Commit 4677783

Merge pull request #273404 from chen-karen/patch-4
Update role-management.md
2 parents 8d835ab + dee378a commit 4677783

1 file changed

+3
-0
lines changed

articles/key-vault/managed-hsm/role-management.md

@@ -21,6 +21,9 @@ This article shows you how to manage roles for a Managed HSM data plane. To lear
2121

2222
To allow a security principal (such as a user, a service principal, group or a managed identity) to perform managed HSM data plane operations, they must be assigned a role that permits performing those operations. For example, if you want to allow an application to perform a sign operation using a key, it must be assigned a role that contains the "Microsoft.KeyVault/managedHSM/keys/sign/action" as one of the data actions. A role can be assigned at a specific scope. Managed HSM local RBAC supports two scopes, HSM-wide (`/` or `/keys`) and per key (`/keys/<keyname>`).
2323

24+
> [!NOTE]
25+
> Service principal group access is not supported to perform data plane operations. Service principals must be added to the role directly. Only user group access is supported for data plane operations.
26+
2427
For a list of all Managed HSM built-in roles and the operations they permit, see [Managed HSM built-in roles](built-in-roles.md).
2528

2629
## Prerequisites
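
Review bot: The note added at new lines 24-26 is ambiguous next to the unchanged paragraph above it, which still lists "a user, a service principal, group or a managed identity" as principals that can be assigned a role. "Service principal group access is not supported" can be read as groups made up of service principals or as any group that happens to contain one. Consider stating the behavior directly, for example: "A role assigned to a group applies only to the group's user members. Service principals must be assigned the role directly." The note names only service principals, so it would also help to say whether managed identities fall under the same restriction, because a reader who grants a data plane role such as the sign action through a group will otherwise expect application members to inherit it.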
