Commit 7a3a6bf

More Acrolinx fixes.
1 parent 5e54f6f commit 7a3a6bf

2 files changed

+13
-13
lines changed


articles/storage/files/storage-files-identity-ad-ds-update-password.md

Lines changed: 5 additions & 5 deletions
@@ -10,9 +10,9 @@ recommendations: false
1010
---
1111

1212
# Update the password of your storage account identity in AD DS
13-
When you domain join your storage account in your Active Directory Domain Services (AD DS), you create an AD principal (computer or service account) with a password that must be periodically rotated based on the policy of the organizational unit (OU) into which it is deployed. The password of the AD principal is one of the Kerberos keys of the storage account. To avoid authentication issues, including deletion of the AD principal representing the storage account by automated cleanup scripts, you should periodically rotate the password/storage account Kerberos keys. Failing to change the password before it expires could result in losing Kerberos authentication to your Azure file shares.
13+
When you domain join your storage account in your Active Directory Domain Services (AD DS), you create an AD principal, usually either a computer or service account, with a password. The password of the AD principal is one of the Kerberos keys of the storage account. Depending on the password policy of the organization unit of the AD principal, you must periodically rotate the password of the AD principal to avoid authentication issues. Failing to change the password before it expires could result in losing Kerberos authentication to your Azure file shares. Some AD environments may also delete of the AD principals with expired passwords using automated cleanup.
1414

15-
To prevent unintended password rotation, during the onboarding of the Azure storage account in the domain, you can place the Azure storage account into a separate organizational unit in AD DS that has password rotation policies disabled using Group Policy.
15+
Instead of periodically rotating the password, you can also place the AD principal that represents the storage account into a dedicated organizational unit that has password rotation policies disabled using Group Policy.
1616

1717
There are two options for triggering password rotation. You can use the `AzFilesHybrid` module or Active Directory PowerShell. Use one method, not both.
1818

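Review bot: the rewritten line 13 has two wording defects that this Acrolinx pass introduced rather than removed: "Some AD environments may also delete of the AD principals with expired passwords" should read "may also delete AD principals with expired passwords", and "organization unit" should be "organizational unit (OU)", which is the term the old line used and which the Next step section of storage-files-identity-mount-file-share.md still uses ("domain or OU"). Suggested: "Depending on the password policy of the organizational unit (OU) that the AD principal is in, you must periodically rotate its password to avoid authentication issues." The new line 15 reads well.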
@@ -32,7 +32,7 @@ There are two options for triggering password rotation. You can use the `AzFiles
3232

3333
## Option 1: Use AzFilesHybrid module
3434

35-
You can run the `Update-AzStorageAccountADObjectPassword` cmdlet from the [AzFilesHybrid module](https://github.com/Azure-Samples/azure-files-samples/releases). You must run this command in an on-premises AD DS-joined environment by a [hybrid identity](../../active-directory/hybrid/whatis-hybrid-identity.md) with owner permission to the storage account and AD DS permissions to change the password of the identity representing the storage account. The command performs actions similar to storage account key rotation. Specifically, it gets the second Kerberos key of the storage account and uses it to update the password of the registered account in AD DS. Then it regenerates the target Kerberos key of the storage account and updates the password of the registered account in AD DS.
35+
You can run the `Update-AzStorageAccountADObjectPassword` cmdlet from the [AzFilesHybrid module](https://github.com/Azure-Samples/azure-files-samples/releases). You must run this command in an on-premises AD DS-joined environment by a [hybrid identity](../../active-directory/hybrid/whatis-hybrid-identity.md) with owner permission to the storage account and AD DS permissions to change the password of the identity representing the storage account. The command performs actions similar to storage account key rotation. Specifically, it regenerates the second Kerberos key of the storage account and then uses it to update the password of the registered account in AD DS.
3636

3737
```PowerShell
3838
# Update the password of the AD DS account registered for the storage account
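Review bot: the new line 35 no longer names the keys, but line 46 in the next hunk still refers to "kerb2" and "kerb1" without ever defining them; suggest "Specifically, it regenerates the second Kerberos key (kerb2) of the storage account and then uses it to update the password of the registered account in AD DS." The reordering itself (regenerate first, then set the AD password) now agrees with the parenthetical in the old line 46 ("kerb2 will be regenerated on the storage account before being set"), so that part of the rewrite looks right.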
@@ -43,14 +43,14 @@ Update-AzStorageAccountADObjectPassword `
4343
-StorageAccountName "<your-storage-account-name-here>"
4444
```
4545

46-
This action will change the password for the AD object from kerb1 to kerb2. This is intended to be a two-stage process: rotate from kerb1 to kerb2 (kerb2 will be regenerated on the storage account before being set), wait several hours, and then rotate back to kerb1 (this cmdlet will likewise regenerate kerb1).
46+
After you rotate to kerb2, we recommend waiting several hours and using `Update-AzStorageAccountADObjectPassword` cmdlet again regenerate and rotate back to kerb1, such that both Kerberos keys have been regenerated.
4747

4848
## Option 2: Use Active Directory PowerShell
4949

5050
If you don't want to download the `AzFilesHybrid` module, you can use [Active Directory PowerShell](/powershell/module/activedirectory).
5151

5252
> [!IMPORTANT]
53-
> The Windows Server Active Directory PowerShell cmdlets in this section must be run in Windows PowerShell 5.1 with elevated privileges. PowerShell 7.x and Azure Cloud Shell won't work in this scenario.
53+
> The Windows Server Active Directory PowerShell cmdlets in this section must be run in Windows PowerShell 5.1 with elevated privileges.
5454
5555
Replace `<domain-object-identity>` in the following script with your value, then run the script to update your domain object password:
5656

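Review bot: the new line 46 is missing a word ("again regenerate" should be "again to regenerate"), and with the old opening sentence gone the reader is never told that the first run rotates the AD password to kerb2; consider keeping "This action changes the password for the AD object from kerb1 to kerb2." before "After you rotate to kerb2, ...". Separately, line 53 drops the statement that PowerShell 7.x and Azure Cloud Shell won't work for these cmdlets; if that limitation still holds, the sentence is worth keeping because it is the only thing that tells readers why the Active Directory cmdlets fail in those shells.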
articles/storage/files/storage-files-identity-mount-file-share.md

Lines changed: 8 additions & 8 deletions
@@ -39,7 +39,7 @@ Before you can mount the Azure file share, make sure you complete the following
3939

4040
## Mount the file share from a domain-joined VM
4141

42-
Run the following PowerShell script or [use the Azure portal](storage-files-quick-create-use-windows.md#map-the-azure-file-share-to-a-windows-drive) to persistently mount the Azure file share and map it to drive Z: on Windows. If Z: is already in use, replace it with an available drive letter. Because you are already authenticated, you won't need to provide the storage account key. The script checks to see if this storage account is accessible via TCP port 445, which is the port SMB uses. Remember to replace the placeholder values with your own values. For more information, see [Use an Azure file share with Windows](storage-how-to-use-files-windows.md).
42+
Run the following PowerShell script or [use the Azure portal](storage-files-quick-create-use-windows.md#map-the-azure-file-share-to-a-windows-drive) to persistently mount the Azure file share and map it to drive `Z:` (or desired mount path) on Windows. Because you are already authenticated, you don't need to provide the storage account key. The script checks to see if this storage account is accessible via TCP port 445, which is the port SMB uses. Remember to replace the placeholder values with your own values. For more information, see [Use an Azure file share with Windows](storage-how-to-use-files-windows.md).
4343

4444
Unless you're using [custom domain names](#mount-file-shares-using-custom-domain-names), you should mount Azure file shares using the suffix `file.core.windows.net`, even if you set up a private endpoint for your share.
4545

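Review bot: line 42's new parenthetical "(or desired mount path)" is confusing because a Windows drive mapping takes a drive letter, not a path, and it replaces the clearer instruction "If Z: is already in use, replace it with an available drive letter." Suggest restoring that sentence after "map it to drive `Z:` on Windows" and dropping the parenthetical; the change from "you won't need" to "you don't need" on the same line is fine.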
@@ -63,11 +63,11 @@ If you run into issues, see [Unable to mount Azure file shares with AD credentia
6363

6464
## Mount the file share from a non-domain-joined VM or a VM joined to a different AD domain
6565

66-
If your AD source is on-premises AD DS, then non-domain-joined VMs or VMs that are joined to a different AD domain than the storage account can access Azure file shares if they have unimpeded network connectivity to the AD domain controllers and provide explicit credentials (username and password). The user accessing the file share must have an identity and credentials in the AD domain that the storage account is joined to.
66+
If your AD source is on-premises AD DS, then non-domain-joined VMs or VMs joined to a different AD domain than the storage account can access Azure file shares if they have unimpeded network connectivity to the AD domain controllers and provide explicit credentials. The user accessing the file share must have an identity and credentials in the AD domain that the storage account is joined to.
6767

68-
If your AD source is Microsoft Entra Domain Services, the VM must have unimpeded network connectivity to the domain controllers for Microsoft Entra Domain Services, which are located in Azure. This usually requires setting up a site-to-site or point-to-site VPN. The user accessing the file share must have an identity (a Microsoft Entra identity synced from Microsoft Entra ID to Microsoft Entra Domain Services) in the Microsoft Entra Domain Services managed domain.
68+
If your AD source is Microsoft Entra Domain Services, the client must have unimpeded network connectivity to the domain controllers for Microsoft Entra Domain Services, which requires setting up a site-to-site or point-to-site VPN. The user accessing the file share must have an identity (a Microsoft Entra identity synced from Microsoft Entra ID to Microsoft Entra Domain Services) in the Microsoft Entra Domain Services managed domain.
6969

70-
To mount a file share from a non-domain-joined VM, use the notation **username@domainFQDN**, where **domainFQDN** is the fully qualified domain name. This allows the client to contact the domain controller to request and receive Kerberos tickets. You can get the value of **domainFQDN** by running `(Get-ADDomain).Dnsroot` in Active Directory PowerShell.
70+
To mount a file share from a non-domain-joined VM, use the notation **username@domainFQDN**, where **domainFQDN** is the fully qualified domain name, to allow the client to contact the domain controller to request and receive Kerberos tickets. You can get the value of **domainFQDN** by running `(Get-ADDomain).Dnsroot` in Active Directory PowerShell.
7171

7272
For example:
7373

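Review bot: line 68 turns "This usually requires setting up a site-to-site or point-to-site VPN" into an unconditional "which requires", which overstates it: a client running in the same Azure virtual network as the managed domain, or in a peered one, can reach the domain controllers without any VPN, so the VPN is only needed when the client is outside that network. Keep the hedge or state the condition, for example "which requires a site-to-site or point-to-site VPN if the client isn't in a virtual network that can reach the managed domain." Replacing "the VM" with "the client" on the same line is a good generalisation, and the rewrite of line 70 reads fine.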
@@ -94,19 +94,19 @@ If you don't want to mount Azure file shares using the suffix `file.core.windows
9494
9595
In this example, we have the Active Directory domain *onpremad1.com*, and we have a storage account called *mystorageaccount* which contains SMB Azure file shares. First, we need to modify the SPN suffix of the storage account to map *mystorageaccount.onpremad1.com* to *mystorageaccount.file.core.windows.net*.
9696

97-
This allows clients to mount the share with `net use \\mystorageaccount.onpremad1.com` because clients in *onpremad1* know to search *onpremad1.com* to find the proper resource for that storage account.
97+
You can mount the file share with `net use \\mystorageaccount.onpremad1.com` because clients in *onpremad1* know to search *onpremad1.com* to find the proper resource for that storage account.
9898

9999
To use this method, complete the following steps:
100100

101-
1. Make sure you set up identity-based authentication. If your AD source is AD DS or Microsoft Entra Kerberos, make sure you synced your AD user account(s) to Microsoft Entra ID.
101+
1. Make sure you set up identity-based authentication. If your AD source is AD DS or Microsoft Entra Kerberos, make sure you synced your AD user accounts to Microsoft Entra ID.
102102

103103
2. Modify the SPN of the storage account using the `setspn` tool. You can find `<DomainDnsRoot>` by running the following Active Directory PowerShell command: `(Get-AdDomain).DnsRoot`
104104

105105
```
106106
setspn -s cifs/<storage-account-name>.<DomainDnsRoot> <storage-account-name>
107107
```
108108

109-
3. Add a CNAME entry using Active Directory DNS Manager and follow the steps below for each storage account in the domain that the storage account is joined to. If you're using a private endpoint, add the CNAME entry to map to the private endpoint name.
109+
3. Add a CNAME entry using Active Directory DNS Manager. If you're using a private endpoint, add the CNAME entry to map to the private endpoint name.
110110

111111
1. Open Active Directory DNS Manager.
112112
1. Go to your domain (for example, **onpremad1.com**).
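Review bot: step 2 (line 103, unchanged context) writes the cmdlet as `(Get-AdDomain).DnsRoot` while line 70 in the previous hunk uses `(Get-ADDomain).Dnsroot`; pick one spelling for both (the cmdlet is Get-ADDomain and the property is DnsRoot). While touching this region, the setspn code block at lines 105 to 107 has no language tag, unlike the PowerShell blocks elsewhere in these files; tagging it (cmd or console) keeps the rendering consistent. Line 109 drops the reminder to repeat the CNAME for each storage account in the domain; that is fine only if readers understand step 3 as a per-storage-account step, so consider "Add a CNAME entry for the storage account using Active Directory DNS Manager." The edits on lines 97 and 101 read well.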
@@ -121,4 +121,4 @@ You should now be able to mount the file share using *storageaccount.domainname.
121121

122122
## Next step
123123

124-
If the identity you created in AD DS to represent the storage account is in a domain or OU that enforces password rotation, you might need to [update the password of your storage account identity in AD DS](storage-files-identity-ad-ds-update-password.md).
124+
If the identity you created in AD DS to represent the storage account is in a domain or OU that enforces password rotation, you need to periodically [update the password of your storage account identity in AD DS](storage-files-identity-ad-ds-update-password.md).
