Merge pull request #295284 from rladbsal/patch-3

Update file-sync-managed-identities.md

Author: v-shils

articles/storage/file-sync/file-sync-managed-identities.md

@@ -24,18 +24,38 @@ To learn more about the benefits of using managed identities, see [Managed ident
 To configure your Azure File Sync deployment to utilize system-assigned managed identities, please follow the guidance in the subsequent sections.
 
 ## Prerequisites
-- You need to have a **Storage Sync Service** [deployed](file-sync-deployment-guide.md) with at least one **registered server**. 
-- **Azure File Sync agent version 19.1.0.0 or later** must be installed on the registered server.
-- On your **storage accounts** used by Azure File Sync:
-  - You must be a **member of the Owner management role** or have “Microsoft.Authorization/roleassignments/write” permissions.
-  - **Allow Azure services on the trusted services list to access this storage account** exception must be enabled for preview. [Learn more](file-sync-networking-endpoints.md#grant-access-to-trusted-azure-services-and-restrict-access-to-the-storage-account-public-endpoint-to-specific-virtual-networks)
+# [Portal](#tab/azure-portal) 
+- You need to have a **Storage Sync Service** [deployed](file-sync-deployment-guide.md) with at least one **registered server**.  
+
+- **Azure File Sync agent version 19.1.0.0 or later** must be installed on the registered server. 
+
+- On your **storage accounts** used by Azure File Sync: 
+
+  - You must be a **member of the Owner management role** or have “Microsoft.Authorization/roleassignments/write” permissions. 
+
+  - **Allow Azure services on the trusted services list to access this storage account** exception must be enabled for preview. [Learn more](file-sync-networking-endpoints.md#grant-access-to-trusted-azure-services-and-restrict-access-to-the-storage-account-public-endpoint-to-specific-virtual-networks) 
+
   - **Allow storage account key access** must be enabled for preview. To check this setting, navigate to your storage account and select **Configuration** under the Settings section.
--	**Az.StorageSync [PowerShell module](https://www.powershellgallery.com/packages/Az.StorageSync) version 2.2.0 or later** must be installed on the machine that will be used to configure Azure File Sync to use managed identities. To install the latest Az.StorageSync PowerShell module, run the following command from an elevated PowerShell window:
+
+# [PowerShell](#tab/azure-powershell) 
+- You need to have a **Storage Sync Service** [deployed](file-sync-deployment-guide.md) with at least one **registered server**.  
+
+- **Azure File Sync agent version 19.1.0.0 or later** must be installed on the registered server. 
+
+- On your **storage accounts** used by Azure File Sync: 
+
+  - You must be a **member of the Owner management role** or have “Microsoft.Authorization/roleassignments/write” permissions. 
+
+  - **Allow Azure services on the trusted services list to access this storage account** exception must be enabled for preview. [Learn more](file-sync-networking-endpoints.md#grant-access-to-trusted-azure-services-and-restrict-access-to-the-storage-account-public-endpoint-to-specific-virtual-networks) 
+
+  - **Allow storage account key access** must be enabled for preview. To check this setting, navigate to your storage account and select **Configuration** under the Settings section. 
+  
+  -	**Az.StorageSync [PowerShell module](https://www.powershellgallery.com/packages/Az.StorageSync) version 2.2.0 or later** must be installed on the machine that will be used to configure Azure File Sync to use managed identities. To install the latest Az.StorageSync PowerShell module, run the following command from an elevated PowerShell window:
 
     ```powershell
     Install-Module Az.StorageSync -Force
     ```
-
+---
 ## Regional availability
 
 Azure File Sync support for system-assigned managed identities (preview) is available in [all Azure Public and Gov regions](https://azure.microsoft.com/global-infrastructure/locations/) that support Azure File Sync.
@@ -52,7 +72,14 @@ To enable a system-assigned managed identity on a registered server that has the
 > - Once the Storage Sync Service is configured to use managed identities, registered servers that do not have a system-assigned managed identity will continue to use a shared key to authenticate to your Azure file shares.
  
 ### How to check if your registered servers have a system-assigned managed identity
+# [Portal](#tab/azure-portal) 
+To check if your registered servers have a system-assigned managed identity, perform the following steps using the portal:  
+
+1. Go to your **Storage Sync Service** in the Azure portal, expand **Settings** and select **Managed identity (preview)**. 
 
+2. In the Registered Servers section, click the **Ready to use Managed ID** tile. This tile displays a list of servers that have a system-assigned managed identity. If your server is not listed, perform the steps to [Enable a system-assigned managed identity on your registered servers]( #enable-a-system-assigned-managed-identity-on-your-registered-servers).  
+
+# [PowerShell](#tab/azure-powershell) 
 To check if your registered servers have a system-assigned managed identity, run the following PowerShell command:
 
 ```powershell
@@ -66,7 +93,35 @@ If the value for the **ActiveAuthType** property is **Certificate** and the **La
 > [!NOTE]
 > Once a server is configured to use the system-assigned managed identity by following the steps in the following section, the **LatestApplicationId** property is no longer used (will be empty), the **ActiveAuthType** property value will be changed to **ManagedIdentity**, and the **ApplicationId** property will have a GUID which is the system-assigned managed identity.
 
+---
 ## Configure your Azure File Sync deployment to use system-assigned managed identities
+# [Portal](#tab/azure-portal) 
+
+To configure the Storage Sync Service and registered servers to use system-assigned managed identities, perform the following steps in the portal: 
+
+1. Go to your **Storage Sync Service** in the Azure portal, expand **Settings** and select **Managed identity (preview)**. 
+
+2. Click **Turn on Managed identity** to begin setup. 
+
+The following steps are performed and will take several minutes (or longer for large topologies) to complete: 
+
+- Enables a system-assigned managed identity for Storage Sync Service resource. 
+
+- Grants the Storage Sync Service system-assigned managed identity access to your Storage Accounts (Storage Account Contributor role). 
+
+- Grants the Storage Sync Service system-assigned managed identity access to your Azure file shares (Storage File Data Privileged Contributor role). 
+
+- Grants the registered server(s) system-assigned managed identity access to the Azure file shares (Storage File Data Privileged Contributor role). 
+
+- Configures the Storage Sync Service to use system-assigned managed identity. 
+
+- Configures registered server(s) to use system-assigned managed identity.  
+
+> [!NOTE] 
+> Once the registered server(s) are configured to use a system-assigned managed identity, it can take up to one hour before the server uses the system-assigned managed identity to authenticate to the Storage Sync Service and file shares.
+
+
+# [PowerShell](#tab/azure-powershell) 
 To configure the Storage Sync Service and registered servers to use system-assigned managed identities, run the following command from an elevated PowerShell window:
 
 ```powershell
@@ -87,15 +142,37 @@ Use the **Set-AzStorageSyncServiceIdentity** cmdlet anytime you need to configur
 > [!NOTE]
 > Once the registered server(s) are configured to use a system-assigned managed identity, it can take up to one hour before the server uses the system-assigned managed identity to authenticate to the Storage Sync Service and file shares.
 
+---
 ### How to check if the Storage Sync Service is using a system-assigned managed identity
+
+# [Portal](#tab/azure-portal)  
+
+To check if the Storage Sync Service is using a system-assigned managed identity, perform the following steps in the portal: 
+
+1. Go to your **Storage Sync Service** in the Azure portal, expand **Settings** and select **Managed identity (preview)**. 
+
+2. In the Registered Servers section, if you have at least one server listed in the **Using Managed ID** tile, your service is configured to use managed identities.  
+
+# [PowerShell](#tab/azure-powershell) 
 To check if the Storage Sync Service is using a system-assigned managed identity, run the following command from an elevated PowerShell window:
 
 ```powershell
 Get-AzStorageSyncService -ResourceGroupName <string> -StorageSyncServiceName <string>
 ```
 Verify the value for the **UseIdentity** property is **True**. If the value is **False**, the Storage Sync Service is using shared keys to authenticate to the Azure file shares.
 
+---
 ### How to check if a registered server is configured to use a system-assigned managed identity
+
+# [Portal](#tab/azure-portal) 
+
+To check if a registered server is configured to use a system-assigned managed identity, perform the following steps in the portal: 
+
+1. Go to your **Storage Sync Service** in the Azure portal, expand **Settings** and select **Managed identity (preview)**. 
+
+2. In the Registered Servers section, click the **Using Managed ID** tile and verify the server is listed. 
+
+# [PowerShell](#tab/azure-powershell) 
 To check if a registered server is configured to use a system-assigned managed identity, run the following command from an elevated PowerShell window:
 
 ```powershell
@@ -106,6 +183,7 @@ Verify the **ApplicationId** property has a GUID which indicates the server is c
 > [!NOTE]
 > Once the registered server(s) are configured to use a system-assigned managed identity, it can take up to one hour before the server uses the system-assigned managed identity to authenticate to the Storage Sync Service and Azure file shares.
 
+---
 ## More information
 Once the Storage Sync Service and registered server(s) are configured to use a system-assigned managed identity:
   - New endpoints (cloud or server) that are created will use a system-assigned managed identity to authenticate to the Azure file share.