Merge pull request #265637 from pauljewellmsft/abac-env

prmerger-automator[bot] · web-flow · commit 178f3f907075 · 2024-02-08T14:42:04.000Z
[ABAC] Add clarification for subnet attribute
diff --git a/articles/role-based-access-control/conditions-format.md b/articles/role-based-access-control/conditions-format.md
@@ -277,7 +277,7 @@ The following table lists the supported environment attributes for conditions.
 
 <sup>1</sup> For copy operations, the `Is private link`, `Private endpoint`, and `Subnet` attributes only apply to the destination, such a storage account, not the source. For more information about the copy operations this applies to, select each attribute in the table to see more details.<br />
 <sup>2</sup> You can only use the `Private endpoint` attribute if you currently have at least one private endpoint configured in your subscription.<br />
-<sup>3</sup> You can only use the `Subnet` attribute if you currently have at least one virtual network subnet configured in your subscription.<br />
+<sup>3</sup> You can only use the `Subnet` attribute if you currently have at least one virtual network subnet using [service endpoints](../storage/common/storage-network-security.md#grant-access-from-a-virtual-network) configured in your subscription.<br />
 
 #### Principal attributes
 
diff --git a/articles/role-based-access-control/conditions-prerequisites.md b/articles/role-based-access-control/conditions-prerequisites.md
@@ -61,6 +61,12 @@ For more information about custom security attributes, see:
 - [Principal does not appear in Attribute source](conditions-troubleshoot.md#symptom---principal-does-not-appear-in-attribute-source)
 - [Add or deactivate custom security attributes in Microsoft Entra ID](../active-directory/fundamentals/custom-security-attributes-add.md)
 
+## Environment attributes
+
+To use the [Private endpoint](../storage/blobs/storage-auth-abac-attributes.md#private-endpoint) attribute, you must have at least one private endpoint configured in your subscription.
+
+To use the [Subnet](../storage/blobs/storage-auth-abac-attributes.md#subnet) attribute, you must have at least one virtual network subnet using [service endpoints](../storage/common/storage-network-security.md#grant-access-from-a-virtual-network) configured in your subscription.
+
 ## Next steps
 
 - [Example Azure role assignment conditions for Blob Storage](../storage/blobs/storage-auth-abac-examples.md)
diff --git a/articles/storage/blobs/storage-auth-abac-attributes.md b/articles/storage/blobs/storage-auth-abac-attributes.md
@@ -6,7 +6,7 @@ author: pauljewellmsft
 ms.author: pauljewell
 ms.service: azure-blob-storage
 ms.topic: conceptual
-ms.date: 01/26/2024
+ms.date: 02/07/2024
 ms.reviewer: nachakra
 ---
 
@@ -524,7 +524,7 @@ The following table summarizes the available attributes by source:
 > | Property | Value |
 > | --- | --- |
 > | **Display name** | Subnet |
-> | **Description** | The subnet over which an object is accessed.<br/>Use to restrict access to a specific subnet.<br/>*Available only for storage accounts in subscriptions that have at least one virtual network subnet configured.* |
+> | **Description** | The subnet over which an object is accessed.<br/>Use to restrict access to a specific subnet.<br/>*Available only for storage accounts in subscriptions that have at least one virtual network subnet using [service endpoints](../common/storage-network-security.md#grant-access-from-a-virtual-network) configured.* |
 > | **Attribute** | `Microsoft.Network/virtualNetworks/subnets` |
 > | **Attribute source** | [Environment](../../role-based-access-control/conditions-format.md#environment-attributes) |
 > | **Attribute type** | [String](../../role-based-access-control/conditions-format.md#string-comparison-operators) |
diff --git a/articles/storage/blobs/storage-auth-abac-examples.md b/articles/storage/blobs/storage-auth-abac-examples.md
@@ -8,7 +8,7 @@ ms.service: azure-blob-storage
 ms.topic: conceptual
 ms.reviewer: nachakra
 ms.custom: devx-track-azurepowershell
-ms.date: 01/19/2024
+ms.date: 02/08/2024
 #Customer intent: As a dev, devops, or it admin, I want to learn about the conditions so that I write more complex conditions.
 ---
 
@@ -1694,7 +1694,7 @@ Set-AzRoleAssignment -InputObject $testRa -PassThru
 
 ### Example: Allow access to blobs in specific containers from a specific subnet
 
-This condition allows read, write, add and delete access to blobs in `container1` only from subnet `default` on virtual network `virtualnetwork1`.
+This condition allows read, write, add and delete access to blobs in `container1` only from subnet `default` on virtual network `virtualnetwork1`. To use the [Subnet](storage-auth-abac-attributes.md#subnet) attribute in this example, the subnet must have [service endpoints enabled](../common/storage-network-security.md#grant-access-from-a-virtual-network) for Azure Storage.
 
 There are five potential actions for read, write, add and delete access to existing blobs. To make this condition effective for principals that have multiple role assignments, you must add this condition to all role assignments that include any of the following actions.
 
