Commit 8cd018f

1 parent 09594a4 commit 8cd018f

5 files changed

+14
-17
lines changed

articles/storage/common/storage-auth.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -31,9 +31,9 @@ Each authorization option is briefly described below:
3131

3232
- **Azure Active Directory (Azure AD) integration** for blobs, and queues. Azure AD provides role-based access control (RBAC) for fine-grained control over a client's access to resources in a storage account. For more information regarding Azure AD integration for blobs and queues, see [Authorize access to Azure blobs and queues using Azure Active Directory](storage-auth-aad.md).
3333

34-
- **Azure AD Domain Services (DS) integration (preview)** for files. Azure Files supports identity-based authorization over Server Message Block (SMB) through Azure AD DS. You can use RBAC for fine-grained control over a client's access to Azure Files resources in a storage account. For more information regarding Azure AD integration for files using domain services, see [Overview of Azure Files Azure Active Directory Domain Service (AAD DS) Authentication Support for SMB Access (preview)](../files/storage-files-active-directory-overview.md).
34+
- **Azure Active Directory Domain Services (AD DS) integration** for files. Azure Files supports identity-based authorization over Server Message Block (SMB) through Azure AD DS. You can use RBAC for fine-grained control over a client's access to Azure Files resources in a storage account. For more information regarding Azure AD integration for files using domain services, see [Overview of Azure Files identity-based authentication support for SMB access](../files/storage-files-active-directory-overview.md).
3535

36-
- **Active Directory (AD) Authentication** for files. Azure Files supports identity-based authorization over SMB through AD. Your AD domain service can be hosted on on-premises machines or in Azure VMs. SMB access to Files is supported using AD credentials from domain joined machines, either on-premises or in Azure. You can use RBAC for share level access control and NTFS DACLs for directory/file level permission enforcement. For more information regarding Azure Files authentication using domain services, refer to our [overview](../files/storage-files-active-directory-overview.md).
36+
- **Active Directory (AD) Authentication (preview)** for files. Azure Files supports identity-based authorization over SMB through AD. Your AD domain service can be hosted on on-premises machines or in Azure VMs. SMB access to Files is supported using AD credentials from domain joined machines, either on-premises or in Azure. You can use RBAC for share level access control and NTFS DACLs for directory/file level permission enforcement. For more information regarding Azure Files authentication using domain services, refer to our [overview](../files/storage-files-active-directory-overview.md).
3737

3838
- **Shared Key authorization** for blobs, files, queues, and tables. A client using Shared Key passes a header with every request that is signed using the storage account access key. For more information, see [Authorize with Shared Key](/rest/api/storageservices/authorize-with-shared-key/).
3939
- **Shared access signatures** for blobs, files, queues, and tables. Shared access signatures (SAS) provide limited delegated access to resources in a storage account. Adding constraints on the time interval for which the signature is valid or on permissions it grants provides flexibility in managing access. For more information, see [Using shared access signatures (SAS)](storage-sas-overview.md).

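Review bot: the new abbreviation "(AD DS)" on line 34 collides with the "Active Directory (AD)" bullet on line 36, while the same sentence goes on to say "through Azure AD DS" and the FAQ and overview pages in this commit use "Azure AD DS" throughout; suggest "**Azure Active Directory Domain Services (Azure AD DS) integration** for files" so the two identity paths stay distinguishable. Moving the "(preview)" label from the Azure AD DS bullet to the AD bullet matches the GA/preview status stated in the enable article, so that part reads correctly. Unchanged line 32 also has a stray comma in "for blobs, and queues".
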
articles/storage/files/storage-files-active-directory-domain-services-enable.md

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,7 @@ ms.date: 02/21/2020
88
ms.author: rogarana
99
---
1010

11-
# Enable Active Directory over SMB for Azure file shares
11+
# Enable Active Directory authentication over SMB for Azure file shares
1212

1313
[Azure Files](storage-files-introduction.md) supports identity-based authentication over Server Message Block (SMB) through two types of Domain Services: Azure Active Directory Domain Services (Azure AD DS) (GA) and Active Directory (AD) (preview). This article focuses on the newly introduced (preview) support of leveraging Active Directory Domain Service for authentication to Azure file shares. If you are interested in enabling Azure AD DS (GA) authentication for Azure file shares refer to [our article on the subject](storage-files-active-directory-enable.md).
1414

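Review bot: the retitled heading on line 11 now says "Active Directory authentication", but unchanged line 13 still describes the preview as "leveraging Active Directory Domain Service for authentication", which a reader can confuse with the Azure AD DS path named two sentences earlier; suggest "leveraging an on-premises Active Directory (AD) domain for authentication" (or at least "Active Directory Domain Services (AD DS)") so the preview is clearly the AD-domain option and not Azure AD DS. A comma is also missing before "refer to" in the last sentence.
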
@@ -98,17 +98,17 @@ You can use the following script to perform the registration and enable the feat
9898

9999
### Script prerequisites
100100

101-
- [Download the AzureFilesActiveDirectoryUtilities.psm1 module](https://github.com/Azure-Samples/azure-files-samples)
101+
- [Download the AzFilesHybrid.psm1 module](https://github.com/Azure-Samples/azure-files-samples)
102102
- Install and execute the module in a device that is domain joined to AD with AD credentials that have permissions to create a service logon account or a computer account in the target AD.
103103
- Run the script using an AD credential that is synced to your Azure AD. The AD credential must have either the storage account owner or the contributor RBAC role permissions.
104104
- Make sure your storage account is in a [supported region](#regional-availability).
105105

106106
```PowerShell
107-
#Change the execution policy to unblock importing AzureFilesActiveDirectoryUtilities.psm1 module
107+
#Change the execution policy to unblock importing AzFilesHybrid.psm1 module
108108
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Currentuser
109109
110110
#Import AzureFilesActiveDirectoryUtilities module, it includes Az.Storage 1.8.2-preview version
111-
Import-module -name .\AzureFilesActiveDirectoryUtilities.psm1 -ArgumentList Verbose
111+
Import-module -name .\AzFilesHybrid.psm1 -ArgumentList Verbose
112112
113113
#Login with an Azure AD credential that has either storage account owner or contributer RBAC assignment
114114
connect-AzAccount
@@ -169,13 +169,13 @@ You've now successfully enabled the feature on your storage account. Even though
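Review bot: the module rename on lines 101, 107 and 111 leaves the comment on unchanged line 110 stale, as it still reads "#Import AzureFilesActiveDirectoryUtilities module"; suggest "#Import the AzFilesHybrid module, it includes Az.Storage 1.8.2-preview version". Separately, line 108 sets `-ExecutionPolicy Unrestricted` for the current user just to import one downloaded module; `RemoteSigned` (with `Unblock-File` on the downloaded .psm1) is the narrower setting that achieves the same, and the text should tell the reader to restore the previous policy afterwards since this script runs with AD credentials that can create computer accounts. Line 113 also has a typo, "contributer".
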
169169

170170
[!INCLUDE [storage-files-aad-permissions-and-mounting](../../../includes/storage-files-aad-permissions-and-mounting.md)]
171171

172-
You have now successfully enabled Azure AD authentication over SMB and assigned a custom role that provides access to an Azure file share with an Azure AD identity. To grant additional users access to your file share, follow the instructions in the [Assign access permissions](#assign-access-permissions-to-an-identity) to use an identity and [Configure NTFS permissions over SMB sections](#configure-ntfs-permissions-over-smb)
172+
You have now successfully enabled Azure AD authentication over SMB and assigned a custom role that provides access to an Azure file share with an AD identity. To grant additional users access to your file share, follow the instructions in the [Assign access permissions](#assign-access-permissions-to-an-identity) to use an identity and [Configure NTFS permissions over SMB sections](#configure-ntfs-permissions-over-smb)
173173

174174
## Update AD account password
175175

176176
If you registered the AD account representing your storage account under an OU that enforces password expiration time, you must rotate the password before the maximum password age. Failing to update the password of the AD account will result in authentication failures to access Azure file shares.
177177

178-
To trigger password rotation, you can run the `Update-AzStorageAccountADObjectPassword` command from the AzureFilesActiveDirectoryUtilities.psm1. The cmdlet performs actions similar to storage account key rotation. It gets the second kerberos key of the storage account and uses it to update the password of the registered account in AD. Then it regenerates the target kerberos key of the storage account and updates the password of the registered account in AD. You must run this cmdlet in an AD domain joined environment.
178+
To trigger password rotation, you can run the `Update-AzStorageAccountADObjectPassword` command from the AzFilesHybrid.psm1. The cmdlet performs actions similar to storage account key rotation. It gets the second kerberos key of the storage account and uses it to update the password of the registered account in AD. Then it regenerates the target kerberos key of the storage account and updates the password of the registered account in AD. You must run this cmdlet in an AD domain joined environment.
179179

180180
```PowerShell
181181
#Update the password of the AD account registered for the storage account

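Review bot: line 172 now says the role grants access to "an AD identity", but the same sentence still opens with "You have now successfully enabled Azure AD authentication over SMB", which contradicts the article's new title and its preview scope; suggest "You have now successfully enabled AD authentication over SMB and assigned a custom role that provides access to an Azure file share with an AD identity." and add the missing period at the end of the sentence. On line 178, "from the AzFilesHybrid.psm1" should read "from the AzFilesHybrid.psm1 module", and "kerberos" should be capitalized as "Kerberos".
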
articles/storage/files/storage-files-active-directory-overview.md

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -8,11 +8,13 @@ ms.date: 02/21/2020
88
ms.author: rogarana
99
---
1010

11-
# Overview of Azure Files Azure Active Directory Domain Service (Azure AD DS) Authentication Support for SMB Access
11+
# Overview of Azure Files identity-based authentication support for SMB access
1212
[!INCLUDE [storage-files-aad-auth-include](../../../includes/storage-files-aad-auth-include.md)]
1313

1414
To learn how to enable Azure AD DS authentication for Azure file shares, see [Enable Azure Active Directory Domain Service Authentication over SMB for Azure Files](storage-files-active-directory-enable.md).
1515

16+
To learn how to enable AD authentication for Azure file shares, see [Enable Active Directory authentication over SMB for Azure file shares](storage-files-active-directory-domain-services-enable.md).
17+
1618
## Glossary
1719
It's helpful to understand some key terms relating to Azure AD Domain Service authentication over SMB for Azure file shares:
1820

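Review bot: the title on line 11 is broadened to cover identity-based authentication in general, but unchanged line 17 still introduces the glossary as terms "relating to Azure AD Domain Service authentication over SMB", so the AD (preview) method added on line 16 has no glossary coverage; suggest "relating to identity-based authentication over SMB for Azure file shares". Line 14 also still links the Azure AD DS article under its old title style, "Enable Azure Active Directory Domain Service Authentication over SMB for Azure Files", while line 16 uses the new lowercase-"authentication" style; the two link texts should be made consistent.
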
articles/storage/files/storage-files-faq.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -156,7 +156,7 @@ This article answers common questions about Azure Files features and functionali
156156
* <a id="ad-support"></a>
157157
**Is identity-based authentication and access control supported by Azure Files?**
158158

159-
Yes, Azure Files supports identity-based authentication and access control. You can choose one of two ways to use identity-based access control: Azure Active Directory Domain Services (Azure AD DS) (GA) or active directory (AD) (preview). Azure AD DS authentication over SMB for Azure Files enables Azure AD DS domain-joined Windows VMs to access shares, directories, and files using Azure AD credentials. AD supports authentication using AD domain joined machines, either on-premises or in Azure, to access Azure file shares over SMB. For more details, see [Overview of Azure Files authentication support for SMB access](storage-files-active-directory-overview.md).
159+
Yes, Azure Files supports identity-based authentication and access control. You can choose one of two ways to use identity-based access control: Azure Active Directory Domain Services (Azure AD DS) (GA) or Active Directory (AD) (preview). Azure AD DS authentication over SMB for Azure Files enables Azure AD DS domain-joined Windows VMs to access shares, directories, and files using Azure AD credentials. AD supports authentication using AD domain joined machines, either on-premises or in Azure, to access Azure file shares over SMB. For more details, see [Overview of Azure Files authentication support for SMB access](storage-files-active-directory-overview.md).
160160

161161
Azure Files offers two additional ways to manage access control:
162162

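Review bot: the capitalization fix on line 159 is fine, but the link text at the end of that line, "Overview of Azure Files authentication support for SMB access", no longer matches the overview page's title as changed in this same commit ("Overview of Azure Files identity-based authentication support for SMB access"); suggest updating the link text to the new title.
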
@@ -182,7 +182,7 @@ This article answers common questions about Azure Files features and functionali
182182
If the subscription under which the file share is deployed is associated with the same Azure AD tenant as the Azure AD Domain Services deployment to which the VM is domain-joined, then you can then access Azure Files using the same Azure AD credentials. The limitation is imposed not on the subscription but on the associated Azure AD tenant.
183183

184184
* <a id="ad-support-subscription"></a>
185-
**Can I enable either Azure Files Azure AD DS or AD authentication with an Azure AD tenant that is different from the primary tenant with which the file share is associated?**
185+
**Can I enable either Azure Files Azure AD DS or AD authentication with an Azure AD tenant that is different from the primary tenant which the file share is associated with?**
186186

187187
No, Azure Files only supports Azure AD DS or AD integration with an Azure AD tenant that resides in the same subscription as the file share. Only one subscription can be associated with an Azure AD tenant. This limitation applies to both Azure AD DS and AD authentication methods. When using AD for authentication, the AD credential must be synced to the Azure AD that the storage account is associated with.
188188

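Review bot: unchanged line 187 answers that Azure Files only supports an Azure AD tenant "that resides in the same subscription as the file share" and that "Only one subscription can be associated with an Azure AD tenant", while line 182 in the same hunk says "The limitation is imposed not on the subscription but on the associated Azure AD tenant"; these two statements of the trust boundary contradict each other and one of them should be corrected, since readers use this to decide which identities can reach a share. The rewording on line 185, "the primary tenant which the file share is associated with", is no clearer than the original "with which the file share is associated"; suggest keeping the original wording.
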
@@ -199,7 +199,7 @@ This article answers common questions about Azure Files features and functionali
199199
Consult your domain administrator to see if any update to your DNS routing policy is required to enable multiple forest authentication.
200200

201201
* <a id="ad-aad-smb-afs"></a>
202-
**Can I leverage Azure Files Azure AD DS authentication or active directory (AD) authentication (preview) on file shares managed by Azure File Sync?**
202+
**Can I leverage Azure Files Azure AD DS authentication or Active Directory (AD) authentication (preview) on file shares managed by Azure File Sync?**
203203

204204
Yes, you can enable Azure AD DS or AD authentication on a file share managed by Azure file sync. Changes to the directory/file NTFS ACLs on local file servers will be tiered to Azure Files and vice-versa.
205205

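Review bot: line 202 capitalizes "Active Directory (AD)", but the answer on unchanged line 204 still writes "Azure file sync" in lowercase while the question on line 202 uses "Azure File Sync"; suggest "a file share managed by Azure File Sync" for consistency.
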
includes/storage-files-aad-auth-include.md

Lines changed: 0 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -15,8 +15,3 @@
1515
Azure Files enforces authorization on the user access to both the share and the directory/file level. Share-level permission assignment can be assigned to Azure AD users or groups managed through the typical [role-based access control (RBAC)](../articles/role-based-access-control/overview.md) model. With RBAC, the credentials you use for file access should be available or synced to Azure AD. You can assign built-in RBAC roles like Storage File Data SMB Share Reader to users or groups in Azure AD to grant read access to an Azure file share.
1616

1717
At the directory/file level, Azure Files supports preserving, inheriting, and enforcing [NTFS DACLs](https://technet.microsoft.com/library/2006.01.howitworksntfs.aspx) just like any Windows file servers. If you copy data over SMB from a file share to Azure Files, or vice versa, you can choose to keep NTFS DACLs. Whether you plan to enforce authorization or not, you can leverage Azure Files to backup ACLs along with your data.
18-
19-
20-
> [!NOTE]
21-
> - Azure AD DS authentication for SMB access is not supported for Active Directory domain-joined machines. In the interim, consider using [Azure File Sync](https://docs.microsoft.com/azure/storage/files/storage-sync-files-planning) to start migrating your data to Azure Files and to continue enforcing access control by using Active Directory credentials from your on-premises Active Directory domain-joined machines.
22-
> - Azure AD DS authentication for SMB access is available only for storage accounts created after September 24, 2018.

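Review bot: deleting the note removes two statements without a replacement anywhere in this diff. The first (Azure AD DS authentication is not supported for AD domain-joined machines) is plausibly superseded by the AD preview, but the second, that Azure AD DS authentication is available only for storage accounts created after September 24, 2018, is an eligibility constraint that still matters to anyone planning identity-based access; if it still applies, move it to the overview or enable article rather than dropping it, and if it no longer applies, say so in the commit message.
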