Merge pull request #9782 from MicrosoftDocs/rladbsal-patch-1

Update file-sync-troubleshoot-managed-identities.md

Author: rladbsal

support/azure/azure-storage/files/file-sync/file-sync-troubleshoot-managed-identities.md

@@ -221,3 +221,14 @@ Set-AzStorageSyncServerEndpointPermission -ResourceGroupName <string> -StorageSy
 This issue occurs when the **Allow Azure services on the trusted services list to access this storage account** exception isn't enabled on a storage account. To resolve this issue, enable this exception by following instructions in [Grant access to trusted Azure services and restrict access to the storage account public endpoint to specific virtual networks](/azure/storage/file-sync/file-sync-networking-endpoints#grant-access-to-trusted-azure-services-and-restrict-access-to-the-storage-account-public-endpoint-to-specific-virtual-networks).
 
 [!INCLUDE [Azure Help Support](../../../../includes/azure-help-support.md)]
+
+
+## Unsupported cross-tenant configurations 
+
+Cross-tenant topologies where the server resource (Arc-enabled server or Azure VM) and the Storage Sync Service are in **different Microsoft Entra tenants** aren't supported. Managed identity and Azure RBAC require tokens issued by the same tenant; cross-tenant authorization fails in this scenario. Do not attempt cross-tenant setups. 
+
+**Mitigation:** Align the Storage Sync Service, server resource identity, storage account RBAC assignments, and managed identity to the **same tenant**, then retry.
+
+> [!NOTE]
+> This requirement applies to **both** Arc-enabled servers and Azure VMs.
+