From 0473e86b473ac129c6c65b05bdec78506104fbbb Mon Sep 17 00:00:00 2001
From: Jan Stienstra <73657829+st-jan@users.noreply.github.com>
Date: Fri, 7 Nov 2025 10:36:30 +0100
Subject: [PATCH] Update CREDENTIAL documentation for Fabric COPY INTO

Clarified authentication requirements for storage accounts without public access.
---
 docs/t-sql/statements/copy-into-transact-sql.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/docs/t-sql/statements/copy-into-transact-sql.md b/docs/t-sql/statements/copy-into-transact-sql.md
index 4c21b09f926..3b0940d4bf3 100644
--- a/docs/t-sql/statements/copy-into-transact-sql.md
+++ b/docs/t-sql/statements/copy-into-transact-sql.md
@@ -698,6 +698,10 @@ The user's EntraID authentication is default. No credential needs to be specifie
   - *IDENTITY: A constant with a value of 'Storage Account Key'*
 - *SECRET: Storage account key*
 
+> [!NOTE]
+> When using a storage account without public network access, the use of a Shared Access Signature or Storage Account Key is not supported.
+> EntraID authentication is the only supported mechanism for these accounts.
+
 #### *ERRORFILE = Directory Location*
 
 *ERRORFILE* only applies to CSV. Specifies the directory where the rejected rows and the corresponding error file should be written. The full path from the storage account can be specified or the path relative to the container can be specified. If the specified path doesn't exist, one is created on your behalf. A child directory is created with the name `_rejectedrows`. The `_` character ensures that the directory is escaped for other data processing unless explicitly named in the location parameter.