MicrosoftDocs
diff --git a/‎articles/storage-discovery/TOC.yml
Lines changed: 28 additions & 0 deletions b/‎articles/storage-discovery/TOC.yml
Lines changed: 28 additions & 0 deletions
diff --git a/‎articles/storage-discovery/create-workspace.md
Lines changed: 124 additions & 0 deletions b/‎articles/storage-discovery/create-workspace.md
Lines changed: 124 additions & 0 deletions
diff --git a/‎articles/storage-discovery/deployment-planning.md
Lines changed: 138 additions & 0 deletions b/‎articles/storage-discovery/deployment-planning.md
Lines changed: 138 additions & 0 deletions
@@ -0,0 +1,28 @@
+items:
+- name: Azure Storage Discovery documentation
+  href: ./index.yml
+- name: Overview
+  items:
+  - name: What is Azure Storage Discovery?
+    href: overview.md  
+  expanded: true
+- name: Concepts
+  items:
+  - name: Management components
+    href: management-components.md
+  - name: Planning for deployment
+    href: deployment-planning.md
+  - name: Pricing
+    href: pricing.md
+- name: How-To
+  items: 
+  - name: Deploy
+    items:
+    - name: Create Storage Discovery Workspace
+      href: create-workspace.md     
+- name: Resources
+  items:
+  - name: Release notes
+    href: release-notes.md
+  - name: Frequently Asked Questions
+    href: frequently-asked-questions.md
@@ -0,0 +1,124 @@
+---
+title: Create and manage an Azure Storage Discovery Workspace
+titleSuffix: Azure Storage Discovery
+description: Learn how to create an Azure Storage Discovery Workspace.
+author: fauhse
+
+ms.service: azure-storage-discovery
+ms.topic: overview
+ms.date: 07/22/2025
+ms.author: fauhse
+---
+
+<!-- 
+!########################################################
+STATUS: DRAFT
+
+CONTENT: IN PROGRESS
+
+REVIEW Stephen/Fabian: IN PROGRESS
+EDIT PASS: IN PROGRESS
+
+Document score: 100 - 495/0 (words, issues)
+
+!########################################################
+-->
+
+# Create and manage a storage discovery workspace
+
+The Azure Storage Discovery Workspace (ASDW) is a central resource within the Azure Storage Discovery platform. A discovery workspace is designed to help users manage and visualize storage data across various scopes such as tenants, subscriptions, and resource groups.
+
+Follow the steps in this article to create an ASDW resource.
+
+## Create a storage discovery workspace
+
+You can create a storage discovery workspace using the Azure portal, Azure CLI, or ARM templates. 
+
+### [Azure portal](#tab/portal)
+
+Create an ASDW resource by selecting **Create** as shown in the following image.
+
+:::image source="media/create-workspace/create-resource-sml.png" alt-text="Screenshot of the Create ASDW page."  lightbox="media/create-workspace/create-resource.png":::
+
+Choose the **Subscription** and **Resource group** in which to create the discovery workspace. The following table describes each element.
+
+| Element        | Description                                                       |
+|----------------|-------------------------------------------------------------------|
+| `Name`         | The name of the Discovery workspace resource.                     |
+| `Description`  | Optional. Description of the Discovery workspace resource.        |
+| `Region`       | Azure region where the Discovery resource is created.<sup>1</sup> |
+| `Pricing plan` | Storage Discovery pricing plan.<sup>2</sup>                       |
+
+<sup>1</sup> For information on regions covered, see [Storage Discovery workspace regions](deployment-planning.md). 
+<sup>2</sup> For information on Storage Discovery pricing plan, see [Understand Storage Discovery Pricing](pricing.md).
+
+## Define workspaceRoots
+
+A workspaceRoot specifies the top-level Azure resource identifiers where Storage Discovery initiates its scan for storage accounts. These identifiers are typically subscriptions or resource groups, and serve as the root of the discovery process. WorkspaceRoots define the overall scope and boundaries of your Azure estate for analysis.
+
+Select the subscriptions and/or resource groups you want to include in the workspace.
+
+> [!NOTE]
+> - Ensure that the user or service principal deploying the workspace is granted at least **Reader** access to each specified root.
+> - Up to 100 resources - subscriptions and/or resource groups can be included in one ASDW.
+
+:::image source="media/create-workspace/workspace-roots-checks-sml.png" alt-text="Screenshot of the workspaceRoots."  lightbox="media/create-workspace/workspace-roots-checks.png":::
+
+After you add your subscriptions, resource groups, or tenant to your workspace, the service runs an access check to verify that the user has `Microsoft.Storage/storageAccounts/read` on the added resources. The following image provides an example of an access check failure with the associated status message.
+
+:::image source="media/create-workspace/create-access-sml.png" alt-text="Screenshot of the access check on workspaceRoots."  lightbox="media/create-workspace/create-access.png":::
+
+If you don't have `Microsoft.Storage/storageAccounts/read` on any of the resources added, remove the resource from the workSpaceRoots to proceed with the creation of workspace or resolve the access issue and try again.
+
+## Create a Scope
+Scopes are logical groupings of storage accounts within the defined workspaceRoots. Scopes allow you to filter and organize data using tags and resource types, enabling targeted insights. For example, you can create scopes for individual departments, environments, or compliance zones.
+
+:::image source="media/create-workspace/create-scope-sml.png" alt-text="Screenshot of a scope."  lightbox="media/create-workspace/create-scope.png":::
+
+> [!IMPORTANT]
+> A **default Scope** is added automatically, which includes all storage accounts within subscriptions or resource groups added in the **workspaceRoots**.
+
+Add tags on the ASDW resource, if needed, and select **Review and Create**. You aren't able to deploy the resource until an access validation is complete. If the check for the workspaceRoots resources isn't complete, a message is displayed.
+
+:::image source="media/create-workspace/access-check-sml.png" alt-text="Screenshot of access checks running."  lightbox="media/create-workspace/access-check.png":::
+
+> [!NOTE]
+> Discovery resource creation fails if the access checks on any subscription, resource group, or tenant isn't successful.
+
+After the access checks complete successfully, the resource can be deployed as shown in the following sample image.
+
+:::image source="media/create-workspace/deploy-resource-sml.png" alt-text="Screenshot of the deployment complete."  lightbox="media/create-workspace/deploy-resource.png":::
+
+### [Azure PowerShell](#tab/powershell)
+
+Something like this:
+
+```powershell
+
+# Set variables for the resources
+$resGroupName   = "MyResourceGroup"
+$workSpaceName  = "MyStorageDiscoveryWorkspace"
+$location       = "East US"
+$DiscoveryScopeLevel1 = "MyScopeLevel1"
+$DiscoveryScopeLevel2 = "MyScopeLevel2"
+
+# First, prepare local DiscoveryScope object, which can be used to 
+# both create/update Workspace
+$scope1 =  New-AzStorageDiscoveryScopeObject -DisplayName "test1" `
+            -ResourceType "Microsoft.Storage/storageAccounts"  `
+            -TagKeysOnly "e2etest1" -Tag @{"tag1" = "value1"; "tag2" = "value2" }
+$scope2 =  New-AzStorageDiscoveryScopeObject -DisplayName "test2" `
+            -ResourceType "Microsoft.Storage/storageAccounts"  `
+            -TagKeysOnly "e2etest2" -Tag @{"tag3" = "value3" }
+
+# CVreate the discovery workspace
+New-AzStorageDiscoveryWorkspace -Name $workSpaceName  -ResourceGroupName $resGroupName `
+-Location $location -Description 123 -WorkspaceRoot $DiscoveryScopeLevel1 `
+-Sku Standard   -Scope $scope1  # -debug 
+
+```
+
+---
+
+> [!NOTE]
+> It can take up to 24 hours after scope creation for metrics to begin appearing in reports.
@@ -0,0 +1,138 @@
+---
+title: Planning for an Azure Storage Discovery deployment
+titleSuffix: Azure Storage Discovery
+description: Considerations and best-practices for deploying the Azure Storage Discovery service
+author: fauhse
+ms.service: azure-storage-mover
+ms.topic: overview
+ms.date: 08/01/2025
+ms.author: fauhse
+---
+
+# Planning for an Azure Storage Discovery deployment
+
+Before you continue, be sure to get an [overview of the Storage Discovery service](overview.md) and the value it can provide to you.
+
+## Make sure the service works for your scenario
+
+Azure Storage Discovery currently surfaces insights for resources of the Azure Blob Storage service.
+Coverage also includes storage accounts configured with the [hierarchical namespace feature](../storage/blobs/data-lake-storage-namespace.md) to enable [Azure Data Lake Storage](../storage/blobs/data-lake-storage-introduction.md).
+
+Discovery currently doesn't work for [Azure Files](../storage/files/storage-files-introduction.md) or other storage types.
+
+## Deployment basics
+
+Your Azure Storage resources (like storage accounts) experience no transactions or performance impact when analyzing them with Azure Storage Discovery.
+
+Deploying the service means deploying and configuring a *Storage Discovery workspace resource* into a resource group in one of your subscriptions.
+The Discovery service works to compute and store insights about your Azure Blob Storage estate. These computed insights are stored in the region of the workspace you created. Other than the Storage Discovery workspace, no other infrastructure needs to be deployed.
+
+The workspace can be configured to aggregate insights across any subscriptions in the Azure tenant the workspace is deployed in.
+To generate insights about Azure Storage resources, such as storage accounts, you need to be a member of the RBAC (Role Based Access Control) Reader role for every storage resource.
+
+> [!IMPORTANT]
+> To get accurate insights, you need to configure your workspace for resources you have permissions to.<br> The [permissions section](#permissions) in this article has important details you should review.
+
+## Getting your subscription ready
+
+You need to choose a subscription governed by the same Azure tenant as the Azure Storage resources (such as storage accounts) you want to receive insights for. When you decided on an Azure subscription and resource group for your Storage Discovery workspace, review the following sections to ensure your subscription is prepared.
+
+### Resource provider namespace
+
+Before a service is used for the first time in an Azure subscription, its resource provider namespace must be registered once with the chosen subscription. Azure Storage Discovery has the same requirement. A subscription *Owner* or *Contributor* can perform this action. Performing this registration action before the actual Storage Discovery workspace deployment enables admins with fewer rights to deploy and use the Storage Discovery service.
+
+> [!IMPORTANT]
+> The subscription must be registered with the resource provider namespaces *Microsoft.StorageDiscovery*.
+
+Register a resource provider:
+
+- [via the Azure portal](../azure-resource-manager/management/resource-providers-and-types.md#azure-portal)
+- [via Azure PowerShell](../azure-resource-manager/management/resource-providers-and-types.md#azure-powershell)
+- [via Azure CLI](../azure-resource-manager/management/resource-providers-and-types.md#azure-cli)
+
+> [!TIP]
+> When you deploy a Storage Discovery workspace as a subscription *Owner* or *Contributor* through the Azure portal, your subscription is automatically registered with this resource provider namespace. You only need to perform the registration manually when using Azure PowerShell or CLI.
+
+Once a subscription is enabled for this resource provider namespace, it remains enabled until manually unregistered. You can even delete the last Storage Discovery workspace and your subscription still remains enabled. Subsequent Storage Discovery workspace deployments then require reduced permissions from an admin. The following section contains a breakdown of different management scenarios and their required permissions.
+
+### Decide on the number of workspaces you need
+
+A Storage Discovery workspace needs to be configured with *scopes*. The management components article shares [details about workspace scopes](management-components.md).
+Scopes are logical groups of storage resources. For instance, a scope can refer to all the storage resources of a specific workload or department that you want to get insights for separately. 
+
+Since you can only configure a limited number of scopes in a workspace, you may need more than one workspace to cover your insights reporting needs.
+
+If a workspace is to be used for higher-level insights, you can create one with one scope for your entire Azure Storage estate and then add scopes for each department.
+If a workspace is designated to provide insights for specific workloads, then you can create a workspace containing a scope for each workload.
+
+> [!IMPORTANT]
+> During the Azure Storage Discovery preview period, the Discovery service covers only storage accounts located in select regions. <br>The [Understand region limitations](#understand-region-limitations) section in this article has details.
+
+### Review your Azure resource tags
+
+You can select which storage resources are included in a [workspace scope](management-components.md) by first selecting specific subscriptions or resource groups, and then filtering the storage resources within them by [Azure resource tags](../azure-resource-manager/management/tag-resources.md).
+It's important that you familiarize yourself with the available resource tags on your storage resources. Ensure they're consistently applied and then catalog them for building the scopes in your workspace. Plan the scopes you need in order to have insights available per department, workload, or other grouping you have a use for.
+
+## Select an Azure region for your deployment
+
+When you deploy a Storage Discovery workspace, you need to choose a region. The region you select determines where the computed insights about your Azure Storage resources are stored. You can still capture insights for Azure Storage resources that are located in other regions. A general best practice is to choose the region for your workspace according to metadata residency requirements that apply to you and in closer proximity to your location. Visualizing your insights from a workspace closer to you can have a slight performance advantage.
+
+Storage Discovery workspaces can be created in the following regions. More regions are added throughout the preview period.
+
+[!INCLUDE [control-plane-regions](includes/control-plane-regions.md)]
+
+## Understand region limitations
+
+While a Storage Discovery workspace can cover storage accounts from other subscriptions and resource groups, and even other regions, there's an important region limitation you need to be aware of for a successful Storage Discovery deployment.
+
+The Discovery service covers only storage accounts located in the following regions:
+<br><br>
+[!INCLUDE [data-plane-regions](includes/data-plane-regions.md)]
+<br>
+
+> [!WARNING]
+> The Discovery service currently can't consider storage accounts located in regions not included in the previously listed locations. Including storage accounts from unsupported regions in a scope can lead to an incomplete set of insights. A short-term limitation of the preview period.
+
+## Permissions
+
+Permissions are managed via the familiar Azure [Role Based Access Control](../role-based-access-control/overview.md) (RBAC).
+This sections covers:
+* Permission to the storage resources you want to get insights for from the Discovery service.
+* Permission considerations for a workspace resource.
+
+### Permissions to your storage resources
+
+During the creation of a Storage Discovery workspace, you configure the [workspace root](management-components.md). The [management components](management-components.md) article provides more details for this configuration.
+In the workspace root, you list at least one and at most 100 Azure resources of different types:
+- subscriptions
+- resource groups
+- storage accounts
+
+The person deploying the workspace must have at least the RBAC role assignment *Reader* for every resource in the workspace root.
+*Reader* is the minimum permission level required. *Contributor* and *Owner* are also supported.
+
+It's possible that you see a subscription listed in the Azure portal, for which you don't have this direct *Reader* role assignment. When you can see a resource you don't have a role assignment to, then most likely you have permissions to a sub resource in this subscription. In this case, the existence of this "parent" was revealed to you, but you have no rights on the subscription resource itself. This example can be extended to resource groups as well. Missing a *Reader* or higher direct role assignment disqualifies an Azure resource from being the basis (root) of a workspace.
+
+Permissions are only validated when a workspace is created. Any change to permissions of the Azure account that created the workspace, including its deletion, has no effect on the workspace or the Discovery service functionality.
+
+### Permission considerations for a workspace resource
+
+The Azure Storage Discovery workspace stores the computed insights for your storage estate. You can access reports in the Azure portal, or use these insights via the Azure Copilot. In order to access insights stored in a workspace, a user must have at least the RBAC role *Reader* on the workspace. *Contributor* and *Owner* role assignments also work. You can provide insights-access to another user by assigning them one of the three previously listed roles on the workspace.
+
+
+|Scenario |Minimal RBAC role assignments needed                                             |
+|:--------|--------------------------------------------------------------------------------:|
+|Register a resource provider namespace with a subscription|	Subscription: `Contributor`	|
+|Deploy a Storage Discovery workspace <br>*([Resource provider namespace already registered](#resource-provider-namespace))*|	Resource group: `Contributor` |
+|Share the Storage Discovery insights with another person | Storage Discovery workspace: `Reader`|
+|Enable a person to make changes to the workspace configuration| Storage Discovery workspace: `Contributor`|
+|Enable a person to share these insights with others | Storage Discovery workspace: `Owner`|
+
+> [!CAUTION]
+> When you provide other users access to a workspace, you're disclosing all insights of the workspace. Other users might not be privileged to know about the existence of the Azure resources or insights about the data they store. Providing access to a workspace doesn't provide access to an individual storage account, resource group, or subscription. Individual resources remain governed by RBAC.
+
+## Next steps
+
+- [Review the Storage Discovery management components](management-components.md)
+- [Understand Storage Discovery pricing](pricing.md)
+- [Create a Storage Discovery workspace](create-workspace.md)