
Commit 1034448

Merge pull request #271677 from jlichwa/patch-108
Update troubleshooting-access-issues.md
2 parents a03d095 + 628c5ef commit 1034448


1 file changed

+3
-5
lines changed


articles/key-vault/general/troubleshooting-access-issues.md

Lines changed: 3 additions & 5 deletions
Original file line number | Diff line number | Diff line change
@@ -38,11 +38,9 @@ There are two reasons why you may see an access policy in the Unknown section:
3838

3939
### How can I assign access control per key vault object?
4040

41-
Key Vault RBAC permission model allows per object permission. Individual keys, secrets, and certificates permissions should be used
42-
only for specific scenarios:
41+
Assigning roles on individual keys, secrets and certificates should be avoided. Exceptions to general guidance:
4342

44-
- Multi-layer applications that need to separate access control between layers
45-
- Sharing individual secret between multiple applications
43+
Scenarios where individual secrets must be shared between multiple applications, for example, one application needs to access data from the other application
4644

4745
### How can I provide key vault authenticate using access control policy?
4846
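Review bot: the replacement bullet lost its list marker. The removed lines 44-45 were `- ` items under "only for specific scenarios:", but the new line 43 ("Scenarios where individual secrets must be shared between multiple applications, ...") has no `- ` prefix, so "Exceptions to general guidance:" at line 41 now introduces a list with no items and the exception renders as a run-on paragraph. Suggest `- Scenarios where individual secrets must be shared between multiple applications, for example, one application needs to access data from the other application.` and a full sentence for the lead-in, e.g. "Exceptions to this guidance:". Note also that the "Multi-layer applications that need to separate access control between layers" exception is dropped without a replacement; if that is intentional, the heading text "How can I assign access control per key vault object?" still stands, so readers who were relying on that case get no pointer to what to do instead. Minor: "keys, secrets and certificates" should match the serial-comma style used elsewhere in this file ("keys, secrets, and certificates").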

@@ -53,7 +51,7 @@ If you're creating an on-premises application, doing local development, or other
5351

5452
Give the AD group permissions to your key vault using the Azure CLI `az keyvault set-policy` command, or the Azure PowerShell Set-AzKeyVaultAccessPolicy cmdlet. See [Assign an access policy - CLI](assign-access-policy-cli.md) and [Assign an access policy - PowerShell](assign-access-policy-powershell.md).
5553

56-
The application also needs at least one Identity and Access Management (IAM) role assigned to the key vault. Otherwise it will not be able to log in and will fail with insufficient rights to access the subscription. Microsoft Entra groups with Managed Identities may require up to eight hours to refresh tokens and become effective.
54+
The application also needs at least one Identity and Access Management (IAM) role assigned to the key vault. Otherwise it will not be able to log in and will fail with insufficient rights to access the subscription. Microsoft Entra groups with Managed Identities may require several hours to refresh tokens and become effective. See [Limitation of using managed identities for authorization](https://learn.microsoft.com/entra/identity/managed-identities-azure-resources/managed-identity-best-practice-recommendations#limitation-of-using-managed-identities-for-authorization)
5755

5856
### How can I redeploy Key Vault with ARM template without deleting existing access policies?
5957
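Review bot: the added sentence at line 54 ends with the link `See [Limitation of using managed identities for authorization](...)` and no terminating period. Softening "up to eight hours" to "several hours" and pointing to the Entra best-practice page is a reasonable change, since the concrete number is better owned by the linked source than duplicated here. Two follow-ups: the link is an absolute `https://learn.microsoft.com/entra/...` URL while the neighbouring links in this section (`assign-access-policy-cli.md`, `assign-access-policy-powershell.md`) are relative, so check it against the repo's link convention for cross-service pages; and, since the delay concerns group-based role assignment becoming effective, it would help readers to state whether the same delay applies when a managed identity is removed from the group, because that is the case an operator revoking access needs to plan for.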
