Merge pull request #281022 from roygara/sasBk

Jill Grant · web-flow · commit 7d38b913310f · 2024-08-15T16:52:54.000-06:00
Staging draft.
diff --git a/articles/virtual-machines/includes/disks-sas-change.md b/articles/virtual-machines/includes/disks-sas-change.md
@@ -0,0 +1,18 @@
+---
+ title: include file
+ description: include file
+ author: roygara
+ ms.service: azure-disk-storage
+ ms.topic: include
+ ms.date: 08/15/2024
+ ms.author: rogarana
+ ms.custom: include file
+---
+> [!IMPORTANT]
+> On February 15th, 2025, the Shared Access Signature (SAS) access time for disks and snapshots will be limited to a maximum of 60 days. Trying to generate a SAS with an expiration longer than 60 days results in an error. Any existing disk or snapshot SAS created with an expiration longer than 60 days may stop working 60 days after the date of creation and will result in a 403 error during authorization.
+
+If a managed disk or snapshot SAS's expiration is longer than 60 days, revoke its access, and generate a new SAS that requests access for 60 days (5,184,000 seconds) or less. Improve your overall security by using SAS with shorter expiration dates. Make these changes before February 15, 2025 to prevent service interruption. The following links can be used to find, revoke, and request a new SAS.
+
+- To check if a disk has an active SAS, you can either use the [REST API](/rest/api/compute/disks/get?view=rest-compute-2024-03-01&tabs=HTTP#diskstate), the [Azure CLI](/cli/azure/disk?view=azure-cli-latest#az-disk-show), or the [Azure PowerShell module](/powershell/module/az.compute/get-azdisk?view=azps-12.0.0), and examine the **DiskState** property.
+- To revoke a SAS, you can use either the [REST API](/rest/api/compute/disks/revoke-access?view=rest-compute-2024-03-01&tabs=HTTP), the [Azure CLI](/cli/azure/disk?view=azure-cli-latest#az-disk-revoke-access), or the [Azure PowerShell module](/powershell/module/az.compute/revoke-azdiskaccess?view=azps-12.0.0).
+- To create a SAS, you can use either the [REST API](/rest/api/compute/disks/grant-access?view=rest-compute-2024-03-01&tabs=HTTP), the [Azure CLI](/cli/azure/disk?view=azure-cli-latest), or the [Azure PowerShell module](/powershell/module/az.compute/grant-azdiskaccess?view=azps-12.2.0&viewFallbackFrom=azps-12.0.0), and set the access duration to 5,184,000 seconds or less.
diff --git a/articles/virtual-machines/linux/disks-upload-vhd-to-managed-disk-cli.md b/articles/virtual-machines/linux/disks-upload-vhd-to-managed-disk-cli.md
@@ -4,7 +4,7 @@ description: Learn how to upload a VHD to an Azure managed disk and copy a manag
 services: "virtual-machines,storage"
 author: roygara
 ms.author: rogarana
-ms.date: 10/17/2023
+ms.date: 08/15/2024
 ms.topic: how-to
 ms.service: azure-disk-storage
 ms.custom: devx-track-azurecli, linux-related-content
@@ -54,7 +54,7 @@ If you'd prefer to upload disks through a GUI, you can do so using Azure Storage
 - If you intend to upload a VHD from on-premises: A fixed size VHD that [has been prepared for Azure](../windows/prepare-for-upload-vhd-image.md), stored locally.
 - Or, a managed disk in Azure, if you intend to perform a copy action.
 
-To upload your VHD to Azure, you'll need to create an empty managed disk that is configured for this upload process. Before you create one, there's some additional information you should know about these disks.
+To upload your VHD to Azure, you need to create an empty managed disk that is configured for this upload process. Before you create one, there's some additional information you should know about these disks.
 
 This kind of managed disk has two unique states:
 
@@ -66,7 +66,7 @@ This kind of managed disk has two unique states:
 
 ## Create an empty managed disk
 
-Before you can create an empty standard HDD for uploading, you'll need the file size of the VHD you want to upload, in bytes. To get that, you can use either `wc -c <yourFileName>.vhd` or `ls -al <yourFileName>.vhd`. This value is used when specifying the **--upload-size-bytes** parameter.
+Before you can create an empty standard HDD for uploading, you need the file size of the VHD you want to upload, in bytes. To get that, you can use either `wc -c <yourFileName>.vhd` or `ls -al <yourFileName>.vhd`. This value is used when specifying the **--upload-size-bytes** parameter.
 
 Create an empty standard HDD for uploading by specifying both the **-–for-upload** parameter and the **--upload-size-bytes** parameter in a [disk create](/cli/azure/disk#az-disk-create) cmdlet:
 
@@ -90,7 +90,7 @@ If you would like to upload a different disk type, replace **standard_lrs** with
 
 ### (Optional) Grant access to the disk
 
-If you're using Microsoft Entra ID to secure uploads, you'll need to [assign RBAC permissions](../../role-based-access-control/role-assignments-cli.md) to grant access to the disk and generate a writeable SAS.
+If you're using Microsoft Entra ID to secure uploads, you need to [assign RBAC permissions](../../role-based-access-control/role-assignments-cli.md) to grant access to the disk and generate a writeable SAS.
 
 ```azurecli
 az role assignment create --assignee "{assignee}" \
@@ -100,9 +100,11 @@ az role assignment create --assignee "{assignee}" \
 
 ### Generate writeable SAS
 
-Now that you've created an empty managed disk that is configured for the upload process, you can upload a VHD to it. To upload a VHD to the disk, you'll need a writeable SAS, so that you can reference it as the destination for your upload.
+Now that you've created an empty managed disk that is configured for the upload process, you can upload a VHD to it. To upload a VHD to the disk, you need a writeable SAS, so that you can reference it as the destination for your upload.
 
-To generate a writable SAS of your empty managed disk, replace `<yourdiskname>`and `<yourresourcegroupname>`, then use the following command:
+[!INCLUDE [disks-sas-change](../includes/disks-sas-change.md)]
+
+To generate a writable SAS of your empty managed disk, replace `<yourdiskname>` and `<yourresourcegroupname>`, then use the following command:
 
 ```azurecli
 az disk grant-access -n <yourdiskname> -g <yourresourcegroupname> --access-level Write --duration-in-seconds 86400
@@ -122,13 +124,13 @@ Now that you have a SAS for your empty managed disk, you can use it to set your
 
 Use AzCopy v10 to upload your local VHD or VHDX file to a managed disk by specifying the SAS URI you generated.
 
-This upload has the same throughput as the equivalent [standard HDD](../disks-types.md#standard-hdds). For example, if you have a size that equates to S4, you will have a throughput of up to 60 MiB/s. But, if you have a size that equates to S70, you will have a throughput of up to 500 MiB/s.
+This upload has the same throughput as the equivalent [standard HDD](../disks-types.md#standard-hdds). For example, if you have a size that equates to S4, you'll have a throughput of up to 60 MiB/s. But, if you have a size that equates to S70, you'll have a throughput of up to 500 MiB/s.
 
 ```bash
 AzCopy.exe copy "c:\somewhere\mydisk.vhd" "sas-URI" --blob-type PageBlob
 ```
 
-After the upload is complete, and you no longer need to write any more data to the disk, revoke the SAS. Revoking the SAS will change the state of the managed disk and allow you to attach the disk to a VM.
+After the upload is complete, and you no longer need to write any more data to the disk, revoke the SAS. Revoking the SAS changes the state of the managed disk and allow you to attach the disk to a VM.
 
 Replace `<yourdiskname>`and `<yourresourcegroupname>`, then use the following command to make the disk usable:
 
@@ -140,7 +142,7 @@ az disk revoke-access -n <yourdiskname> -g <yourresourcegroupname>
 
 Direct upload also simplifies the process of copying a managed disk. You can either copy within the same region or cross-region (to another region).
 
-The following script will do this for you, the process is similar to the steps described earlier, with some differences since you're working with an existing disk.
+The following script does this for you. The process is similar to the steps described earlier, with some differences since you're working with an existing disk.
 
 > [!IMPORTANT]
 > You need to add an offset of 512 when you're providing the disk size in bytes of a managed disk from Azure. This is because Azure omits the footer when returning the disk size. The copy will fail if you don't do this. The following script already does this for you.
@@ -178,4 +180,4 @@ az disk revoke-access -n $targetDiskName -g $targetRG
 
 Now that you've successfully uploaded a VHD to a managed disk, you can attach the disk as a [data disk to an existing VM](add-disk.md) or [attach the disk to a VM as an OS disk](upload-vhd.md#create-the-vm), to create a new VM.
 
-If you've additional questions, see the [uploading a managed disk](../faq-for-disks.yml#uploading-to-a-managed-disk) section in the FAQ.
+If you've more questions, see the [uploading a managed disk](../faq-for-disks.yml#uploading-to-a-managed-disk) section in the FAQ.
diff --git a/articles/virtual-machines/linux/download-vhd.md b/articles/virtual-machines/linux/download-vhd.md
@@ -7,7 +7,7 @@ ms.service: azure-disk-storage
 ms.custom: devx-track-azurecli, linux-related-content
 ms.collection: linux
 ms.topic: how-to
-ms.date: 10/17/2023
+ms.date: 07/16/2024
 ---
 
 # Download a Linux VHD from Azure
@@ -57,6 +57,8 @@ Your snapshot will be created shortly, and can then be used to download or creat
 
 To download the VHD file, you need to generate a [shared access signature (SAS)](../../storage/common/storage-sas-overview.md?toc=/azure/virtual-machines/windows/toc.json) URL. When the URL is generated, an expiration time is assigned to the URL.
 
+[!INCLUDE [disks-sas-change](../includes/disks-sas-change.md)]
+
 # [Portal](#tab/azure-portal)
 
 1. On the menu of the page for the VM, select **Disks**.
diff --git a/articles/virtual-machines/windows/disks-upload-vhd-to-managed-disk-powershell.md b/articles/virtual-machines/windows/disks-upload-vhd-to-managed-disk-powershell.md
@@ -3,7 +3,7 @@ title: Upload a VHD to Azure or copy a disk across regions - Azure PowerShell
 description: Learn how to upload a VHD to an Azure managed disk and copy a managed disk across regions, using Azure PowerShell, via direct upload.    
 author: roygara
 ms.author: rogarana
-ms.date: 10/17/2023
+ms.date: 08/15/2024
 ms.topic: how-to
 ms.service: azure-disk-storage
 ms.tgt_pltfrm: linux
@@ -145,7 +145,9 @@ If you would like to upload a different disk type, replace **Standard_LRS** with
 
 Now that you've created an empty managed disk that is configured for the upload process, you can upload a VHD to it. To upload a VHD to the disk, you'll need a writeable SAS, so that you can reference it as the destination for your upload.
 
-To generate a writable SAS of your empty managed disk, replace `<yourdiskname>`and `<yourresourcegroupname>`, then use the following commands:
+[!INCLUDE [disks-sas-change](../includes/disks-sas-change.md)]
+
+To generate a writable SAS of your empty managed disk, replace `<yourdiskname>` and `<yourresourcegroupname>`, then use the following commands:
 
 ```powershell
 $diskSas = Grant-AzDiskAccess -ResourceGroupName '<yourresourcegroupname>' -DiskName '<yourdiskname>' -DurationInSecond 86400 -Access 'Write'
diff --git a/articles/virtual-machines/windows/download-vhd.md b/articles/virtual-machines/windows/download-vhd.md
@@ -5,7 +5,7 @@ author: roygara
 ms.author: rogarana
 ms.service: azure-disk-storage
 ms.topic: how-to
-ms.date: 10/17/2023
+ms.date: 08/15/2024
 ---
 
 # Download a Windows VHD from Azure
@@ -66,6 +66,8 @@ Your snapshot will be created shortly, and can then be used to download or creat
 
 To download the VHD file, you need to generate a [shared access signature (SAS)](../../storage/common/storage-sas-overview.md?toc=/azure/virtual-machines/windows/toc.json) URL. When the URL is generated, an expiration time is assigned to the URL.
 
+[!INCLUDE [disks-sas-change](../includes/disks-sas-change.md)]
+
 # [Portal](#tab/azure-portal)
 
 1. On the page for the VM, click **Disks** in the left menu.
