Merge pull request #295326 from asudbring/sfi-ropc-remediation

SFI ROPC remediation items for virtual network

Author: prmerger-automator[bot]

articles/virtual-network/tutorial-restrict-network-access-to-resources.md

@@ -519,11 +519,7 @@ The steps required to restrict network access to resources created through Azure
     }
     $storageAcctKey = (Get-AzStorageAccountKey @storagekey).Value[0]
     ```
-
-    For the purposes of this tutorial, the connection string is used to connect to the storage account. Microsoft recommends that you use the most secure authentication flow available. The authentication flow described in this procedure requires a high degree of trust in the application, and carries risks that aren't present in other flows. You should only use this flow when other more secure flows, such as managed identities, aren't viable.
-
-    For more information about connecting to a storage account using a managed identity, see [Use a managed identity to access Azure Storage](/entra/identity/managed-identities-azure-resources/tutorial-linux-managed-identities-vm-access?pivots=identity-linux-mi-vm-access-storage).
-
+    
     The key is used to create a file share in a later step. Enter `$storageAcctKey` and note the value. You manually enter it in a later step when you map the file share to a drive in a virtual machine.
 
 ### [CLI](#tab/cli)
@@ -546,10 +542,6 @@ The steps necessary to restrict network access to resources created through Azur
 
 1. After the storage account is created, retrieve the connection string for the storage account into a variable with [az storage account show-connection-string](/cli/azure/storage/account). The connection string is used to create a file share in a later step.
 
-    For the purposes of this tutorial, the connection string is used to connect to the storage account. Microsoft recommends that you use the most secure authentication flow available. The authentication flow described in this procedure requires a high degree of trust in the application, and carries risks that aren't present in other flows. You should only use this flow when other more secure flows, such as managed identities, aren't viable.
-
-    For more information about connecting to a storage account using a managed identity, see [Use a managed identity to access Azure Storage](/entra/identity/managed-identities-azure-resources/tutorial-linux-managed-identities-vm-access?pivots=identity-linux-mi-vm-access-storage).
-
     ```azurecli-interactive
     saConnectionString=$(az storage account show-connection-string \
       --name $storageAcctName \
@@ -560,6 +552,11 @@ The steps necessary to restrict network access to resources created through Azur
 
 ---
 
+> [!IMPORTANT]
+> Microsoft recommends that you use the most secure authentication flow available. The authentication flow described in this procedure requires a very high degree of trust in the application, and carries risks that are not present in other flows. You should only use this flow when other more secure flows, such as managed identities, aren't viable.
+
+For more information about connecting to a storage account using a managed identity, see [Use a managed identity to access Azure Storage](/entra/identity/managed-identities-azure-resources/tutorial-linux-managed-identities-vm-access?pivots=identity-linux-mi-vm-access-storage).
+
 ### Create a file share in the storage account
 
 ### [Portal](#tab/portal)

articles/virtual-network/virtual-network-service-endpoint-policies.md

@@ -592,6 +592,9 @@ az storage share create \
 
 ---
 
+> [!IMPORTANT]
+> Microsoft recommends that you use the most secure authentication flow available. The authentication flow described in this procedure requires a very high degree of trust in the application, and carries risks that are not present in other flows. You should only use this flow when other more secure flows, such as managed identities, aren't viable.
+
 ### Deny all network access to storage accounts
 
 By default, storage accounts accept network connections from clients in any network. To restrict network access to the storage accounts, you can configure the storage account to accept connections only from specific networks. In this example, you configure the storage account to accept connections only from the virtual network subnet you created earlier.