
Commit e8785b8

committed
Repositioned encryption example and limitations
1 parent 6ed6fec commit e8785b8

11 files changed, +214 -215 lines changed

articles/search/cognitive-search-how-to-debug-skillset.md

Lines changed: 6 additions & 6 deletions
@@ -30,12 +30,6 @@ For background on how a debug session works, see [Debug sessions in Azure AI Sea
3030

3131
+ An existing enrichment pipeline, including a data source, a skillset, an indexer, and an index.
3232

33-
## Security and permissions
34-
35-
+ To save a debug session to Azure storage, the search service identity must have **Storage Blob Data Contributor** permissions on Azure Storage. Otherwise, plan on choosing a full access connection string for the debug session connection to Azure Storage.
36-
37-
+ If the Azure Storage account is behind a firewall, configure it to [allow search service access](search-indexer-howto-access-ip-restricted.md).
38-
3933
## Limitations
4034

4135
Debug sessions work with all generally available [indexer data sources](search-data-sources-gallery.md) and most preview data sources, with the following exceptions:
@@ -50,6 +44,12 @@ Debug sessions work with all generally available [indexer data sources](search-d
5044

5145
+ For custom skills, a user-assigned managed identity isn't supported for a debug session connection to Azure Storage. As stated in the prerequisites, you can use a system managed identity, or specify a full access connection string that includes a key. For more information, see [Connect a search service to other Azure resources using a managed identity](search-how-to-managed-identities.md).
5246

47+
## Security and permissions
48+
49+
+ To save a debug session to Azure storage, the search service identity must have **Storage Blob Data Contributor** permissions on Azure Storage. Otherwise, plan on choosing a full access connection string for the debug session connection to Azure Storage.
50+
51+
+ If the Azure Storage account is behind a firewall, configure it to [allow search service access](search-indexer-howto-access-ip-restricted.md).
52+
5353
## Create a debug session
5454

5555
1. Sign in to the [Azure portal](https://portal.azure.com) and [find your search service](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Search%2FsearchServices).
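Review bot: the unchanged Limitations bullet that now sits above the moved section still says "As stated in the prerequisites, you can use a system managed identity, or specify a full access connection string that includes a key", but that guidance lives in the "Security and permissions" section, which this hunk moves below Limitations (lines 47-51). Either reword the bullet to "As described in Security and permissions" or add a one-line pointer under Prerequisites, so readers meet the identity and connection-string options before the limitation that depends on them. Since the full-access connection string embeds an account key, it would also help to state explicitly that the system-assigned identity is the preferred option and the key-based string is the fallback, which is the order the section already implies.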

articles/search/search-how-to-index-azure-blob-one-to-many.md

Lines changed: 1 addition & 1 deletion
@@ -138,7 +138,7 @@ Similar to the previous example, this mapping doesn't result in four documents s
138138

139139
## Limitations
140140

141-
When a document entry in the index is created from a line in a file, as explained in this article, deleting that line from the file does'nt automatically remove the corresponding entry from the index. To delete the document entry, you must manually submit a deletion request to the index using the [REST API deletion operation](/rest/api/searchservice/addupdate-or-delete-documents).
141+
When a document entry in the index is created from a line in a file, as explained in this article, deleting that line from the file doesn't automatically remove the corresponding entry from the index. To delete the document entry, you must manually submit a deletion request to the index using the [REST API deletion operation](/rest/api/searchservice/addupdate-or-delete-documents).
142142

143143
## Next steps
144144

articles/search/search-how-to-index-azure-data-lake-storage.md

Lines changed: 6 additions & 6 deletions
@@ -37,6 +37,12 @@ For a code sample in C#, see [Index Data Lake Gen2 using Microsoft Entra ID](htt
3737

3838
+ Use a [REST client](search-get-started-text.md) to formulate REST calls similar to the ones shown in this article.
3939

40+
## Limitations
41+
42+
+ Unlike blob indexers, ADLS Gen2 indexers can't use container-level SAS tokens for enumerating and indexing content from a storage account. This is because the indexer makes a check to determine if the storage account has hierarchical namespaces enabled by calling the [Filesystem - Get properties API](/rest/api/storageservices/datalakestoragegen2/filesystem/get-properties). For storage accounts where hierarchical namespaces are not enabled, customers are instead recommended to utilize [blob indexers](search-how-to-index-azure-blob-storage.md) to ensure performant enumeration of blobs.
43+
44+
+ If the property `metadata_storage_path` is mapped to be the index key field, blobs are not guaranteed to get reindexed upon a directory rename. If you desire to reindex the blobs that are part of the renamed directories, update the `LastModified` timestamps for all of them.
45+
4046
<a name="SupportedFormats"></a>
4147

4248
## Supported document formats
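Review bot: the new bullets (lines 42 and 44) mix the contractions introduced by the rewrite ("can't use container-level SAS tokens") with phrasing carried over from the old numbered list ("customers are instead recommended to utilize", "are not enabled", "are not guaranteed"); for consistency, use "For storage accounts without hierarchical namespaces, use blob indexers instead" and "blobs aren't guaranteed to be reindexed". The second bullet would also read better if it said why updating `LastModified` triggers reindexing, since it currently leaves the reader to infer the change-detection mechanism from the workaround.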
@@ -306,12 +312,6 @@ PUT /indexers/[indexer name]?api-version=2025-09-01
306312
|"failOnUnprocessableDocument" | true or false | If the indexer is unable to process a document of an otherwise supported content type, specify whether to continue or fail the job. |
307313
| "indexStorageMetadataOnlyForOversizedDocuments" | true or false | Oversized blobs are treated as errors by default. If you set this parameter to true, the indexer will try to index its metadata even if the content cannot be indexed. For limits on blob size, see [service Limits](search-limits-quotas-capacity.md). |
308314

309-
## Limitations
310-
311-
1. Unlike blob indexers, ADLS Gen2 indexers cannot utilize container level SAS tokens for enumerating and indexing content from a storage account. This is because the indexer makes a check to determine if the storage account has hierarchical namespaces enabled by calling the [Filesystem - Get properties API](/rest/api/storageservices/datalakestoragegen2/filesystem/get-properties). For storage accounts where hierarchical namespaces are not enabled, customers are instead recommended to utilize [blob indexers](search-how-to-index-azure-blob-storage.md) to ensure performant enumeration of blobs.
312-
313-
2. If the property `metadata_storage_path` is mapped to be the index key field, blobs are not guaranteed to get reindexed upon a directory rename. If you desire to reindex the blobs that are part of the renamed directories, update the `LastModified` timestamps for all of them.
314-
315315
## Next steps
316316

317317
You can now [run the indexer](search-howto-run-reset-indexers.md), [monitor status](search-monitor-indexers.md), or [schedule indexer execution](search-howto-schedule-indexers.md). The following articles apply to indexers that pull content from Azure Storage:

articles/search/search-how-to-index-onelake-files.md

Lines changed: 16 additions & 17 deletions
@@ -48,6 +48,22 @@ This article uses the REST APIs to illustrate each step.
4848

4949
+ A [REST client](search-get-started-text.md) to formulate REST calls similar to the ones shown in this article.
5050

51+
## Limitations
52+
53+
+ Parquet (including delta parquet) file types aren't currently supported.
54+
55+
+ File deletion isn't supported for Amazon S3 and Google Cloud Storage shortcuts.
56+
57+
+ This indexer doesn't support OneLake workspace Table location content.
58+
59+
+ This indexer doesn't support SQL queries, but the query used in the data source configuration is exclusively to add optionally the folder or shortcut to access.
60+
61+
+ There's no support to ingest files from **My Workspace** workspace in OneLake since this is a personal repository per user.
62+
63+
+ Microsoft Purview Sensitivity Labels applied via Data Map are not currently supported. If sensitivity labels are applied to artifacts in OneLake using [Microsoft Purview Data Map](/purview/data-map-sensitivity-labels-apply), the indexer may fail to execute properly. To bypass this restriction, an exception must be granted by your organization’s IT team responsible for managing Purview sensitivity labels and Data Map configurations.
64+
65+
+ Workspace role-based permissions in Microsoft OneLake may affect indexer access to files. Ensure that the Azure AI Search service principal (managed identity) has sufficient permissions over the files you intend to access in the target [Microsoft Fabric workspace](/fabric/fundamentals/workspaces).
66+
5167
## Supported tasks
5268

5369
You can use this indexer for the following tasks:
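Review bot: in the Purview bullet (line 63), "To bypass this restriction, an exception must be granted by your organization's IT team" reads as advice to circumvent a data-protection control; since the exception is a sanctioned Purview configuration change, phrase it as "To index labeled content, request an exception from the team that manages Purview sensitivity labels and Data Map configuration". The SQL bullet (line 59) is hard to parse: "the query used in the data source configuration is exclusively to add optionally the folder or shortcut to access" should be "the query field in the data source configuration is used only to optionally specify the folder or shortcut to access". "are not currently supported" (line 63) should also match the contraction style of the other bullets ("aren't").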
@@ -78,23 +94,6 @@ The following OneLake shortcuts are supported by the OneLake files indexer:
7894

7995
+ [Google Cloud Storage shortcut](/fabric/onelake/create-gcs-shortcut)
8096

81-
## Limitations
82-
83-
+ Parquet (including delta parquet) file types aren't currently supported.
84-
85-
+ File deletion isn't supported for Amazon S3 and Google Cloud Storage shortcuts.
86-
87-
+ This indexer doesn't support OneLake workspace Table location content.
88-
89-
+ This indexer doesn't support SQL queries, but the query used in the data source configuration is exclusively to add optionally the folder or shortcut to access.
90-
91-
+ There's no support to ingest files from **My Workspace** workspace in OneLake since this is a personal repository per user.
92-
93-
+ Microsoft Purview Sensitivity Labels applied via Data Map are not currently supported. If sensitivity labels are applied to artifacts in OneLake using [Microsoft Purview Data Map](/purview/data-map-sensitivity-labels-apply), the indexer may fail to execute properly. To bypass this restriction, an exception must be granted by your organization’s IT team responsible for managing Purview sensitivity labels and Data Map configurations.
94-
95-
+ Workspace role-based permissions in Microsoft OneLake may affect indexer access to files. Ensure that the Azure AI Search service principal (managed identity) has sufficient permissions over the files you intend to access in the target [Microsoft Fabric workspace](/fabric/fundamentals/workspaces).
96-
97-
9897
## Prepare data for indexing
9998

10099
Before you set up indexing, review your source data to determine whether any changes should be made to your data in the lakehouse. An indexer can index content from one container at a time. By default, all files in the container are processed. You have several options for more selective processing:

articles/search/search-howto-managed-identities-cosmos-db.md

Lines changed: 4 additions & 4 deletions
@@ -24,6 +24,10 @@ You can use a system-assigned managed identity or a user-assigned managed identi
2424

2525
* [Create a managed identity](search-how-to-managed-identities.md) for your search service.
2626

27+
## Limitations
28+
29+
* Indexers that connect to Azure Cosmos DB for Gremlin and MongoDB (currently in preview) only support the _legacy_ approach.
30+
2731
## Supported approaches for managed identity authentication
2832

2933
Azure AI Search supports two mechanisms to connect to Azure Cosmos DB using managed identity.
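Review bot: the Limitations bullet added at line 29 refers to "the _legacy_ approach" before the article has introduced the legacy and modern approaches, which now happens in the "Supported approaches for managed identity authentication" section that follows it (line 31 onward). Either add a short clause ("only support the _legacy_ approach, described in the next section") or link the term to that section, so the limitation makes sense to a reader arriving from the top of the article.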
@@ -34,10 +38,6 @@ Azure AI Search supports two mechanisms to connect to Azure Cosmos DB using mana
3438

3539
Indexers that connect to Azure Cosmos DB for NoSQL support both the _legacy_ and the _modern_ approach - the _modern_ approach is recommended.
3640

37-
## Limitations
38-
39-
* Indexers that connect to Azure Cosmos DB for Gremlin and MongoDB (currently in preview) only support the _legacy_ approach.
40-
4141
## Connect to Azure Cosmos DB for NoSQL
4242

4343
This section outlines the steps to configure connecting to Azure Cosmos DB for NoSQL via the _modern_ approach.

articles/search/search-query-access-control-rbac-enforcement.md

Lines changed: 9 additions & 9 deletions
@@ -17,7 +17,7 @@ Azure Data Lake Storage (ADLS) Gen2 provides an access model that makes fine-gra
1717

1818
This article explains how to set up queries that use permission metadata to filter results.
1919

20-
## Requirements
20+
## Prerequisites
2121

2222
- Permission metadata must be in `filterable` string fields. You won't use the filter in your queries, but the search engine builds a filter internally to exclude unauthorized content.
2323

@@ -27,6 +27,14 @@ This article explains how to set up queries that use permission metadata to filt
2727

2828
- The latest preview REST API (2025-08-01-preview) or a preview package of an Azure SDK to query the index. This API version supports internal queries that filter out unauthorized results.
2929

30+
## Limitations
31+
32+
- If ACL evaluation fails (for example, the Graph API is unavailable), the service returns **5xx** and does **not** return a partially filtered result set.
33+
34+
- Document visibility requires both:
35+
- the calling application’s RBAC role (Authorization header)
36+
- the user identity carried by **x-ms-query-source-authorization**
37+
3038
## How query-time enforcement works
3139

3240
This section lists the order of operations for ACL enforcement at query time. Operations vary depending on whether you use Azure RBAC scope or Microsoft Entra ID group or user IDs.
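Review bot: the "Document visibility requires both" item (lines 34-36) is a requirement, not a limitation; it belongs under the Prerequisites heading this commit introduces, next to the existing bullet on the preview REST API, and its two sub-bullets need nested-list indentation, which the rendered diff does not show. For the 5xx bullet (line 32), the fail-closed behaviour is the right outcome, so spell out the client-side consequence: callers should treat the 5xx as an error to surface or retry, not as an empty result set, and must not retry with a request that drops **x-ms-query-source-authorization**, since the internal filter depends on the identity that header carries.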
@@ -51,14 +59,6 @@ For Azure RBAC, permissions are lists of resource ID strings. There must be an A
5159

5260
The security filter efficiently matches the userIds, groupIds, and rbacScope from the request against each list of ACLs in every document in the search index to limit the results returned to ones the user has access to. It's important to note that each filter is applied independently and a document is considered authorized if any filter succeeds. For example, if a user has access to a document through userIds but not through groupIds, the document is still considered valid and returned to the user.
5361

54-
## Limitations
55-
56-
- If ACL evaluation fails (for example, the Graph API is unavailable), the service returns **5xx** and does **not** return a partially filtered result set.
57-
58-
- Document visibility requires both:
59-
- the calling application’s RBAC role (Authorization header)
60-
- the user identity carried by **x-ms-query-source-authorization**
61-
6262
## Query example
6363

6464
Here's an example of a query request from [sample code](https://github.com/Azure-Samples/azure-search-rest-samples/tree/main/Quickstart-ACL). The query token is passed in the request header. The query token is the personal access token of a user or a group identity behind the request.
