fix links and add redirect

tamram · tamram · commit 4a4672665ff1 · 2020-02-28T12:29:01.000-08:00
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
@@ -25796,6 +25796,11 @@
       "redirect_url": "/azure/storage/common/storage-account-create",
       "redirect_document_id": true
     },
+    {
+      "source_path": "articles/storage/common/authorize-active-directory-cli.md",
+      "redirect_url": "/azure/storage/common/authorize-data-operations-cli",
+      "redirect_document_id": true
+    },
     {
       "source_path": "articles/storage/common/storage-account-manage.md",
       "redirect_url": "/azure/storage/common/storage-account-keys-manage",
diff --git a/articles/storage/blobs/TOC.yml b/articles/storage/blobs/TOC.yml
@@ -284,7 +284,7 @@
           - name: PowerShell
             href: ../common/authorize-active-directory-powershell.md?toc=%2fazure%2fstorage%2fblobs%2ftoc.json
           - name: Azure CLI
-            href: ../common/authorize-active-directory-cli.md?toc=%2fazure%2fstorage%2fblobs%2ftoc.json
+            href: ../common/authorize-data-operations-cli.md?toc=%2fazure%2fstorage%2fblobs%2ftoc.json
         - name: Manage access rights with RBAC
           items:
           - name: Portal
diff --git a/articles/storage/blobs/storage-quickstart-blobs-cli.md b/articles/storage/blobs/storage-quickstart-blobs-cli.md
@@ -40,7 +40,7 @@ For more information about authentication` with Azure CLI, see [Sign in with Azu
 
 You can authorize access to Blob storage from the Azure CLI either with Azure AD credentials or by using the storage account access key. Using Azure AD credentials is recommended. This article shows how to authorize Blob storage operations using Azure AD.
 
-Azure CLI commands for data operations against Blob storage support the `--auth-mode` parameter, which enables you to specify how to authorize a given operation. Set the `--auth-mode` parameter to `login` to authorize with Azure AD credentials. For more information, see [Run Azure CLI commands with Azure AD credentials to access blob or queue data](../common/authorize-active-directory-cli.md?toc=%2fazure%2fstorage%2fblobs%2ftoc.json).
+Azure CLI commands for data operations against Blob storage support the `--auth-mode` parameter, which enables you to specify how to authorize a given operation. Set the `--auth-mode` parameter to `login` to authorize with Azure AD credentials. For more information, see [Authorize access to blob or queue data with Azure CLI](../common/authorize-data-operations-cli.md?toc=%2fazure%2fstorage%2fblobs%2ftoc.json).
 
 Only Blob storage data operations support the `--auth-mode` parameter. Management operations, such as creating a resource group or storage account, automatically use Azure AD credentials for authorization.
 
diff --git a/articles/storage/common/authorize-data-operations-cli.md b/articles/storage/common/authorize-data-operations-cli.md
@@ -17,8 +17,8 @@ ms.subservice: common
 
 Azure Storage provides extensions for Azure CLI that enable you to specify how you want to authorize operations on blob or queue data. You can authorize data operations in the following ways:
 
-- By specifying Azure Active Directory (Azure AD) credentials (recommended).
-- By specifying the account access key or a shared access signature (SAS) token.
+- With an Azure Active Directory (Azure AD) security principal. Microsoft recommends using Azure AD credentials for superior security and ease of use.
+- With the account access key or a shared access signature (SAS) token.
 
 ## Specify how data operations are authorized
 
@@ -27,53 +27,30 @@ Azure CLI commands for reading and writing blob and queue data include the optio
 - Set the `--auth-mode` parameter to `login` to sign in using an Azure AD security principal.
 - Set the `--auth-mode` parameter to the legacy `key` value to attempt to query for an account key if no authentication parameters for the account are provided.
 
-## Call Azure CLI commands using Azure AD credentials
+To use the `--auth-mode` parameter, make sure that you have installed Azure CLI version 2.0.46 or later. Run `az --version` to check your installed version.
+
+## Authorize with Azure AD credentials
 
 When you sign in to Azure CLI with Azure AD credentials, an OAuth 2.0 access token is returned. That token is automatically used by Azure CLI to authorize subsequent data operations against Blob or Queue storage. For supported operations, you no longer need to pass an account key or SAS token with the command.
 
 You can assign permissions to blob and queue data to an Azure AD security principal via role-based access control (RBAC). For more information about RBAC roles in Azure Storage, see [Manage access rights to Azure Storage data with RBAC](storage-auth-aad-rbac.md).
 
-### Supported operations
+### Permissions for calling data operations
 
 The Azure Storage extensions are supported for operations on blob and queue data. Which operations you may call depends on the permissions granted to the Azure AD security principal with which you sign in to Azure CLI. Permissions to Azure Storage containers or queues are assigned via RBAC. For example, if you are assigned the **Blob Data Reader** role, then you can run scripting commands that read data from a container or queue. If you are assigned the **Blob Data Contributor** role, then you can run scripting commands that read, write, or delete a container or queue or the data they contain.
 
 For details about the permissions required for each Azure Storage operation on a container or queue, see [Call storage operations with OAuth tokens](/rest/api/storageservices/authorize-with-azure-active-directory#call-storage-operations-with-oauth-tokens).  
 
-### Example: Authorize with Azure AD
-
-The following example shows how to create a container in a new storage account from Azure CLI using your Azure AD credentials. Remember to replace placeholder values in angle brackets with your own values:
-
-1. Make sure that you have installed Azure CLI version 2.0.46 or later. Run `az --version` to check your installed version.
-
-1. Run `az login` and authenticate in the browser window:
+### Example: Authorize an operation to create a container with Azure AD credentials
 
-    ```azurecli
-    az login
-    ```
-
-1. Specify your desired subscription. Create a resource group using [az group create](https://docs.microsoft.com/cli/azure/group?view=azure-cli-latest#az-group-create). Create a storage account within that resource group using [az storage account create](https://docs.microsoft.com/cli/azure/storage/account?view=azure-cli-latest#az-storage-account-create):
-
-    ```azurecli
-    az account set --subscription <subscription-id>
-
-    az group create \
-        --name sample-resource-group-cli \
-        --location eastus
-
-    az storage account create \
-        --name <storage-account> \
-        --resource-group sample-resource-group-cli \
-        --location eastus \
-        --sku Standard_ZRS \
-        --encryption-services blob
-    ```
+The following example shows how to create a container from Azure CLI using your Azure AD credentials. To create the container, you'll need to log in to the Azure CLI, and you'll need a resource group and a storage account. To learn how to create these resources, see [Quickstart: Create, download, and list blobs with Azure CLI](../blobs/storage-quickstart-blobs-cli.md).
 
 1. Before you create the container, assign the [Storage Blob Data Contributor](../../role-based-access-control/built-in-roles.md#storage-blob-data-contributor) role to yourself. Even though you are the account owner, you need explicit permissions to perform data operations against the storage account. For more information about assigning RBAC roles, see [Grant access to Azure blob and queue data with RBAC in the Azure portal](storage-auth-aad-rbac.md).
 
     > [!IMPORTANT]
     > RBAC role assignments may take a few minutes to propagate.
 
-1. Call the [az storage container create](https://docs.microsoft.com/cli/azure/storage/container?view=azure-cli-latest#az-storage-container-create) command with the `--auth-mode` parameter set to `login` to create the container using your Azure AD credentials:
+1. Call the [az storage container create](/cli/azure/storage/container#az-storage-container-create) command with the `--auth-mode` parameter set to `login` to create the container using your Azure AD credentials. Remember to replace placeholder values in angle brackets with your own values:
 
     ```azurecli
     az storage container create \
@@ -82,13 +59,41 @@ The following example shows how to create a container in a new storage account f
         --auth-mode login
     ```
 
-## Call Azure CLI commands using the account access key
+## Authorize with the account access key
+
+If you possess the account key, you can call any Azure Storage data operation. In general, using the account key is less secure. If the account key is compromised, all data in your account may be compromised.
+
+The following example shows how to create a container using the account access key:
 
+```azurecli
+az storage container create \
+    --account-name <storage-account> \
+    --name sample-container \
+    --auth-mode key
+```
 
+## Authorize with a SAS token
+
+If you possess a SAS token, you can call data operations that are permitted by the SAS. The following example shows how to create a container using a SAS token:
+
+```azurecli
+az storage container create \
+    --account-name <storage-account> \
+    --name sample-container \
+    --sas-token <token>
+```
 
 ## Set environment variables for authorization parameters
 
-The environment variable associated with the `--auth-mode` parameter is `AZURE_STORAGE_AUTH_MODE`. You can specify the appropriate value in the environment variable to avoid including it on every call to an Azure Storage data operation.
+You can specify authorization parameters in environment variables to avoid including them on every call to an Azure Storage data operation. The following table describes the available environment variables.
+
+| Environment variable                  | Description                                                                                                                                                                                                                                                                                                                                                                     |
+|---------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+|    AZURE_STORAGE_ACCOUNT              |    The storage account name. This variable must be used in conjunction with either the storage account key or a SAS token. If neither are present,   the command will attempt to query the storage account key using the authenticated Azure AD account. If a large number of storage commands are executed at one time, the API throttling limit may be reached.             |
+|    AZURE_STORAGE_KEY                  |    The storage account key. This variable must be used in conjunction with the storage account name.                                                                                                                                                                                                                                                                          |
+|    AZURE_STORAGE_CONNECTION_STRING    |    A connection string that includes the storage account key or a SAS token. This variable must be used in conjunction with the storage account   name.                                                                                                                                                                                                                       |
+|    AZURE_STORAGE_SAS_TOKEN            |    A shared access signature (SAS) token. This variable must be used in conjunction with the storage account name.                                                                                                                                                                                                                                                            |
+|    AZURE_STORAGE_AUTH_MODE            |    The authorization mode with which to run the command. Permitted values are `login` (recommended) or `key`. If you specify `login`, the Azure CLI will use your Azure AD credentials to authorize the data operation. If you specify the legacy `key` mode, the Azure CLI will attempt to query for the account access key and authorize the command with the key.    |
 
 ## Next steps
 
diff --git a/articles/storage/queues/TOC.yml b/articles/storage/queues/TOC.yml
@@ -116,7 +116,7 @@
         - name: PowerShell
           href: ../common/authorize-active-directory-powershell.md?toc=%2fazure%2fstorage%2fqueues%2ftoc.json
         - name: Azure CLI
-          href: ../common/authorize-active-directory-cli.md?toc=%2fazure%2fstorage%2fqueues%2ftoc.json
+          href: ../common/authorize-data-operations-cli.md?toc=%2fazure%2fstorage%2fqueues%2ftoc.json
       - name: Manage access rights with RBAC
         items:
         - name: Portal
