
Commit 572a2f3

Learn Build Service GitHub App authored and committed
Merging changes synced from https://github.com/MicrosoftDocs/learn-pr (branch live)
2 parents 7d49af0 + 0b427c3 commit 572a2f3

32 files changed

Lines changed: 364 additions & 142 deletions

learn-pr/wwl-azure/configure-storage-security/includes/1-introduction.md

Lines changed: 1 addition & 8 deletions
Original file line number | Diff line number | Diff line change
@@ -13,14 +13,7 @@ In this module, you learn how to:
1313

1414
## Skills measured
1515

16-
The content in the module helps you prepare for [Exam AZ-104: Microsoft Azure Administrator](/credentials/certifications/resources/study-guides/az-104). The module concepts are covered in:
17-
18-
Implement and manage storage (15–20%)
19-
20-
- Secure storage
21-
- Generate shared access signature (SAS) tokens.
22-
- Manage access keys.
23-
- Configure stored access policies.
16+
The content in the module helps you prepare for [Exam AZ-104: Microsoft Azure Administrator](/credentials/certifications/resources/study-guides/az-104).
2417

2518
## Prerequisites
2619
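Review bot: After the removals at old lines 16-23, the `## Skills measured` heading is left over a single sentence that no longer names any skill. Either rename or drop the heading, or keep a short list so readers still see that the module covers SAS tokens, access keys, and stored access policies, which are the security-relevant objectives the old text listed.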

learn-pr/wwl-azure/configure-storage-security/includes/2-review-strategies.md

Lines changed: 3 additions & 3 deletions
@@ -13,7 +13,7 @@ Let's look at some characteristics of Azure Storage security. As you go through
1313

1414
- **Encryption at rest**. Storage Service Encryption (SSE) with a 256-bit Advanced Encryption Standard (AES) cipher encrypts all data written to Azure Storage. When you read data from Azure Storage, Azure Storage decrypts the data before returning it. This process incurs no extra charges and doesn't degrade performance. Encryption at rest includes encrypting virtual hard disks (VHDs) with Azure Disk Encryption. This encryption uses BitLocker for Windows images, and uses dm-crypt for Linux.
1515

16-
- **Encryption in transit**. Keep your data secure by enabling transport-level security between Azure and the client. Always use HTTPS to secure communication over the public internet. When you call the REST APIs to access objects in storage accounts, you can enforce the use of HTTPS by requiring *secure transfer* for the storage account. After you enable secure transfer, connections that use HTTP will be refused. This flag will also enforce secure transfer over SMB by requiring SMB 3.0 for all file share mounts.
16+
- **Encryption in transit**. You can configure your storage account to only accept requests from secure connections by setting the **Secure transfer required** property for the storage account. Existing accounts should explicitly disallow TLS 1.0 and 1.1, which are deprecated.
1717

1818
- **Encryption models**. Azure supports various encryption models, including server-side encryption that uses service-managed keys, customer-managed keys in Key Vault, or customer-managed keys on customer-controlled hardware. With client-side encryption, you can manage and store keys on-premises or in another secure location.
1919
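Review bot: The rewritten **Encryption in transit** bullet (new line 16) says existing accounts should disallow TLS 1.0 and 1.1 but does not name the setting that does this or the version to require; name the minimum TLS version property and the value to set (1.2 or later). The rewrite also drops two behaviours the old text stated: that HTTP connections are refused once secure transfer is on, and that the flag applies to SMB file share mounts. Keep one sentence on each, since both explain connection failures an administrator sees after enabling the setting.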

@@ -33,6 +33,6 @@ Review the following strategies for authorizing requests to Azure Storage. Think
3333
| Authorization strategy | Description |
3434
| --- | --- |
3535
| **Microsoft Entra ID** | Microsoft Entra ID is Microsoft's cloud-based identity and access management service. With Microsoft Entra ID, you can assign fine-grained access to users, groups, or applications by using role-based access control. |
36-
| **Shared Key** | Shared Key authorization relies on your Azure storage account access keys and other parameters to produce an encrypted signature string. The string is passed on the request in the Authorization header. |
36+
| **Shared Key** | Access is authorized with an account access key. The key can be the primary or secondary access key. To enforce Entra ID authorization, disable the Shared Key at the storage account level. |
3737
| **Shared access signatures** | A SAS delegates access to a particular resource in your Azure storage account with specified permissions and for a specified time interval. |
38-
| **Anonymous access to containers and blobs** | You can optionally make blob resources public at the container or blob level. A public container or blob is accessible to any user for anonymous read access. Read requests to public containers and blobs don't require authorization.
38+
| **Anonymous access to containers and blobs** | Anonymous public access is disabled by default on new storage accounts. Microsoft recommends keeping anonymous access disabled for accounts containing sensitive data. |
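Review bot: In the **Anonymous access to containers and blobs** row (new line 38), the Description cell no longer describes the strategy: it states the default and the recommendation but not that a public container or blob can be read by anyone without authorization. Keep a one-sentence definition ahead of the recommendation so the row matches the other three. In the **Shared Key** row (new line 36), "disable the Shared Key" reads as if a key is being disabled; "disallow Shared Key authorization" would be clearer. Since a later unit in this module says SAS tokens can be signed with the shared key, say whether those stop working too.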

learn-pr/wwl-azure/configure-storage-security/includes/5-determine-storage-service-encryption.md

Lines changed: 1 addition & 1 deletion
@@ -2,7 +2,7 @@ Azure Storage encryption for data at rest protects your data by ensuring your or
22

33
When you create a storage account, Azure generates two 512-bit storage account access keys for that account. These keys can be used to authorize access to data in your storage account via Shared Key authorization, or via SAS tokens that are signed with the shared key.
44

5-
Microsoft recommends that you use Azure Key Vault to manage your access keys, and that you regularly rotate and regenerate your keys. Using Azure Key Vault makes it easy to rotate your keys without interruption to your applications. You can also manually rotate your keys.
5+
Microsoft recommends that you use Azure Key Vault to manage your access keys, and that you regularly rotate and regenerate your keys. Azure Key Vault supports automatic key rotation policies, allowing you to define rotation schedules (for example, every 90 days) that rotate keys automatically. You can also manually rotate your keys when needed.
66

77
### Things to know about Azure Storage encryption
88
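Review bot: The added sentence at new line 5 does not say which keys the rotation policy rotates. The paragraph is about storage account access keys, while "key rotation policies" reads as a feature for keys held in Key Vault; state explicitly whether the policy regenerates the storage account access keys. The rewrite also removes "without interruption to your applications"; if that still holds, keep it, and if it does not, say what applications must do to pick up a rotated key.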

learn-pr/wwl-azure/configure-storage-security/includes/6-create-customer-managed-keys.md

Lines changed: 3 additions & 1 deletion
@@ -12,6 +12,8 @@ Consider the following characteristics of customer-managed keys.
1212

1313
- Customer-managed keys can be used with Azure Storage encryption. You can use a new key or an existing key vault and key. The Azure storage account and the key vault must be in the same region, but they can be in different subscriptions.
1414

15+
- Customer-managed keys are stored in a customer-owned Azure Key Vault or Azure Key Vault Managed HSM. Managed HSM provides FIPS 140-2 Level 3 validation for organizations with the highest compliance requirements.
16+
1517
## Configure customer-managed keys
1618

1719
In the Azure portal, you can configure customer-managed encryption keys. You can create your own keys, or you can have the keys managed by Microsoft. Consider how you might use Azure Key Vault to create your own customer-managed encryption keys.
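Review bot: The new bullet at line 15 gives a validation level for Managed HSM but nothing for a standard Key Vault, so the reader cannot tell what the difference is; add the comparison or drop "highest compliance requirements". The bullet above it requires the storage account and the key vault to be in the same region; say whether that constraint also applies to Managed HSM.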
@@ -24,4 +26,4 @@ In the Azure portal, you can configure customer-managed encryption keys. You can
2426

2527

2628
> [!TIP]
27-
> Expand your understanding of storage security in the [*Plan and implement security for storage*](/training/modules/security-storage/) training module.
29+
> Expand your understanding of storage security in the [*Plan and implement security for storage*](/training/modules/security-storage/) training module.

learn-pr/wwl-azure/configure-storage-security/includes/7-apply-best-practices.md

Lines changed: 16 additions & 2 deletions
@@ -4,19 +4,33 @@
44

55
### What are the benefits of Storage insights?
66

7-
- **Detailed Metrics and Logs**. Azure Storage Insights offers detailed metrics, logs, and diagnostic information that enhance visibility into storage operations. This helps in monitoring key performance indicators (KPIs) such as latency, throughput, capacity utilization, and transactions.
7+
- **Detailed Metrics and Logs**. Azure Storage Insights offers detailed metrics, logs, and diagnostic information that enhance visibility into storage operations. Insights helps in monitoring key performance indicators (KPIs) such as latency, throughput, capacity utilization, and transactions.
88

99
- **Enhanced Security and Compliance**. By using Azure Storage Insights, you can ensure enhanced security and compliance. It provides actionable insights and alerts that help in swiftly identifying and resolving security issues.
1010

1111
- **Role-Based Access Control (RBAC)**. Azure Storage Insights integrates with Azure's security features, including role-based access control (RBAC), Microsoft Entra ID, connection strings, and access control list (ACL) permissions. RBAC ensures secure access to your data and resources.
1212

1313
- **Unified View**. It delivers a unified view of your Azure Storage services' performance, capacity, and availability, which is crucial for maintaining the security and efficiency of your storage accounts.
1414

15-
### Security uses for Storage Insights
15+
### When to use Storage Insights
1616

1717
- **Real-Time Monitoring**. Azure Storage Insights enables real-time monitoring of storage accounts, allowing you to track usage trends, monitor performance, and set up alerts for any anomalies.
1818

1919
- **Security Auditing**. It aids in security auditing by providing comprehensive monitoring and detailed logs, which are essential for ensuring compliance and identifying any security issues.
2020

2121
- **Health Analysis and Optimization**. The tool helps in health analysis and optimization of storage accounts, ensuring security and optimal performance.
2222

23+
### When to use Microsoft Defender for Storage
24+
25+
While Storage Insights provides passive monitoring and historical analysis, Microsoft Defender for Storage offers proactive threat detection for active security threats.
26+
27+
**Key capabilities**
28+
29+
- **Malware scanning**. Automatically scans blob uploads for malware and viruses.
30+
31+
- **Sensitive data threat detection**. Identifies when personally identifiable information (PII) or credentials are stored inappropriately.
32+
33+
- **Activity-based threat detection**. Monitors for unusual access patterns, suspicious download volumes, and hash reputation analysis.
34+
35+
Microsoft Defender for Storage complements Storage Insights by providing active threat detection rather than reactive monitoring and historical reporting.
36+
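Review bot: New lines 25 and 35 call Storage Insights "passive" and "reactive monitoring and historical reporting", which conflicts with the unchanged bullets in this file that describe it as real-time monitoring with alerts for anomalies (line 17) and as providing "actionable insights and alerts" (line 9). Reword the contrast around what each tool looks at rather than passive versus active. In the activity-based bullet (line 33), "Monitors for ... hash reputation analysis" does not parse; give hash reputation analysis its own clause.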

learn-pr/wwl-azure/configure-storage-security/index.yml

Lines changed: 1 addition & 1 deletion
@@ -5,7 +5,7 @@ metadata:
55
prefetch-feature-rollout: true
66
title: Configure Azure Storage Security
77
description: "Learn how to configure common Azure Storage security features like storage access signatures."
8-
ms.date: 02/24/2026
8+
ms.date: 03/23/2026
99
author: wwlpublish
1010
ms.author: cynthist
1111
ms.topic: module
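Review bot: While this file is being touched for `ms.date`, the `description` on line 7 says "storage access signatures"; the rest of the module calls the feature shared access signatures. Fix the term in the same change.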

learn-pr/wwl-azure/guided-project-azure-files-azure-blobs/7-knowledge-check.yml

Lines changed: 2 additions & 2 deletions
@@ -38,7 +38,7 @@ quiz:
3838
explanation: "Incorrect. Data redundancy protects from planned and unplanned events."
3939
- content: "Lifecycle management"
4040
isCorrect: true
41-
explanation: "Correct. A time-based immutable storage policy rule can set conditions and move data between storage tiers."
41+
explanation: "Correct. Lifecycle management policies define rules with conditions based on age, last modified time, or last access time. Actions include transitioning blobs to cooler storage tiers or deleting them to optimize costs as data ages."
4242
- content: "Your company uses an Azure storage account for storing large numbers of video and audio files. The company wants the ability to revoke access to the files and to change the period for which users can access the files. What should you do?"
4343
choices:
4444
- content: "Provide a shared access signature (SAS)"
@@ -60,4 +60,4 @@ quiz:
6060
explanation: "Incorrect. This method isn't recommended because the application owner or developer must rotate the certificate."
6161
- content: "Managed identities"
6262
isCorrect: true
63-
explanation: "Correct. The benefit of this approach is that Azure automatically rotates the identity."
63+
explanation: "Correct. The benefit of this approach is that Azure automatically rotates the identity."
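Review bot: Line 63 is rewritten with no visible text change, so this is a chance to fix the wording: "Azure automatically rotates the identity" should say that Azure rotates the identity's credentials. The neighbouring explanation on line 60 is about who must rotate the certificate, so the contrast the question draws is about who rotates the secret, not the identity itself.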

learn-pr/wwl-azure/guided-project-azure-files-azure-blobs/includes/1-introduction.md

Lines changed: 3 additions & 3 deletions
@@ -18,16 +18,16 @@ The module is divided into five exercises, each covering a specific storage scen
1818
By the end of this module, you gain hands-on experience in creating and configuring Azure Files and Azure Blob Storage for different storage scenarios. You can apply this knowledge to your own projects and provide secure and efficient storage solutions.
1919

2020
> [!NOTE]
21-
> This is a guided project module where you complete an end-to-end project by following step-by-step instructions. 
21+
> A guided project is where you complete an end-to-end project by following step-by-step instructions. 
2222
2323
## Skilling areas
2424

2525
You use the Azure documentation to [review your storage options](/azure/cloud-adoption-framework/ready/considerations/storage-options). The project requires configuring storage accounts, Azure blobs, Azure Files, storage encryption, and storage networking. For each area, you identify the subtasks you need to become familiar with.
2626

2727
| Skilling area | Skilling task |
2828
| --- | --- |
29-
| **Create and configure a storage account** | <ul><li> Configure the storage account tier, including hot and cool. </li><li> Configure redundancy settings, including zone-redundant and geo-redundant storage.</li><li> Configure secure transfer and TLS version. </li><li> Configure storage replication. </li></ul> |
30-
| **Create and configure blob storage** |<ul><li> Create a Blob Storage container. </li><li> Configure the access level for blob storage.</li><li> Configure the blob storage tiers. </li><li> Configure lifecycle management. </li><li> Configure data protection for blob storage. </li></ul> |
29+
| **Create and configure a storage account** | <ul><li> Configure the storage account tier, including hot, cool, and cold. </li><li> Configure redundancy settings, including zone-redundant and geo-redundant storage.</li><li> Configure secure transfer and TLS version. </li><li> Configure storage replication. </li></ul> |
30+
| **Create and configure blob storage** |<ul><li> Create a Blob Storage container. </li><li> Configure the access level for blob storage. Understand the security implications of enabling anonymous public access.</li><li> Configure the blob storage tiers. </li><li> Configure lifecycle management, including transitioning data to the cool, cold, or archive tier based on age or access patterns. </li><li> Configure data protection for blob storage. </li></ul> |
3131
| **Create and configure Azure Files** | <ul><li> Create an Azure Files share, including directories. </li><li> Configure performance tiers, like standard and premium. </li><li> Configure data protection for Azure Files, such as snapshots. </li></ul> |
3232
| **Configure encryption for storage** | <ul><li> Configure encryption for data at rest, including Microsoft managed keys and customer managed keys. </li><li> Configure encryption for data in transit. </li></ul> |
3333
| **Configure networking​ for storage** | <ul><li> Create and configure private endpoints. </li><li> Create and configure service endpoints. </li><li> Configure Azure Storage firewalls and virtual networks. </li></ul>|
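Review bot: In the blob storage row (new line 30), "Understand the security implications of enabling anonymous public access." is appended inside the "Configure the access level" item, while every other item in the table is a single task; give it its own `<li>` so it is not lost. Line 29 now lists hot, cool, and cold for the account tier and line 30 lists cool, cold, or archive as lifecycle targets; confirm the difference is intended. The unchanged line 33 has an invisible character after "networking" in the row title, which is worth removing while the table is being edited.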

learn-pr/wwl-azure/guided-project-azure-files-azure-blobs/includes/3-exercise-public-website-storage.md

Lines changed: 7 additions & 1 deletion
@@ -10,6 +10,12 @@ The company website supplies product images, videos, marketing literature, and c
1010
Launch the exercise and follow the instructions. When you're done, be sure to return to this page so you can continue learning.
1111

1212
> [!NOTE]
13-
> To complete this lab you will need an [Azure subscription](https://azure.microsoft.com/pricing/purchase-options/azure-account?cid=msft_learn).
13+
> To complete this lab, you need an [Azure subscription](https://azure.microsoft.com/pricing/purchase-options/azure-account?cid=msft_learn).
14+
15+
> [!CAUTION]
16+
> Enabling anonymous public access is demonstrated here for learning purposes only. Microsoft recommends keeping anonymous access disabled. Instead use shared access signatures or Azure CDN with authenticated origin access for secure public content delivery.
17+
18+
19+
1420

1521
[![Button to launch exercise.](../media/launch-exercise.png)](https://go.microsoft.com/fwlink/?linkid=2261879)
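Review bot: The caution at new line 16 recommends "shared access signatures" without saying which kind, while the note added to 4-exercise-private-company-storage.md in this same commit recommends user delegation SAS over service SAS; make the two consistent. Lines 17-19 add three empty lines before the launch button, which look accidental; one blank line is enough.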

learn-pr/wwl-azure/guided-project-azure-files-azure-blobs/includes/4-exercise-private-company-storage.md

Lines changed: 8 additions & 1 deletion
@@ -6,9 +6,16 @@ The company needs storage for their offices and departments. This content is pri
66
| --- | --- |
77
| :::image type="content" source="../media/task-3.png" alt-text="Diagram with one storage account and two blob containers." border="true"::: | <ul><li>Create a storage account.<li>Create a storage container with restricted access.</li><li>Configure a shared access signature for partners.</li><li>Back up the public website storage.<li>Implement lifecycle management to move content to the cool tier.</li></ul>|
88

9+
> [!Important]
10+
> This exercise uses a service SAS for simplicity, but Microsoft recommends user delegation SAS backed by Microsoft Entra ID for production scenarios.
11+
912
Launch the exercise and follow the instructions. When you're done, be sure to return to this page so you can continue learning.
1013

1114
> [!NOTE]
12-
> To complete this lab you will need an [Azure subscription](https://azure.microsoft.com/pricing/purchase-options/azure-account?cid=msft_learn).
15+
> To complete this lab, you need an [Azure subscription](https://azure.microsoft.com/pricing/purchase-options/azure-account?cid=msft_learn).
16+
17+
18+
19+
1320

1421
[![Button to launch exercise.](../media/launch-exercise.png)](https://go.microsoft.com/fwlink/?linkid=2262131)
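Review bot: The alert at new line 9 is written `[!Important]`, while the other alerts in this commit use upper case (`[!NOTE]`, `[!CAUTION]`, `[!TIP]`); use `[!IMPORTANT]` to match. The note says user delegation SAS is recommended but not why; one clause explaining that a service SAS is signed with the storage account key would make the recommendation actionable. Lines 16-19 add four empty lines that look accidental, and the unchanged line 7 has two `<li>` items with no closing tag.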
