Merge pull request #204936 from khdownie/kendownie071522-2

PRMerger9 · web-flow · commit 7eb4cb1cad0c · 2022-07-15T14:45:00.000-07:00
Moving ABE from FAQ to DFS-N page
diff --git a/articles/storage/files/files-manage-namespaces.md b/articles/storage/files/files-manage-namespaces.md
@@ -209,6 +209,23 @@ New-DfsnFolder -Path $sharePath -TargetPath $targetUNC
 
 Now that you have created a namespace, a folder, and a folder target, you should be able to mount your file share through DFS Namespaces. If you are using a domain-based namespace, the full path for your share should be `\\<domain-name>\<namespace>\<share>`. If you are using a standalone namespace, the full path for your share should be `\\<DFS-server>\<namespace>\<share>`. If you are using a standalone namespace with root consolidation, you can access directly through your old server name, such as `\\<old-server>\<share>`.
 
+## Access-Based Enumeration (ABE)
+
+Using ABE to control the visibility of the files and folders in SMB Azure file shares isn't currently a supported scenario. ABE is a feature of DFS-N, so it's possible to configure identity-based authentication and enable the ABE feature. However, this only applies to the DFS-N folder targets; it doesn't retroactively apply to the targeted file shares themselves. This is because DFS-N works by referral, rather than as a proxy in front of the folder target.
+
+For example, if the user types in the path \\mydfsnserver\share, the SMB client gets the referral of \\mydfsnserver\share => \\server123\share and makes the mount against the latter.
+
+Because of this, ABE will only work in cases where the DFS-N server is hosting the list of usernames before the redirection:
+
+  \\DFSServer\users\contosouser1 => \\SA.file.core.windows.net\contosouser1
+  \\DFSServer\users\contosouser1 => \\SA.file.core.windows.net\users\contosouser1
+
+(Where **contosouser1** is a subfolder of the **users** share)
+
+If each user is a subfolder *after* the redirection, ABE won't work:
+
+  \\DFSServer\SomePath\users --> \\SA.file.core.windows.net\users
+
 ## See also
 - Deploying an Azure file share: [Planning for an Azure Files deployment](storage-files-planning.md) and [How to create an file share](storage-how-to-create-file-share.md).
 - Configuring file share access: [Identity-based authentication](storage-files-active-directory-overview.md) and [Networking considerations for direct access](storage-files-networking-overview.md).
diff --git a/articles/storage/files/storage-files-faq.md b/articles/storage/files/storage-files-faq.md
@@ -85,22 +85,9 @@ ms.topic: conceptual
   - If users are accessing the Azure file share via a Windows Server that has the Azure File Sync agent installed, use an [audit policy](/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder) or third-party product to track file changes and user access on the Windows Server. 
 
 * <a id="access-based-enumeration"></a>
-**Does Azure Files support using Access-Based Enumeration (ABE) to control the visibility of the files and folders in SMB Azure file shares? Can I use DFS Namespaces (DFS-N) as a workaround to use ABE with Azure Files?**
+**Does Azure Files support using Access-Based Enumeration (ABE) to control the visibility of the files and folders in SMB Azure file shares?**
 
-  Using ABE with Azure Files isn't currently a supported scenario, but you can [use DFS-N with SMB Azure file shares](files-manage-namespaces.md). ABE is a feature of DFS-N, so it's possible to configure identity-based authentication and enable the ABE feature. However, this only applies to the DFS-N folder targets; it doesn't retroactively apply to the targeted file shares themselves. This is because DFS-N works by referral, rather than as a proxy in front of the folder target.
-
-  For example, if the user types in the path \\mydfsnserver\share, the SMB client gets the referral of \\mydfsnserver\share => \\server123\share and makes the mount against the latter.
-
-  Because of this, ABE will only work in cases where the DFS-N server is hosting the list of usernames before the redirection:
-
-  \\DFSServer\users\contosouser1 => \\SA.file.core.windows.net\contosouser1
-  \\DFSServer\users\contosouser1 => \\SA.file.core.windows.net\users\contosouser1
-
-  (Where **contosouser1** is a subfolder of the **users** share)
-
-  If each user is a subfolder *after* the redirection, ABE won't work:
-
-  \\DFSServer\SomePath\users --> \\SA.file.core.windows.net\users
+  Using ABE with Azure Files isn't currently supported, but you can [use DFS-N with SMB Azure file shares](files-manage-namespaces.md#access-based-enumeration-abe).
    
 ### AD DS & Azure AD DS Authentication
 * <a id="ad-support-devices"></a>
