Merge pull request #244883 from khdownie/kendownie0723-oauth-ga

prmerger-automator[bot] · web-flow · commit 92adb0df7c38 · 2023-07-13T17:07:49.000Z
oauth over rest GA
diff --git a/articles/storage/common/authorize-data-access.md b/articles/storage/common/authorize-data-access.md
@@ -25,7 +25,7 @@ The following table describes the options that Azure Storage offers for authoriz
 |--|--|--|--|--|--|--|
 | Azure Blobs | [Supported](/rest/api/storageservices/authorize-with-shared-key/) | [Supported](storage-sas-overview.md) | [Supported](../blobs/authorize-access-azure-active-directory.md) | Not supported | [Supported but not recommended](../blobs/anonymous-read-access-overview.md) | [Supported, only for SFTP](../blobs/secure-file-transfer-protocol-support-how-to.md) |
 | Azure Files (SMB) | [Supported](/rest/api/storageservices/authorize-with-shared-key/) | Not supported | Supported, only with [Azure AD Domain Services](../files/storage-files-identity-auth-active-directory-domain-service-enable.md) for cloud-only or [Azure AD Kerberos](../files/storage-files-identity-auth-azure-active-directory-enable.md) for hybrid identities | [Supported, credentials must be synced to Azure AD](../files/storage-files-active-directory-overview.md) | Not supported | Not supported |
-| Azure Files (REST) | [Supported](/rest/api/storageservices/authorize-with-shared-key/) | [Supported](storage-sas-overview.md) | [Supported (preview)](../files/authorize-oauth-rest.md) | Not supported | Not supported | Not supported |
+| Azure Files (REST) | [Supported](/rest/api/storageservices/authorize-with-shared-key/) | [Supported](storage-sas-overview.md) | [Supported](../files/authorize-oauth-rest.md) | Not supported | Not supported | Not supported |
 | Azure Queues | [Supported](/rest/api/storageservices/authorize-with-shared-key/) | [Supported](storage-sas-overview.md) | [Supported](../queues/authorize-access-azure-active-directory.md) | Not Supported | Not supported | Not supported |
 | Azure Tables | [Supported](/rest/api/storageservices/authorize-with-shared-key/) | [Supported](storage-sas-overview.md) | [Supported](../tables/authorize-access-azure-active-directory.md) | Not supported | Not supported | Not supported |
 
diff --git a/articles/storage/files/authorize-data-operations-portal.md b/articles/storage/files/authorize-data-operations-portal.md
@@ -31,7 +31,10 @@ There are two new built-in roles that have the required permissions to access fi
 - [Storage File Data Privileged Reader](../../role-based-access-control/built-in-roles.md#storage-file-data-privileged-reader)
 - [Storage File Data Privileged Contributor](../../role-based-access-control/built-in-roles.md#storage-file-data-privileged-contributor)
 
-For information about the built-in roles that support access to file data, see [Access Azure file shares using Azure Active Directory with Azure Files OAuth over REST (preview)](authorize-oauth-rest.md).
+For information about the built-in roles that support access to file data, see [Access Azure file shares using Azure Active Directory with Azure Files OAuth over REST](authorize-oauth-rest.md).
+
+> [!NOTE]
+> The **Storage File Data Privileged Contributor** role has permissions to read, write, delete, and modify ACLs/NTFS permissions on files/directories in Azure file shares. Modifying ACLs/NTFS permissions isn't supported via the Azure portal.
 
 Custom roles can support different combinations of the same permissions provided by the built-in roles. For more information about creating Azure custom roles, see [Azure custom roles](../../role-based-access-control/custom-roles.md) and [Understand role definitions for Azure resources](../../role-based-access-control/role-definitions.md).
 
@@ -100,5 +103,5 @@ To update this setting for an existing storage account, follow these steps:
 
 ## See also
 
-- [Access Azure file shares using Azure AD with Azure Files OAuth over REST (preview)](authorize-oauth-rest.md)
+- [Access Azure file shares using Azure AD with Azure Files OAuth over REST](authorize-oauth-rest.md)
 - [Authorize access to data in Azure Storage](../common/authorize-data-access.md)
diff --git a/articles/storage/files/authorize-oauth-rest.md b/articles/storage/files/authorize-oauth-rest.md
@@ -1,24 +1,24 @@
 ---
-title: Enable admin-level read and write access to Azure file shares using Azure Active Directory with Azure Files OAuth over REST (preview)
+title: Enable admin-level read and write access to Azure file shares using Azure Active Directory with Azure Files OAuth over REST
 description: Authorize access to Azure file shares and directories via the OAuth authentication protocol over REST APIs using Azure Active Directory (Azure AD). Assign Azure roles for access rights. Access files with an Azure AD account.
 author: khdownie
 ms.service: azure-file-storage
 ms.topic: conceptual
-ms.date: 05/11/2023
+ms.date: 07/13/2023
 ms.author: kendownie
 ms.custom: devx-track-azurepowershell
 ---
 
-# Access Azure file shares using Azure Active Directory with Azure Files OAuth over REST (preview)
+# Access Azure file shares using Azure Active Directory with Azure Files OAuth over REST
 
-Azure Files OAuth over REST (preview) enables admin-level read and write access to Azure file shares for users and applications via the [OAuth](https://oauth.net/) authentication protocol, using Azure Active Directory (Azure AD) for REST API based access. Users, groups, first-party services such as Azure portal, and third-party services and applications using REST interfaces can now use OAuth authentication and authorization with an Azure AD account to access data in Azure file shares. PowerShell cmdlets and Azure CLI commands that call REST APIs can also use OAuth to access Azure file shares.
+Azure Files OAuth over REST enables admin-level read and write access to Azure file shares for users and applications via the [OAuth](https://oauth.net/) authentication protocol, using Azure Active Directory (Azure AD) for REST API based access. Users, groups, first-party services such as Azure portal, and third-party services and applications using REST interfaces can now use OAuth authentication and authorization with an Azure AD account to access data in Azure file shares. PowerShell cmdlets and Azure CLI commands that call REST APIs can also use OAuth to access Azure file shares.
 
 > [!IMPORTANT]
 > You must call the REST API using an explicit header to indicate your intent to use the additional privilege. This is also true for Azure PowerShell and Azure CLI access.
 
 ## Limitations
 
-Azure Files OAuth over REST (preview) only supports the FileREST Data APIs that support operations on files and directories. OAuth isn't supported on FilesREST data plane APIs that manage FileService and FileShare resources. These management APIs are called using the Storage Account Key or SAS token, and are exposed through the data plane for legacy reasons. We recommend using the control plane APIs (the storage resource provider - Microsoft.Storage) that support OAuth for all management activities related to FileService and FileShare resources.
+Azure Files OAuth over REST only supports the FileREST Data APIs that support operations on files and directories. OAuth isn't supported on FilesREST data plane APIs that manage FileService and FileShare resources. These management APIs are called using the Storage Account Key or SAS token, and are exposed through the data plane for legacy reasons. We recommend using the control plane APIs (the storage resource provider - Microsoft.Storage) that support OAuth for all management activities related to FileService and FileShare resources.
 
 Authorizing file data operations with Azure AD is supported only for REST API versions 2022-11-02 and later. See [Versioning for Azure Storage](/rest/api/storageservices/versioning-for-the-azure-storage-services).
 
@@ -52,7 +52,7 @@ To use the Azure Files OAuth over REST feature, there are additional permissions
 
 Users, groups, or service principals that call the REST API with OAuth must have either the `readFileBackupSemantics` or `writeFileBackupSemantics` action assigned to the role that allows data access. This is a requirement to use this feature. For details on the permissions required to call specific File service operations, see [Permissions for calling data operations](/rest/api/storageservices/authorize-with-azure-active-directory#permissions-for-calling-data-operations).
 
-This preview provides two new built-in roles that include these new actions.  
+This feature provides two new built-in roles that include these new actions.  
 
 | **Role** | **Data actions** |
 |----------|------------------|
