diff --git a/docs/auditor/10.9/configuration/azurefiles/stateintime.md b/docs/auditor/10.9/configuration/azurefiles/stateintime.md index 3d4eb7b9d9..339843aebe 100644 --- a/docs/auditor/10.9/configuration/azurefiles/stateintime.md +++ b/docs/auditor/10.9/configuration/azurefiles/stateintime.md @@ -2,6 +2,13 @@ This topic describes how to enable State-in-Time data collection for an Azure Files monitoring plan in Netwrix Auditor, configure the monitoring scope using omit lists, and set up optional Azure diagnostic settings for activity-based reports. +> **Note:** When Azure file shares use on-premises Active Directory (AD DS) authentication, the following limitations apply to State-in-Time permission reports: +> +> - **Group expansion is unavailable for on-premises AD groups that are not synced to Microsoft Entra ID.** If access to a file or folder is granted through such a group, the report does not list individual group members. +> - **SID resolution is unavailable for on-premises AD groups and accounts that are not synced to Microsoft Entra ID.** These objects appear as unresolved SIDs instead of display names in permission reports. +> +> These limitations do not affect environments that use Microsoft Entra ID-only identities or fully synced hybrid identities. + ## Prerequisites - An Azure Files monitoring plan must already exist in Netwrix Auditor [Azure Files Configuration Overview](/docs/auditor/10_8/configuration/azurefiles/overview)
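Review bot: the added note, in its two bullets under "the following limitations apply", says what the State-in-Time permission report leaves out but not what a reader reviewing access should do about it. When access is granted through an unsynced on-premises AD group, the report shows the group (or an unresolved SID) without its members, so an access review based on the report alone under-counts who can reach the share. Consider a closing sentence that states whether syncing the affected groups and accounts to Microsoft Entra ID restores group expansion and SID resolution, and that tells the reader to resolve membership for any unresolved SID or unexpanded group in on-premises AD before signing off on a permission review. The last sentence, "fully synced hybrid identities", also leaves the partially synced case implicit; it would help to say that the limitation applies per object, to each group or account that is not synced. Separately, the unchanged Prerequisites context line links to /docs/auditor/10_8/configuration/azurefiles/overview from a file under docs/auditor/10.9/; worth confirming that the cross-version link is intended.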