updating code samples and wording

vturecek · vturecek · commit 3c344380c804 · 2024-06-05T11:58:58.000-07:00
diff --git a/articles/container-apps/managed-identity.md b/articles/container-apps/managed-identity.md
@@ -46,7 +46,7 @@ User-assigned identities are ideal for workloads that:
 
 ## Limitations
 
-[Init containers](containers.md#init-containers) can't access managed identities in [Consumption-only environments](environment.md#types)
+[Init containers](containers.md#init-containers) can't access managed identities in [consumption-only environments](environment.md#types) and [dedicated workload profile environments](environment.md#types)
 
 ## Configure managed identities
 
@@ -333,28 +333,30 @@ The queue storage account uses the `accountName` property to identify the storag
             "accountName": "mystorageaccount",
             "queueName": "myqueue",
             "queueLength": 2,
-            "identity": "/subscriptions/580c472d-3045-4ca1-9773-f58d56ffe662/resourceGroups/myRg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myIdentity"
+            "identity": "<IDENTITY1_RESOURCE_ID>"
         }
     }]
 }
 ```
 
 ## Control managed identity availability
 
-Container Apps allow you to specify [init containers](containers.md#init-containers) and main containers. By default, both main and init containers in a consumption workload profile environment can use managed identity to access other Azure services. Managed identity access tokens are available for every managed identity configured on the container app. However, in some situations where only the init container or the main container require access tokens for a managed identity. Other times, you may use a managed identity only to access your Azure Container Registry to pull the container image, and your application itself doesn't need to have access to your Azure Container Registry. 
+Container Apps allow you to specify [init containers](containers.md#init-containers) and main containers. By default, both main and init containers in a consumption workload profile environment can use managed identity to access other Azure services. In consumption-only environments and dedicated workload profile environments, only main containers can use managed identity. Managed identity access tokens are available for every managed identity configured on the container app. However, in some situations only the init container or the main container require access tokens for a managed identity. Other times, you may use a managed identity only to access your Azure Container Registry to pull the container image, and your application itself doesn't need to have access to your Azure Container Registry.
 
 Starting in API version `2024-02-02-preview`, you can control which managed identities are available to your container app during the init and main phases to follow the security principle of least privilege. The following options are available:
 
-- `Init`: available only to init containers. Use this when you want to perform some intilization work that requires a managed identity, but you no longer need the managed identity in the main container. This option is currently not supported in [Consumption-only environments](environment.md#types)
+- `Init`: available only to init containers. Use this when you want to perform some intilization work that requires a managed identity, but you no longer need the managed identity in the main container. This option is currently only supported in [workload profile consumption environments](environment.md#types)
 - `Main`: available only to main containers. Use this if your init container does not need managed identity.
 - `All`: available to all containers. This is the default setting.
-- `None`: not available to any containers. Use this when you have a managed identity that is only used for ACR image pull or scale rules, and does not need to be available to the code running in your containers.
+- `None`: not available to any containers. Use this when you have a managed identity that is only used for ACR image pull, scale rules, or Key Vault secrets and does not need to be available to the code running in your containers.
 
-The following example shows how to configure a workload profile consumption environment that:
+The following example shows how to configure a container app on a workload profile consumption environment that:
 
 - Restricts the container app's system-assigned identity to main containers only.
 - Restricts a specific user-assigned identity to init containers only.
-- Uses a specific user-assigned identity for Azure Container Registry image pull without allowing the code in the containers to use that managed identity to access the registry. In this example, the containers themselves don't need to access the registry. This approach reduces the access if a malicious actor were to gain unauthorized access to the containers.
+- Uses a specific user-assigned identity for Azure Container Registry image pull without allowing the code in the containers to use that managed identity to access the registry. In this example, the containers themselves don't need to access the registry.
+
+This approach limits the resources that can be accessed if a malicious actor were to gain unauthorized access to the containers.
 
 # [ARM template](#tab/arm)
 
@@ -364,26 +366,26 @@ The following example shows how to configure a workload profile consumption envi
     "identity":{
     "type": "SystemAssigned, UserAssigned",
         "userAssignedIdentities": {
-            "/subscriptions/580c472d-3045-4ca1-9773-f58d56ffe662/resourceGroups/myRg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myIdentity":{},
-            "/subscriptions/580c472d-3045-4ca1-9773-f58d56ffe662/resourceGroups/myRg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myAcrPullIdentity":{}
+            "<IDENTITY1_RESOURCE_ID>":{},
+            "<ACR_IMAGEPULL_IDENTITY_RESOURCE_ID>":{}
          }
      },
     "properties": {
-    "workloadProfileName":"Consumption",
-    "environmentId": "/subscriptions/1d7aa588-e409-456c-95c2-5b48a03ad562/resourceGroups/myRg/providers/Microsoft.App/managedEnvironments/myenv",
+        "workloadProfileName":"Consumption",
+        "environmentId": "<CONTAINER_APPS_ENVIRONMENT_ID>",
         "configuration": {
             "registries": [
             {
                 "server": "myregistry.azurecr.io",
-                "identity": "/subscriptions/580c472d-3045-4ca1-9773-f58d56ffe662/resourceGroups/myRg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myAcrPullIdentity"
+                "identity": "ACR_IMAGEPULL_IDENTITY_RESOURCE_ID"
             }],
             "identitySettings":[
             {
-                "identity": "/subscriptions/580c472d-3045-4ca1-9773-f58d56ffe662/resourceGroups/myRg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myAcrPullIdentity",
+                "identity": "ACR_IMAGEPULL_IDENTITY_RESOURCE_ID",
                 "lifecycle": "none"
             },
             {
-                "identity": "/subscriptions/580c472d-3045-4ca1-9773-f58d56ffe662/resourceGroups/myRg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myIdentity",
+                "identity": "<IDENTITY1_RESOURCE_ID>",
                 "lifecycle": "init"
             },
             {
