
Commit 8ac01da

authored
Merge pull request #113041 from roygara/carve
Carve
2 parents 37b3dac + 7f45a33 commit 8ac01da


2 files changed

+15
-17
lines changed


articles/storage/files/storage-files-identity-auth-active-directory-enable.md

Lines changed: 12 additions & 14 deletions
@@ -49,13 +49,11 @@ Before you enable AD DS authentication for Azure file shares, make sure you have
4949

5050
To access a file share by using AD credentials from a machine or VM, your device must be domain-joined to AD DS. For information about how to domain-join, refer to [Join a Computer to a Domain](https://docs.microsoft.com/windows-server/identity/ad-fs/deployment/join-a-computer-to-a-domain).
5151

52-
- Select or create an Azure storage account in [a supported region](#regional-availability).
52+
- Select or create an Azure storage account. For optimal performance, we recommend that you deploy the storage account in the same region as the VM from which you plan to access the share.
5353

5454
Make sure that the storage account containing your file shares is not already configured for Azure AD DS Authentication. If Azure Files Azure AD DS authentication is enabled on the storage account, it needs to be disabled before changing to use on-premises AD DS. This implies that existing ACLs configured in Azure AD DS environment will need to be reconfigured for proper permission enforcement.
5555

5656
For information about creating a new file share, see [Create a file share in Azure Files](storage-how-to-create-file-share.md).
57-
58-
For optimal performance, we recommend that you deploy the storage account in the same region as the VM from which you plan to access the share.
5957

6058
- Verify connectivity by mounting Azure file shares using your storage account key.
6159
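Review bot: dropping the [a supported region](#regional-availability) link from the storage account bullet (old line 52) removes the only pointer from the prerequisites to the regional availability section. The next hunk keeps the statement that AD DS authentication (preview) is available in all Public and Azure Gov regions, so either keep the link or say here that region choice is driven only by the performance recommendation now folded into the bullet. Also check the rendered indentation: with old lines 57-58 deleted, the "For information about creating a new file share" line now sits between this bullet and the "Verify connectivity" bullet as a continuation paragraph.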

@@ -65,23 +63,23 @@ Before you enable AD DS authentication for Azure file shares, make sure you have
6563

6664
Azure Files authentication with AD DS (preview) is available in [all Public regions and Azure Gov regions](https://azure.microsoft.com/global-infrastructure/locations/).
6765

68-
## Workflow overview
69-
70-
Before you enable AD DS authentication over SMB for Azure file shares, we recommend that you read and complete the [prerequisite](#prerequisites) section. The prerequisites validate that your AD, Azure AD, and Azure Storage environments are properly configured.
66+
## Overview
7167

7268
If you plan to enable any networking configurations on your file share, we recommend you to evaluate the [networking consideration](https://docs.microsoft.com/azure/storage/files/storage-files-networking-overview) and complete the related configuration first before enabling AD DS authentication.
7369

74-
Next, follow the steps below to set up Azure Files for AD Authentication:
70+
Enabling AD DS authentication for your Azure file shares allows you to authenticate to your Azure file shares with your on-prem AD DS credentials. Further, it allows you to better manage your permissions to allow granular access control. Doing this requires synching identities from on-prem AD DS to Azure AD with AD connect. You control the share level access with identities synched to Azure AD while managing file/share level access with on-prem AD DS credentials.
71+
72+
Next, follow the steps below to set up Azure Files for AD DS Authentication:
7573

76-
1. Enable Azure Files AD DS authentication on your storage account.
74+
1. [Enable Azure Files AD DS authentication on your storage account](#1-enable-ad-ds-authentication-for-your-account)
7775

78-
2. Assign access permissions for a share to the Azure AD identity (a user, group, or service principal) that is in sync with the target AD identity.
76+
1. [Assign access permissions for a share to the Azure AD identity (a user, group, or service principal) that is in sync with the target AD identity](#2-assign-access-permissions-to-an-identity)
7977

80-
3. Configure ACLs over SMB for directories and files.
78+
1. [Configure ACLs over SMB for directories and files](#3-configure-ntfs-permissions-over-smb)
8179

82-
4. Mount an Azure file share to a VM joined to your AD DS.
80+
1. [Mount an Azure file share to a VM joined to your AD DS](#4-mount-a-file-share-from-a-domain-joined-vm)
8381

84-
5. Update the password of your storage account identity in AD DS.
82+
1. [Update the password of your storage account identity in AD DS](#5-update-the-password-of-your-storage-account-identity-in-ad-ds)
8583

8684
The following diagram illustrates the end-to-end workflow for enabling Azure AD authentication over SMB for Azure file shares.
8785
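Review bot: the added overview paragraph (new line 70) is internally inconsistent. It says share level access is controlled with identities synced to Azure AD, then says "file/share level access" is managed with on-prem AD DS credentials. Per the step list directly below it, RBAC on the synced Azure AD identity governs the share level and NTFS ACLs govern the directory and file level, so "file/share level" should read "file/directory level". On the same line, "synching"/"synched" should be "syncing"/"synced" and "AD connect" should be the product name, Azure AD Connect. The unchanged sentence at line 84 still says "enabling Azure AD authentication over SMB" while the rest of the section now says AD DS; worth fixing while here. The "1." list items with explicit anchors are fine as long as the target headings keep the "N Title" form without a period, which the later hunks do.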

@@ -90,7 +88,7 @@ The following diagram illustrates the end-to-end workflow for enabling Azure AD
9088
> [!NOTE]
9189
> AD DS authentication over SMB for Azure file shares is only supported on machines or VMs running on OS versions newer than Windows 7 or Windows Server 2008 R2.
9290
93-
## 1. Enable AD authentication for your account
91+
## 1 Enable AD DS authentication for your account
9492

9593
To enable AD DS authentication over SMB for Azure file shares, you need to first register your storage account with AD DS and then set the required domain properties on the storage account. When the feature is enabled on the storage account, it applies to all new and existing file shares in the account. Use `join-AzStorageAccountForAuth` to enable the feature. You can find the detailed description of the end-to-end workflow in the script inside this section.
9694
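Review bot: removing the period ("## 1 Enable …") is what makes the new anchor #1-enable-ad-ds-authentication-for-your-account resolve, so the rename is required, and the other numbered headings in this PR follow the same form. While here, the unchanged context at line 93 writes the cmdlet as `join-AzStorageAccountForAuth`; PowerShell cmdlets are conventionally shown in Verb-Noun casing, `Join-AzStorageAccountForAuth`, which also matches what readers will search for.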

@@ -215,7 +213,7 @@ You've now successfully enabled the feature on your storage account. Now that th
215213

216214
You have now successfully enabled AD DS authentication over SMB and assigned a custom role that provides access to an Azure file share with an AD DS identity. To grant additional users access to your file share, follow the instructions in the [Assign access permissions](#2-assign-access-permissions-to-an-identity) to use an identity and [Configure NTFS permissions over SMB](#3-configure-ntfs-permissions-over-smb) sections.
217215

218-
## 5. Update the password of your storage account identity in AD DS
216+
## 5 Update the password of your storage account identity in AD DS
219217

220218
If you registered the AD DS identity/account representing your storage account under an OU that enforces password expiration time, you must rotate the password before the maximum password age. Failing to update the password of the AD DS account will result in authentication failures to access Azure file shares.
221219
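Review bot: heading change only, consistent with the anchor added in the overview. The sentence that follows at line 220 makes clear this step is recurring (rotate before the maximum password age or authentication to the shares fails), but the overview list item it links from, "Update the password of your storage account identity in AD DS", reads as a one-time setup step. Consider wording the list item so the reader knows it is an ongoing operational task rather than the last step of enablement.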

includes/storage-files-aad-permissions-and-mounting.md

Lines changed: 3 additions & 3 deletions
@@ -10,7 +10,7 @@
1010
ms.custom: include file
1111
---
1212

13-
## 2. Assign access permissions to an identity
13+
## 2 Assign access permissions to an identity
1414

1515
To access Azure Files resources with identity based authentication, an identity (a user, group, or service principal) must have the necessary permissions at the share level. This process is similar to specifying Windows share permissions, where you specify the type of access that a particular user has to a file share. The guidance in this section demonstrates how to assign read, write, or delete permissions for a file share to an identity.
1616
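Review bot: this hard-codes step number 2 into a heading that lives in an include file. Anchors such as #2-assign-access-permissions-to-an-identity only resolve from an article whose step sequence matches; if another article under articles/storage/files also pulls in includes/storage-files-aad-permissions-and-mounting.md, verify its numbering and anchors still line up after this change.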

@@ -65,7 +65,7 @@ Before you run the following sample script, remember to replace placeholder valu
6565
az role assignment create --role "<role-name>" --assignee <user-principal-name> --scope "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>/fileServices/default/fileshares/<share-name>"
6666
```
6767

68-
## 3. Configure NTFS permissions over SMB
68+
## 3 Configure NTFS permissions over SMB
6969
After you assign share-level permissions with RBAC, you must assign proper NTFS permissions at the root, directory, or file level. Think of share-level permissions as the high-level gatekeeper that determines whether a user can access the share. Whereas NTFS permissions act at a more granular level to determine what operations the user can do at the directory or file level.
7070

7171
Azure Files supports the full set of NTFS basic and advanced permissions. You can view and configure NTFS permissions on directories and files in an Azure file share by mounting the share and then using Windows File Explorer or running the Windows [icacls](https://docs.microsoft.com/windows-server/administration/windows-commands/icacls) or [Set-ACL](https://docs.microsoft.com/powershell/module/microsoft.powershell.security/set-acl) command.
@@ -114,7 +114,7 @@ icacls <mounted-drive-letter>: /grant <user-email>:(f)
114114

115115
For more information on how to use icacls to set NTFS permissions and on the different types of supported permissions, see [the command-line reference for icacls](https://docs.microsoft.com/windows-server/administration/windows-commands/icacls).
116116

117-
## 4. Mount a file share from a domain-joined VM
117+
## 4 Mount a file share from a domain-joined VM
118118

119119
The following process verifies that your file share and access permissions were set up correctly and that you can access an Azure File share from a domain-joined VM. Be aware that the share level RBAC role assignment can take some time to be in effect.
120120
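Review bot: heading change only. The unchanged sentence at line 119, "can take some time to be in effect", is vague for a verification step; if the propagation window for the share-level RBAC assignment is known, state it so a failed mount during that window is not misread as a misconfiguration of the ACLs or the domain join.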
