Merge pull request #314497 from msmbaldwin/kv-retire-storage-key-links

Update links to retired KV-managed storage account articles

Author: prmerger-automator[bot]

articles/role-based-access-control/built-in-roles/storage.md

@@ -1102,7 +1102,7 @@ Lets you manage classic storage accounts, but not access to them.
 
 Classic Storage Account Key Operators are allowed to list and regenerate keys on Classic Storage Accounts
 
-[Learn more](/azure/key-vault/secrets/overview-storage-keys)
+[Learn more](/azure/storage/common/authorize-data-access)
 
 > [!div class="mx-tableFixed"]
 > | Actions | Description |

articles/security/fundamentals/secrets-best-practices.md

@@ -104,7 +104,7 @@ Individual services may have additional best practices and guidance for protecti
 - Machine Learning Service: [Use authentication credential secrets in Azure Machine Learning jobs](/azure/machine-learning/how-to-use-secrets-in-runs)
 - Service Fabric: [KeyVaultReference support for Service Fabric applications](/azure/service-fabric/service-fabric-keyvault-references)
 - SQL IaaS: [Configure Azure Key Vault integration for SQL Server on Azure VMs (Resource Manager)](/azure/azure-sql/virtual-machines/windows/azure-key-vault-integration-configure)
-- Storage: [Manage storage account keys with Key Vault and the Azure CLI](/azure/key-vault/secrets/overview-storage-keys)
+- Storage: [Authorize access to data in Azure Storage](/azure/storage/common/authorize-data-access)
 
 ## Next steps
 

articles/storage/common/storage-account-keys-manage.md

@@ -77,10 +77,9 @@ To view or read an account's access keys, the user must either be a Service Admi
 
 ## Use Azure Key Vault to manage your access keys
 
-Microsoft recommends using Azure Key Vault to manage and rotate your access keys. Your application can securely access your keys in Key Vault, so that you can avoid storing them with your application code. For more information about using Key Vault for key management, see the following articles:
+Microsoft recommends using Microsoft Entra ID and managed identities to authorize access to Azure Storage. If you must use access keys, store them in Azure Key Vault and rotate them regularly. For more information, see the following article:
 
-- [Manage storage account keys with Azure Key Vault and PowerShell](/azure/key-vault/secrets/overview-storage-keys-powershell)
-- [Manage storage account keys with Azure Key Vault and the Azure CLI](/azure/key-vault/secrets/overview-storage-keys)
+- [Authorize access to data in Azure Storage](/azure/storage/common/authorize-data-access)
 
 ## Manually rotate access keys
 

articles/storage/common/storage-configure-connection-string.md

@@ -31,7 +31,7 @@ To learn how to view your account access keys and copy a connection string, see
 
 Your application needs to access the connection string at runtime to authorize requests made to Azure Storage. You have several options for storing your account access keys or connection string:
 
-- You can store your account keys securely in Azure Key Vault. For more information, see [About Azure Key Vault managed storage account keys](/azure/key-vault/secrets/about-managed-storage-account-keys).
+- Microsoft recommends using Microsoft Entra ID to authorize access to Azure Storage instead of account keys. If you must use account keys, store them securely in Azure Key Vault. For more information, see [Authorize access to data in Azure Storage](/azure/storage/common/authorize-data-access).
 - You can store your connection string in an environment variable.
 - An application can store the connection string in an **app.config** or **web.config** file. Add the connection string to the **AppSettings** section in these files.
 

articles/storage/files/storage-dotnet-how-to-use-files.md

@@ -538,7 +538,7 @@ static async Task ListDirectoryTreeAsync(ShareDirectoryClient directory)
 >[!NOTE]
 > OAuth tokens, such as those obtained when using `DefaultAzureCredential`, aren't allowed for data plane operations at the file share level. To work with share snapshots, the client object must be authorized using the account key. The `ShareClient` object created in this code example uses a connection string, which includes the account key.
 >
-> Storing account keys or connection strings presents a security risk. You should only use them when Microsoft Entra authentication isn't available. To learn more about securely storing account keys in Azure Key Vault, see [About Azure Key Vault managed storage account keys](/azure/key-vault/secrets/about-managed-storage-account-keys).
+> Storing account keys or connection strings presents a security risk. You should only use them when Microsoft Entra authentication isn't available. To learn more about securely authorizing access to storage, see [Authorize access to data in Azure Storage](/azure/storage/common/authorize-data-access).
 
 ## Manage Azure Files resources using the Azure Storage management libraries
 

articles/storage/files/storage-java-how-to-use-file-storage.md

@@ -622,7 +622,7 @@ private static void listDirectoryTree(ShareDirectoryClient directory) {
 >[!NOTE]
 > OAuth tokens, such as those obtained when using `DefaultAzureCredential`, aren't allowed for data plane operations at the file share level. To work with share snapshots, the client object must be authorized using the account key. The `ShareClient` object created in this code example uses a connection string, which includes the account key.
 >
-> Storing account keys or connection strings presents a security risk. You should only use them when Microsoft Entra authentication isn't available. To learn more about securely storing account keys in Azure Key Vault, see [About Azure Key Vault managed storage account keys](/azure/key-vault/secrets/about-managed-storage-account-keys).
+> Storing account keys or connection strings presents a security risk. You should only use them when Microsoft Entra authentication isn't available. To learn more about securely authorizing access to storage, see [Authorize access to data in Azure Storage](/azure/storage/common/authorize-data-access).
 
 ## Manage Azure Files resources using the Azure Storage management libraries
 

articles/storage/files/storage-python-how-to-use-file-storage.md

@@ -460,7 +460,7 @@ list_root_directory_snapshot(root_dir)
 >[!NOTE]
 > OAuth tokens, such as those obtained when using `DefaultAzureCredential`, aren't allowed for data plane operations at the file share level. To work with share snapshots, the client object must be authorized using the account key. The `ShareClient` object created in this code example uses a connection string, which includes the account key.
 >
-> Storing account keys or connection strings presents a security risk. You should only use them when Microsoft Entra authentication isn't available. To learn more about securely storing account keys in Azure Key Vault, see [About Azure Key Vault managed storage account keys](/azure/key-vault/secrets/about-managed-storage-account-keys).
+> Storing account keys or connection strings presents a security risk. You should only use them when Microsoft Entra authentication isn't available. To learn more about securely authorizing access to storage, see [Authorize access to data in Azure Storage](/azure/storage/common/authorize-data-access).
 
 ## Manage Azure Files resources using the Azure Storage management libraries
 

articles/synapse-analytics/spark/synapse-file-mount-api.md

@@ -102,7 +102,7 @@ mssparkutils.fs.mount(
 
 In addition to mounting through a linked service, `mssparkutils` supports explicitly passing an account key or [shared access signature (SAS)](/samples/azure-samples/storage-dotnet-sas-getting-started/storage-dotnet-sas-getting-started/) token as a parameter to mount the target. 
 
-For security reasons, we recommend that you store account keys or SAS tokens in Azure Key Vault (as the following example screenshot shows). You can then retrieve them by using the `mssparkutil.credentials.getSecret` API. For more information, see [Manage storage account keys with Key Vault and the Azure CLI (legacy)](/azure/key-vault/secrets/overview-storage-keys).
+For security reasons, we recommend using managed identities and Microsoft Entra authentication instead of account keys or SAS tokens when possible. If you must use account keys, store them in Azure Key Vault (as the following example screenshot shows). You can then retrieve them by using the `mssparkutil.credentials.getSecret` API. For more information, see [Authorize access to data in Azure Storage](/azure/storage/common/authorize-data-access).
 
 ![Screenshot that shows a secret stored in a key vault.](./media/synapse-file-mount-api/key-vaults.png)