Merge pull request #294075 from sdwheeler/sdw-w368950-vnet-roles

denrea · web-flow · commit ee6c627ace4f · 2025-02-05T12:59:50.000-08:00
Add new article about supporting multiple users in a VNet deployment
diff --git a/articles/cloud-shell/TOC.yml b/articles/cloud-shell/TOC.yml
@@ -7,7 +7,7 @@ items:
         href: features.md
       - name: Release notes
         href: release-notes.md
-  - name: Get started with Cloud Shell
+  - name: Get started with Azure Cloud Shell
     items:
       - name: Get started (Classic)
         href: get-started/classic.md
@@ -17,7 +17,7 @@ items:
         href: get-started/new-storage.md
       - name: Get started with existing storage account (New UI)
         href: get-started/existing-storage.md
-  - name: How to use Cloud Shell
+  - name: How to use Azure Cloud Shell
     items:
       - name: Use the window (Classic UI)
         href: using-the-shell-window.md
@@ -31,7 +31,7 @@ items:
         href: cloud-shell-predictive-intellisense.md
       - name: FAQ & Troubleshooting
         href: faq-troubleshooting.md
-  - name: Deploy Cloud Shell in a virtual network
+  - name: Deploy Azure Cloud Shell in a virtual network
     items:
       - name: Overview
         href: vnet/overview.md
@@ -41,16 +41,18 @@ items:
         href: vnet/how-to-use-private-endpoint-storage.md
       - name: Troubleshoot Azure Cloud Shell in a virtual network
         href: vnet/troubleshooting.md
+  - name: Security
+    items:
+      - name: Allow multiple users to use a single storage account and file share
+        href: security/how-to-support-multiple-users.md
+      - name: Security baseline
+        href: /security/benchmark/azure/baselines/cloud-shell-security-baseline?bc=%2fazure%2fbread%2ftoc.json&toc=%2fazure%2fcloud-shell%2ftoc.json
   - name: Pricing
     items:
-      - name: Cloud Shell pricing
+      - name: Azure Cloud Shell pricing
         href: pricing.md
       - name: Pricing calculator
         href: https://azure.microsoft.com/pricing/calculator/
-  - name: Security
-    items:
-      - name: Security baseline
-        href: /security/benchmark/azure/baselines/cloud-shell-security-baseline?bc=%2fazure%2fbread%2ftoc.json&toc=%2fazure%2fcloud-shell%2ftoc.json
   - name: Reference
     items:
       - name: Azure CLI
diff --git a/articles/cloud-shell/security/how-to-support-multiple-users.md b/articles/cloud-shell/security/how-to-support-multiple-users.md
@@ -0,0 +1,83 @@
+---
+title: Allow multiple users to use a single storage account and file share
+description: This article explains changes required to allow multiple Azure Cloud Shell users to use a single storage account and file share.
+ms.topic: how-to
+ms.date: 02/04/2025
+---
+# Allow multiple users to use a single storage account and file share
+
+By default, the storage resources created by Azure Cloud Shell are intended for a single user. A
+single-user deployment is the most secure configuration because each user can only access their own
+file share. However, you might have a need to allow multiple users access to a single deployment. To
+support access for multiple users, you need to make the following changes:
+
+- Increase the Azure File share quota
+- Assign roles to the users that allow access to the storage resources
+
+> [!WARNING]
+> Using the configuration steps in this article grants each user you configure access to the all the
+> files in the file share. For the best security, create separate storage accounts and file shares
+> for each user.
+
+## Increase File Share quota
+
+The file share created by Cloud Shell has a 6-GiB quota limit. When a new user starts their first
+session, Cloud Shell creates a 5-GiB image (`*.img`) file in the file share. The first user uses up
+the quota limit. When a second user starts their session, they receive the 'ephemeral storage' error
+message because Cloud Shell is unable to create another 5-GiB image (`*.img`) file. Also, notice
+that Cloud Shell created a 0-byte image (`*.img`) file for the failed attempt.
+
+To support multiple users, you need to increase the file share quota to accommodate the number of
+users that share the same storage account. Increase the quota by 5-GiB per user.
+
+Use the following steps to change the file share quota:
+
+1. Sign in to the Azure portal.
+1. Use the search bar to find your storage accounts
+1. On the **Storage accounts** page, select the storage account that you're using for the Azure
+   Cloud Shell environment and view the details.
+1. From the left-hand menu, expand **Data storage** and select **File shares**.
+1. Locate the file share that you're using for the Azure Cloud Shell environment.
+1. On the file share for Cloud Shell, select the triple-dot menu.
+1. Select **Edit quota** from the menu.
+1. Change the **Quota** amount to the desired size.
+1. Select **OK** to save the change.
+
+> [!NOTE]
+> There's a 100-TiB size limit for the file share.
+
+## Assign roles to the users that allow access to the storage resources
+
+To access the storage account and file share, each user needs to have the following role
+assignments:
+
+- **Reader and Data Access** or **Storage Account Contributor**
+- **Storage File Data Privileged Contributor**
+
+Apply the roles on the storage account. The file share inherits the role assignments from the
+storage account.
+
+Use the following steps to assign roles:
+
+1. Sign in to the Azure portal.
+1. Use the search bar to find your storage accounts
+1. On the **Storage accounts** page, select the storage account that you're using for the Azure
+   Cloud Shell environment and view the details.
+1. From the left-hand menu, select **Access Control (IAM)**.
+1. In the details pane, select the **Role assignments** tab.
+1. In the header menu, select **+ Add** then select **Add role assignment** from the dropdown menu.
+1. Use the search field to search for **Reader and Data Access** and select it from the search
+   results.
+1. Select **Next** on the bottom of the page to get to the **Members** tab.
+1. To add users to the role:
+   1. Select **+ Select members**.
+   1. In the **Select members** pane, search for the user
+   1. Select the user then use **Select** button at the bottom to add the user.
+   1. Repeat the process for each user.
+1. After adding the users, select **Next** to go to the **Review + assign** tab.
+1. Repeat the process for the **Storage File Data Privileged Contributor** role.
+
+## Summary
+
+In this article, you learned how to increase storage quotas for a file share and how to assign roles
+to users to allow access to storage resources in Azure.
diff --git a/articles/cloud-shell/vnet/deployment.md b/articles/cloud-shell/vnet/deployment.md
@@ -1,17 +1,17 @@
 ---
 description: This article provides step-by-step instructions to deploy Azure Cloud Shell in a private virtual network.
 ms.contributor: jahelmic
-ms.date: 01/28/2025
+ms.date: 02/05/2025
 ms.topic: how-to
 ms.custom: devx-track-arm-template
 title: Deploy Azure Cloud Shell in a virtual network with quickstart templates
 ---
 
-# Deploy Cloud Shell in a virtual network by using quickstart templates
+# Deploy Azure Cloud Shell in a virtual network by using quickstart templates
 
 Before you run quickstart templates to deploy Azure Cloud Shell in a virtual network (VNet), there
 are several prerequisites to complete. You must have the **Owner** role assignment on the
-subscription. To view and assign roles, see [List Owners of a Subscription][10].
+subscription. To view and assign roles, see [List Owners of a Subscription][05].
 
 This article walks you through the following steps to configure and deploy Cloud Shell in a virtual
 network:
@@ -37,7 +37,7 @@ Depending on when your tenant was created, some of these providers might already
 
 To see all resource providers and the registration status for your subscription:
 
-1. Sign in to the [Azure portal][11].
+1. Sign in to the [Azure portal][14].
 1. On the Azure portal menu, search for **Subscriptions**. Select it from the available options.
 1. Select the subscription that you want to view.
 1. On the left menu, under **Settings**, select **Resource providers**.
@@ -80,57 +80,61 @@ Fill in the following values:
 You can create the resource group by using the Azure portal, the Azure CLI, or Azure PowerShell. For
 more information, see the following articles:
 
-- [Manage Azure resource groups by using the Azure portal][02]
-- [Manage Azure resource groups by using Azure CLI][01]
-- [Manage Azure resource groups by using Azure PowerShell][03]
+- [Manage Azure resource groups by using the Azure portal][03]
+- [Manage Azure resource groups by using Azure CLI][02]
+- [Manage Azure resource groups by using Azure PowerShell][04]
 
 ### Create a virtual network
 
 You can create the virtual network by using the Azure portal, the Azure CLI, or Azure PowerShell.
 For more information, see the following articles:
 
-- [Use the Azure portal to create a virtual network][05]
-- [Use Azure PowerShell to create a virtual network][06]
-- [Use Azure CLI to create a virtual network][04]
+- [Use the Azure portal to create a virtual network][07]
+- [Use Azure PowerShell to create a virtual network][08]
+- [Use Azure CLI to create a virtual network][06]
 
 > [!NOTE]
 > When you're setting the container subnet address prefix for the Cloud Shell subnet, it's important
 > to consider the number of Cloud Shell sessions that you need to run concurrently. If the number of
 > Cloud Shell sessions exceeds the available IP addresses in the container subnet, users of those
 > sessions can't connect to Cloud Shell. Increase the container subnet range to accommodate your
 > specific needs. For more information, see the "Change subnet settings" section of
-> [Add, change, or delete a virtual network subnet][07].
+> [Add, change, or delete a virtual network subnet][09].
 
 ### Get the Azure container instance ID
 
 The Azure container instance ID is a unique value for every tenant. You use this identifier in the
-[quickstart templates][08] to configure a virtual network for Cloud Shell. To get the Id from the
-command line, see [Alternate way to get the Azure Container Instance ID][12].
+[quickstart templates][12] to configure a virtual network for Cloud Shell. To get the ID from the
+command line, see [Alternate way to get the Azure Container Instance ID][10].
 
-1. Sign in to the [Azure portal][11]. From the home page, select **Microsoft Entra ID**. If the icon
+1. Sign in to the [Azure portal][14]. From the home page, select **Microsoft Entra ID**. If the icon
    isn't displayed, enter `Microsoft Entra ID` in the top search bar.
 1. On the left menu, select **Overview**. Then enter `azure container instance service` in the
    search bar.
 
    [![Screenshot of searching for Azure Container Instance Service.][95a]][95b]
 
 1. In the results, under **Enterprise applications**, select **Azure Container Instance Service**.
-1. On the **Overview** page for **Azure Container Instance Service**, find the **Object ID** value
-   that's listed as a property.
+1. On the **Overview** page for **Azure Container Instance Service**, locate the **Object ID** value
+   listed under **Properties**.
 
    You use this ID in the quickstart template for the virtual network.
 
    [![Screenshot of Azure Container Instance Service details.][96a]][96b]
 
 ## 3. Create the required network resources by using the ARM template
 
-Use the [Azure Cloud Shell - VNet][08] template to create Cloud Shell resources in a virtual
-network. The template creates three subnets under the virtual network that you created earlier. You
-might choose to change the supplied names of the subnets or use the defaults.
+To create Cloud Shell resources in a virtual network, use the ARM template named
+[Azure Cloud Shell - VNet][12]. The template creates three subnets under the virtual network that
+you created earlier. You might choose to change the supplied names of the subnets or use the
+defaults.
 
-The virtual network, along with the subnets, requires valid IP address assignments. You need at
-least one IP address for the Relay subnet and enough IP addresses in the container subnet to support
-the number of concurrent sessions that you expect to use.
+The virtual network and the subnets require valid IP address assignments. You need enough addresses
+to support the following resources:
+
+- At least one IP address for the Relay subnet
+- Enough IP addresses in the container subnet to support the number of concurrent sessions that you
+  expect to use
 
 The ARM template requires specific information about the resources that you created earlier, along
 with naming information for new resources. This information is filled out along with the prefilled
@@ -176,8 +180,9 @@ subscription.
 
 ## 4. Create the virtual network storage by using the ARM template
 
-Use the [Azure Cloud Shell - VNet storage][09] template to create Cloud Shell resources in a virtual
-network. The template creates the storage account and assigns it to the private virtual network.
+To create Cloud Shell resources in a virtual network, use the ARM template named
+[Azure Cloud Shell - VNet storage][13]. The template creates the storage account and assigns it to
+the private virtual network.
 
 The ARM template requires specific information about the resources that you created earlier, along
 with naming information for new resources.
@@ -275,21 +280,29 @@ az ad sp list --display-name 'Azure Container Instance' --query "[].id"
 ## Next steps
 
 You must complete the Cloud Shell configuration steps for each user who needs to use the new private
-Cloud Shell instance.
+Cloud Shell instance. Alternatively, you can configure your Cloud Shell instance to allow multiple
+users to use the same storage resources. For more information, see
+[Allow multiple users to use a single storage account and file share][01].
+
+For improved security, you can configure your storage account to use a private endpoint. For more
+information, see [Connect to a storage account using an Azure private endpoint][11].
 
 <!-- link references -->
-[01]: /azure/azure-resource-manager/management/manage-resource-groups-cli
-[02]: /azure/azure-resource-manager/management/manage-resource-groups-portal
-[03]: /azure/azure-resource-manager/management/manage-resource-groups-powershell
-[04]: /azure/virtual-network/quick-create-cli
-[05]: /azure/virtual-network/quick-create-portal
-[06]: /azure/virtual-network/quick-create-powershell
-[07]: /azure/virtual-network/virtual-network-manage-subnet?tabs=azure-portal#change-subnet-settings
-[08]: https://aka.ms/cloudshell/docs/vnet/template
-[09]: https://azure.microsoft.com/resources/templates/cloud-shell-vnet-storage/
-[10]: /azure/role-based-access-control/role-assignments-list-portal#list-owners-of-a-subscription
-[11]: https://portal.azure.com
-[12]: #alternate-way-to-get-the-azure-container-instance-id
+[01]: ../security/how-to-support-multiple-users.md
+[02]: /azure/azure-resource-manager/management/manage-resource-groups-cli
+[03]: /azure/azure-resource-manager/management/manage-resource-groups-portal
+[04]: /azure/azure-resource-manager/management/manage-resource-groups-powershell
+[05]: /azure/role-based-access-control/role-assignments-list-portal#list-owners-of-a-subscription
+[06]: /azure/virtual-network/quick-create-cli
+[07]: /azure/virtual-network/quick-create-portal
+[08]: /azure/virtual-network/quick-create-powershell
+[09]: /azure/virtual-network/virtual-network-manage-subnet?tabs=azure-portal#change-subnet-settings
+[10]: #alternate-way-to-get-the-azure-container-instance-id
+[11]: how-to-use-private-endpoint-storage.md
+[12]: https://aka.ms/cloudshell/docs/vnet/template
+[13]: https://azure.microsoft.com/resources/templates/cloud-shell-vnet-storage/
+[14]: https://portal.azure.com
+
 [95a]: media/deployment/container-service-search.png
 [95b]: media/deployment/container-service-search.png#lightbox
 [96a]: media/deployment/container-service-details.png
