MicrosoftDocs
diff --git a/‎articles/storage/files/change-identity-source.md‎
Lines changed: 23 additions & 33 deletions b/‎articles/storage/files/change-identity-source.md‎
Lines changed: 23 additions & 33 deletions
diff --git a/‎articles/storage/files/media/change-identity-source/identity-source-status.png‎
33.4 KB b/‎articles/storage/files/media/change-identity-source/identity-source-status.png‎
33.4 KB
@@ -1,5 +1,5 @@
 ---
-title: Change the Identity Source for Azure File Shares
+title: Change the Identity Source for Azure Files
 description: Learn how to switch between identity sources for Azure Files identity-based authentication for SMB file shares by disabling your current identity source and enabling a new one.
 author: khdownie
 ms.service: azure-file-storage
@@ -20,27 +20,35 @@ For guidance on choosing the right identity source for your environment, see [Ov
 > [!IMPORTANT]
 > Disabling the current identity source removes identity-based access for all file shares in the storage account immediately. Users can't access shares using identity-based authentication until you enable and configure a new identity source.
 
-## Step 1: Disable the current identity source
+## Step 1: Verify the current identity source
+
+Use the Azure portal to verify the identity source that's currently enabled on your storage account. Supported identity sources are Active Directory Domain Services (AD DS), Microsoft Entra Domain Services, and Microsoft Entra Kerberos.
+
+1. Sign in to the [Azure portal](https://portal.azure.com) and select the storage account.
+1. From the service menu, under **Data storage**, select **File shares**.
+1. Next to **Identity-based access**, check the configuration status. It should show **Configured**. If it shows **Not configured**, then you don't have an identity source enabled on the storage account and you can proceed to [Enable a new identity source](#step-3-enable-a-new-identity-source).
+
+   :::image type="content" source="media/change-identity-source/configure-identity-based-access.png" alt-text="Screenshot of the file shares pane in your storage account, identity-based access configuration status is highlighted." lightbox="media/change-identity-source/configure-identity-based-access.png":::
+
+1. Select **Configured**. The portal shows the identity source that's enabled on the storage account and its configuration status. Other identity sources are grayed out. In this example, Microsoft Entra Kerberos is enabled on the storage account, but not yet configured.
+
+   :::image type="content" source="media/change-identity-source/identity-source-status.png" alt-text="Screenshot showing which identity source is enabled on the storage account." lightbox="media/change-identity-source/identity-source-status.png":::
+
+## Step 2: Disable the current identity source
 
 Use the tabs below to find steps for disabling your current identity source.
 
 ### Active Directory Domain Services (AD DS)
 
-# [Portal](#tab/portal)
-
-1. Sign in to the [Azure portal](https://portal.azure.com) and select the storage account.
-1. Under **Data storage**, select **File shares**.
-1. Next to **Identity-based access**, select the configuration status. It should show **Configured**. If it shows **Not configured**, then you don't have an identity source enabled on the storage account and you can proceed to [Enable a new identity source](#step-2-enable-a-new-identity-source).
+> [!IMPORTANT]
+> After disabling AD DS authentication, consider deleting the AD DS computer account or service logon account that you created to represent the storage account in your on-premises AD. If you leave the identity in AD DS, it remains as an orphaned object.
 
-   :::image type="content" source="media/change-identity-source/configure-identity-based-access.png" alt-text="Screenshot of the file shares pane in your storage account, identity-based access configuration status is highlighted." lightbox="media/change-identity-source/configure-identity-based-access.png":::
+# [Portal](#tab/portal)
 
 1. Under **Active Directory Domain Services (AD DS)**, select **Configure**.
 1. Select the **Disable Active Directory for this storage account** checkbox.
 1. Select **Save**.
 
-> [!IMPORTANT]
-> After disabling AD DS authentication, consider deleting the AD DS computer account or service logon account that you created to represent the storage account in your on-premises AD. If you leave the identity in AD DS, it remains as an orphaned object.
-
 # [Azure PowerShell](#tab/powershell)
 
 Run the following command, replacing the placeholder values with your own.
@@ -49,9 +57,6 @@ Run the following command, replacing the placeholder values with your own.
 Set-AzStorageAccount -ResourceGroupName <resourceGroupName> -StorageAccountName <storageAccountName> -EnableActiveDirectoryDomainServicesForFile $false
 ```
 
-> [!IMPORTANT]
-> After disabling AD DS authentication, consider deleting the AD DS computer account or service logon account that you created to represent the storage account in your on-premises AD. If you leave the identity in AD DS, it remains as an orphaned object.
-
 # [Azure CLI](#tab/cli)
 
 Run the following command, replacing the placeholder values with your own.
@@ -60,21 +65,12 @@ Run the following command, replacing the placeholder values with your own.
 az storage account update --name <storage-account-name> --resource-group <resource-group-name> --enable-files-adds false
 ```
 
-> [!IMPORTANT]
-> After disabling AD DS authentication, consider deleting the AD DS computer account or service logon account that you created to represent the storage account in your on-premises AD. If you leave the identity in AD DS, it remains as an orphaned object.
-
 ---
 
 ### Microsoft Entra Domain Services
 
 # [Portal](#tab/portal)
 
-1. Sign in to the [Azure portal](https://portal.azure.com) and select the storage account.
-1. Under **Data storage**, select **File shares**.
-1. Next to **Identity-based access**, select the configuration status. It should show **Configured**. If it shows **Not configured**, then you don't have an identity source enabled on the storage account and you can proceed to [Enable a new identity source](#step-2-enable-a-new-identity-source).
-
-   :::image type="content" source="media/change-identity-source/configure-identity-based-access.png" alt-text="Screenshot of the file shares pane in your storage account, identity-based access configuration status is highlighted." lightbox="media/change-identity-source/configure-identity-based-access.png":::
-
 1. Under **Microsoft Entra Domain Services**, select **Configure**.
 1. Uncheck the **Microsoft Entra Domain Services** checkbox.
 1. Select **Save**.
@@ -101,12 +97,6 @@ az storage account update --name <storage-account-name> --resource-group <resour
 
 # [Portal](#tab/portal)
 
-1. Sign in to the [Azure portal](https://portal.azure.com) and select the storage account.
-1. Under **Data storage**, select **File shares**.
-1. Next to **Identity-based access**, select the configuration status. It should show **Configured**. If it shows **Not configured**, then you don't have an identity source enabled on the storage account and you can proceed to [Enable a new identity source](#step-2-enable-a-new-identity-source).
-
-   :::image type="content" source="media/change-identity-source/configure-identity-based-access.png" alt-text="Screenshot of the file shares pane in your storage account, identity-based access configuration status is highlighted." lightbox="media/change-identity-source/configure-identity-based-access.png":::
-
 1. Under **Microsoft Entra Kerberos**, select **Configure**.
 1. Uncheck the **Microsoft Entra Kerberos** checkbox.
 1. Select **Save**.
@@ -129,10 +119,10 @@ az storage account update --name <storage-account-name> --resource-group <resour
 
 ---
 
-## Step 2: Enable a new identity source
+## Step 3: Enable a new identity source
 
 After disabling the current identity source, follow the instructions for the new identity source you want to enable:
 
-- **Active Directory Domain Services (AD DS)**: See [Enable AD DS authentication for Azure file shares](storage-files-identity-ad-ds-enable.md).
-- **Microsoft Entra Domain Services**: See [Enable Microsoft Entra Domain Services authentication on Azure Files](storage-files-identity-auth-domain-services-enable.md).
-- **Microsoft Entra Kerberos** (hybrid or cloud-only identities): See [Enable Microsoft Entra Kerberos authentication for hybrid and cloud-only identities on Azure Files](storage-files-identity-auth-hybrid-identities-enable.md).
+- **Active Directory Domain Services (AD DS)**: See [Enable AD DS authentication](storage-files-identity-ad-ds-enable.md).
+- **Microsoft Entra Domain Services**: See [Enable Microsoft Entra Domain Services authentication](storage-files-identity-auth-domain-services-enable.md).
+- **Microsoft Entra Kerberos**: See [Enable Microsoft Entra Kerberos authentication for hybrid and cloud-only identities](storage-files-identity-auth-hybrid-identities-enable.md).