Merge pull request #231758 from khdownie/kendownie032223-2

American-Dipper · web-flow · commit c761e84fb202 · 2023-03-22T16:50:29.000-07:00
files revisions for account keys
diff --git a/articles/storage/common/storage-account-keys-manage.md b/articles/storage/common/storage-account-keys-manage.md
@@ -7,14 +7,15 @@ author: jimmart-dev
 
 ms.service: storage
 ms.topic: how-to
-ms.date: 04/14/2022
+ms.date: 03/22/2023
 ms.author: jammart
 ms.reviewer: nachakra 
+ms.custom: engagement-fy23
 ---
 
 # Manage storage account access keys
 
-When you create a storage account, Azure generates two 512-bit storage account access keys for that account. These keys can be used to authorize access to data in your storage account via Shared Key authorization.
+When you create a storage account, Azure generates two 512-bit storage account access keys for that account. These keys can be used to authorize access to data in your storage account via Shared Key authorization, or via SAS tokens that are signed with the shared key.
 
 Microsoft recommends that you use Azure Key Vault to manage your access keys, and that you regularly rotate and regenerate your keys. Using Azure Key Vault makes it easy to rotate your keys without interruption to your applications. You can also manually rotate your keys.
 
diff --git a/includes/storage-account-key-note-include.md b/includes/storage-account-key-note-include.md
@@ -5,19 +5,19 @@ services: storage
 author: tamram
 ms.service: storage
 ms.topic: "include"
-ms.date: 01/24/2023
+ms.date: 03/22/2023
 ms.author: tamram
-ms.custom: "include file"
+ms.custom: "include file", engagement-fy23
 ---
 
 ## Protect your access keys
 
-Your storage account access keys are similar to a root password for your storage account. Always be careful to protect your access keys. Use Azure Key Vault to manage and rotate your keys securely. Avoid distributing access keys to other users, hard-coding them, or saving them anywhere in plain text that is accessible to others. Rotate your keys if you believe they may have been compromised.
+Storage account access keys provide full access to the configuration of a storage account, as well as the data. Always be careful to protect your access keys. Use Azure Key Vault to manage and rotate your keys securely. Access to the shared key grants a user full access to a storage account’s configuration and its data. Access to shared keys should be carefully limited and monitored. Use SAS tokens with limited scope of access in scenarios where Azure AD based authorization can't be used. Avoid hard-coding access keys or saving them anywhere in plain text that is accessible to others. Rotate your keys if you believe they might have been compromised.
 
 > [!IMPORTANT]
-> Microsoft recommends using Azure Active Directory (Azure AD) to authorize requests against blob, queue, and table data if possible, rather than using the account keys (Shared Key authorization). Authorization with Azure AD provides superior security and ease of use over Shared Key authorization. For more information about using Azure AD authorization from your applications, see [How to authenticate .NET applications with Azure services](/dotnet/azure/sdk/authentication).
+> Microsoft recommends using Azure Active Directory (Azure AD) to authorize requests against blob, queue, and table data if possible, rather than using the account keys (Shared Key authorization). Authorization with Azure AD provides superior security and ease of use over Shared Key authorization. For more information about using Azure AD authorization from your applications, see [How to authenticate .NET applications with Azure services](/dotnet/azure/sdk/authentication). For SMB Azure file shares, Microsoft recommends using on-premises Active Directory Domain Services (AD DS) integration or Azure AD Kerberos authentication.
 >
-> To prevent users from accessing data in your storage account with Shared Key, you can disallow Shared Key authorization for the storage account. Disallowing Shared Key access is recommended as a security best practice. For more information, see [Prevent Shared Key authorization for an Azure Storage account](../articles/storage/common/shared-key-authorization-prevent.md).
+> To prevent users from accessing data in your storage account with Shared Key, you can disallow Shared Key authorization for the storage account. Granular access to data with least privileges necessary is recommended as a security best practice. Azure AD based authorization should be used for scenarios that support OAuth. Kerberos or SMTP should be used for Azure Files over SMB. For Azure Files over REST, SAS tokens can be used. Shared key access should be disabled if not required to prevent its inadvertent use. For more information, see [Prevent Shared Key authorization for an Azure Storage account](../articles/storage/common/shared-key-authorization-prevent.md).
 >
 > To protect an Azure Storage account with Azure AD Conditional Access policies, you must disallow Shared Key authorization for the storage account.
 > 
