
Commit 31c5c92

Revised steps for update SPN credentials
1 parent 1c029a7 commit 31c5c92


1 file changed

+13
-8
lines changed


articles/aks/update-credentials.md

Lines changed: 13 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@
22
title: Update or rotate the credentials for an Azure Kubernetes Service (AKS) cluster
33
description: Learn how update or rotate the service principal or Azure AD Application credentials for an Azure Kubernetes Service (AKS) cluster.
44
ms.topic: article
5-
ms.date: 02/28/2023
5+
ms.date: 03/01/2023
66
---
77

88
# Update or rotate the credentials for an Azure Kubernetes Service (AKS) cluster
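Review bot: while the front matter is being touched for the date bump on line 5, the unchanged description on line 3 still reads "Learn how update or rotate the service principal ..." and is missing "to"; suggest "Learn how to update or rotate the service principal or Azure AD application credentials ..." since this string is what the docs index and search results display.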
@@ -14,7 +14,7 @@ AKS clusters created with a service principal have a one-year expiration time. A
1414
1515
## Before you begin
1616

17-
You need the Azure CLI version 2.0.65 or later installed and configured. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].
17+
You need the Azure CLI version 2.0.65 or later installed and configured. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].
1818

1919
## Update or create a new service principal for your AKS cluster
2020

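Review bot: the removed and added versions of line 17 read identically, so this looks like a whitespace-only change (trailing space or line ending); harmless to keep, but worth confirming it was intended rather than an editor artifact, because it adds noise to the file's blame history.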
@@ -38,7 +38,7 @@ az ad app credential list --id "$SP_ID" --query "[].endDateTime" -o tsv
3838

3939
### Reset the existing service principal credentials
4040

41-
To update the credentials for the existing service principal, get the service principal ID of your cluster using the [`az aks show`][az-aks-show] command. The following example gets the ID for the cluster named *myAKSCluster* in the *myResourceGroup* resource group. The service principal ID is set as a variable named *SP_ID* to use in additional command. These commands use Bash syntax.
41+
To update the credentials for an existing service principal, get the service principal ID of your cluster using the [`az aks show`][az-aks-show] command. The following example gets the ID for the cluster named *myAKSCluster* in the *myResourceGroup* resource group. The variable named *SP_ID* stores the service principal ID used in the next step. These commands use the Bash command language.
4242

4343
> [!WARNING]
4444
> When you reset your cluster credentials on an AKS cluster that uses Azure Virtual Machine Scale Sets, a [node image upgrade][node-image-upgrade] is performed to update your nodes with the new credential information.
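Review bot: minor wording on new line 41: "These commands use the Bash command language" is heavier than the original "These commands use Bash syntax", and the syntax is the point that matters to a reader copying `SP_ID=$(...)` into a different shell; suggest keeping "These commands use Bash syntax."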
@@ -48,18 +48,21 @@ SP_ID=$(az aks show --resource-group myResourceGroup --name myAKSCluster \
4848
--query servicePrincipalProfile.clientId -o tsv)
4949
```
5050

51-
Use the variable containing the service principal ID to reset the credentials using the [`az ad app credential reset`][az-ad-app-credential-reset] command. The following example enables the Azure platform to generate a new secure secret for the service principal and stores it as a variable named *SP_SECRET*.
51+
Use the variable *SP_ID* containing the service principal ID to reset the credentials using the [`az ad app credential reset`][az-ad-app-credential-reset] command. The following example enables the Azure platform to generate a new secure secret for the service principal and store it as a variable named *SP_SECRET*.
5252

5353
```azurecli-interactive
5454
SP_SECRET=$(az ad app credential reset --id "$SP_ID" --query password -o tsv)
5555
```
5656

57-
Next, you can [update AKS cluster with new service principal credentials](#update-aks-cluster-with-new-service-principal-credentials). This step is necessary for the Service Principal changes to reflect on the AKS cluster.
57+
Next, you [update AKS cluster with new service principal credentials][update-cluster-new-service-principal-credentials]. This step is necessary to update the service principal on your AKS cluster.
58+
59+
>[!IMPORTANT]
60+
>For large clusters, updating your AKS cluster with a new service principal may take a long time to complete. Consider reviewing and customizing the [node surge upgrade settings][node-surge-upgrade] to minimize disruption during the update. For small and midsize clusters, it takes a several minutes for the new credentials to update in the cluster.
5861
5962
### Create a new service principal
6063

6164
> [!NOTE]
62-
> If you updated the existing service principal credentials in the previous section, skip this section and instead [update the AKS cluster with new service principal credentials](#update-aks-cluster-with-new-service-principal-credentials).
65+
> If you updated the existing service principal credentials in the previous section, skip this section and instead [update the AKS cluster with new service principal credentials][update-cluster-new-service-principal-credentials].
6366
6467
To create a service principal and update the AKS cluster to use the new credentials, use the [`az ad sp create-for-rbac`][az-ad-sp-create] command.
6568

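Review bot: typo on new line 60 of the [!IMPORTANT] callout: "it takes a several minutes" should be "it takes several minutes". The callout markers on new lines 59-60 are also written as `>[!IMPORTANT]` and `>For large clusters ...` without the space after `>` that the existing `> [!WARNING]` and `> [!NOTE]` callouts in this file use; suggest `> [!IMPORTANT]` / `> For large clusters ...` for consistency. Since the warning on line 44 already explains that a node image upgrade runs as part of the reset, consider referencing it from the new callout so the reader understands why the update takes longer on large clusters.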
@@ -85,7 +88,7 @@ SP_ID=7d837646-b1f3-443d-874c-fd83c7c739c5
8588
SP_SECRET=a5ce83c9-9186-426d-9183-614597c7f2f7
8689
```
8790

88-
Next, you can [update AKS cluster with new service principal credentials](#update-aks-cluster-with-new-service-principal-credentials). This step is necessary for the Service Principal changes to reflect on the AKS cluster.
91+
Next, you can [update AKS cluster with new service principal credentials][update-cluster-new-service-principal-credentials]. This step is necessary for the Service Principal changes to reflect on the AKS cluster.
8992

9093
## Update AKS cluster with new service principal credentials
9194

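Review bot: new line 91 keeps "Next, you can [update ...]. This step is necessary for the Service Principal changes to reflect on the AKS cluster." while the parallel sentence at new line 57 in the reset section was reworded to "Next, you [update ...]. This step is necessary to update the service principal on your AKS cluster."; only the link style changed here, so suggest aligning both sentences (including the lowercase "service principal" used elsewhere in the file) rather than leaving two variants of the same instruction.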
@@ -105,7 +108,7 @@ az aks update-credentials \
105108

106109
## Update AKS cluster with new Azure AD application credentials
107110

108-
You can create new Azure AD server and client applications by following the [Azure AD integration steps][create-aad-app], or reset your existing Azure AD applications following the [same method as for service principal reset](#reset-the-existing-service-principal-credentials). After that, you need to update your cluster Azure AD application credentials using the [`az aks update-credentials`][az-aks-update-credentials] command with the *--reset-aad* variables.
111+
You can create new Azure AD server and client applications by following the [Azure AD integration steps][create-aad-app], or reset your existing Azure AD applications following the [same method as for service principal reset][reset-existing-service-principal-credentials]. After that, you need to update your cluster Azure AD application credentials using the [`az aks update-credentials`][az-aks-update-credentials] command with the *--reset-aad* variables.
109112

110113
```azurecli-interactive
111114
az aks update-credentials \
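Review bot: new line 111 still says "with the *--reset-aad* variables"; `--reset-aad` is a parameter of `az aks update-credentials`, not a variable, and the command shown on line 114 passes it as such, so suggest "with the *--reset-aad* parameters" while this line is being edited.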
@@ -133,3 +136,5 @@ In this article, you learned how to update or rotate service principal and Azure
133136
[az-ad-app-credential-reset]: /cli/azure/ad/app/credential#az_ad_app_credential_reset
134137
[node-image-upgrade]: ./node-image-upgrade.md
135138
[node-surge-upgrade]: upgrade-cluster.md#customize-node-surge-upgrade
139+
[update-cluster-new-service-principal-credentials]: #update-aks-cluster-with-new-service-principal-credentials
140+
[reset-existing-service-principal-credentials]: #reset-the-existing-service-principal-credentials
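Review bot: the two new reference definitions on new lines 139-140 point at in-page heading anchors; they match the headings visible in this diff ("## Update AKS cluster with new service principal credentials" and "### Reset the existing service principal credentials"), but unlike the file's external references they break silently if either heading is later renamed, so a link check in the docs build would be worth confirming before relying on this indirection.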
