mode if you experience any disruption and repeat investigation using the diagnostic logs.
+Use the diagnostic logs to investigate and resolve any issues that arise. Review the metrics on the storage account (queue ingress and errors) and Event Grid (delivery success) to validate for any errors. Roll back to Transition Mode if you experience any disruption and repeat investigation using the diagnostic logs.
 
 #### Set Secured by Perimeter on the Storage Account (Optional)
 
-Setting the storage account to **Secured by Perimeter** ensures that all traffic to the storage account is evaluated against the Network Security Perimeter rules. This adds an additional layer of security by enforcing that all access to the storage account goes through the perimeter.
+Setting the storage account to **Secured by Perimeter** ensures that all traffic to the storage account is evaluated against the Network Security Perimeter rules and blocks public network access.
 
 1. Navigate to your **Storage Account**.
 
 1. Under **Security + networking**, select **Networking**.
 1. Under **Public network access**, select **Manage**.
-3. Set **Secured by Perimeter (Most restricted)**.
-4. Select **Save**.
+1. Set **Secured by Perimeter (Most restricted)**.
+1. Select **Save**.
 
 :::image type="content" source="./media/enable-storage-network-security/set-storage-networking.png" lightbox="./media/enable-storage-network-security/set-storage-networking.png" alt-text="A screenshot showing how to set a storage account to 'Secured by Perimeter' in the Azure portal.":::
 
 
 ## Next steps
 
-In this article, you learned how to enable network security on the storage resources integrated with your Azure Storage connector. For more information, see the [Network Security Perimeter](/azure/private-link/network-security-perimeter-concepts) articles.
+In this article, you learned how to enable network security on the storage resources integrated with your Azure Storage connector. For more information, see the [Network Security Perimeter](/azure/private-link/network-security-perimeter-concepts) articles.
+
+- Review data-connection rules in [`data-connection-rules-reference-azure-storage.md`](data-connection-rules-reference-azure-storage.md).
+- Troubleshoot connector networking issues in [`azure-storage-blob-connector-troubleshoot.md`](azure-storage-blob-connector-troubleshoot.md).
