Address feedback

Author: dominicbetts

articles/iot-central/core/howto-manage-iot-central-from-cli.md

@@ -1,6 +1,6 @@
 ---
 title: Manage IoT Central from Azure CLI or PowerShell | Microsoft Docs
-description: This article describes how to create and manage your IoT Central application using the Azure CLI or PowerShell. You can view, modify, and remove the application using these tools. You can also configure managed identities.
+description: This article describes how to create and manage your IoT Central application using the Azure CLI or PowerShell. You can view, modify, and remove the application using these tools. You can also configure a managed system identity that can you can use to setup secure data export.
 services: iot-central
 ms.service: iot-central
 author: dominicbetts
@@ -178,7 +178,11 @@ Remove-AzIotCentralApp -ResourceGroupName "MyIoTCentralResourceGroup" `
 
 An IoT Central application can use a system assigned [managed identity](../../active-directory/managed-identities-azure-resources/overview.md) to secure the connection to a [data export destination](howto-export-data.md#connection-options).
 
-To enable the managed identity, use either the [Azure portal - Configure a managed identity](howto-manage-iot-central-from-portal.md#configure-a-managed-identity) or the [REST API](howto-manage-iot-central-with-rest-api.md). After you enable the managed identity, you can use the CLI to configure the role assignments.
+To enable the managed identity, use either the [Azure portal - Configure a managed identity](howto-manage-iot-central-from-portal.md#configure-a-managed-identity) or the [REST API](howto-manage-iot-central-with-rest-api.md):
+
+:::image type="content" source="media/howto-manage-iot-central-from-cli/managed-identity.png" alt-text="Screenshot showing managed identity in Azure portal.":::
+
+After you enable the managed identity, you can use the CLI to configure the role assignments.
 
 Use the [az role assignment create](/cli/azure/role/assignment#az_role_assignment_create) command to create a role assignment. For example, the following commands first retrieve the principal ID of the managed identity. The second command assigns the `Azure Event Hubs Data Sender` role to the principal ID in the scope of the `MyIoTCentralResourceGroup` resource group:
 
@@ -188,6 +192,12 @@ az role assignment create --assignee $spID --role "Azure Event Hubs Data Sender"
   --scope /subscriptions/<your subscription id>/resourceGroups/MyIoTCentralResourceGroup
 ```
 
+To learn more about the role assignments, see:
+
+- [Built-in roles for Azure Event Hubs](../../event-hubs/authenticate-application.md#built-in-roles-for-azure-event-hubs)
+- [Built-in roles for Azure Service Bus](../../service-bus-messaging/authenticate-application.md#azure-built-in-roles-for-azure-service-bus)
+- [Built-in roles for Azure Storage Services](/rest/api/storageservices/authorize-with-azure-active-directory#manage-access-rights-with-rbac)
+
 ## Next steps
 
 Now that you've learned how to manage Azure IoT Central applications from Azure CLI or PowerShell, here is the suggested next step:

articles/iot-central/core/howto-manage-iot-central-from-portal.md

@@ -69,7 +69,10 @@ To move the application to a different subscription, select  **change** beside t
 
 ## Configure a managed identity
 
-When you configure a data export in your IoT Central application, you can choose to configure the connection to the destination with a *connection string* or a [managed identity](../../active-directory/managed-identities-azure-resources/overview.md). Using a managed identity is more secure because you don't need to store the credentials for the destination in your IoT Central application. IoT Central currently uses [system-assigned managed identities](../../active-directory/managed-identities-azure-resources/overview.md#managed-identity-types). To create the managed identity for your application, you use either the Azure portal or the REST API .
+When you configure a data export in your IoT Central application, you can choose to configure the connection to the destination with a *connection string* or a [managed identity](../../active-directory/managed-identities-azure-resources/overview.md). Using a managed identity is more secure because you don't need to store the credentials for the destination in your IoT Central application. IoT Central currently uses [system-assigned managed identities](../../active-directory/managed-identities-azure-resources/overview.md#managed-identity-types). To create the managed identity for your application, you use either the Azure portal or the REST API.
+
+> [!NOTE]
+> You can only add a managed identity to an IoT Central application that was created in a region. All new applications are created in a region. To learn more, see [Updates](https://azure.microsoft.com/updates/azure-iot-central-new-and-updated-features-august-2021/).
 
 When you configure a managed identity, the configuration includes a *scope* and a *role*:
 

articles/iot-central/core/howto-manage-iot-central-with-rest-api.md

@@ -87,6 +87,9 @@ Use the following payload to change the display name and enable the system assig
 }
 ```
 
+> [!NOTE]
+> You can only add a managed identity to an IoT Central application that was created in a region. All new applications are created in a region. To learn more, see [Updates](https://azure.microsoft.com/updates/azure-iot-central-new-and-updated-features-august-2021/).
+
 ## Delete an IoT Central application
 
 To delete an IoT Central application, use: