Update concept-enable-rbac.md

zhenlan · web-flow · commit 11e38a6ad6d0 · 2020-05-25T15:21:53.000-07:00
Add a note to clarify the permission required by the Azure portal and CLI.
diff --git a/articles/azure-app-configuration/concept-enable-rbac.md b/articles/azure-app-configuration/concept-enable-rbac.md
@@ -9,10 +9,10 @@ ms.service: azure-app-configuration
 
 ---
 # Authorize access to Azure App Configuration using Azure Active Directory
-Azure App Configuration supports using Azure Active Directory (Azure AD) to authorize requests to App Configuration instances.  Azure AD allows you to use role-based access control (RBAC) to grant permissions to a security principal.  A security principal may be a user, or an [application service principal](../active-directory/develop/app-objects-and-service-principals.md).  To learn more about roles and role assignments, see [Understanding different roles](../role-based-access-control/overview.md).
+Besides using Hash-based Message Authentication Code (HMAC), Azure App Configuration supports using Azure Active Directory (Azure AD) to authorize requests to App Configuration instances.  Azure AD allows you to use role-based access control (RBAC) to grant permissions to a security principal.  A security principal may be a user, a [managed identity](../active-directory/managed-identities-azure-resources/overview.md) or an [application service principal](../active-directory/develop/app-objects-and-service-principals.md).  To learn more about roles and role assignments, see [Understanding different roles](../role-based-access-control/overview.md).
 
 ## Overview
-Requests made by security principal (a user, or an application) to access an App Configuration resource must be authorized.  With Azure AD, access to a resource is a two-step process.
+Requests made by security principal to access an App Configuration resource must be authorized.  With Azure AD, access to a resource is a two-step process.
 1. The security principal's identity is authenticated and an OAuth 2.0 token is returned.  The resource name to request a token is `https://login.microsoftonline.com/{tenantID}` where `{tenantID}` matches the Azure Active Directory tenant ID to which the service principal belongs.
 2. The token is passed as part of a request to the App Configuration service to authorize access to the specified resource.
 
@@ -33,5 +33,8 @@ Azure provides the following built-in RBAC roles for authorizing access to App C
 - **Contributor**: Use this role to manage the App Configuration resource. While the App Configuration data can be accessed using access keys, this role does not grant access to the data using Azure AD.
 - **Reader**: Use this role to give read access to the App Configuration resource. This does not grant access to the resource's access keys, nor to the data stored in App Configuration.
 
+> [!NOTE]
+> The Azure portal and CLI supports only HMAC authentication to access App Configuration data currently. Therefore, users of the Azure portal and CLI require the Contributor role to access the access keys of the App Configuration resource.
+
 ## Next steps
 Learn more about using [managed identities](howto-integrate-azure-managed-service-identity.md) to administer your App Configuration service.
