Merge pull request #220272 from khdownie/kendownie120222

prmerger-automator[bot] · web-flow · commit 42774710888c · 2022-12-02T21:09:48.000Z
adding MFA links
diff --git a/articles/storage/files/storage-files-identity-auth-azure-active-directory-enable.md b/articles/storage/files/storage-files-identity-auth-azure-active-directory-enable.md
@@ -4,7 +4,7 @@ description: Learn how to enable identity-based Kerberos authentication for hybr
 author: khdownie
 ms.service: storage
 ms.topic: how-to
-ms.date: 11/29/2022
+ms.date: 12/02/2022
 ms.author: kendownie
 ms.subservice: files
 ms.custom: engagement-fy23
@@ -154,11 +154,16 @@ After enabling Azure AD Kerberos authentication, you'll need to explicitly grant
 
 ## Disable multi-factor authentication on the storage account
 
-Azure AD Kerberos doesn't support using MFA to access Azure file shares configured with Azure AD Kerberos. You must exclude the Azure AD app representing your storage account from your MFA conditional access policies if they apply to all apps. The storage account app should have the same name as the storage account in the conditional access exclusion list.
+Azure AD Kerberos doesn't support using MFA to access Azure file shares configured with Azure AD Kerberos. You must exclude the Azure AD app representing your storage account from your MFA conditional access policies if they apply to all apps. The storage account app should have the same name as the storage account in the conditional access exclusion list, for example **[Storage Account] $storageAccountName.file.core.windows.net**.
 
   > [!IMPORTANT]
   > If you don't exclude MFA policies from the storage account app, you won't be able to access the file share. Trying to map the file share using `net use` will result in an error message that says "System error 1327: Account restrictions are preventing this user from signing in. For example: blank passwords aren't allowed, sign-in times are limited, or a policy restriction has been enforced."
 
+For guidance on disabling MFA, see the following:
+
+- [Add exclusions for service principals of Azure resources](../../active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa.md#user-exclusions)
+- [Create a conditional access policy](../../active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa.md#create-a-conditional-access-policy)
+
 ## Assign share-level permissions
 
 When you enable identity-based access, you can set for each share which users and groups have access to that particular share. Once a user is allowed into a share, Windows ACLs (also called NTFS permissions) on individual files and directories take over. This allows for fine-grained control over permissions, similar to an SMB share on a Windows server.
