Merge pull request #285716 from pauljewellmsft/rbac-scope

Add note about assigning roles to management scope

Author: prmerger-automator[bot]

articles/storage/blobs/assign-azure-role-data-access.md

@@ -6,7 +6,7 @@ author: pauljewellmsft
 ms.author: pauljewell
 ms.service: azure-blob-storage
 ms.topic: how-to
-ms.date: 02/16/2024
+ms.date: 08/28/2024
 ms.reviewer: dineshm
 ms.devlang: powershell
 # ms.devlang: powershell, azurecli
@@ -177,6 +177,7 @@ Keep in mind the following points about Azure role assignments in Azure Storage:
 
 - When you create an Azure Storage account, you aren't automatically assigned permissions to access data via Microsoft Entra ID. You must explicitly assign yourself an Azure role for Azure Storage. You can assign it at the level of your subscription, resource group, storage account, or container.
 - When you assign roles or remove role assignments, it can take up to 10 minutes for changes to take effect.
+- Built-in roles with data actions can be assigned at management group [scope](/azure/role-based-access-control/scope-overview#scope-levels). However, in rare scenarios there might be a significant delay (up to 12 hours) before data action permissions are effective for certain resource types. Permissions will eventually be applied. For built-in roles with data actions, adding or removing role assignments at management group scope is not recommended for scenarios where timely permission activation or revocation, such as Microsoft Entra Privileged Identity Management (PIM), is required.
 - If the storage account is locked with an Azure Resource Manager read-only lock, then the lock prevents the assignment of Azure roles that are scoped to the storage account or a container.
 - If you set the appropriate allow permissions to access data via Microsoft Entra ID and are unable to access the data, for example you're getting an "AuthorizationPermissionMismatch" error. Be sure to allow enough time for the permissions changes you made in Microsoft Entra ID to replicate, and be sure that you don't have any deny assignments that block your access, see [Understand Azure deny assignments](../../role-based-access-control/deny-assignments.md).
 

articles/storage/queues/assign-azure-role-data-access.md

@@ -7,7 +7,7 @@ author: akashdubey-ms
 
 ms.service: azure-queue-storage
 ms.topic: how-to
-ms.date: 07/13/2021
+ms.date: 08/28/2024
 ms.author: akashdubey
 ms.reviewer: dineshm
 ms.custom: devx-track-azurepowershell, devx-track-azurecli 
@@ -99,6 +99,8 @@ To learn how to use an Azure Resource Manager template to assign an Azure role,
 Keep in mind the following points about Azure role assignments in Azure Storage:
 
 - When you create an Azure Storage account, you are not automatically assigned permissions to access data via Microsoft Entra ID. You must explicitly assign yourself an Azure role for Azure Storage. You can assign it at the level of your subscription, resource group, storage account, or queue.
+- When you assign roles or remove role assignments, it can take up to 10 minutes for changes to take effect.
+- Built-in roles with data actions can be assigned at management group [scope](/azure/role-based-access-control/scope-overview#scope-levels). However, in rare scenarios there might be a significant delay (up to 12 hours) before data action permissions are effective for certain resource types. Permissions will eventually be applied. For built-in roles with data actions, adding or removing role assignments at management group scope is not recommended for scenarios where timely permission activation or revocation, such as Microsoft Entra Privileged Identity Management (PIM), is required.
 - If the storage account is locked with an Azure Resource Manager read-only lock, then the lock prevents the assignment of Azure roles that are scoped to the storage account or a queue.
 
 ## Next steps

articles/storage/tables/assign-azure-role-data-access.md

@@ -7,7 +7,7 @@ author: akashdubey-ms
 
 ms.service: azure-table-storage
 ms.topic: how-to
-ms.date: 03/03/2022
+ms.date: 08/28/2024
 ms.author: akashdubey
 ms.reviewer: nachakra
 ms.custom: devx-track-azurepowershell, devx-track-azurecli 
@@ -81,6 +81,8 @@ To learn how to use an Azure Resource Manager template to assign an Azure role,
 Keep in mind the following points about Azure role assignments in Azure Storage:
 
 - When you create an Azure Storage account, you are not automatically assigned permissions to access data via Microsoft Entra ID. You must explicitly assign yourself an Azure role for Azure Storage. You can assign it at the level of your subscription, resource group, storage account, or table.
+- When you assign roles or remove role assignments, it can take up to 10 minutes for changes to take effect.
+- Built-in roles with data actions can be assigned at management group [scope](/azure/role-based-access-control/scope-overview#scope-levels). However, in rare scenarios there might be a significant delay (up to 12 hours) before data action permissions are effective for certain resource types. Permissions will eventually be applied. For built-in roles with data actions, adding or removing role assignments at management group scope is not recommended for scenarios where timely permission activation or revocation, such as Microsoft Entra Privileged Identity Management (PIM), is required.
 - If the storage account is locked with an Azure Resource Manager read-only lock, then the lock prevents the assignment of Azure roles that are scoped to the storage account or a table.
 
 ## Next steps