
Commit 4403c52

Merge branch 'patch-7' of https://github.com/GeorgeH-MS/azure-docs-pr into v-loberner-ase-msi-changes-from-293593
2 parents 46a7449 + 3032ee1 commit 4403c52

5 files changed

+30
-1
lines changed

articles/databox-online/azure-stack-edge-alerts.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -150,6 +150,8 @@ The following alerts are for issues that occur when accessing or uploading data
150150
|Could not connect to the storage account '{0}'.<sup>*</sup> |Critical |This may be due to Internet connectivity issues. The device is not able to communicate with the storage account service. In the local web UI of the device, go to **Troubleshooting** > **Diagnostic tests** and click **Run diagnostic tests**. Resolve the reported issues. |
151151
|The device has {0} files. A maximum of {1} files are supported. |Critical |Consider deleting some files from the device. |
152152
|Low throughput to and from Azure Storage detected. |Warning |In the local web UI of the device, go to **Troubleshooting** > **Diagnostic tests** and click **Run diagnostic tests**. Resolve the reported issues. If the issue persists, [contact Microsoft Support](azure-stack-edge-contact-microsoft-support.md). |
153+
|File share creation fails with insufficient permissions for cloud storage gateway. |Critical |This could happen when the Azure Storage account does not have appropriate permissions assigned for the Azure Stack Edge managed identity for the data tiering.<br>You can manually assign the following roles to the Managed identities for Azure Stack Edge resource:<ol><li>Storage Blob Data Contributor</li><li>Storage File Data Privileged Contributor</li><li>Contributor</li></ol>For more information, see [Assign an Azure role for access to blob data](../storage/blobs/assign-azure-role-data-access.md?tabs=portal#assign-an-azure-role) |
154+
|Storage account creation fails with insufficient permissions for cloud storage gateway. |Critical |This could happen when the Azure Storage account does not have appropriate permissions assigned for the Azure Stack Edge managed identity for the data tiering.<br>You can manually assign the following roles to the Managed identities for Azure Stack Edge resource:<ol><li>Storage Blob Data Contributor</li><li>Storage File Data Privileged Contributor</li><li>Contributor</li></ol>For more information, see [Assign an Azure role for access to blob data](../storage/blobs/assign-azure-role-data-access.md?tabs=portal#assign-an-azure-role) |
153155

154156
<sup>*</sup> This alert is triggered by more than one event type, with different recommended actions.
155157
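Review bot: The two new alert rows (lines 153 and 154) tell the reader to assign Contributor alongside two data roles but never state the scope of the assignment or why Contributor is needed in addition to Storage Blob Data Contributor and Storage File Data Privileged Contributor. Say explicitly that the roles are assigned on the mapped storage account, so readers do not grant Contributor at a broader scope than required. Smaller points: the roles are an unordered set, so `<ul>` fits better than `<ol>`, and the closing "For more information" sentence in both rows is missing its period.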

articles/databox-online/azure-stack-edge-gpu-deploy-add-shares.md

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -55,6 +55,15 @@ To create a share, do the following procedure:
5555
Depending upon whether you choose SMB or NFS shares, the rest of the options vary slightly.
5656

5757
c. Provide a storage account where the share will reside.
58+
59+
> [!IMPORTANT]
60+
> Tiering data from an Azure Stack Edge Pro or Data Box Gateway device to the mapped Azure Storage account uses Managed Service Identity to authorize the data access. Make sure that the Azure Storage account that you use has the following roles being assigned to the Managed identities for Azure Stack Edge resource:
61+
>
62+
> * Storage Blob Data Contributor
63+
> * Storage File Data Privileged Contributor
64+
> * Contributor
65+
>
66+
> For more information, see [Assign an Azure role for access to blob data](../storage/blobs/assign-azure-role-data-access.md?tabs=portal#assign-an-azure-role).
5867
5968
d. In the **Storage service** drop-down list, select **Block Blob**, **Page Blob**, or **Files**.
6069
The type of service you select depends on which format you want the data to use in Azure. In this example, because we want to store the data as block blobs in Azure, we select **Block Blob**. If you select **Page Blob**, make sure that your data is 512 bytes aligned. For example, a VHDX is always 512 bytes aligned.
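Review bot: The new [!IMPORTANT] block (lines 59 to 66) uses "Managed Service Identity" in its first sentence and "Managed identities for Azure Stack Edge resource" in the second, and the phrase "has the following roles being assigned to" is ungrammatical. Pick one term and reword to something like "has the following roles assigned to the managed identity of the Azure Stack Edge resource". The only reference given is the blob role-assignment article, yet the list includes Storage File Data Privileged Contributor and step d lets the reader select **Files**; add a matching reference for file data or drop the "blob data" framing.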

articles/databox-online/azure-stack-edge-gpu-install-update.md

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -119,6 +119,13 @@ We recommend that you install updates through Azure portal. The device automatic
119119

120120
> [!NOTE]
121121
> - Make sure that the device is healthy and status shows as **Your device is running fine!** before you proceed to install the updates.
122+
> - Tiering data from an Azure Stack Edge Pro or Data Box Gateway device to the mapped Azure Storage account uses Managed Service Identity to authorize the data access. Make sure that the Azure Storage account that you use has the following roles being assigned to the Managed identities for Azure Stack Edge resource:
123+
>
124+
> - Storage Blob Data Contributor
125+
> - Storage File Data Privileged Contributor
126+
> - Contributor
127+
>
128+
> For more information, see [Assign an Azure role for access to blob data](../storage/blobs/assign-azure-role-data-access.md?tabs=portal#assign-an-azure-role).
122129
123130
Depending on the software version that you're running, install process might differ slightly.
124131
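Review bot: The three role bullets at lines 124 to 126 use the same `> - ` level as the parent bullet at line 122, so as shown they are siblings of "Make sure that the device is healthy" rather than sub-items of the sentence that introduces them. Indent them, and the "For more information" line at 128, under the line 122 bullet. The note also does not say which update introduces this requirement; the storage-accounts change in this same commit ties it to 2501, and stating that here would tell readers on earlier versions whether it applies before they install.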

articles/databox-online/azure-stack-edge-gpu-manage-storage-accounts.md

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -88,6 +88,9 @@ You can now select a container from this list and select **+ Delete container**
8888

8989
Each Azure Storage account has two 512-bit storage access keys that are used for authentication when the storage account is accessed. One of these two keys must be supplied when your Azure Stack Edge device accesses your cloud storage service provider (in this case, Azure).
9090

91+
> [!NOTE]
92+
> Access your Azure Storage Account with storage access keys from Azure Stack Edge Pro or Data Box Gateway device has been deprecated in 2501. Tiering data from an Azure Stack Edge Pro or Data Box Gateway device to the mapped Azure Storage account uses Managed Service Identity to authorize the data access from 2501. For more information, see [Assign an Azure role for access to blob data](../storage/blobs/assign-azure-role-data-access.md?tabs=portal#assign-an-azure-role).
93+
9194
An Azure administrator can regenerate or change the access key by directly accessing the storage account (via the Azure Storage service). The Azure Stack Edge service and the device do not see this change automatically.
9295

9396
To inform Azure Stack Edge of the change, you will need to access the Azure Stack Edge service, access the storage account, and then synchronize the access key. The service then gets the latest key, encrypts the keys, and sends the encrypted key to the device. When the device gets the new key, it can continue to transfer data to the Azure Storage account.
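Review bot: The note added at lines 91 to 93 says access with storage access keys is deprecated from 2501, but the unchanged paragraphs around it (lines 89, 94 and 96) still say that one of the two keys "must be supplied" and walk through synchronizing keys, so the section now contradicts itself. Scope the surrounding text to versions before 2501, or move the note to the top of the section and state what replaces the key synchronization step. Also reword the first sentence ("Accessing your Azure Storage account with storage access keys ... was deprecated in 2501") and spell out on first use that 2501 is a software version.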

includes/azure-stack-edge-gateway-add-storage-account.md

Lines changed: 9 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -19,6 +19,14 @@ ms.author: alkohli
1919
2. Provide an optional description for the information on the data the storage account is holding.
2020

2121
3. By default, the Edge storage account is mapped to an Azure Storage account in the cloud, and the data from the storage account is automatically pushed to the cloud. Specify the Azure storage account that your Edge storage account is mapped to.
22+
> [!IMPORTANT]
23+
> Tiering data from an Azure Stack Edge Pro or Data Box Gateway device to the mapped Azure Storage account uses Managed Service Identity to authorize the data access. Make sure that the Azure Storage account that you use has the following roles being assigned to the Managed identities for Azure Stack Edge resource:
24+
>
25+
> * Storage Blob Data Contributor
26+
> * Storage File Data Privileged Contributor
27+
> * Contributor
28+
>
29+
> For more information, see [Assign an Azure role for access to blob data](../storage/blobs/assign-azure-role-data-access.md?tabs=portal#assign-an-azure-role).
2230
2331
4. Create a new container, or select from an existing container in the Azure storage account. Any data from the device that is written to the Edge storage account is automatically uploaded to the selected storage container in the mapped Azure Storage account.
2432
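Review bot: The [!IMPORTANT] block at lines 22 to 29 is the third copy of the same role note in this commit (it is also added to azure-stack-edge-gpu-deploy-add-shares.md and azure-stack-edge-gpu-install-update.md), and the copies already differ in list marker (`*` here, `-` in the update article). Since this file is itself an include, move the note into a single shared include and reference it from each article so the role list cannot drift. The copy here carries the same wording problem as the others: "has the following roles being assigned to" should read "has the following roles assigned to".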

@@ -30,4 +38,4 @@ ms.author: alkohli
3038

3139
![Add a storage account 2](media/azure-stack-edge-gateway-add-storage-account/add-storage-account-4.png)
3240

33-
You get the access keys by [Connecting to the device local APIs using Azure Resource Manager](../articles/databox-online/azure-stack-edge-gpu-connect-resource-manager.md).
41+
You get the access keys by [Connecting to the device local APIs using Azure Resource Manager](../articles/databox-online/azure-stack-edge-gpu-connect-resource-manager.md).
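Review bot: Line 41 is rewritten with no visible text change, which looks like a whitespace or end-of-file newline edit; confirm it is intentional or drop it from the commit. The sentence itself still tells the reader "You get the access keys by" connecting to the local APIs, while this commit adds a note elsewhere that access with storage access keys is deprecated from 2501, so it should be updated or qualified by version in the same change.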
