Merge pull request #217820 from khdownie/kendownie110922

AD DS docs reorg

Author: v-stsavell

articles/storage/files/media/storage-files-aad-permissions-and-mounting/azure-active-directory-authentication-dialog.png

@@ -1,17 +1,17 @@
 ---
 title: Control access to Azure file shares - on-premises AD DS authentication
-description: Learn how to assign permissions to an Active Directory Domain Services identity that represents your Azure storage account. This allows you to control access with identity-based authentication.
+description: Learn how to assign permissions to an Active Directory Domain Services identity that represents your Azure storage account. This allows you to control user access with identity-based authentication.
 author: khdownie
 ms.service: storage
 ms.subservice: files
 ms.topic: how-to
-ms.date: 11/03/2022
+ms.date: 11/09/2022
 ms.author: kendownie 
-ms.custom: devx-track-azurepowershell, subject-rbac-steps, devx-track-azurecli 
+ms.custom: devx-track-azurepowershell, subject-rbac-steps, devx-track-azurecli, engagement-fy23
 ms.devlang: azurecli
 ---
 
-# Part two: assign share-level permissions to an identity
+# Assign share-level permissions to an identity
 
 Once you've enabled an Active Directory (AD) source for your storage account, you must configure share-level permissions in order to get access to your file share. There are two ways you can assign share-level permissions. You can assign them to [specific Azure AD users/groups](#share-level-permissions-for-specific-azure-ad-users-or-groups), and you can assign them to all authenticated identities as a [default share-level permission](#share-level-permissions-for-all-authenticated-identities).
 
@@ -67,7 +67,7 @@ Share-level permissions must be assigned to the Azure AD identity representing t
 > [!TIP]
 > Optional: Customers who want to migrate SMB server share-level permissions to RBAC permissions can use the `Move-OnPremSharePermissionsToAzureFileShare` PowerShell cmdlet to migrate directory and file-level permissions from on-premises to Azure. This cmdlet evaluates the groups of a particular on-premises file share, then writes the appropriate users and groups to the Azure file share using the three RBAC roles. You provide the information for the on-premises share and the Azure file share when invoking the cmdlet.
 
-You can use the Azure portal, Azure PowerShell module, or Azure CLI to assign the built-in roles to the Azure AD identity of a user for granting share-level permissions.
+You can use the Azure portal, Azure PowerShell, or Azure CLI to assign the built-in roles to the Azure AD identity of a user for granting share-level permissions.
 
 > [!IMPORTANT]
 > The share-level permissions will take up to three hours to take effect once completed. Please wait for the permissions to sync before connecting to your file share using your credentials.
@@ -168,6 +168,4 @@ You could also assign permissions to all authenticated Azure AD users and specif
 
 ## Next steps
 
-Now that you've assigned share-level permissions, you must configure directory and file-level permissions. Continue to the next article.
-
-[Part three: configure directory and file-level permissions over SMB](storage-files-identity-ad-ds-configure-permissions.md)
+Now that you've assigned share-level permissions, you must [configure directory and file-level permissions](storage-files-identity-ad-ds-configure-permissions.md).

articles/storage/files/storage-files-identity-ad-ds-assign-permissions.md

@@ -1,21 +1,22 @@
 ---
 title: Control what a user can do at the directory and file level - Azure Files
-description: Learn how to configure Windows ACLs for directory and file level permissions for AD DS authentication to Azure file shares, allowing you to take advantage of granular access control.
+description: Learn how to configure Windows ACLs for directory and file level permissions for Active Directory authentication to Azure file shares, allowing you to take advantage of granular access control.
 author: khdownie
 ms.service: storage
 ms.subservice: files
 ms.topic: how-to
-ms.date: 11/08/2022
+ms.date: 11/09/2022
 ms.author: kendownie
+ms.custom: engagement-fy23
 ---
 
-# Part three: configure directory and file level permissions over SMB
+# Configure directory and file-level permissions over SMB
 
-Before you begin this article, make sure you've completed the previous article, [Assign share-level permissions to an identity](storage-files-identity-ad-ds-assign-permissions.md), to ensure that your share-level permissions are in place with Azure role-based access control (RBAC).
+Before you begin this article, make sure you've read [Assign share-level permissions to an identity](storage-files-identity-ad-ds-assign-permissions.md) to ensure that your share-level permissions are in place with Azure role-based access control (RBAC).
 
 After you assign share-level permissions, you must first connect to the Azure file share using the storage account key and then configure Windows access control lists (ACLs), also known as NTFS permissions, at the root, directory, or file level. While share-level permissions act as a high-level gatekeeper that determines whether a user can access the share, Windows ACLs operate at a more granular level to control what operations the user can do at the directory or file level.
 
-Both share-level and file/directory level permissions are enforced when a user attempts to access a file/directory, so if there's a difference between either of them, only the most restrictive one will be applied. For example, if a user has read/write access at the file level, but only read at a share level, then they can only read that file. The same would be true if it was reversed: if a user had read/write access at the share-level, but only read at the file-level, they can still only read the file.
+Both share-level and file/directory-level permissions are enforced when a user attempts to access a file/directory, so if there's a difference between either of them, only the most restrictive one will be applied. For example, if a user has read/write access at the file level, but only read at a share level, then they can only read that file. The same would be true if it was reversed: if a user had read/write access at the share-level, but only read at the file-level, they can still only read the file.
 
 ## Applies to
 | File share type | SMB | NFS |
@@ -111,6 +112,4 @@ Use Windows File Explorer to grant full permission to all directories and files
 
 ## Next steps
 
-Now that the feature is enabled and configured, continue to the next article to learn how to mount your Azure file share from a domain-joined VM.
-
-[Part four: mount a file share from a domain-joined VM](storage-files-identity-ad-ds-mount-file-share.md)
+Now that the feature is enabled and configured, you can [mount a file share from a domain-joined VM](storage-files-identity-ad-ds-mount-file-share.md).

articles/storage/files/storage-files-identity-ad-ds-configure-permissions.md

@@ -1,16 +1,16 @@
 ---
-title: Enable AD DS authentication to Azure file shares
+title: Enable AD DS authentication for Azure file shares
 description: Learn how to enable Active Directory Domain Services authentication over SMB for Azure file shares. Your domain-joined Windows virtual machines can then access Azure file shares by using AD DS credentials. 
 author: khdownie
 ms.service: storage
 ms.subservice: files
 ms.topic: how-to
-ms.date: 10/24/2022
+ms.date: 11/09/2022
 ms.author: kendownie 
 ms.custom: devx-track-azurepowershell
 ---
 
-# Part one: enable AD DS authentication for your Azure file shares
+# Enable AD DS authentication for Azure file shares
 
 This article describes the process for enabling Active Directory Domain Services (AD DS) authentication on your storage account. After enabling the feature, you must configure your storage account and your AD DS, to use AD DS credentials for authenticating to your Azure file share. 
 
@@ -248,6 +248,4 @@ AzureStorageID:<yourStorageSIDHere>
 
 ## Next steps
 
-You've now successfully enabled the feature on your storage account. To use the feature, you must assign share-level permissions for users and groups. Continue to the next section.
-
-[Part two: assign share-level permissions to an identity](storage-files-identity-ad-ds-assign-permissions.md)
+You've now successfully enabled the feature on your storage account. To use the feature, you must [assign share-level permissions to an identity](storage-files-identity-ad-ds-assign-permissions.md).

articles/storage/files/storage-files-identity-ad-ds-enable.md

@@ -5,19 +5,18 @@ author: khdownie
 ms.service: storage
 ms.subservice: files
 ms.topic: how-to
-ms.date: 09/27/2022
+ms.date: 11/09/2022
 ms.author: kendownie
+ms.custom: engagement-fy23
 ---
 
-# Part four: mount a file share from a domain-joined VM
+# Mount a file share from a domain-joined VM
 
-Before you begin this article, make sure you complete the previous article, [configure directory and file level permissions over SMB](storage-files-identity-ad-ds-configure-permissions.md).
+Before you begin this article, make sure you've read [configure directory and file-level permissions over SMB](storage-files-identity-ad-ds-configure-permissions.md).
 
-The process described in this article verifies that your SMB file share and access permissions are set up correctly and that you can access an Azure file share from a domain-joined VM. Share-level role assignment can take some time to take effect.
+The process described in this article verifies that your SMB file share and access permissions are set up correctly and that you can access an Azure file share from a domain-joined VM. Remember that share-level role assignment can take some time to take effect.
 
-Sign in to the client by using the credentials that you granted permissions to, as shown in the following image.
-
-![Screenshot showing Azure AD sign-in screen for user authentication](media/storage-files-aad-permissions-and-mounting/azure-active-directory-authentication-dialog.png)
+Sign in to the client using the credentials of the identity that you granted permissions to.
 
 ## Applies to
 | File share type | SMB | NFS |
@@ -51,10 +50,6 @@ if ($connectTestResult.TcpTestSucceeded) {
 
 If you run into issues mounting with AD DS credentials, refer to [Unable to mount Azure Files with AD credentials](storage-troubleshoot-windows-file-connection-problems.md#unable-to-mount-azure-files-with-ad-credentials) for guidance.
 
-If mounting your file share succeeded, then you've successfully enabled and configured on-premises AD DS authentication for your Azure file share.
-
 ## Next steps
 
-If the identity you created in AD DS to represent the storage account is in a domain or OU that enforces password rotation, continue to the next article for instructions on updating your password:
-
-[Update the password of your storage account identity in AD DS](storage-files-identity-ad-ds-update-password.md)
+If the identity you created in AD DS to represent the storage account is in a domain or OU that enforces password rotation, you might need to [update the password of your storage account identity in AD DS](storage-files-identity-ad-ds-update-password.md).

articles/storage/files/storage-files-identity-ad-ds-mount-file-share.md

@@ -78,13 +78,13 @@ Enabling AD DS authentication for your Azure file shares allows you to authentic
 
 Follow these steps to set up Azure Files for AD DS authentication: 
 
-1. [Part one: enable AD DS authentication on your storage account](storage-files-identity-ad-ds-enable.md)
+1. [Enable AD DS authentication on your storage account](storage-files-identity-ad-ds-enable.md)
 
-1. [Part two: assign share-level permissions to the Azure AD identity (a user, group, or service principal) that is in sync with the target AD identity](storage-files-identity-ad-ds-assign-permissions.md)
+1. [Assign share-level permissions to the Azure AD identity (a user, group, or service principal) that is in sync with the target AD identity](storage-files-identity-ad-ds-assign-permissions.md)
 
-1. [Part three: configure Windows ACLs over SMB for directories and files](storage-files-identity-ad-ds-configure-permissions.md)
+1. [Configure Windows ACLs over SMB for directories and files](storage-files-identity-ad-ds-configure-permissions.md)
 
-1. [Part four: mount an Azure file share to a VM joined to your AD DS](storage-files-identity-ad-ds-mount-file-share.md)
+1. [Mount an Azure file share to a VM joined to your AD DS](storage-files-identity-ad-ds-mount-file-share.md)
 
 1. [Update the password of your storage account identity in AD DS](storage-files-identity-ad-ds-update-password.md)
 
@@ -96,6 +96,4 @@ Identities used to access Azure file shares must be synced to Azure AD to enforc
 
 ## Next steps
 
-To enable on-premises AD DS authentication for your Azure file share, continue to the next article:
-
-[Part one: enable AD DS authentication for your account](storage-files-identity-ad-ds-enable.md)
+To get started, you must [enable AD DS authentication for your storage account](storage-files-identity-ad-ds-enable.md).