adding links

Author: SoniaLopezBravo

articles/iot-operations/deploy-iot-ops/howto-deploy-iot-operations.md

@@ -146,6 +146,13 @@ One at a time, run each Azure CLI command on the **Automation** tab in a termina
    az extension add --upgrade --name azure-iot-ops
    ```
 
+    > [!IMPORTANT]
+    > For preview releases, you need to append the `--allow-preview` flag to the `az extension add` command to install the [preview version](./howto-upgrade.md#upgrade-to-preview-version) of the Azure IoT Operations CLI extension.
+    >
+    > ```azurecli
+    > az extension add --upgrade --name azure-iot-ops --allow-preview
+    > ```
+
 1. Copy and run the provided [az iot ops schema registry create](/cli/azure/iot/ops/schema/registry#az-iot-ops-schema-registry-create) command to create a schema registry which is used by Azure IoT Operations components. If you chose to use an existing schema registry, this command isn't displayed on the **Automation** tab.
 
    > [!NOTE]
@@ -184,6 +191,9 @@ One at a time, run each Azure CLI command on the **Automation** tab in a termina
       --feature connectors.settings.preview=Enabled
       ```
 
+    > [!NOTE]
+    > The `--feature` configuration parameter isn't available in 2507 preview release.
+
     * If you followed the optional prerequisites to set up your own certificate authority issuer, add the `--trust-settings` parameters to the `create` command:
 
     ```bash

articles/iot-operations/deploy-iot-ops/howto-deploy-iot-test-operations.md

@@ -132,6 +132,14 @@ One at a time, run each Azure CLI command on the **Automation** tab in a termina
     az extension add --upgrade --name azure-iot-ops
     ```
 
+
+    > [!IMPORTANT]
+    > For preview releases, you need to append the `--allow-preview` flag to the `az extension add` command to install the [preview version](./howto-upgrade.md#upgrade-to-preview-version) of the Azure IoT Operations CLI extension.
+    >
+    > ```azurecli
+    > az extension add --upgrade --name azure-iot-ops --allow-preview
+    > ```
+
 1. Copy and run the provided [az iot ops schema registry create](/cli/azure/iot/ops/schema/registry#az-iot-ops-schema-registry-create) command to create a schema registry which is used by Azure IoT Operations components. If you chose to use an existing schema registry, this command isn't displayed on the **Automation** tab.
 
 1. Azure IoT Operations uses *namespaces* to organize assets and devices. Each Azure IoT Operations instance uses a single namespace for its assets and devices. You can use an existing namespace or run the `az iot ops ns create` command to create an Azure Device Registry namespace. Replace `<my namespace name>` with a unique name for your namespace.
@@ -167,6 +175,9 @@ One at a time, run each Azure CLI command on the **Automation** tab in a termina
     --feature connectors.settings.preview=Enabled
     ```
 
+    > [!NOTE]
+    > The `--feature` configuration parameter isn't available in 2507 preview release.
+
 1. Once all of the Azure CLI commands complete successfully, you can close the **Install Azure IoT Operations** wizard.
 
 Once the `create` command completes successfully, you have a working Azure IoT Operations instance running on your cluster. At this point, your instance is configured for most testing and evaluation scenarios.

articles/iot-operations/deploy-iot-ops/overview-deploy.md

@@ -74,12 +74,12 @@ The following table describes Azure IoT Operations deployment and management tas
 | ---- | ------------------- | -------- |
 | Deploy Azure IoT Operations | [Azure IoT Operations Onboarding role](../secure-iot-ops/built-in-rbac.md#azure-iot-operations-onboarding-role) | This role has all required permissions to read and write Azure IoT operations and Azure Device Registry resources. This role has `Microsoft.Authorization/roleAssignments/write` permissions.|
 | Register resource providers | [Contributor role](/azure/role-based-access-control/built-in-roles/privileged#contributor) at subscription level| Only required to do once per subscription. You need to register the following resource providers: `Microsoft.ExtendedLocation`, `Microsoft.SecretSyncController`, `Microsoft.Kubernetes`, `Microsoft.KubernetesConfiguration`, `Microsoft.IoTOperations`, and `Microsoft.DeviceRegistry`. |
-| Create secrets in Key Vault | [Key Vault Secrets Officer role](/azure/role-based-access-control/built-in-roles/security#key-vault-secrets-officer) at the resource level | Only required for secure settings deployment. |
-| Create and manage storage accounts | Storage Account Contributor role | Required for Azure IoT Operations deployment. |
+| Create secrets in Key Vault | [Key Vault Secrets Officer role](/azure/role-based-access-control/built-in-roles/security#key-vault-secrets-officer) at the resource level | Only required for secure settings deployment to synchronize secrets from Azure Key Vault. |
+| Create and manage storage accounts | [Storage Account Contributor role](/azure/role-based-access-control/built-in-roles/storage#storage-account-contributor) | Required for Azure IoT Operations deployment. |
 | Create a resource group | Resource Group Contributor role | Required to create a resource group for storing Azure IoT Operations resources. |
-| Onboard a cluster to Azure Arc | Kubernetes Cluster Azure Arc Onboarding role | Arc-enabled clusters are required to deploy Azure IoT Operations. |
-| Manage deployment of Azure resource bridge| Azure Resource Bridge Deployment role | Required to deploy Azure IoT Operations. |
-| Provide permissions to deployment| Azure Arc Enabled Kubernetes Cluster User role | Required to grant permission of deployment to the Azure Arc-enabled Kubernetes cluster. |
+| Onboard a cluster to Azure Arc | [Kubernetes Cluster - Azure Arc Onboarding role](/azure/role-based-access-control/built-in-roles/containers#kubernetes-cluster---azure-arc-onboarding) | Arc-enabled clusters are required to deploy Azure IoT Operations. |
+| Manage deployment of Azure resource bridge| [Azure Resource Bridge Deployment role](/azure/role-based-access-control/built-in-roles/hybrid-multicloud#azure-resource-bridge-deployment-role) | Required to deploy Azure IoT Operations. |
+| Provide permissions to deployment| [Azure Arc Enabled Kubernetes Cluster User role](/azure/role-based-access-control/built-in-roles/containers#azure-arc-enabled-kubernetes-cluster-user-role) | Required to grant permission of deployment to the Azure Arc-enabled Kubernetes cluster. |
 
 > [!TIP]
 > You must enable resource sync rules on the Azure IoT Operations instance to use the automatic asset discovery capabilities of the Akri services. To learn more, see [What is OPC UA asset discovery (preview)?](../discover-manage-assets/overview-akri.md).

articles/iot-operations/reference/custom-rbac.md

@@ -1,5 +1,5 @@
 ---
-title: Custom RBAC for Your Resources
+title: Custom RBAC Roles
 description: Use the Azure portal to secure access to Azure IoT Operations resources such as data flows and assets by using Azure role-based access control.
 author: dominicbetts
 ms.author: dobett
@@ -9,22 +9,21 @@ ms.date: 04/16/2025
 #CustomerIntent: As an IT administrator, I want configure Azure RBAC custom roles on resources in my Azure IoT Operations instance to control access to them.
 ---
 
-# Custom RBAC for your Azure IoT Operations resources
+# Custom RBAC roles for your Azure IoT Operations resources
 
-To define custom roles that grant specific permissions to users, you can use Azure RBAC. This article includes a list of example that you can download and use in your environment. These custom roles are JSON files that list the specific permissions and scope for the role.
+To define custom roles that grant specific permissions to users, you can use Azure RBAC. This article includes a list of example that you can download and use as reference to build your custom roles. 
 
 To learn more about custom roles in Azure RBAC, see [Azure custom roles](/azure/role-based-access-control/custom-roles).
 
 Azure IoT operations also offers built-in roles designed to simplify and secure access management for Azure IoT Operations resources. For more information, see [Built-in RBAC roles for IoT Operations](../secure-iot-ops/built-in-rbac.md).
 
 ## Examples of custom roles
 
-The following sections list the example Azure IoT Operations custom roles you can download and use.
+The following sections list the example Azure IoT Operations custom roles you can download and use as reference. These custom roles are JSON files that list the specific permissions and scope for the role, which you should use as a starting point to create your own custom roles.
 
 > [!NOTE]
 > The following custom roles are examples only. You need to review and modify the permissions in the JSON files to suit your specific requirements.
 
-
 ### Onboarding roles
 
 You can define an *Onboarding* role that grants sufficient permissions to a user to complete the Azure Arc connect process and deploy Azure IoT Operations securely.

articles/iot-operations/secure-iot-ops/built-in-rbac.md

@@ -1,5 +1,5 @@
 ---
-title: Built-in RBAC Roles for IoT Operations
+title: Built-in RBAC Roles 
 description: Learn about the built-in RBAC roles for Azure IoT Operations and how to use them to control access to resources.
 author: SoniaLopezBravo
 ms.author: sonialopez
@@ -20,28 +20,28 @@ Azure IoT Operations (AIO) offers two built-in roles designed to simplify and se
 
 The Azure IoT Operations Administrator role provides comprehensive permissions to manage and operate all Azure IoT Operations components. Assign this role to users who need full access to use AIO resources. To support deployment and ongoing management of AIO, users require additional permissions. If a user only needs to use AIO, you can assign the Administrator role alone.
 
-When assigning this built-in role, you need to ensure that users have the following permissions:
+When assigning this built-in role, you need to ensure that the following roles are also assigned to the user:
 
-- Azure Edge Hardware Center Administrator: This role grants access to manage and take action as an edge order administrator. It is used for ordering and managing Azure Stack Edge devices. 
-- Azure Arc Enabled Kubernetes Cluster User Role: This role is used to manage Azure Arc-enabled Kubernetes clusters by providing permission to write deployments, manage subscriptions, and handle connected clusters and extensions. 
-- Key Vault Administrator: This role allows the user to manage all aspects of Azure Key Vaults, including creating, maintaining, viewing, and deleting keys, certificates, and secrets. 
-- Kubernetes Extension Contributor: This role allows users to manage Kubernetes extensions, including creating, updating, and deleting extensions. 
-- Managed Identity Contributor: This role allows the user to manage managed identities, including creating, updating, and deleting user-assigned managed identities.
-- Monitoring Contributor: This role allows the user to read all monitoring data and update monitoring settings.
-- Resource Group Contributor: This role grants permissions to manage resources within a resource group, including creating, updating, and deleting resources.
-- Secrets Store Extension Owner: This role allows the user to manage the Secrets Store extension, which synchronizes secrets from Azure Key Vault to Kubernetes clusters.
-- Storage Account Contributor: This role allows the user to manage storage accounts, including creating, updating, and deleting storage accounts, as well as managing access keys and other settings.
+- Azure Edge Hardware Center Administrator role: This role grants access to manage and take action as an edge order administrator. It is used for ordering and managing Azure Stack Edge devices. 
+- [Azure Arc Enabled Kubernetes Cluster User role:](/azure/role-based-access-control/built-in-roles/containers#azure-arc-enabled-kubernetes-cluster-user-role) This role is used to manage Azure Arc-enabled Kubernetes clusters by providing permission to write deployments, manage subscriptions, and handle connected clusters and extensions. 
+- [Key Vault Administrator role:](/azure/role-based-access-control/built-in-roles/security#key-vault-administrator) This role allows the user to manage all aspects of Azure Key Vaults, including creating, maintaining, viewing, and deleting keys, certificates, and secrets. 
+- [Kubernetes Extension Contributor role:](/azure/role-based-access-control/built-in-roles/containers#kubernetes-extension-contributor) This role allows users to manage Kubernetes extensions, including creating, updating, and deleting extensions. 
+- [Managed Identity Contributor role:](/azure/role-based-access-control/built-in-roles/identity#managed-identity-contributor) This role allows the user to manage managed identities, including creating, updating, and deleting user-assigned managed identities.
+- [Monitoring Contributor role:](/azure/role-based-access-control/built-in-roles/monitor#monitoring-contributor) This role allows the user to read all monitoring data and update monitoring settings.
+- Resource Group Contributor role: This role grants permissions to manage resources within a resource group, including creating, updating, and deleting resources.
+- Secrets Store Extension Owner role: This role allows the user to manage the Secrets Store extension, which synchronizes secrets from Azure Key Vault to Kubernetes clusters.
+- [Storage Account Contributor role:](/azure/role-based-access-control/built-in-roles/storage#storage-account-contributor) This role allows the user to manage storage accounts, including creating, updating, and deleting storage accounts, as well as managing access keys and other settings.
 
 ## Azure IoT Operations Onboarding role
 
 AIO Onboarding is a specialized role that provides the necessary permissions to deploy Azure IoT Operations components.
 
-When assigning this built-in role, you need to ensure that users have the following permissions:
+When assigning this built-in role, you need to ensure that the following roles are also assigned to the user:
 
-- Azure Resource Bridge Deployment Role: This role is used to manage the deployment of the Azure Resource Bridge. It includes permissions to read, write, and delete various resources related to the Resource Bridge, such as appliances, locations, and telemetry configurations. 
-- Kubernetes Cluster – Azure Arc Onboarding: This role is used for onboarding Kubernetes clusters to Azure Arc.
-- Storage Account Contributor: This role allows the user to manage storage accounts, including creating, updating, and deleting storage accounts, as well as managing access keys and other settings.
-- Resource Group Contributor Role: This role grants permissions to manage resources within a resource group, including creating, updating, and deleting resources.
-- Azure Arc Enabled Kubernetes Cluster User Role: This role is used to manage Azure Arc-enabled Kubernetes clusters by providing permission to write deployments, manage subscriptions, and handle connected clusters and extensions.
+- [Azure Resource Bridge Deployment role:](/azure/role-based-access-control/built-in-roles/hybrid-multicloud#azure-resource-bridge-deployment-role) This role is used to manage the deployment of the Azure Resource Bridge. It includes permissions to read, write, and delete various resources related to the Resource Bridge, such as appliances, locations, and telemetry configurations. 
+- [Kubernetes Cluster – Azure Arc Onboarding role:](/azure/role-based-access-control/built-in-roles/containers#kubernetes-cluster---azure-arc-onboarding) This role is used for onboarding Kubernetes clusters to Azure Arc.
+-  [Storage Account Contributor role:](/azure/role-based-access-control/built-in-roles/storage#storage-account-contributor) This role allows the user to manage storage accounts, including creating, updating, and deleting storage accounts, as well as managing access keys and other settings.
+- Resource Group Contributor role: This role grants permissions to manage resources within a resource group, including creating, updating, and deleting resources.
+- [Azure Arc Enabled Kubernetes Cluster User role:](/azure/role-based-access-control/built-in-roles/containers#azure-arc-enabled-kubernetes-cluster-user-role) This role is used to manage Azure Arc-enabled Kubernetes clusters by providing permission to write deployments, manage subscriptions, and handle connected clusters and extensions.