Commit afad6c0

Merge pull request #215587 from NDVALPHA/NDVALPHA-ROLES-TOJOIN-STRGACC-TOADDS
NDVALPHA-ROLES-TOJOIN-STRGACC-TOADDS
2 parents 76d7829 + dcf2a16 commit afad6c0

1 file changed

+6
-1
lines changed


articles/storage/files/storage-files-identity-ad-ds-enable.md

Lines changed: 6 additions & 1 deletion
@@ -46,7 +46,12 @@ The AD DS account created by the cmdlet represents the storage account. If the A
4646
> The `Join-AzStorageAccount` cmdlet will create an AD account to represent the storage account (file share) in AD. You can choose to register as a computer account or service logon account, see [FAQ](./storage-files-faq.md#security-authentication-and-access-control) for details. Service logon account passwords can expire in AD if they have a default password expiration age set on the AD domain or OU. Because computer account password changes are driven by the client machine and not AD, they don't expire in AD, although client computers change their passwords by default every 30 days.
4747
> For both account types, we recommend you check the password expiration age configured and plan to [update the password of your storage account identity](storage-files-identity-ad-ds-update-password.md) of the AD account before the maximum password age. You can consider [creating a new AD Organizational Unit in AD](/powershell/module/activedirectory/new-adorganizationalunit) and disabling password expiration policy on [computer accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852252(v=ws.11)) or service logon accounts accordingly.
4848
49-
You must run the script below in PowerShell 5.1 on a device that's domain joined to your on-premises AD DS, using an on-premises AD DS credential that's synced to your Azure AD. The on-premises AD DS credential must have either **Owner** or **Contributor** Azure role on the storage account and have permissions to create a service logon account or computer account in the target AD. Replace the placeholder values with your own before executing the script.
49+
You must run the script below in PowerShell 5.1 on a device that's domain joined to your on-premises AD DS, using an on-premises AD DS credential that's synced to your Azure AD. To follow the [Least privilege principle](/articles/role-based-access-control/best-practices.md), the on-premises AD DS credential must have the following Azure roles:
50+
51+
- **Reader** on the `Resource group` where the target storage account is located.
52+
- **Contributor** on the `Storage account` to be joined to AD DS.
53+
54+
The AD DS credential must also have permissions to create a service logon account or computer account in the target AD. Replace the placeholder values with your own before executing the script.
5055

5156
```PowerShell
5257
# Change the execution policy to unblock importing AzFilesHybrid.psm1 module
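Review bot: The link target `/articles/role-based-access-control/best-practices.md` in the new line 49 is a repository-root path, which does not match how the other links in this hunk are written: neighbouring links are either relative to this file (`./storage-files-faq.md`, `storage-files-identity-ad-ds-update-password.md`) or docs-site absolute paths without an `/articles` prefix (`/powershell/module/activedirectory/new-adorganizationalunit`). Since this file lives at `articles/storage/files/`, a relative path such as `../../role-based-access-control/best-practices.md` would keep the link consistent with the rest of the article; the anchor text would also read more naturally as "principle of least privilege" than "Least privilege principle". Finally, the new list states that **Reader** on the resource group is required alongside **Contributor** on the storage account but does not say why the resource-group role is needed; a short clause explaining what the script does at resource-group scope would help readers who are tightening permissions understand which step fails without it.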
