Commit db35acb
Merge pull request #297057 from khdownie/kendownie032625
clarify fileshares vs shares for data plane
2 parents 1a3b56d + 3752899 commit db35acb

1 file changed

+6
-2
lines changed

articles/storage/files/authorize-oauth-rest.md

Lines changed: 6 additions & 2 deletions
@@ -4,7 +4,7 @@ description: Authorize admin-level read and write access to Azure file shares an
44
author: khdownie
55
ms.service: azure-file-storage
66
ms.topic: conceptual
7-
ms.date: 03/25/2025
7+
ms.date: 03/26/2025
88
ms.author: kendownie
99
ms.custom: devx-track-azurepowershell
1010
---
@@ -93,6 +93,10 @@ With the new roles and data actions, this feature will provide storage account-w
9393

9494
There are many [built-in roles](../../role-based-access-control/built-in-roles.md) that provide access to management services. You can also [create custom roles](../../role-based-access-control/custom-roles.md) with the appropriate permissions. To learn more about role-based access control, see [Azure RBAC](../../role-based-access-control/overview.md). For more information about how built-in roles are defined, see [Understand role definitions](../../role-based-access-control/role-definitions.md).
9595

96+
Keep in mind that for the file share resource type, the corresponding RBAC scope uses `shares` in the control plane (management operations), but uses `fileshares` in the data plane (data operations). If you try to use a file share resource ID that contains `shares` in RBAC scope or data action strings, it won't work. You must use `fileshares` in the scope of RBAC assignments, for example:
97+
98+
- `/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.Storage/storageAccounts/<storage-account-name>/fileServices/default/fileshares/<share-name>`
99+
96100
> [!IMPORTANT]
97101
> Any wildcard use cases defined for the path `Microsoft.Storage/storageAccounts/fileServices/*` or higher scope will automatically inherit the additional access and permissions granted through this new data action. To prevent unintended or over-privileged access to Azure Files, we've implemented additional checks that require users and applications to explicitly indicate their intent to use the additional privilege. Furthermore, we strongly recommend that customers review their user RBAC role assignments and replace any wildcard usage with explicit permissions to ensure proper data access management.
98102
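Review bot: the closing sentence "You must use `fileshares` in the scope of RBAC assignments" reads as unconditional, but the paragraph itself says the control plane uses `shares`; qualify it as applying to data-plane (data action) role assignments so readers don't rewrite their management-plane resource IDs as well. It would also help to show the contrasting control-plane form next to the example, which differs only in that one segment (`.../fileServices/default/shares/<share-name>`), and to say what "it won't work" means in practice (whether the assignment is rejected or simply never matches the data action), since that is the symptom a reader will be debugging. Minor: a list introduced with "for example:" that holds a single item could just be an inline code block.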
@@ -164,7 +168,7 @@ namespace FilesOAuthSample
164168

165169
## Authorize access using FileREST data plane API
166170

167-
You can also authorize access to file data using the Azure portal or Azure PowerShell.
171+
You can also authorize access to file data using the Azure portal, Azure PowerShell, or Azure CLI.
168172

169173
# [Azure portal](#tab/portal)
170174
