Merge pull request #195108 from tamram/tamram22-0413

Azure AD conditional access requires disallowing Shared Key

Author: laurabren

articles/storage/common/authorize-data-access.md

@@ -1,20 +1,23 @@
 ---
-title: Authorize data operations
+title: Authorize operations for data access
 titleSuffix: Azure Storage
 description: Learn about the different ways to authorize access to data in Azure Storage. Azure Storage supports authorization with Azure Active Directory, Shared Key authorization, or shared access signatures (SAS), and also supports anonymous access to blobs.
 services: storage
 author: tamram
 
 ms.service: storage
 ms.topic: conceptual
-ms.date: 11/16/2021
+ms.date: 04/14/2022
 ms.author: tamram
+ms.reviewer: nachakra
 ms.subservice: common
 ---
 
 # Authorize access to data in Azure Storage
 
-Each time you access data in your storage account, your client application makes a request over HTTP/HTTPS to Azure Storage. By default, every resource in Azure Storage is secured, and every request to a secure resource must be authorized. Authorization ensures that the client application has the appropriate permissions to access data in your storage account.
+Each time you access data in your storage account, your client application makes a request over HTTP/HTTPS to Azure Storage. By default, every resource in Azure Storage is secured, and every request to a secure resource must be authorized. Authorization ensures that the client application has the appropriate permissions to access a particular resource in your storage account.
+
+## Understand authorization for data operations
 
 The following table describes the options that Azure Storage offers for authorizing access to data:
 
@@ -38,19 +41,20 @@ Each authorization option is briefly described below:
 
 - **Shared Key authorization** for blobs, files, queues, and tables. A client using Shared Key passes a header with every request that is signed using the storage account access key. For more information, see [Authorize with Shared Key](/rest/api/storageservices/authorize-with-shared-key/).
 
-    You can disallow Shared Key authorization for a storage account. When Shared Key authorization is disallowed, clients must use Azure AD to authorize requests for data in that storage account. For more information, see [Prevent Shared Key authorization for an Azure Storage account](shared-key-authorization-prevent.md).
+    Microsoft recommends that you disallow Shared Key authorization for your storage account. When Shared Key authorization is disallowed, clients must use Azure AD or a user delegation SAS to authorize requests for data in that storage account. For more information, see [Prevent Shared Key authorization for an Azure Storage account](shared-key-authorization-prevent.md).
 
-- **Shared access signatures** for blobs, files, queues, and tables. Shared access signatures (SAS) provide limited delegated access to resources in a storage account. Adding constraints on the time interval for which the signature is valid or on permissions it grants provides flexibility in managing access. For more information, see [Using shared access signatures (SAS)](storage-sas-overview.md).
+- **Shared access signatures** for blobs, files, queues, and tables. Shared access signatures (SAS) provide limited delegated access to resources in a storage account via a signed URL. The signed URL specifies the permissions granted to the resource and the interval over which the signature is valid. A service SAS or account SAS is signed with the account key, while the user delegation SAS is signed with Azure AD credentials and applies to blobs only. For more information, see [Using shared access signatures (SAS)](storage-sas-overview.md).
 
 - **Anonymous public read access** for containers and blobs. When anonymous access is configured, then clients can read blob data without authorization. For more information, see [Manage anonymous read access to containers and blobs](../blobs/anonymous-read-access-configure.md).
 
     You can disallow anonymous public read access for a storage account. When anonymous public read access is disallowed, then users cannot configure containers to enable anonymous access, and all requests must be authorized. For more information, see [Prevent anonymous public read access to containers and blobs](../blobs/anonymous-read-access-prevent.md).
-    
+
 - **Storage Local Users** can be used to access blobs with SFTP or files with SMB. Storage Local Users support container level permissions for authorization. See [Connect to Azure Blob Storage by using the SSH File Transfer Protocol (SFTP)](../blobs/secure-file-transfer-protocol-support-how-to.md) for more information on how Storage Local Users can be used with SFTP.
 
+[!INCLUDE [storage-account-key-note-include](../../../includes/storage-account-key-note-include.md)]
+
 ## Next steps
 
 - Authorize access with Azure Active Directory to either [blob](../blobs/authorize-access-azure-active-directory.md), [queue](../queues/authorize-access-azure-active-directory.md), or [table](../tables/authorize-access-azure-active-directory.md) resources.
 - [Authorize with Shared Key](/rest/api/storageservices/authorize-with-shared-key/)
 - [Grant limited access to Azure Storage resources using shared access signatures (SAS)](storage-sas-overview.md)
-        

articles/storage/common/shared-key-authorization-prevent.md

@@ -9,7 +9,7 @@ ms.service: storage
 ms.topic: how-to
 ms.date: 04/01/2022
 ms.author: tamram
-ms.reviewer: fryu 
+ms.reviewer: nachakra 
 ms.custom: devx-track-azurepowershell, devx-track-azurecli 
 ms.devlang: azurecli
 ---

articles/storage/common/storage-account-keys-manage.md

@@ -7,8 +7,9 @@ author: tamram
 
 ms.service: storage
 ms.topic: how-to
-ms.date: 01/25/2022
-ms.author: tamram 
+ms.date: 04/14/2022
+ms.author: tamram
+ms.reviewer: nachakra 
 ms.custom: devx-track-azurepowershell
 ---
 
@@ -287,3 +288,4 @@ To bring a storage account into compliance, rotate the account access keys.
 
 - [Azure storage account overview](storage-account-overview.md)
 - [Create a storage account](storage-account-create.md)
+- [Prevent Shared Key authorization for an Azure Storage account](shared-key-authorization-prevent.md)

articles/storage/common/storage-configure-connection-string.md

@@ -7,9 +7,9 @@ author: tamram
 
 ms.service: storage
 ms.topic: how-to
-ms.date: 10/14/2020
+ms.date: 04/14/2022
 ms.author: tamram
-ms.reviewer: ozgun
+ms.reviewer: nachakra
 ms.subservice: common
 ---
 

includes/storage-account-key-note-include.md

@@ -5,7 +5,7 @@ services: storage
 author: tamram
 ms.service: storage
 ms.topic: "include"
-ms.date: 12/09/2021
+ms.date: 04/14/2022
 ms.author: tamram
 ms.custom: "include file"
 ---
@@ -15,4 +15,6 @@ ms.custom: "include file"
 Your storage account access keys are similar to a root password for your storage account. Always be careful to protect your access keys. Use Azure Key Vault to manage and rotate your keys securely. Avoid distributing access keys to other users, hard-coding them, or saving them anywhere in plain text that is accessible to others. Rotate your keys if you believe they may have been compromised.
 
 > [!NOTE]
-> Microsoft recommends using Azure Active Directory (Azure AD) to authorize requests against blob and queue data if possible, instead of Shared Key. Azure AD provides superior security and ease of use over Shared Key.
+> Microsoft recommends using Azure Active Directory (Azure AD) to authorize requests against blob and queue data if possible, rather than using the account keys (Shared Key authorization). Authorization with Azure AD provides superior security and ease of use over Shared Key authorization.
+>
+> To protect an Azure Storage account with Azure AD Conditional Access policies, you must disallow Shared Key authorization for the storage account. For more information about how to disallow Shared Key authorization, see [Prevent Shared Key authorization for an Azure Storage account](../articles/storage/common/shared-key-authorization-prevent.md).