
Commit 19e5d64

Merge pull request #230816 from khdownie/kendownie031523
changing AAD to Azure AD
2 parents e529c2f + 02c9647 commit 19e5d64


1 file changed

+16
-16
lines changed


articles/storage/file-sync/file-sync-resource-move.md

Lines changed: 16 additions & 16 deletions
@@ -1,17 +1,17 @@
11
---
22
title: Azure File Sync resource moves and topology changes
3-
description: Learn how to move sync resources across resource groups, subscriptions, and Azure Active Directory (AAD) tenants.
3+
description: Learn how to move sync resources across resource groups, subscriptions, and Azure Active Directory tenants.
44
author: khdownie
55
ms.service: storage
66
ms.topic: how-to
7-
ms.date: 04/13/2021
7+
ms.date: 03/15/2023
88
ms.author: kendownie
99
ms.subservice: files
1010
---
1111

12-
# Move Azure File Sync resources to a different resource group, subscription, or AAD tenant
12+
# Move Azure File Sync resources to a different resource group, subscription, or Azure AD tenant
1313

14-
This article describes how to make changes to resource group, subscription, or Azure Active Directory (AAD) tenant for your Azure File Sync cloud resources and Azure storage accounts.
14+
This article describes how to make changes to resource group, subscription, or Azure Active Directory (Azure AD) tenant for your Azure File Sync cloud resources and Azure storage accounts.
1515

1616
When planning to make changes to the Azure File Sync cloud resources, it's important to consider the storage resources at the same time. The following resources exist:
1717

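Review bot: the front-matter `description` on line 3 now spells out "Azure Active Directory tenants" while the new H1 on line 12 uses "Azure AD tenant"; since line 14 is where "(Azure AD)" is first defined, consider using the same "Azure Active Directory (Azure AD)" form in the description so the two metadata fields agree. The `ms.date` bump on line 7 is appropriate for a content change.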
@@ -42,9 +42,9 @@ As a best practice, the Storage Sync Service and the storage accounts that have
4242
* Storage Sync Service and storage accounts are located in **different subscriptions** (same Azure tenant)
4343

4444
> [!IMPORTANT]
45-
> Through different combinations of moves, a Storage Sync Service and storage accounts can end up in different subscriptions, governed by different AAD tenants. Sync would even appear to be working, but this is not a supported configuration. Sync can stop in the future with no ability to get back into a working condition.
45+
> Through different combinations of moves, a Storage Sync Service and storage accounts can end up in different subscriptions, governed by different Azure AD tenants. Sync would even appear to be working, but this is not a supported configuration. Sync can stop in the future with no ability to get back into a working condition.
4646
47-
When planning your resource move, there are different considerations for [moving within the same AAD tenant](#move-within-the-same-azure-active-directory-tenant) and moving across [to a different AAD tenant](#move-to-a-new-azure-active-directory-tenant). When moving AAD tenants, always move sync and storage resources together.
47+
When planning your resource move, there are different considerations for [moving within the same Azure AD tenant](#move-within-the-same-azure-active-directory-tenant) and moving across [to a different Azure AD tenant](#move-to-a-new-azure-active-directory-tenant). When moving Azure AD tenants, always move sync and storage resources together.
4848

4949
### Move within the same Azure Active Directory tenant
5050

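Review bot: the two links on line 47 still target `#move-within-the-same-azure-active-directory-tenant` and `#move-to-a-new-azure-active-directory-tenant`, which only resolve because the H3 headings on lines 49 and 63 keep the "Azure Active Directory" wording; if a follow-up rename brings those headings in line with "Azure AD", the anchors here (and on lines 68 and 90) must be updated in the same change or the cross-references silently break.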
@@ -62,13 +62,13 @@ When planning your resource move, there are different considerations for [moving
6262
6363
### Move to a new Azure Active Directory tenant
6464

65-
Individual resources like a Storage Sync Service or storage accounts, can't move by themselves to a different AAD tenant. Only Azure subscriptions can move AAD tenants. Think about your subscription structure in the new AAD tenant. You can use a dedicated subscription for Azure File Sync.
65+
Individual resources like a Storage Sync Service or storage accounts, can't move by themselves to a different Azure AD tenant. Only Azure subscriptions can move Azure AD tenants. Think about your subscription structure in the new Azure AD tenant. You can use a dedicated subscription for Azure File Sync.
6666

6767
1. Create an Azure subscription (or determine an existing one in the old tenant that should move).
68-
1. [Perform a subscription move within the same AAD tenant](#move-within-the-same-azure-active-directory-tenant) of your Storage Sync Service and all associated storage accounts.
69-
1. Sync will stop. Complete your tenant move immediately or [restore sync's ability to access the storage accounts that moved](#azure-file-sync-storage-access-authorization). You can then move to the new AAD tenant later.
68+
1. [Perform a subscription move within the same Azure AD tenant](#move-within-the-same-azure-active-directory-tenant) of your Storage Sync Service and all associated storage accounts.
69+
1. Sync will stop. Complete your tenant move immediately or [restore sync's ability to access the storage accounts that moved](#azure-file-sync-storage-access-authorization). You can then move to the new Azure AD tenant later.
7070

71-
Once all related Azure File Sync resources have been sequestered into their own subscription, you're ready to move the entire subscription to the target AAD tenant. The [transfer subscription guide](../../role-based-access-control/transfer-subscription.md) allows you to plan and execute such a transfer.
71+
Once all related Azure File Sync resources have been sequestered into their own subscription, you're ready to move the entire subscription to the target Azure AD tenant. The [transfer subscription guide](../../role-based-access-control/transfer-subscription.md) allows you to plan and execute such a transfer.
7272

7373
> [!WARNING]
7474
> When you transfer a subscription from one tenant to another, sync will stop immediately. You have to manually authorize sync to access the relevant storage accounts in the new subscription. The [Azure File Sync storage access authorization](#azure-file-sync-storage-access-authorization) section will provide the necessary steps.
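Review bot: line 65 carries a stray comma ("storage accounts, can't move by themselves") that this rewrite touched but did not fix; suggest "Individual resources like a Storage Sync Service or storage accounts can't move by themselves to a different Azure AD tenant. Only Azure subscriptions can move between Azure AD tenants." Since the warning on line 74 states that sync stops immediately on a tenant transfer, the step on line 69 could also name the section that restores access before the tenant move so readers do not lose sync longer than planned.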
@@ -81,13 +81,13 @@ Once all related Azure File Sync resources have been sequestered into their own
8181
You are ready to start the migration once you have a plan and the required permissions:
8282
1. In the Azure portal, navigate to your subscription, **Overview** blade.
8383
1. Select **Change directory**
84-
1. Follow the wizard steps to assign the new AAD tenant.
84+
1. Follow the wizard steps to assign the new Azure AD tenant.
8585
:::column-end:::
8686
:::row-end:::
8787

8888
## Azure File Sync storage access authorization
8989

90-
When storage accounts are moved to either a new subscription or are moved within a subscription to a new Azure Active Directory (AAD) tenant, sync will stop. Role-based access control (RBAC) is used to authorize Azure File Sync to access a storage account, and these role assignments are not migrated with the resources.
90+
When storage accounts are moved to either a new subscription or are moved within a subscription to a new Azure Active Directory tenant, sync will stop. Role-based access control (RBAC) is used to authorize Azure File Sync to access a storage account, and these role assignments aren't migrated with the resources.
9191

9292
### Azure File Sync service principal
9393

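Review bot: line 90 changes "(AAD)" to the unabbreviated "Azure Active Directory tenant" but the surrounding rewritten lines (65, 71, 84) use "Azure AD tenant"; pick one form for body text. The sentence that RBAC role assignments aren't migrated with the resources is the security-relevant point of the section and would read more clearly as its own sentence rather than trailing the clause about sync stopping.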
@@ -96,7 +96,7 @@ When storage accounts are moved to either a new subscription or are moved within
9696
:::image type="content" source="media/storage-sync-resource-move/storage-sync-resource-move-afs-rp-registered-small.png" alt-text="An image showing the Azure portal, subscription management, registered resource providers." lightbox="media/storage-sync-resource-move/storage-sync-resource-move-afs-rp-registered.png":::
9797
:::column-end:::
9898
:::column:::
99-
The Azure File Sync service principal must exist in your AAD tenant before you can authorize sync access to a storage account. </br></br> When you create a new Azure subscription today, the Azure File Sync resource provider *Microsoft.StorageSync* is automatically registered with your subscription. Resource provider registration will make a *service principal* for sync available in the Azure Active Directory tenant that governs the subscription. A service principal is similar to a user account in your AAD. You can use the Azure File Sync service principal to authorize access to resources via role-based access control (RBAC). The only resource sync needs access to is your storage accounts containing the file shares that are supposed to sync. *Microsoft.StorageSync* must be assigned to the built-in role **Reader and Data access** on the storage account. </br></br> This assignment is done automatically through the user context of the logged on user when you add a file share to a sync group, or in other words, you create a cloud endpoint. When a storage account moves to a new subscription, or AAD tenant, this role assignment is lost and [must be manually reestablished](#establish-sync-access-to-a-storage-account).
99+
The Azure File Sync service principal must exist in your Azure AD tenant before you can authorize sync access to a storage account. </br></br> When you create a new Azure subscription today, the Azure File Sync resource provider *Microsoft.StorageSync* is automatically registered with your subscription. Resource provider registration will make a *service principal* for sync available in the Azure Active Directory tenant that governs the subscription. A service principal is similar to a user account in your Azure AD. You can use the Azure File Sync service principal to authorize access to resources via role-based access control (RBAC). The only resource sync needs access to is your storage accounts containing the file shares that are supposed to sync. *Microsoft.StorageSync* must be assigned to the built-in role **Reader and Data access** on the storage account. </br></br> This assignment is done automatically through the user context of the logged on user when you add a file share to a sync group, or in other words, you create a cloud endpoint. When a storage account moves to a new subscription, or Azure AD tenant, this role assignment is lost and [must be manually reestablished](#establish-sync-access-to-a-storage-account).
100100
:::column-end:::
101101
:::row-end:::
102102

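Review bot: line 99 still uses `</br></br>` for paragraph breaks, which is not a valid break tag; use `<br/><br/>` or split the text into paragraphs since this line was already being edited. The same line also alternates between "Azure AD" and "Azure Active Directory tenant" in one paragraph, and "Reader and Data access" here is capitalized differently from "Reader and Data Access" on line 117; one spelling of the role name should be used throughout.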
@@ -107,20 +107,20 @@ When storage accounts are moved to either a new subscription or are moved within
107107

108108
The [Azure File Sync service principal](#azure-file-sync-service-principal) must be used to authorize access to a storage account via role-based access control (RBAC). *Microsoft.StorageSync* must be assigned to the built-in role **Reader and Data access** on the storage account.
109109

110-
This assignment is typically done automatically through the user context of the logged on user when you add a file share to a sync group, or in other words, you create a cloud endpoint. However, when a storage account moves to a new subscription or AAD tenant, this role assignment is lost and must be manually reestablished.
110+
This assignment is typically done automatically through the user context of the logged on user when you add a file share to a sync group, or in other words, you create a cloud endpoint. However, when a storage account moves to a new subscription or Azure AD tenant, this role assignment is lost and must be manually reestablished.
111111

112112
:::row:::
113113
:::column:::
114114
:::image type="content" source="media/storage-sync-resource-move/storage-sync-resource-move-assign-rbac.png" alt-text="An image displaying the Microsoft.StorageSync service principal assigned to the Reader and Data access role on a storage account":::
115115
:::column-end:::
116116
:::column:::
117-
In the Azure portal, navigate to the storage account you need to reauthorize sync access to. <ol><li>Select **Access control (IAM)** on the left-hand table of contents.</li><li>Select the Role assignments tab to the list the users and applications (service principals) that have access to your storage account.</li><li>Select **Add**</li><li>In the **Role** tab, search and select the **Reader and Data Access** role.</li><li>In the **Members** tab, have *Assigned access to* selected as *User, group, or service principal*, click on *Select members* and in the **Select field**, type *Microsoft.StorageSync*, select the role and click **Save**. If the **Microsoft.StorageSync** service principal is not found, type **Hybrid File Sync Service** (old service principal name), select the role and click **Save**.</li></ol>
117+
<ol><li>In the Azure portal, navigate to the storage account you need to reauthorize sync access to.</li><li>Select **Access control (IAM)** on the left-hand table of contents.</li><li>Select the **Role assignments** tab to list the users and applications (service principals) that have access to your storage account.</li><li>Select **Add**</li><li>In the **Role** tab, search and select the **Reader and Data Access** role.</li><li>In the **Members** tab, have *Assigned access to* selected as *User, group, or service principal*, click on *Select members*, and in the **Select field**, type *Microsoft.StorageSync*, select the role, and select **Save**. If the **Microsoft.StorageSync** service principal isn't found, type **Hybrid File Sync Service** (old service principal name), select the role, and select **Save**.</li></ol>
118118
:::column-end:::
119119
:::row-end:::
120120

121121
## Move to a different Azure region
122122

123-
The Azure File Sync resource *Storage Sync Service* and the storage accounts that contain file shares that are syncing, have an Azure region they are deployed in. You determine that region when you create a resource. The region of the Storage Sync Service and storage account resources must match. These regions can't be changed on either resource type after their creation.
123+
The Azure File Sync resource *Storage Sync Service* and the storage accounts that contain file shares that are syncing have an Azure region they are deployed in. You determine that region when you create a resource. The region of the Storage Sync Service and storage account resources must match. These regions can't be changed on either resource type after their creation.
124124

125125
Assigning a different region to a resource is different from a [region fail-over](#region-fail-over), which can be supported depending on your storage account redundancy setting.
126126

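Review bot: in the restructured list on line 117, the Members-tab step says "type *Microsoft.StorageSync*, select the role, and select **Save**", but what is being selected at that point is the service principal, not the role (the role was chosen on the previous step); suggest "select the service principal" in both places, including the fallback for **Hybrid File Sync Service**. The comma removal on line 123 is correct.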