
Commit 09effae

authored
Updating for RBAC permissions
1 parent f22efc7 commit 09effae

File tree

1 file changed

+5
-5
lines changed


articles/data-factory/enable-customer-managed-key.md

Lines changed: 5 additions & 5 deletions
@@ -45,12 +45,12 @@ If you are creating a new Azure Key Vault through Azure portal, __Soft Delete__
4545

4646
### Grant Data Factory access to Azure Key Vault
4747

48-
Make sure Azure Key Vault and Azure Data Factory are in the same Microsoft Entra tenant and in the _same region_. From Azure Key Vault access control, grant data factory following permissions: _Get_, _Unwrap Key_, and _Wrap Key_. These permissions are required to enable customer-managed keys in Data Factory.
48+
Make sure Azure Key Vault and Azure Data Factory are in the same Microsoft Entra tenant and in the _same region_. You can use either access policies or access control permissions:
49+
1. _Access policy_ - In your key vault select **Access policies** -> **Add access Policy** -> search for your Azure Data Factory managed identity and grant _Get_, _Unwrap Key_, and _Wrap Key_ permissions in the Secret permissions dropdown.
50+
1. _Access control_ - Your managed identity will need two roles in Access control: [**Key Vault Crypto Service Encryption User**](/azure/role-based-access-control/built-in-roles/security#key-vault-crypto-service-encryption-user) and [**Key Vault Secrets User**](/azure/role-based-access-control/built-in-roles/security#key-vault-secrets-user). In your key vault select **Access control (IAM)** -> **+ Add** -> **Add role assignment**. Select one of the roles, and then select **Next**. Under **Members** select **Managed identity** then **Select members** and search for your Azure Data Factory managed identity. Then select **Review + assign**. Repeat for the second role.
4951

50-
* If you want to add customer managed key encryption [after factory creation in Data Factory UI](#post-factory-creation-in-data-factory-ui), ensure data factory's managed service identity (MSI) has the three permissions to Key Vault
51-
* If you want to add customer managed key encryption [during factory creation time in Azure portal](#during-factory-creation-in-azure-portal), ensure the user-assigned managed identity (UA-MI) has the three permissions to Key Vault
52-
53-
:::image type="content" source="media/enable-customer-managed-key/02-access-policy-factory-managed-identities.png" alt-text="Screenshot showing how to enable Data Factory Access to Key Vault.":::
52+
* If you want to add customer managed key encryption [after factory creation in Data Factory UI](#post-factory-creation-in-data-factory-ui), ensure data factory's managed service identity (MSI) has the correct permissions to Key Vault
53+
* If you want to add customer managed key encryption [during factory creation time in Azure portal](#during-factory-creation-in-azure-portal), ensure the user-assigned managed identity (UA-MI) has the correct permissions to Key Vault
5454

5555
### Generate or upload customer-managed key to Azure Key Vault
5656
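Review bot: The access-policy step (new line 49) tells the reader to grant _Get_, _Unwrap Key_ and _Wrap Key_ "in the Secret permissions dropdown", but those three are key operations; in the Key Vault access-policy blade they live under **Key permissions**, and the Secret permissions list has no Wrap/Unwrap entries at all, so a reader following the text literally cannot complete the step. Suggest "grant _Get_, _Unwrap Key_, and _Wrap Key_ under **Key permissions**". The RBAC step (new line 50) is then inconsistent with the access-policy step: it requires **Key Vault Secrets User** in addition to **Key Vault Crypto Service Encryption User**, yet the access-policy path grants only key permissions and the rest of the section only ever talks about wrapping the encryption key. Crypto Service Encryption User already covers get/wrap/unwrap on keys, while Secrets User gives the factory identity read access to every secret in the vault, which is more than the access-policy path hands out and more than customer-managed-key encryption needs. Either drop the second role or add a sentence saying which Data Factory operation actually reads secrets. Minor: the two options are not a free choice per request; which one applies is fixed by the vault's permission model (vault access policy vs. Azure RBAC), and a short clause saying so would save readers from adding a role assignment to a vault that ignores it.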
