clarified wording

Author: JnHs

articles/lighthouse/concepts/tenants-users-roles.md

@@ -43,7 +43,7 @@ All [built-in roles](../../role-based-access-control/built-in-roles.md) are curr
 In some cases, a role that had previously been supported with Azure Lighthouse may become unavailable. For example, if the [`DataActions`](../../role-based-access-control/role-definitions.md#dataactions) permission is added to a role that previously didn't have that permission, that role can no longer be used when onboarding new delegations. Users who had already been assigned the role will still be able to work on previously delegated resources, but they won't be able to perform tasks that use the [`DataActions`](../../role-based-access-control/role-definitions.md#dataactions) permission.
 
 > [!IMPORTANT]
-> When assigning roles, be sure to review the [actions](../../role-based-access-control/role-definitions.md) specified for each role. In some cases, even though roles with [`DataActions`](../../role-based-access-control/role-definitions.md#dataactions) permission are not supported, the actions included in a role may allow some access to data. For example, the [Virtual Machine Contributor](/azure/role-based-access-control/built-in-roles) role includes the `Microsoft.Storage/storageAccounts/listKeys/action` action, which returns storage account access keys that could be used to retrieve certain customer data.
+> When assigning roles, be sure to review the [actions](../../role-based-access-control/role-definitions.md) specified for each role. In some cases, even though roles with [`DataActions`](../../role-based-access-control/role-definitions.md#dataactions) permission are not supported, the actions included in a role may allow access to data, where data is exposed through access keys and not accessed via the user's identity. For example, the [Virtual Machine Contributor](/azure/role-based-access-control/built-in-roles) role includes the `Microsoft.Storage/storageAccounts/listKeys/action` action, which returns storage account access keys that could be used to retrieve certain customer data.
 
 > [!NOTE]
 > As soon as a new applicable built-in role is added to Azure, it can be assigned when [onboarding a customer using Azure Resource Manager templates](../how-to/onboard-customer.md). There may be a delay before the newly-added role becomes available in Partner Center when [publishing a managed service offer](../how-to/publish-managed-services-offers.md). Similarly, if a role becomes unavailable, you may still see it in Partner Center for a period of time; however, you won't be able to publish new offers using such roles.