Update docs

Author: hahahahahaiyiwen

articles/azure-app-configuration/concept-enable-rbac.md

@@ -30,7 +30,7 @@ Azure provides the following Azure built-in roles for authorizing access to App
 
 - **App Configuration Data Owner**: Use this role to give read/write/delete access to App Configuration data. This does not grant access to the App Configuration resource.
 - **App Configuration Data Reader**: Use this role to give read access to App Configuration data. This does not grant access to the App Configuration resource.
-- **Contributor** or **Owner**: Use this role to manage the App Configuration resource. It grants access to the resource's access keys. While the App Configuration data can be accessed using access keys, this role does not grant direct access to the data using Microsoft Entra ID. This role is required if you access the App Configuration data via ARM template, Bicep, or Terraform during deployment. For more information, see [authorization](quickstart-resource-manager.md#authorization).
+- **Contributor** or **Owner**: Use this role to manage the App Configuration resource. It grants access to the resource's access keys. While the App Configuration data can be accessed using access keys, this role does not grant direct access to the data using Microsoft Entra ID. This role is required if you access the App Configuration data via ARM template, Bicep, or Terraform during deployment. For more information, see [deployment](quickstart-deployment-overview.md).
 - **Reader**: Use this role to give read access to the App Configuration resource. This does not grant access to the resource's access keys, nor to the data stored in App Configuration.
 
 > [!NOTE]

articles/azure-app-configuration/howto-disable-access-key-authentication.md

@@ -28,9 +28,9 @@ Disabling access key authentication will delete all access keys. If any running
 To disallow access key authentication for an Azure App Configuration resource in the Azure portal, follow these steps:
 
 1. Navigate to your Azure App Configuration resource in the Azure portal.
-2. Locate the **Access keys** setting under **Settings**.
+2. Locate the **Access settings** setting under **Settings**.
 
-    :::image type="content" border="true" source="./media/access-keys-blade.png" alt-text="Screenshot showing how to access an Azure App Configuration resources access key blade":::
+    :::image type="content" border="true" source="./media/access-settings-blade.png" alt-text="Screenshot showing how to access an Azure App Configuration resources access key blade":::
 
 3. Set the **Enable access keys** toggle to **Disabled**.
 
@@ -51,9 +51,9 @@ To verify that access key authentication is no longer permitted, a request can b
 To verify access key authentication is disabled for an Azure App Configuration resource in the Azure portal, follow these steps:
 
 1. Navigate to your Azure App Configuration resource in the Azure portal.
-2. Locate the **Access keys** setting under **Settings**.
+2. Locate the **Access settings** setting under **Settings**.
 
-    :::image type="content" border="true" source="./media/access-keys-blade.png" alt-text="Screenshot showing how to access an Azure App Configuration resources access key blade":::
+    :::image type="content" border="true" source="./media/access-settings-blade.png" alt-text="Screenshot showing how to access an Azure App Configuration resources access key blade":::
 
 3. Verify there are no access keys displayed and **Enable access keys** is toggled to **Disabled**.
 
@@ -94,13 +94,8 @@ Be careful to restrict assignment of these roles only to those who require the a
 > [!NOTE]
 > The classic subscription administrator roles Service Administrator and Co-Administrator include the equivalent of the Azure Resource Manager [Owner](../role-based-access-control/built-in-roles.md#owner) role. The **Owner** role includes all actions, so a user with one of these administrative roles can also create and manage App Configuration resources. For more information, see [Azure roles, Microsoft Entra roles, and classic subscription administrator roles](../role-based-access-control/rbac-and-directory-admin-roles.md#classic-subscription-administrator-roles).
 
-## Limitations
-
-The capability to disable access key authentication has the following limitation:
-
-### ARM template access
-
-When access key authentication is disabled, the capability to read/write key-values in an [ARM template](./quickstart-resource-manager.md) will be disabled as well. This is because access to the Microsoft.AppConfiguration/configurationStores/keyValues resource used in ARM templates requires an Azure Resource Manager role, such as contributor or owner. When access key authentication is disabled, access to the resource requires one of the Azure App Configuration [data plane roles](concept-enable-rbac.md), therefore ARM template access is rejected.
+> [!NOTE]
+> When access key authentication is disabled and ARM authentication mode is local, the capability to read/write key-values in an [ARM template](./quickstart-resource-manager.md) will be disabled as well. This is because access to the Microsoft.AppConfiguration/configurationStores/keyValues resource used in ARM templates requires access key authentication with local ARM authentication mode. It's recommended to use pass-through ARM authentication mode. For more information, see [Deployment overview](./quickstart-deployment-overview.md).
 
 ## Next steps
 

articles/azure-app-configuration/media/access-settings-blade.png

@@ -0,0 +1,83 @@
+---
+title: Deployment overview
+titleSuffix: Azure App Configuration
+description: Learn how to use Azure App Configuration in deployment.
+author: maud-lv
+ms.author: haiyiwen
+ms.date: 03/15/2024
+ms.service: azure-app-configuration
+ms.topic: quickstart
+ms.custom: subject-armqs, mode-arm, devx-track-bicep
+---
+
+# Deployment
+
+Azure App Configuration supports following methods to read and manage your configuration for deployment:
+- [ARM template](./quickstart-resource-manager.md)
+- [Bicep](./quickstart-bicep.md)
+- Terraform
+
+## Manage Azure App Configuration resources
+Azure App Configuration resources can be managed during deployment.
+
+### Authorization
+You must have permissions to manage Azure App Configuration resources. Azure role-based access control (Azure RBAC) roles that provide these permissions include the Microsoft.AppConfiguration/configurationStores/write or Microsoft.AppConfiguration/configurationStores/* action. Built-in roles with this action include:
+- The Azure Resource Manager Owner role
+- The Azure Resource Manager Contributor role
+
+To learn more about Azure RBAC and Microsoft Entra ID, see [Authorize access to Azure App Configuration using Microsoft Entra ID](./concetp-enable-rbac.md)
+
+## Manage Azure App Configuration data
+Azure App Configuration data, such as key-values and snapshots, can be managed during deployment. 
+
+### ARM authentication mode
+# [Azure portal](#tab/portal)
+
+To configure ARM authentication mode of Azure App Configuration resource in the Azure portal, follow these steps:
+
+1. Navigate to your Azure App Configuration resource in the Azure portal.
+2. Locate the **Access settings** setting under **Settings**.
+
+    :::image type="content" border="true" source="./media/access-settings-blade.png" alt-text="Screenshot showing how to access an Azure App Configuration resources access settings blade":::
+
+3. Select the recommended **Pass-through** authentication mode under **Azure Resouce Manager Authentication Mode**.
+
+    :::image type="content" border="true" source="./media/quickstarts/deployment/select-passthrough-authentication-mode.png" alt-text="Screenshot showing pass-through authentication mode being selected under Azure Resource Manager Authentication Mode":::
+
+---
+
+> [!NOTE]
+> Local authentication mode is for backward compatibility and has several limitations. Local authentication mode does not support proper auditing for accessing data during deployment. Key-value data access inside an ARM template/Bicep/Terraform is disabled if access key authentication is disabled under local authentication mode. For more information, see [disable access  we key authentication](./howto-disable-access-key-authentication.md#limitations). Azure App Configuration data plane permissions are not required for accessing data under local authentication mode. 
+
+### Authorization
+You must have permissions to read and manage Azure App Configuration data during deployment. In addition to the permissions required for Azure App Configuration resource, which are provided by built-in Owner or Contributor roles, Azure App Configuration data plane permissions including Microsoft.AppConfiguration/configurationStores/keyValues/read and Microsoft.AppConfiguration/configurationStores/snapshots/read are also required under pass-through authentication mode. Built-in roles with this action include:
+- App Configuration Data Owner
+- App Configuration Data Reader
+
+To learn more about Azure RBAC and Microsoft Entra ID, see [Authorize access to Azure App Configuration using Microsoft Entra ID](./concetp-enable-rbac.md)
+
+### ARM prviate access
+[Azure Resource Management Private Link]() can be set up to restrict access for managing resources in your virtual network. Azure App Configuration supports ARM Private Link access to the App Configuration data with pass-through authentication mode and ARM private access enabled. 
+
+# [Azure portal](#tab/portal)
+
+To configure ARM private access of Azure App Configuration resource in the Azure portal, follow these steps:
+
+1. Navigate to your Azure App Configuration resource in the Azure portal.
+2. Locate the **Networkinng** setting under **Settings**.
+
+    :::image type="content" border="true" source="./media/networking-blade.png" alt-text="Screenshot showing how to access an Azure App Configuration resources networking blade":::
+
+3. Check **Enable Azure Resource Manager Private Access** under **Private Access**.
+
+    :::image type="content" border="true" source="./media/quickstarts/deployment/enable-arm-private-access.png" alt-text="Screenshot showing pass-through authentication mode being selected under Azure Resource Manager Authentication Mode":::
+
+> [!NOTE]
+> ARM private access can only be enabled with pass-through authentication mode.
+
+## Next steps
+
+To learn about adding feature flag and Key Vault reference to an App Configuration store, check out the ARM template examples.
+
+- [app-configuration-store-ff](https://azure.microsoft.com/resources/templates/app-configuration-store-ff/)
+- [app-configuration-store-keyvaultref](https://azure.microsoft.com/resources/templates/app-configuration-store-keyvaultref/)