articles/iot-hub/iot-hub-managed-identity.md
Lines changed: 23 additions & 19 deletions
@@ -16,19 +16,21 @@ Managed identities provide Azure services with an automatically managed identity
16
16
In IoT Hub, managed identities can be used for egress connectivity from IoT Hub to other Azure services for features such as [message routing](iot-hub-devguide-messages-d2c.md), [file upload](iot-hub-devguide-file-upload.md), and [bulk device import/export](iot-hub-bulk-identity-mgmt.md). In this article, you learn how to use system-assigned and user-assigned managed identities in your IoT hub for different functionalities.
17
17
18
18
## Prerequisites
19
+
19
20
- Read the documentation of [managed identities for Azure resources](./../active-directory/managed-identities-azure-resources/overview.md) to understand the differences between system-assigned and user-assigned managed identity.
20
21
21
22
- If you don’t have an IoT hub, [create one](iot-hub-create-through-portal.md) before continuing.
22
23
23
24
## System-assigned managed identity
24
25
25
26
### Add and remove a system-assigned managed identity in Azure portal
26
-
1. Sign in to the Azure portal and navigate to your desired IoT hub.
27
-
2. Navigate to **Identity** in your IoT Hub portal
28
-
3. Under **System-assigned** tab, select **On** and click **Save**.
29
-
4. To remove system-assigned managed identity from an IoT hub, select **Off** and click **Save**.
30
27
31
-
:::image type="content" source="./media/iot-hub-managed-identity/system-assigned.png" alt-text="Screenshot showing where to turn on system-assigned managed identity for an IoT hub":::
28
+
1. Sign in to the Azure portal and navigate to your desired IoT hub.
29
+
2. Navigate to **Identity** in your IoT Hub portal
30
+
3. Under **System-assigned** tab, select **On** and click **Save**.
31
+
4. To remove system-assigned managed identity from an IoT hub, select **Off** and click **Save**.
32
+
33
+
:::image type="content" source="./media/iot-hub-managed-identity/system-assigned.png" alt-text="Screenshot showing where to turn on system-assigned managed identity for an I O T hub.":::
32
34
33
35
### Enable system-assigned managed identity at hub creation time using ARM template
34
36
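Review bot: step 2 (`2. Navigate to **Identity** in your IoT Hub portal`) is the only item in the list without a terminating period, in both the old and the new version; add one while the list is being moved. The screenshot now follows step 4, the removal step, while its alt text still describes where to turn the identity on; placing the image after step 3, or widening the alt text to cover both the **On** and **Off** setting, would keep the picture next to the step it illustrates.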
@@ -112,14 +114,17 @@ After the resource is created, you can retrieve the system-assigned assigned to
112
114
```azurecli-interactive
113
115
az resource show --resource-type Microsoft.Devices/IotHubs --name <iot-hub-resource-name> --resource-group <resource-group-name>
114
116
```
115
-
## User-assigned managed identity
117
+
118
+
## User-assigned managed identity
119
+
116
120
In this section, you learn how to add and remove a user-assigned managed identity from an IoT hub using Azure portal.
117
-
1. First you need to create a user-assigned managed identity as a standalone resource. To do so, you can follow the instructions in [Create a user-assigned managed identity](./../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md#create-a-user-assigned-managed-identity).
118
-
2. Go to your IoT hub, navigate to the **Identity** in the IoT Hub portal.
119
-
3. Under **User-Assigned** tab, click **Associate a user-assigned managed identity**. Choose the user-assigned managed identity you want to add to your hub and then click **Select**.
120
-
4. You can remove a user-assigned identity from an IoT hub. Choose the user-assigned identity you want to remove, and click **Remove** button. Note you are only removing it from IoT hub, and this removal does not delete the user-assigned identity as a resource. To delete the user-assigned identity as a resource, follow the instructions in [Delete a user-assigned managed identity](./../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md#delete-a-user-assigned-managed-identity).
121
121
122
-
:::image type="content" source="./media/iot-hub-managed-identity/user-assigned.png" alt-text="Screenshot showing how to add user-assigned managed identity for an IoT hub":::
122
+
1. First you need to create a user-assigned managed identity as a standalone resource. To do so, you can follow the instructions in [Create a user-assigned managed identity](./../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md#create-a-user-assigned-managed-identity).
123
+
2. Go to your IoT hub, navigate to the **Identity** in the IoT Hub portal.
124
+
3. Under **User-Assigned** tab, click **Associate a user-assigned managed identity**. Choose the user-assigned managed identity you want to add to your hub and then click **Select**.
125
+
4. You can remove a user-assigned identity from an IoT hub. Choose the user-assigned identity you want to remove, and click **Remove** button. Note you are only removing it from IoT hub, and this removal does not delete the user-assigned identity as a resource. To delete the user-assigned identity as a resource, follow the instructions in [Delete a user-assigned managed identity](./../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md#delete-a-user-assigned-managed-identity).
126
+
127
+
:::image type="content" source="./media/iot-hub-managed-identity/user-assigned.png" alt-text="Screenshot showing how to add user-assigned managed identity for an I O T hub.":::
123
128
124
129
### Enable user-assigned managed identity at hub creation time using ARM template
125
130
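Review bot: step 2 of the user-assigned list, `2. Go to your IoT hub, navigate to the **Identity** in the IoT Hub portal.`, carries a stray article and a comma splice; since the lines are being moved anyway, suggest `2. Go to your IoT hub and navigate to **Identity** in the IoT Hub portal.` Step 4 correctly says that removing the identity from the hub leaves the identity resource in place; it would help readers to add that any role assignments granted to that identity on downstream resources (the Event Hubs or storage roles set up later in this article) also remain and need separate clean-up, because a detached identity that still holds those roles is easy to overlook. Also `click **Remove** button` wants `the`.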
@@ -236,11 +241,11 @@ In this section, we use the [message routing](iot-hub-devguide-messages-d2c.md)
236
241
237
242
3. For user-assigned, choose **User-assigned managed identity** under **Assign access to**. Select your subscription and your user-assigned managed identity in the drop-down list. Click the **Save** button.
238
243
239
-
:::image type="content" source="./media/iot-hub-managed-identity/eventhub-iam-user-assigned.png" alt-text="IoT Hub message routing with user assigned":::
244
+
:::image type="content" source="./media/iot-hub-managed-identity/eventhub-iam-user-assigned.png" alt-text="Screenshot that shows message routing with user assigned.":::
240
245
241
246
4. For system-assigned, under **Assign access to** choose **User, group, or service principal** and select your IoT Hub's resource name in the drop-down list. Click **Save**.
242
247
243
-
:::image type="content" source="./media/iot-hub-managed-identity/eventhub-iam-system-assigned.png" alt-text="IoT Hub message routing with system assigned":::
248
+
:::image type="content" source="./media/iot-hub-managed-identity/eventhub-iam-system-assigned.png" alt-text="Screenshot that shows message routing with system assigned.":::
244
249
245
250
If you need to restrict the connectivity to your custom endpoint through a VNet, you need to turn on the trusted Microsoft first party exception, to give your IoT hub access to the specific endpoint. For example, if you're adding an event hub custom endpoint, navigate to the **Firewalls and virtual networks** tab in your event hub and enable **Allow access from selected networks** option. Under the **Exceptions** list, check the box for **Allow trusted Microsoft services to access event hubs**. Click the **Save** button. This also applies to storage account and service bus. Learn more about [IoT Hub support for virtual networks](./virtual-network-support.md).
246
251
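Review bot: the new alt texts lose information the old ones carried: `Screenshot that shows message routing with user assigned.` no longer says what is being assigned or where (the old text at least named IoT Hub), and `user assigned` / `system assigned` are left as dangling adjectives. Suggest something like `Screenshot that shows the Event Hubs role assignment page with a user-assigned managed identity selected.` and the matching form for the system-assigned image. In the VNet paragraph that follows, `to give your IoT hub access to the specific endpoint` understates the scope of the **Allow trusted Microsoft services** exception: it opens the firewall to every trusted Microsoft service, not only this hub, and the role assignment from steps 3 and 4 remains the control that determines which identity can actually read or write the endpoint; one sentence saying so would stop readers treating the exception as hub-specific.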
@@ -251,12 +256,11 @@ In this section, we use the [message routing](iot-hub-devguide-messages-d2c.md)
251
256
252
257
6. At the bottom of the page, choose your preferred **Authentication type**. In this section, we use the **User-Assigned** as the example. In the dropdown, select the preferred user-assigned managed identity then click **Create**.
253
258
254
-
:::image type="content" source="./media/iot-hub-managed-identity/eventhub-routing-endpoint.png" alt-text="IoT Hub event hub with user assigned":::
259
+
:::image type="content" source="./media/iot-hub-managed-identity/eventhub-routing-endpoint.png" alt-text="Screenshot that shows event hub with user assigned.":::
255
260
256
-
7. Custom endpoint successfully created.
257
-
8. After creation, you can still change the authentication type. Select the custom endpoint that you want to change the authentication type, then click **Change authentication type**.
8. After creation, you can still change the authentication type. Select **Message routing** in the left navigation pane and then **Custom endpoints**. Select the custom endpoint for which you want to change the authenticationtype and then click **Change authentication type**.
260
264
261
265
9. Choose the new authentication type to be updated for this endpoint, click **Save**.
5. On your IoT hub's resource page, navigate to **File upload** tab.
277
281
6. On the page that shows up, select the container that you intend to use in your blob storage, configure the **File notification settings, SAS TTL, Default TTL, and Maximum delivery count** as desired. Choose the preferred authentication type, and click **Save**. If you get an error at this step, temporarily set your storage account to allow access from **All networks**, then try again. You can configure firewall on the storage account once the File upload configuration is complete.
278
282
279
-
:::image type="content" source="./media/iot-hub-managed-identity/file-upload.png" alt-text="IoT Hub file upload with msi":::
283
+
:::image type="content" source="./media/iot-hub-managed-identity/file-upload.png" alt-text="Screen shot that shows file upload with msi.":::
280
284
281
285
> [!NOTE]
282
286
> In the file upload scenario, both hub and your device need to connect with your storage account. The steps above are for connecting your IoT hub to your storage account with desired authentication type. You still need to connect your device to storage using the SAS URI. Today the SAS URI is generated using connection string. We'll add support to generate SAS URI with managed identity soon. Please follow the steps in [file upload](iot-hub-devguide-file-upload.md).
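Review bot: the rewritten step 8 (`Select the custom endpoint for which you want to change the authenticationtype`) introduces a typo; `authenticationtype` should be `authentication type`. The new file-upload alt text opens with `Screen shot` while every other alt text in this commit uses `Screenshot`, and `msi` is an abbreviation a screen-reader user cannot expand; `Screenshot that shows file upload configured with a managed identity.` would match the rest. In file-upload step 6, the advice to set the storage account to **All networks** when the save fails should state plainly that the firewall is to be re-enabled as soon as the configuration succeeds, since the container used for device uploads is exposed for as long as it stays open; the current `You can configure firewall on the storage account once the File upload configuration is complete.` reads as optional. The note's `We'll add support to generate SAS URI with managed identity soon.` is a dated promise that will go stale in a published article; consider removing `soon` or replacing the sentence with a link to where the status is tracked.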
@@ -381,4 +385,4 @@ Use the links below to learn more about IoT Hub features: