Update overview-deploy.md

Changing required role/permissions for GA

Author: RamIoTMalhotra

articles/iot-operations/deploy-iot-ops/overview-deploy.md

@@ -12,7 +12,7 @@ ms.date: 11/06/2024
 
 # Deployment details
 
-When you deploy Azure IoT Operations, you install a suite of services on an [Azure Arc-enabled Kubernetes cluster](/azure/azure-arc/kubernetes/overview). This article provides an overview of the different deployment options to consider for your scenario.
+When you deploy Azure IoT Operations, you install a suite of services on an Azure Arc-enabled Kubernetes cluster. This article provides an overview of the different deployment options to consider for your scenario.
 
 ## Supported environments
 
@@ -21,10 +21,8 @@ Microsoft supports the following environments for Azure IoT Operations deploymen
 | Environment | Minimum version | Availability |
 | ----------- | --------------- | ------------ |
 | K3s on Ubuntu 24.04 | K3s version 1.31.1 | General availability |
-| Azure Kubernetes Service (AKS) Edge Essentials on Windows 11 IoT Enterprise <sup>1</sup> | AksEdge-K3s-1.29.6-1.8.202.0 | Public preview |
-| Azure Kubernetes Service (AKS) on Azure Local <sup>1</sup> | Azure Stack HCI OS, version 23H2, build 2411 | Public preview |
-
-<sup>1</sup> Regardless of the host system environment, Azure IoT Operations only supports deployment to Kubernetes clusters running on Linux nodes.
+| Azure Kubernetes Service (AKS) Edge Essentials on Windows 11 IoT Enterprise | AksEdge-K3s-1.29.6-1.8.202.0 | Public preview |
+| Azure Kubernetes Service (AKS) on Azure Local | Azure Stack HCI OS, version 23H2, build 2411 | Public preview |
 
 >[!NOTE]
 >Billing usage records are collected on any environment where Azure IoT Operations is installed, regardless of support or availability levels.
@@ -46,22 +44,31 @@ A deployment with only test settings:
 
 * Doesn't configure secrets or user-assigned managed identity capabilities.
 * Is meant to enable the end-to-end quickstart sample for evaluation purposes, so supports the OPC PLC simulator and connects to cloud resources using system-assigned managed identity.
-* Can be upgraded to use secure settings by following the steps in [Enable secure settings](howto-enable-secure-settings.md).
+* Can be upgraded to use secure settings.
+
+The quickstart scenario, [Quickstart: Run Azure IoT Operations in GitHub Codespaces](../get-started-end-to-end-sample/quickstart-deploy.md), uses test settings.
+
+At any point, you can upgrade an Azure IoT Operations instance to use secure settings by following the steps in [Enable secure settings](howto-enable-secure-settings.md).
 
 ### Secure settings deployment
 
 A deployment with secure settings:
 
 * Enables secrets and user-assignment managed identity, both of which are important capabilities for developing a production-ready scenario. Secrets are used whenever Azure IoT Operations components connect to a resource outside of the cluster; for example, an OPC UA server or a dataflow endpoint.
 
+To deploy Azure IoT Operations with secure settings, follow these articles:
+
+1. Start with [Prepare your Azure Arc-enabled Kubernetes cluster](./howto-prepare-cluster.md) to configure and Arc-enable your cluster.
+1. Then, [Deploy Azure IoT Operations](./howto-deploy-iot-operations.md).
+
 ## Required permissions
 
 The following table describes Azure IoT Operations deployment and management tasks that require elevated permissions. For information about assigning roles to users, see [Steps to assign an Azure role](../../role-based-access-control/role-assignments-steps.md).
 
 | Task | Required permission | Comments |
 | ---- | ------------------- | -------- |
-| Deploy Azure IoT Operations | **Contributor** role at the subscription level. |  |
-| Register resource providers | **Contributor** role at the subscription level. | Only required to do once per subscription. |
+| Deploy Azure IoT Operations | **Contributor** role at the resource group level. |  |
+| Register resource providers | Microsoft.ExtendedLocation/register/action Microsoft.SecretSyncController/register/action Microsoft.Kubernetes/register/action Microsoft.KubernetesConfiguration/register/action Microsoft.IoTOperations/register/action Microsoft.DeviceRegistry/register/action| Only required to do once per subscription. |
 | Create a schema registry. | **Microsoft.Authorization/roleAssignments/write** permissions at the resource group level. |  |
 | Create secrets in Key Vault | **Key Vault Secrets Officer** role at the resource level. | Only required for secure settings deployment. |
 | Enable resource sync rules on an Azure IoT Operations instance | **Microsoft.Authorization/roleAssignments/write** permissions at the resource group level. | Resource sync rules are disabled by default, but can be enabled as part of the [az iot ops create](/cli/azure/iot/ops#az-iot-ops-create) command. |
@@ -89,7 +96,7 @@ If you use enterprise firewalls or proxies to manage outbound traffic, configure
 
 * Endpoints in [Azure CLI endpoints](/cli/azure/azure-cli-endpoints?tabs=azure-cloud#endpoints).
 
-  Azure IoT Operations uses `graph.windows.net`, `*.azurecr.io`, `*.blob.core.windows.net`, `*.vault.azure.net` from this endpoint list.
+  You need `graph.windows.net`, `*.azurecr.io`, `*.blob.core.windows.net`, `*.vault.azure.net` from this endpoint list.
 
 * The following endpoints are required specifically for Azure IoT Operations:
 
@@ -104,7 +111,6 @@ If you use enterprise firewalls or proxies to manage outbound traffic, configure
   * Event Grid: [Troubleshoot connectivity issues - Azure Event Grid](/azure/event-grid/troubleshoot-network-connectivity).
   * Azure Data Lake Storage Gen 2: [Storage account standard endpoints](/azure/storage/common/storage-account-overview#standard-endpoints).
 
-Currently, Azure IoT Operations doesn't support proxies that perform TLS inspection.
 
 ## Next steps