Add security warning and move article to security folder and TOC

Author: sdwheeler

articles/cloud-shell/TOC.yml

@@ -7,7 +7,7 @@ items:
         href: features.md
       - name: Release notes
         href: release-notes.md
-  - name: Get started with Cloud Shell
+  - name: Get started with Azure Cloud Shell
     items:
       - name: Get started (Classic)
         href: get-started/classic.md
@@ -17,7 +17,7 @@ items:
         href: get-started/new-storage.md
       - name: Get started with existing storage account (New UI)
         href: get-started/existing-storage.md
-  - name: How to use Cloud Shell
+  - name: How to use Azure Cloud Shell
     items:
       - name: Use the window (Classic UI)
         href: using-the-shell-window.md
@@ -31,28 +31,28 @@ items:
         href: cloud-shell-predictive-intellisense.md
       - name: FAQ & Troubleshooting
         href: faq-troubleshooting.md
-  - name: Deploy Cloud Shell in a virtual network
+  - name: Deploy Azure Cloud Shell in a virtual network
     items:
       - name: Overview
         href: vnet/overview.md
       - name: Deploy using quickstart templates
         href: vnet/deployment.md
       - name: Connect to storage using a private endpoint
         href: vnet/how-to-use-private-endpoint-storage.md
-      - name: Support multiple users of Cloud Shell in a private virtual network
-        href: vnet/how-to-support-multiple-users.md
       - name: Troubleshoot Azure Cloud Shell in a virtual network
         href: vnet/troubleshooting.md
+  - name: Security
+    items:
+      - name: Allow multiple users to use a single storage account and file share
+        href: security/how-to-support-multiple-users.md
+      - name: Security baseline
+        href: /security/benchmark/azure/baselines/cloud-shell-security-baseline?bc=%2fazure%2fbread%2ftoc.json&toc=%2fazure%2fcloud-shell%2ftoc.json
   - name: Pricing
     items:
-      - name: Cloud Shell pricing
+      - name: Azure Cloud Shell pricing
         href: pricing.md
       - name: Pricing calculator
         href: https://azure.microsoft.com/pricing/calculator/
-  - name: Security
-    items:
-      - name: Security baseline
-        href: /security/benchmark/azure/baselines/cloud-shell-security-baseline?bc=%2fazure%2fbread%2ftoc.json&toc=%2fazure%2fcloud-shell%2ftoc.json
   - name: Reference
     items:
       - name: Azure CLI

articles/cloud-shell/vnet/how-to-support-multiple-users.md renamed to articles/cloud-shell/security/how-to-support-multiple-users.md

@@ -1,27 +1,32 @@
 ---
-title: Support multiple users of Cloud Shell in a private virtual network
-description: This article explains changes required to support multiple users for a Cloud Shell instance deployed in a private virtual network.
+title: Allow multiple users to use a single storage account and file share
+description: This article explains changes required to allow multiple Azure Cloud Shell users to use a single storage account and file share.
 ms.topic: how-to
 ms.date: 02/04/2025
 ---
-# Support multiple users of Cloud Shell in a private virtual network
+# Allow multiple users to use a single storage account and file share
 
-The instructions and ARM templates used to deploy Cloud Shell in a private virtual network create an
-environment designed to be used by a single user. A single-user deployment is the most secure
-configuration because each user can only access their own file share. However, you might have a need
-to allow multiple users access to a single deployment. To support access for multiple users, you
-need to make the following changes:
+By default, the storage resources created by Azure Cloud Shell are designed to be used by a single
+user. A single-user deployment is the most secure configuration because each user can only access
+their own file share. However, you might have a need to allow multiple users access to a single
+deployment. To support access for multiple users, you need to make the following changes:
 
 - Increase File Share quota
 - Assign roles to the users that allow access to the storage resources
 
+> [!WARNING]
+> While it's possible to allow multiple users to share a single storage account and file share, it's
+> not recommended. Using the configuration steps in this article grants each of the configured users
+> access to the all the files in the file share. If you need to support multiple users, consider
+> creating a separate storage account and file share for each user.
+
 ## Increase File Share quota
 
-The initial deployment of Cloud Shell in a private virtual network creates a file share with a 6-GiB
-quota limit. When a new user starts their first session, Cloud Shell creates a 5-GiB image file in
-the file share. The first user uses up the quota limit. When a second user starts their session,
-they receive the 'ephemeral storage' error message because Cloud Shell is unable to create another
-5-GiB image file. Also, notice that Cloud Shell created a 0-byte image file for the failed attempt.
+The file share created by Cloud Shell has a 6-GiB quota limit. When a new user starts their first
+session, Cloud Shell creates a 5-GiB image (`*.img`) file in the file share. The first user uses up
+the quota limit. When a second user starts their session, they receive the 'ephemeral storage' error
+message because Cloud Shell is unable to create another 5-GiB image (`*.img`) file. Also, notice
+that Cloud Shell created a 0-byte image (`*.img`) file for the failed attempt.
 
 To support multiple users, you need to increase the file share quota to accommodate the number of
 users that share the same storage account. Increase the quota by 5-GiB per user.

articles/cloud-shell/vnet/deployment.md

@@ -1,17 +1,17 @@
 ---
 description: This article provides step-by-step instructions to deploy Azure Cloud Shell in a private virtual network.
 ms.contributor: jahelmic
-ms.date: 01/28/2025
+ms.date: 02/05/2025
 ms.topic: how-to
 ms.custom: devx-track-arm-template
 title: Deploy Azure Cloud Shell in a virtual network with quickstart templates
 ---
 
-# Deploy Cloud Shell in a virtual network by using quickstart templates
+# Deploy Azure Cloud Shell in a virtual network by using quickstart templates
 
 Before you run quickstart templates to deploy Azure Cloud Shell in a virtual network (VNet), there
 are several prerequisites to complete. You must have the **Owner** role assignment on the
-subscription. To view and assign roles, see [List Owners of a Subscription][10].
+subscription. To view and assign roles, see [List Owners of a Subscription][05].
 
 This article walks you through the following steps to configure and deploy Cloud Shell in a virtual
 network:
@@ -37,7 +37,7 @@ Depending on when your tenant was created, some of these providers might already
 
 To see all resource providers and the registration status for your subscription:
 
-1. Sign in to the [Azure portal][11].
+1. Sign in to the [Azure portal][14].
 1. On the Azure portal menu, search for **Subscriptions**. Select it from the available options.
 1. Select the subscription that you want to view.
 1. On the left menu, under **Settings**, select **Resource providers**.
@@ -80,34 +80,34 @@ Fill in the following values:
 You can create the resource group by using the Azure portal, the Azure CLI, or Azure PowerShell. For
 more information, see the following articles:
 
-- [Manage Azure resource groups by using the Azure portal][02]
-- [Manage Azure resource groups by using Azure CLI][01]
-- [Manage Azure resource groups by using Azure PowerShell][03]
+- [Manage Azure resource groups by using the Azure portal][03]
+- [Manage Azure resource groups by using Azure CLI][02]
+- [Manage Azure resource groups by using Azure PowerShell][04]
 
 ### Create a virtual network
 
 You can create the virtual network by using the Azure portal, the Azure CLI, or Azure PowerShell.
 For more information, see the following articles:
 
-- [Use the Azure portal to create a virtual network][05]
-- [Use Azure PowerShell to create a virtual network][06]
-- [Use Azure CLI to create a virtual network][04]
+- [Use the Azure portal to create a virtual network][07]
+- [Use Azure PowerShell to create a virtual network][08]
+- [Use Azure CLI to create a virtual network][06]
 
 > [!NOTE]
 > When you're setting the container subnet address prefix for the Cloud Shell subnet, it's important
 > to consider the number of Cloud Shell sessions that you need to run concurrently. If the number of
 > Cloud Shell sessions exceeds the available IP addresses in the container subnet, users of those
 > sessions can't connect to Cloud Shell. Increase the container subnet range to accommodate your
 > specific needs. For more information, see the "Change subnet settings" section of
-> [Add, change, or delete a virtual network subnet][07].
+> [Add, change, or delete a virtual network subnet][09].
 
 ### Get the Azure container instance ID
 
 The Azure container instance ID is a unique value for every tenant. You use this identifier in the
-[quickstart templates][08] to configure a virtual network for Cloud Shell. To get the Id from the
-command line, see [Alternate way to get the Azure Container Instance ID][12].
+[quickstart templates][12] to configure a virtual network for Cloud Shell. To get the Id from the
+command line, see [Alternate way to get the Azure Container Instance ID][10].
 
-1. Sign in to the [Azure portal][11]. From the home page, select **Microsoft Entra ID**. If the icon
+1. Sign in to the [Azure portal][14]. From the home page, select **Microsoft Entra ID**. If the icon
    isn't displayed, enter `Microsoft Entra ID` in the top search bar.
 1. On the left menu, select **Overview**. Then enter `azure container instance service` in the
    search bar.
@@ -124,7 +124,7 @@ command line, see [Alternate way to get the Azure Container Instance ID][12].
 
 ## 3. Create the required network resources by using the ARM template
 
-Use the [Azure Cloud Shell - VNet][08] template to create Cloud Shell resources in a virtual
+Use the [Azure Cloud Shell - VNet][12] template to create Cloud Shell resources in a virtual
 network. The template creates three subnets under the virtual network that you created earlier. You
 might choose to change the supplied names of the subnets or use the defaults.
 
@@ -176,7 +176,7 @@ subscription.
 
 ## 4. Create the virtual network storage by using the ARM template
 
-Use the [Azure Cloud Shell - VNet storage][09] template to create Cloud Shell resources in a virtual
+Use the [Azure Cloud Shell - VNet storage][13] template to create Cloud Shell resources in a virtual
 network. The template creates the storage account and assigns it to the private virtual network.
 
 The ARM template requires specific information about the resources that you created earlier, along
@@ -275,21 +275,29 @@ az ad sp list --display-name 'Azure Container Instance' --query "[].id"
 ## Next steps
 
 You must complete the Cloud Shell configuration steps for each user who needs to use the new private
-Cloud Shell instance.
+Cloud Shell instance. Alternatively, you can configure your Cloud Shell instance to allow multiple
+users to use the same storage resources. For more information, see
+[Allow multiple users to use a single storage account and file share][01].
+
+For improved security, you can configure your storage account to use a private endpoint. For more
+information, see [Connect to a storage account using an Azure private endpoint][11].
 
 <!-- link references -->
-[01]: /azure/azure-resource-manager/management/manage-resource-groups-cli
-[02]: /azure/azure-resource-manager/management/manage-resource-groups-portal
-[03]: /azure/azure-resource-manager/management/manage-resource-groups-powershell
-[04]: /azure/virtual-network/quick-create-cli
-[05]: /azure/virtual-network/quick-create-portal
-[06]: /azure/virtual-network/quick-create-powershell
-[07]: /azure/virtual-network/virtual-network-manage-subnet?tabs=azure-portal#change-subnet-settings
-[08]: https://aka.ms/cloudshell/docs/vnet/template
-[09]: https://azure.microsoft.com/resources/templates/cloud-shell-vnet-storage/
-[10]: /azure/role-based-access-control/role-assignments-list-portal#list-owners-of-a-subscription
-[11]: https://portal.azure.com
-[12]: #alternate-way-to-get-the-azure-container-instance-id
+[01]: ../security/how-to-support-multiple-users.md
+[02]: /azure/azure-resource-manager/management/manage-resource-groups-cli
+[03]: /azure/azure-resource-manager/management/manage-resource-groups-portal
+[04]: /azure/azure-resource-manager/management/manage-resource-groups-powershell
+[05]: /azure/role-based-access-control/role-assignments-list-portal#list-owners-of-a-subscription
+[06]: /azure/virtual-network/quick-create-cli
+[07]: /azure/virtual-network/quick-create-portal
+[08]: /azure/virtual-network/quick-create-powershell
+[09]: /azure/virtual-network/virtual-network-manage-subnet?tabs=azure-portal#change-subnet-settings
+[10]: #alternate-way-to-get-the-azure-container-instance-id
+[11]: how-to-use-private-endpoint-storage.md
+[12]: https://aka.ms/cloudshell/docs/vnet/template
+[13]: https://azure.microsoft.com/resources/templates/cloud-shell-vnet-storage/
+[14]: https://portal.azure.com
+
 [95a]: media/deployment/container-service-search.png
 [95b]: media/deployment/container-service-search.png#lightbox
 [96a]: media/deployment/container-service-details.png