MicrosoftDocs
diff --git a/‎articles/app-service/configure-connect-to-azure-storage.md
Lines changed: 1 addition & 1 deletion b/‎articles/app-service/configure-connect-to-azure-storage.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/app-service/includes/configure-azure-storage/azure-storage-linux-container-pivot.md
Lines changed: 125 additions & 12 deletions b/‎articles/app-service/includes/configure-azure-storage/azure-storage-linux-container-pivot.md
Lines changed: 125 additions & 12 deletions
@@ -4,7 +4,7 @@ description: Learn how to attach custom network share  in Azure App Service. Sha
 author: msangapu-msft
 
 ms.topic: article
-ms.date: 8/4/2023
+ms.date: 8/24/2023
 ms.author: msangapu
 zone_pivot_groups: app-service-containers-code
 ---
 
@@ -2,10 +2,14 @@
 author: msangapu-msft
 ms.service: app-service
 ms.topic: include
-ms.date: 08/04/2023
+ms.date: 08/24/2023
 ms.author: msangapu
 ---
 
+> [!NOTE]
+> Azure Key Vault support for Azure Storage is in preview.
+>
+
 This guide shows how to mount Azure Storage as a network share in a built-in Linux container or a custom Linux container in App Service. See the video [how to mount Azure Storage as a local share](https://www.youtube.com/watch?v=OJkvpWYr57Y). For using Azure Storage in an ARM template, see [Bring your own storage](https://github.com/Azure/app-service-linux-docs/blob/master/BringYourOwnStorage/BYOS_azureFiles.json). Azure Storage is non-default storage for App Service and billed separately.
 
 The benefits of custom-mounted storage include:
@@ -19,11 +23,49 @@ The following features are supported for Linux containers:
 - Azure Blobs (read-only).
 - Up to five mount points per app.
 
+This article covers three options for mounting your storage account:
+
+### [Basic](#tab/basic)
+
+Choose this option when mounting storage using the Azure portal. You can use the basic option as long as the storage account isn't using [service endpoints](../../../storage/common/storage-network-security.md#grant-access-from-a-virtual-network), [private endpoints](../../../storage/common/storage-private-endpoints.md), or [Azure Key Vault](../../../key-vault/general/overview.md). In this case, the portal gets and stores the access key for you. 
+
+If you plan to mount storage using the Azure CLI, you need to obtain an access key. 
+
+### [Access Key](#tab/access-key)
+
+Choose this option storage account isn't using [service endpoints](../../../storage/common/storage-network-security.md#grant-access-from-a-virtual-network), [private endpoints](../../../storage/common/storage-private-endpoints.md), or [Azure Key Vault](../../../key-vault/general/overview.md). 
+
+Also use this option when you plan to mount storage using the Azure CLI, which requires the access key. 
+
+### [Key Vault](#tab/key-vault)
+
+Choose this option when using Azure Key Vault to securely store and retrieve access keys. [Azure Key Vault](../../../key-vault/general/overview.md) has the benefits of storing application secrets centrally and securely with the ability to monitor, administer, and integrate with other Azure services like Azure App Service.
+
+---
+
+
 ## Prerequisites
 
+### [Basic](#tab/basic)
+
+- An existing [App Service on Linux app](../../index.yml).
+- An [Azure Storage account](../../../storage/common/storage-account-create.md?tabs=azure-cli).
+- An [Azure file share and directory](../../../storage/files/storage-how-to-use-files-portal.md). 
+
+### [Access Key](#tab/access-key)
+
 - An existing [App Service on Linux app](../../index.yml).
-- An [Azure Storage Account](../../../storage/common/storage-account-create.md?tabs=azure-cli).
-- An [Azure file share and directory](../../../storage/files/storage-how-to-use-files-portal.md).
+- An [Azure Storage account](../../../storage/common/storage-account-create.md?tabs=azure-cli).
+- An [Azure file share and directory](../../../storage/files/storage-how-to-use-files-portal.md). 
+
+### [Key Vault](#tab/key-vault)
+
+- An existing [App Service on Linux app](../../index.yml).
+- An [Azure Storage account](../../../storage/common/storage-account-create.md?tabs=azure-cli).
+- An [Azure file share and directory](../../../storage/files/storage-how-to-use-files-portal.md). 
+- An [Azure Key Vault](../../../key-vault/general/overview.md) instance using the [vault access policy](../../../key-vault/general/assign-access-policy.md?WT.mc_id=Portal-Microsoft_Azure_KeyVault&tabs=azure-portal) and a [secret](../../../key-vault/secrets/quick-create-portal.md), which is required to configure the Key Vault with Azure Storage.
+
+---
 
 ## Limitations
 
@@ -33,13 +75,75 @@ The following features are supported for Linux containers:
 - Mapping `/` or `/home` to custom-mounted storage isn't supported.
 - Don't map the storage mount to `/tmp` or its subdirectories as this action may cause a timeout during app startup.
 - Azure Storage isn't supported with [Docker Compose](../../configure-custom-container.md?pivots=container-linux#docker-compose-options) scenarios.
-- Storage mounts aren't included in [backups](../../manage-backup.md). Be sure to follow best practices to backup the Azure Storage accounts.
+- Storage mounts aren't included in [backups](../../manage-backup.md). Be sure to follow best practices to back up the Azure Storage accounts.
 - Azure Files [NFS](../../../storage/files/files-nfs-protocol.md) is currently unsupported for App Service on Linux. Only Azure Files [SMB](../../../storage/files/files-smb-protocol.md) are supported.
-- With VNET integration on your app, the mounted drive will use an RC1918 IP address and not an IP address from your VNET.
+- With VNET integration on your app, the mounted drive uses an RFC1918 IP address and not an IP address from your VNET.
+
+## Prepare for mounting
+
+
+### [Basic](#tab/basic)
+
+No extra steps are required because the portal gets and stores the access key for you. 
+
+### [Access Key](#tab/access-key)
+
+You need to obtain the access key from your storage account. <!--link or instructions? -->
+
+### [Key Vault](#tab/key-vault)
+
+Before you can mount storage using Key Vault access, you need to get the Key Vault secret and add it as an application setting in your app.  
+
+1. In the portal, browse to your Key Vault secret and copy the **Secret Identifier** into your clipboard.
+:::image type="content" source="../../media/configure-azure-storage/key-vault-secret-identifier.png" alt-text="Screenshot of Key Vault secret identifier.":::
+
+1. Back in your app, create an [**application setting**](../../configure-common.md?tabs=portal#configure-app-settings) and paste the Key Vault **Secret Identifier** into **Value**.
+:::image type="content" source="../../media/configure-azure-storage/secret-identifier-application-setting.png" alt-text="Screenshot of Secret Identifier application setting.":::
+
+Now you're ready to use Key Vault to access your storage account.
+
+---
+
 
 ## Mount storage to Linux container
 
-# [Azure portal](#tab/portal)
+The way that you mount storage depends on your storage access option and whether you are using the portal or the Azure CLI.
+
+# [Azure portal](#tab/portal/basic)
+
+1. In the [Azure portal](https://portal.azure.com), navigate to the app.
+1. From the left navigation, click **Configuration** > **Path Mappings** > **New Azure Storage Mount**. 
+1. Configure the storage mount according to the following table. When finished, click **OK**.
+
+    | Setting | Description |
+    |-|-|
+    | **Name** | Name of the mount configuration. Spaces aren't allowed. |
+    | **Configuration options** | Select **Basic**. if the storage account isn't using [service endpoints](../../../storage/common/storage-network-security.md#grant-access-from-a-virtual-network), [private endpoints](../../../storage/common/storage-private-endpoints.md), or [Azure Key Vault](../../../key-vault/general/overview.md). Otherwise, select **Advanced**. |
+    | **Storage accounts** | Azure Storage account. |
+    | **Storage type** | Select the type based on the storage you want to mount. Azure Blobs only supports read-only access. |
+    | **Storage container** or **Share name** | Files share or Blobs container to mount. |
+    | **Mount path** | Directory inside the Linux container to mount to Azure Storage. Don't use `/` or `/home`.|
+    | **Deployment slot setting** | When checked, the storage mount settings also apply to deployment slots.|
+
+# [Azure portal](#tab/portal/access-key)
+
+1. In the [Azure portal](https://portal.azure.com), navigate to the app.
+1. From the left navigation, click **Configuration** > **Path Mappings** > **New Azure Storage Mount**. 
+1. Configure the storage mount according to the following table. When finished, click **OK**.
+
+    | Setting | Description |
+    |-|-|
+    | **Name** | Name of the mount configuration. Spaces aren't allowed. |
+    | **Configuration options** | Select  **Advanced**. |
+    | **Storage accounts** | Azure Storage account. |
+    | **Storage type** | Select the type based on the storage you want to mount. Azure Blobs only supports read-only access. |
+    | **Storage container** or **Share name** | Files share or Blobs container to mount. |
+    | **Storage access** | Select **Manual input**. |
+    | **Access key** | Enter the [access key](../../../storage/common/storage-account-keys-manage.md) for your storage account. |
+    | **Mount path** | Directory inside the Linux container to mount to Azure Storage. Don't use `/` or `/home`.|
+    | **Deployment slot setting** | When checked, the storage mount settings also apply to deployment slots.|
+
+# [Azure portal](#tab/portal/key-vault)
 
 1. In the [Azure portal](https://portal.azure.com), navigate to the app.
 1. From the left navigation, click **Configuration** > **Path Mappings** > **New Azure Storage Mount**. 
@@ -48,15 +152,22 @@ The following features are supported for Linux containers:
     | Setting | Description |
     |-|-|
     | **Name** | Name of the mount configuration. Spaces aren't allowed. |
-    | **Configuration options** | Select **Basic** if the storage account isn't using [service endpoints](../../../storage/common/storage-network-security.md#grant-access-from-a-virtual-network) or [private endpoints](../../../storage/common/storage-private-endpoints.md). Otherwise, select **Advanced**. |
+    | **Configuration options** | Select **Advanced**. |
     | **Storage accounts** | Azure Storage account. |
     | **Storage type** | Select the type based on the storage you want to mount. Azure Blobs only supports read-only access. |
     | **Storage container** or **Share name** | Files share or Blobs container to mount. |
-    | **Access key** (Advanced only) | [Access key](../../../storage/common/storage-account-keys-manage.md) for your storage account. |
+    | **Storage access** | Select **Key vault reference**. |
+    | **Application settings**| Select the existing app setting that's configured with the Azure Key Vault secret.|
     | **Mount path** | Directory inside the Linux container to mount to Azure Storage. Don't use `/` or `/home`.|
     | **Deployment slot setting** | When checked, the storage mount settings also apply to deployment slots.|
 
-# [Azure CLI](#tab/cli)
+1. [Grant your app access to the Key Vault](../../app-service-key-vault-references.md?#grant-your-app-access-to-a-key-vault) to access the storage mount.
+
+# [Azure CLI](#tab/cli/basic)
+
+Using Azure CLI to mount storage requires you to provide the storage access key.
+
+# [Azure CLI](#tab/cli/access-key)
 
 Use the [`az webapp config storage-account add`](/cli/azure/webapp/config/storage-account#az-webapp-config-storage-account-add) command. For example:
 
@@ -73,6 +184,10 @@ Verify your storage is mounted by running the following command:
 az webapp config storage-account list --resource-group <resource-group> --name <app-name>
 ```
 
+# [Azure CLI](#tab/cli/key-vault)
+
+Mounting storage with Key Vault access isn't currently supported by the Azure CLI. Use the portal instead.
+
 ---
 
 > [!NOTE]
@@ -98,12 +213,10 @@ To validate that the Azure Storage is mounted successfully for the app:
 
 ## Best practices
 
-- To avoid latency issues, place the app and the Azure Storage account in the same region. Note that if you grant access from App Service IP addresses in the [Azure Storage firewall configuration](../../../storage/common/storage-network-security.md) when the app and Azure Storage account are in the same region, then these IP restrictions aren't honored.
+- To avoid latency issues, place the app and the Azure Storage account in the same region. If you grant access from App Service IP addresses in the [Azure Storage firewall configuration](../../../storage/common/storage-network-security.md) when the app and Azure Storage account are in the same region, then these IP restrictions aren't honored.
 
 - The mount directory in the custom container should be empty. Any content stored at this path is deleted when the Azure Storage is mounted (if you specify a directory under `/home`, for example). If you are migrating files for an existing app, make a backup of the app and its content before you begin.
 
-- Mounting the storage to `/home` isn't recommended because it may result in performance bottlenecks for the app.
-
 - In the Azure Storage account, avoid [regenerating the access key](../../../storage/common/storage-account-keys-manage.md) that's used to mount the storage in the app. The storage account contains two different keys. Azure App Services stores Azure storage account key. Use a stepwise approach to ensure that the storage mount remains available to the app during key regeneration. For example, assuming that you used **key1** to configure storage mount in your app:
 
     1. Regenerate **key2**.