Commit 5c28a4e

committed
fixes for pr-review
1 parent 32fbea5 commit 5c28a4e

5 files changed

Lines changed: 6 additions & 6 deletions

learn-pr/wwl-azure/security-storage/includes/3-authorize-requests-azure-storage.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -12,7 +12,7 @@ The following table describes the options that Azure Storage offers for authoriz
1212

1313
Each authorization option is briefly described below:
1414

15-
- **Microsoft Entra ID (Recommended)**: Microsoft Entra ID is Microsoft's cloud-based identity and access management service. Microsoft Entra ID integration is available for the Blob, File, Queue, and Table services. With Microsoft Entra ID, you can assign fine-grained access to users, groups, or applications via Azure role-based access control (RBAC). RBAC is the most secure method as it eliminates the need to store credentials in your code and supports advanced security features like conditional access, multi-factor authentication, and managed identities.
15+
- **Microsoft Entra ID (Recommended)**: Microsoft Entra ID is Microsoft's cloud-based identity and access management service. Microsoft Entra ID integration is available for the Blob, File, Queue, and Table services. With Microsoft Entra ID, you can assign fine-grained access to users, groups, or applications via Azure role-based access control (RBAC). RBAC is the most secure method as it eliminates the need to store credentials in your code and supports advanced security features like conditional access, multifactor authentication, and managed identities.
1616
- **Microsoft Entra Domain Services authorization for Azure Files**: Azure Files supports identity-based authorization over Server Message Block (SMB) through Microsoft Entra Domain Services. You can use Azure RBAC for share-level access control and Windows ACLs for file and directory-level permissions, providing fine-grained control over a client's access to Azure Files resources.
1717
- **Active Directory (AD) authorization for Azure Files**: Azure Files supports identity-based authorization over SMB through on-premises Active Directory Domain Services. Your AD domain service can be hosted on on-premises machines or in Azure VMs. SMB access to Files is supported using AD credentials from domain-joined machines, either on-premises or in Azure. You can use Azure RBAC for share-level access control and NTFS DACLs (Discretionary Access Control Lists) for directory and file-level permission enforcement. Credentials must be synchronized to Microsoft Entra ID.
1818
- **Shared Key**: Shared Key authorization relies on your account access keys and other parameters to produce an encrypted signature string that is passed in the request's *Authorization* header. The downside is a Shared Key provides full access to the storage account and should be avoided when possible. Consider disabling Shared Key authorization if your scenarios support identity-based authentication.
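Review bot: The "multi-factor" to "multifactor" change in the Microsoft Entra ID bullet is consistent with the same edit in the other four files of this commit, so the module now uses one spelling throughout. While in this hunk, the unchanged Shared Key bullet describes "an encrypted signature string"; Shared Key authorization signs the request with an HMAC computed from the account key rather than encrypting anything, so "a signature string computed from your account key" would be more accurate. The closing sentence "Consider disabling Shared Key authorization if your scenarios support identity-based authentication" is also softer than the unconditional "disable Shared Key authorization" used later in this commit for blobs; worth aligning the recommendation strength across the module.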

learn-pr/wwl-azure/security-storage/includes/5-select-configure-access-azure-files.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -99,6 +99,6 @@ When configuring access to Azure Files, follow these security recommendations:
9999
- **Use appropriate RBAC roles**: Assign the most restrictive role that meets user requirements. Use **Storage File Data Privileged Reader** for read-only access rather than more permissive roles.
100100
- **Enable default Microsoft Entra authorization**: Configure storage accounts to default to Microsoft Entra ID authentication in the portal to reduce accidental use of account keys.
101101
- **Leverage managed identities**: For applications running in Azure, use managed identities to access Azure Files without storing credentials.
102-
- **Implement conditional access**: Use Microsoft Entra Conditional Access policies to enforce additional requirements such as multi-factor authentication or compliant device checks for file access.
102+
- **Implement conditional access**: Use Microsoft Entra Conditional Access policies to enforce additional requirements such as multifactor authentication or compliant device checks for file access.
103103
- **Monitor access**: Regularly review Azure Monitor logs to track who is accessing your file shares and identify any unauthorized access attempts.
104104
- **Consider disabling Shared Key**: If all your scenarios support identity-based authentication, consider disabling Shared Key authorization at the storage account level to prevent its use entirely.
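Review bot: The spelling fix on the conditional access bullet is fine and matches the other files. One readability point in the unchanged context of this hunk: the "Use appropriate RBAC roles" bullet asks for "the most restrictive role" and then recommends a role named **Storage File Data Privileged Reader**, which reads as a contradiction to someone new to the role names. A short clause explaining that this role is the read-only option among the data-plane roles (and that the word "Privileged" refers to overriding share-level permissions, not to elevated write rights) would remove the confusion.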

learn-pr/wwl-azure/security-storage/includes/6-authorize-access-blobs-use-microsoft-entra-id.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -117,7 +117,7 @@ Access to blob data via the Azure portal, PowerShell, or Azure CLI can be author
117117

118118
**Security recommendations**:
119119

120-
- **Avoid Shared Key authorization**: Authorization with Shared Key is not recommended as it provides full access to the storage account and doesn't support advanced security features like conditional access or multi-factor authentication. For optimal security, disable authorization via Shared Key for your storage account, as described in [Prevent Shared Key authorization for an Azure Storage account](/azure/storage/common/shared-key-authorization-prevent).
120+
- **Avoid Shared Key authorization**: Authorization with Shared Key is not recommended as it provides full access to the storage account and doesn't support advanced security features like conditional access or multifactor authentication. For optimal security, disable authorization via Shared Key for your storage account, as described in [Prevent Shared Key authorization for an Azure Storage account](/azure/storage/common/shared-key-authorization-prevent).
121121
- **Limit access key usage**: Use of access keys and connection strings should be limited to initial proof of concept apps or development prototypes that don't access production or sensitive data. For production workloads, always use token-based authentication classes available in the Azure SDK.
122122
- **Prefer Microsoft Entra ID**: Microsoft recommends that clients use Microsoft Entra ID for the most secure authorization method. When direct user access delegation is required, use a user delegation SAS secured with Microsoft Entra credentials rather than an account SAS. For more information, see [Authorize operations for data access](/azure/storage/common/authorize-data-access?toc=/azure/storage/blobs/toc.json&bc=/azure/storage/blobs/breadcrumb/toc.json).
123123

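Review bot: Terminology change is consistent with the rest of the commit. The two bullets that follow the changed line pull in slightly different directions: "Avoid Shared Key authorization" tells the reader to disable Shared Key for the account, while "Limit access key usage" still allows keys for "proof of concept apps or development prototypes". If both are intended, consider stating explicitly that key-based access is acceptable only on non-production accounts where Shared Key has not been disabled, so the two recommendations do not appear to conflict.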
@@ -150,4 +150,4 @@ When implementing Microsoft Entra ID authorization for blob storage, follow thes
150150
- **Disable Shared Key authorization**: Once you've migrated to Microsoft Entra ID authentication, disable Shared Key authorization at the storage account level to prevent unauthorized access via account keys.
151151
- **Use user delegation SAS**: When you need to provide temporary access, prefer user delegation SAS over account SAS or service SAS, as they're secured with Microsoft Entra credentials.
152152
- **Monitor access**: Enable diagnostic logging and review Azure Monitor logs regularly to track who is accessing your blob data and identify any suspicious activity.
153-
- **Apply conditional access**: Use Microsoft Entra Conditional Access policies to enforce additional security requirements such as multi-factor authentication, device compliance, or location-based access controls.
153+
- **Apply conditional access**: Use Microsoft Entra Conditional Access policies to enforce additional security requirements such as multifactor authentication, device compliance, or location-based access controls.
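Review bot: Consistent spelling fix. The "Disable Shared Key authorization" bullet in this hunk is phrased as a firm instruction, whereas the table and queue units changed in this same commit say "consider disabling" for the identical recommendation. Since the diff touches all of these files, this would be a good place to pick one strength of wording and apply it everywhere.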

learn-pr/wwl-azure/security-storage/includes/7-authorize-access-tables-use-microsoft-entra-id.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -77,6 +77,6 @@ When implementing Microsoft Entra ID authorization for Azure Table storage, foll
7777
- **Avoid Shared Key authorization**: Once you've migrated to Microsoft Entra ID authentication, consider disabling Shared Key authorization at the storage account level to prevent unauthorized access via account keys.
7878
- **Use custom roles for fine-grained control**: If the built-in roles don't meet your specific requirements, create custom Azure RBAC roles that include only the necessary permissions.
7979
- **Monitor access**: Enable diagnostic logging and regularly review Azure Monitor logs to track who is accessing your table data and identify any suspicious or unauthorized access attempts.
80-
- **Apply conditional access policies**: Use Microsoft Entra Conditional Access policies to enforce additional security requirements such as multi-factor authentication, device compliance checks, or location-based restrictions.
80+
- **Apply conditional access policies**: Use Microsoft Entra Conditional Access policies to enforce additional security requirements such as multifactor authentication, device compliance checks, or location-based restrictions.
8181
- **Regular access reviews**: Periodically review and audit role assignments to ensure users and applications still require their assigned permissions.
8282
- **Separate development and production**: Use different storage accounts and role assignments for development and production environments to minimize the risk of accidental data exposure or modification.
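Review bot: Spelling fix matches the other files. In the unchanged context, the bullet heading "Avoid Shared Key authorization" is paired with a body that says "consider disabling Shared Key authorization", while the queue unit later in this commit uses the heading "Disable Shared Key authorization" for the same body text. Suggest using the same heading in both units so the guidance reads identically across services.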

learn-pr/wwl-azure/security-storage/includes/8-authorize-access-queue-data-azure-portal.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -136,7 +136,7 @@ When implementing Microsoft Entra ID authorization for Azure Queue storage, foll
136136
- **Disable Shared Key authorization**: Once you've migrated to Microsoft Entra ID authentication, consider disabling Shared Key authorization at the storage account level to prevent unauthorized access via account keys.
137137
- **Use custom roles for fine-grained control**: If the built-in roles don't meet your specific requirements, create custom Azure RBAC roles with only the necessary permissions.
138138
- **Monitor access patterns**: Enable diagnostic logging and regularly review Azure Monitor logs to track queue access and identify any suspicious or unauthorized activity.
139-
- **Apply conditional access policies**: Use Microsoft Entra Conditional Access policies to enforce additional security requirements such as multi-factor authentication, device compliance, or location-based restrictions.
139+
- **Apply conditional access policies**: Use Microsoft Entra Conditional Access policies to enforce additional security requirements such as multifactor authentication, device compliance, or location-based restrictions.
140140
- **Implement retry logic**: Queue-based applications should implement appropriate retry logic with exponential backoff to handle transient authentication or authorization failures gracefully.
141141
- **Regular access reviews**: Periodically audit role assignments to ensure users and applications still require their assigned permissions and remove unnecessary access.
142142
- **Separate environments**: Use different storage accounts and role assignments for development, testing, and production environments to minimize the risk of accidental data exposure or modification.
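Review bot: Spelling fix is consistent. One caution on the "Implement retry logic" bullet that sits in this hunk's context: retrying "authorization failures" with exponential backoff can hide a misconfigured role assignment behind a long sequence of 403 responses. Consider narrowing the wording so retries apply to transient conditions such as token refresh or throttling, and persistent authorization denials are surfaced to the operator rather than retried.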
