Commit eb1c4ca

Merge pull request #259603 from MicrosoftDocs/repo_sync_working_branch
Confirm merge from repo_sync_working_branch to main to sync with https://github.com/MicrosoftDocs/azure-docs (branch main)
2 parents 71e964a + 460d116 commit eb1c4ca

3 files changed

+34
-5
lines changed

articles/ai-services/document-intelligence/faq.yml

Lines changed: 10 additions & 4 deletions
@@ -447,9 +447,9 @@ sections:
447447
448448
- You need an active [Azure account](https://azure.microsoft.com/free/cognitive-services/) and subscription with at least a **Reader** role to access Document Intelligence Studio.
449449
450-
- For **document analysis and prebuilt models**, you need full access—**Contributor** role—to at least one [Document Intelligence](https://portal.azure.com/#create/Microsoft.CognitiveServicesFormRecognizer) or [multi-service](https://portal.azure.com/#create/Microsoft.CognitiveServicesAllInOne) resource to enter the analyze page. Once you access the model analyze page, you can change the endpoint and key to access other resources, if needed.
450+
- For **document analysis and prebuilt models**, you need full access—**Cognitive Services User** role—to at least one [Document Intelligence](https://portal.azure.com/#create/Microsoft.CognitiveServicesFormRecognizer) or [multi-service](https://portal.azure.com/#create/Microsoft.CognitiveServicesAllInOne) resource to enter the analyze page. Once you access the model analyze page, you can change the endpoint and key to access other resources, if needed.
451451
452-
- For **custom models**, you can either use a **Contributor** role, or use the endpoint and key of a [Document Intelligence](https://portal.azure.com/#create/Microsoft.CognitiveServicesFormRecognizer) or [multi-service](https://portal.azure.com/#create/Microsoft.CognitiveServicesAllInOne) resource to create a project. You also need to have **Contributor** role to access to at least one blob storage account.
452+
- For **custom models**, you can either use a **Cognitive Services User** role, or use the endpoint and key of a [Document Intelligence](https://portal.azure.com/#create/Microsoft.CognitiveServicesFormRecognizer) or [multi-service](https://portal.azure.com/#create/Microsoft.CognitiveServicesAllInOne) resource to create a project. You also need to have **Storage Blob Data Contributor** role to access to at least one blob storage account.
453453
454454
- For more information, *see* [Microsoft Entra built-in roles](../../role-based-access-control/built-in-roles.md).
455455
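Review bot: In added line 450 the phrase "you need full access" is carried over from the **Contributor** wording and no longer describes the role now named, **Cognitive Services User**; suggest dropping it and writing "you need the **Cognitive Services User** role on at least one ... resource". In added line 452, "to access to at least one blob storage account" should read "to access at least one blob storage account", and the sentence should say at which scope the **Storage Blob Data Contributor** assignment is expected (storage account or container).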
@@ -468,10 +468,16 @@ sections:
468468
- Switching subscriptions or resources can be done under Settings -> Resource tab.
469469
470470
- question: |
471-
Why am I receiving an AuthorizationFailure error on Project Sharing, Auto Label, or OCR Upgrade when my Document Intelligence or Storage Account resource is configured with a firewall?
471+
Why am I receiving a Storage error on Project Sharing, Auto Label, or OCR Upgrade when my Storage Account resource is configured with a firewall or virtual network?
472472
answer: |
473473
474-
Add our website IP address, 20.3.165.95, to the firewall allowlist for both Document Intelligence and Storage Account resources. This unique address is Document Intelligence Studio's dedicated IP address and can be safely allowed.
474+
Please refer to [Managed identities for Document Intelligence](managed-identities.md) to set up up your Azure resources.
475+
476+
- question: |
477+
Why am I receiving 'Access denied due to Virtual Network/Firewall rules' on Auto Label or OCR Upgrading when my Document Intelligence resource is configured with a firewall or virtual network?
478+
answer: |
479+
480+
Add our website IP address, 20.3.165.95, to the firewall allowlist for Document Intelligence resource. This is Document Intelligence Studio's dedicated IP address and can be safely allowed.
475481
476482
- question: |
477483
Can I reuse or customize the labeling experience from Studio and build it into my own application?
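Review bot: The answer at added line 474 sends the reader to managed-identities.md without naming the fix, so someone hitting the Storage error still has to find out that a write role is the missing piece; suggest naming **Storage Blob Data Contributor** in the answer or linking directly to the "Additional role assignment for Document Intelligence Studio" section this commit adds. The same line has a typo, "set up up". In added line 480, "for Document Intelligence resource" needs "the", and "can be safely allowed" would be easier to act on if the answer said what traffic originates from 20.3.165.95 and that the rule belongs only on the Document Intelligence resource, since the old text asked for it on the Storage Account as well.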

articles/ai-services/document-intelligence/managed-identities.md

Lines changed: 5 additions & 1 deletion
@@ -95,7 +95,7 @@ In the following steps, we enable a system-assigned managed identity and grant D
9595

9696
## Grant access to your storage account
9797

98-
You need to grant Document Intelligence access to your storage account before it can create, read, or delete blobs. Now that you've enabled Document Intelligence with a system-assigned managed identity, you can use Azure role-based access control (Azure RBAC), to give Document Intelligence access to Azure storage. The **Storage Blob Data Reader** role gives Document Intelligence (represented by the system-assigned managed identity) read and list access to the blob container and data.
98+
You need to grant Document Intelligence access to your storage account before it can read blobs. Now that you've enabled Document Intelligence with a system-assigned managed identity, you can use Azure role-based access control (Azure RBAC), to give Document Intelligence access to Azure storage. The **Storage Blob Data Reader** role gives Document Intelligence (represented by the system-assigned managed identity) read and list access to the blob container and data.
9999

100100
1. Under **Permissions** select **Azure role assignments**:
101101
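Review bot: The rewritten sentence at line 98 now limits the grant to reading blobs, which matches the **Storage Blob Data Reader** role named in the same paragraph, but a Studio user who needs write access gets no pointer from here; consider a short forward link to the "Additional role assignment for Document Intelligence Studio" section added further down this file. The comma after "(Azure RBAC)" in the same line is stray and can go while the sentence is being touched.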

@@ -130,6 +130,10 @@ You need to grant Document Intelligence access to your storage account before it
130130

131131
That's it! You've completed the steps to enable a system-assigned managed identity. With managed identity and Azure RBAC, you granted Document Intelligence specific access rights to your storage resource without having to manage credentials such as SAS tokens.
132132

133+
### Additional role assignment for Document Intelligence Studio
134+
135+
If you are going to use Document Intelligence Studio and your storage account is configured with network restriction such as firewall or virtual network, an additional role, **Storage Blob Data Contributor**, needs to be assigned to your Document Intelligence service. Document Intelligence Studio requires this role to write blobs to your storage account when you perform Auto label, OCR upgrade, Human in the loop, or Project sharing operations.
136+
133137
## Next steps
134138
> [!div class="nextstepaction"]
135139
> [Configure secure access with managed identities and private endpoints](managed-identities-secured-access.md)
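Review bot: Added line 135 says the role is assigned "to your Document Intelligence service", while the surrounding section grants roles to the system-assigned managed identity; naming the managed identity and the scope of the assignment would keep the wording consistent with the steps above. The sentence also makes the role conditional on the storage account having a network restriction without saying why the write operations listed (Auto label, OCR upgrade, Human in the loop, Project sharing) do not need it otherwise, and it does not say whether **Storage Blob Data Contributor** is assigned alongside **Storage Blob Data Reader** or instead of it. Minor: "network restriction such as firewall or virtual network" reads better as "a network restriction such as a firewall or virtual network".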

articles/ai-services/document-intelligence/quickstarts/try-document-intelligence-studio.md

Lines changed: 19 additions & 0 deletions
@@ -32,6 +32,14 @@ monikerRange: '>=doc-intel-3.0.0'
3232
> [!TIP]
3333
> Create an Azure AI services resource if you plan to access multiple Azure AI services under a single endpoint/key. For Document Intelligence access only, create a Document Intelligence resource. Please note that you'll need a single-service resource if you intend to use [Microsoft Entra authentication](../../../active-directory/authentication/overview-authentication.md).
3434
35+
#### Azure role assignments
36+
37+
For document analysis and prebuilt models, following role assignments are required for different scenarios.
38+
* Basic
39+
* **Cognitive Services User**: you need this role to Document Intelligence or Azure AI services resource to enter the analyze page.
40+
* Advanced
41+
* **Contributor**: you need this role to create resource group, Document Intelligence service, or Azure AI services resource.
42+
3543
## Models
3644

3745
Prebuilt models help you add Document Intelligence features to your apps without having to build, train, and publish your own models. You can choose from several prebuilt models, each of which has its own set of supported data fields. The choice of model to use for the analyze operation depends on the type of document to be analyzed. Document Intelligence currently supports the following prebuilt models:
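Review bot: The new heading at added line 35 is `#### Azure role assignments`, while the same heading for custom projects in the next hunk is `###`; pick one level, and consider distinct titles so the two anchors do not collide. Wording in this block also differs from its counterpart: line 37 is missing "the" before "following role assignments", and lines 39 and 41 start with lowercase "you need this role to Document Intelligence ..." where the later list uses "You need this role for ...". For line 41, "to create resource group" needs an article.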
@@ -81,6 +89,17 @@ A **standard performance** [**Azure Blob Storage account**](https://portal.azure
8189
* [**Create a storage account**](../../../storage/common/storage-account-create.md). When creating your storage account, make sure to select **Standard** performance in the **Instance details → Performance** field.
8290
* [**Create a container**](../../../storage/blobs/storage-quickstart-blobs-portal.md#create-a-container). When creating your container, set the **Public access level** field to **Container** (anonymous read access for containers and blobs) in the **New Container** window.
8391

92+
### Azure role assignments
93+
94+
For custom projects, the following role assignments are required for different scenarios.
95+
96+
* Basic
97+
* **Cognitive Services User**: You need this role for Document Intelligence or Azure AI services resource to train the custom model or do analysis with trained models.
98+
* **Storage Blob Data Contributor**: You need this role for the Storage Account to create a project and label data.
99+
* Advanced
100+
* **Storage Account Contributor**: You need this role for the Storage Account to set up CORS settings (this is a one-time effort if the same storage account is reused).
101+
* **Contributor**: You need this role to create a resource group and resources.
102+
84103
### Configure CORS
85104

86105
[CORS (Cross Origin Resource Sharing)](/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services) needs to be configured on your Azure storage account for it to be accessible from the Document Intelligence Studio. To configure CORS in the Azure portal, you need access to the CORS tab of your storage account.
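Review bot: The added role list (lines 92 to 101) introduces **Storage Blob Data Contributor** for project and labeling access, yet the context line just above it (line 90) still tells the reader to set the container's **Public access level** to **Container** (anonymous read access); please confirm whether anonymous access is still required once the roles are assigned, and if not, update that step in the same change so the page does not recommend both. For line 100, **Storage Account Contributor** is listed only for the one-time CORS setup, so it is worth saying that the assignment can be removed afterwards.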
