Commit 159add0

Merge pull request #228300 from jaesoni/vnet-perm-check-revision
Article revision for vnet permission changes
2 parents d1df133 + f2039d6 commit 159add0

1 file changed (+18, -12 lines changed)

articles/application-gateway/configuration-infrastructure.md

Lines changed: 18 additions & 12 deletions
@@ -5,7 +5,7 @@ services: application-gateway
55
author: greg-lindsay
66
ms.service: application-gateway
77
ms.topic: conceptual
8-
ms.date: 09/13/2022
8+
ms.date: 02/23/2023
99
ms.author: greglin
1010
---
1111

@@ -55,22 +55,28 @@ Subnet Size /24 = 256 IP addresses - 5 reserved from the platform = 251 availabl
5555
> It is possible to change the subnet of an existing Application Gateway within the same virtual network. You can do this using Azure PowerShell or Azure CLI. For more information, see [Frequently asked questions about Application Gateway](application-gateway-faq.yml#can-i-change-the-virtual-network-or-subnet-for-an-existing-application-gateway)
5656
5757
### Virtual network permission
58+
Since application gateway resources are deployed within a virtual network, Application Gateway performs a check to verify the permission on the provided virtual network resource. This validation is performed during both creation and management operations.
5859

59-
Since application gateway resources are deployed within a virtual network resource, Application Gateway performs a check to verify the permission on the provided virtual network resource. This is verified during both create and manage operations.
60+
You should check your [Azure role-based access control](../role-based-access-control/role-assignments-list-portal.md) to verify the users or service principals that operate application gateways have at least **Microsoft.Network/virtualNetworks/subnets/join/action** permission. Use built-in roles, such as [Network contributor](../role-based-access-control/built-in-roles.md#network-contributor), which already support this permission. If a built-in role doesn't provide the right permission, you can [create and assign a custom role](../role-based-access-control/custom-roles-portal.md). Learn more about [managing subnet permissions](../virtual-network/virtual-network-manage-subnet.md#permissions). You may have to allow sufficient time for [Azure Resource Manager cache refresh](../role-based-access-control/troubleshooting.md?tabs=bicep#symptom---role-assignment-changes-are-not-being-detected) after role assignment changes.
6061

61-
You should check your [Azure role-based access control](../role-based-access-control/role-assignments-list-portal.md) to verify that users or Service Principals who operate application gateways have at least **Microsoft.Network/virtualNetworks/subnets/join/action** or some higher permission such as the built-in [Network contributor](../role-based-access-control/built-in-roles.md) role on the virtual network. Visit [Add, change, or delete a virtual network subnet](../virtual-network/virtual-network-manage-subnet.md) to know more on subnet permissions.
62+
#### Identifying affected users or service principals for your subscription
63+
By visiting Azure Advisor for your account, you can verify if your subscription has any users or service principals with insufficient permission. The details of that recommendation are as follows:
6264

63-
If a [built-in](../role-based-access-control/built-in-roles.md) role doesn't provide the right permission, you can [create and assign a custom role](../role-based-access-control/custom-roles-portal.md) for this purpose. Also, [allow sufficient time](../role-based-access-control/troubleshooting.md?tabs=bicep#symptom---role-assignment-changes-are-not-being-detected) after you make changes to a role assignments.
65+
**Title**: Update VNet permission of Application Gateway users </br>
66+
**Category**: Reliability </br>
67+
**Impact**: High </br>
68+
69+
#### Using temporary Azure Feature Exposure Control (AFEC) flag
70+
71+
As a temporary extension, we have introduced a subscription-level [Azure Feature Exposure Control (AFEC)](../azure-resource-manager/management/preview-features.md?tabs=azure-portal) that you can register for, until you fix the permissions for all your users and/or service principals. [Set up this flag](../azure-resource-manager/management/preview-features.md?#required-access) for your Azure subscription.
72+
73+
**Name**: Microsoft.Network/DisableApplicationGatewaySubnetPermissionCheck </br>
74+
**Description**: Disable Application Gateway Subnet Permission Check </br>
75+
**ProviderNamespace**: Microsoft.Network </br>
76+
**EnrollmentType**: AutoApprove </br>
6477

6578
> [!NOTE]
66-
> As a temporary extension, we have introduced a subscription-level [Azure Feature Exposure Control (AFEC)](../azure-resource-manager/management/preview-features.md?tabs=azure-portal) flag to help you fix the permissions for all your users and/or service principals' permissions. Register for this interim feature on your own through a subscription owner, contributor, or custom role. </br>
67-
>
68-
> "**name**": "Microsoft.Network/DisableApplicationGatewaySubnetPermissionCheck", </br>
69-
> "**description**": "Disable Application Gateway Subnet Permission Check", </br>
70-
> "**providerNamespace**": "Microsoft.Network", </br>
71-
> "**enrollmentType**": "AutoApprove" </br>
72-
>
73-
> The provision to circumvent the virtual network permission check by using this feature control is **available only for a limited period, until 6th April 2023**. Ensure all the roles and permissions managing Application Gateways are updated by then, as there will be no further extensions. [Set up this flag in your Azure subscription](../azure-resource-manager/management/preview-features.md?tabs=azure-portal).
79+
> The provision to circumvent the virtual network permission check by using this feature control (AFEC) is available only for a limited period, **until 6th April 2023**. Ensure all the roles and permissions managing Application Gateways are updated by then, as there will be no further extensions. Set up this flag in your Azure subscription.
7480
7581
## Network security groups
7682

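Review bot: the rewritten note at line 79+ loses the link that line 73- carried on "Set up this flag in your Azure subscription", leaving a bare instruction at the end of the note; either restore the link there or drop that sentence, since line 71+ already links the same preview-features page. Line 71+ also drops the statement from line 66- about who can register the flag ("through a subscription owner, contributor, or custom role"), which is exactly what a reader needs when registration fails; keep it next to the `required-access` link. Because line 71+ introduces a subscription-level flag whose description at line 74+ is "Disable Application Gateway Subnet Permission Check", the section should state plainly that registering it switches off the authorization check for every Application Gateway create and manage operation in that subscription, and should tell readers to unregister it as soon as the role assignments described at line 60+ are in place rather than leave it until the 6th April 2023 cut-off in line 79+. Style: lines 65+ to 76+ use `</br>`, which is not a valid HTML tag; use `<br>` or a trailing double space for the line breaks, and the heading at line 69+ reads better as "Using the temporary Azure Feature Exposure Control (AFEC) flag".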