added policy steps

Author: JimacoMS3

articles/iot-hub/iot-hub-python-python-module-twin-getstarted.md

@@ -6,7 +6,7 @@ ms.service: iot-hub
 services: iot-hub
 ms.devlang: python
 ms.topic: conceptual
-ms.date: 07/30/2019
+ms.date: 04/03/2020
 ms.author: menchi
 ---
 
@@ -38,9 +38,9 @@ At the end of this tutorial, you have three Python apps:
 
 ## Get the IoT hub connection string
 
-[!INCLUDE [iot-hub-howto-module-twin-shared-access-policy-text](../../includes/iot-hub-howto-module-twin-shared-access-policy-text.md)]
+In this article, you create a back-end service that adds a device in the identity registry and then adds a module to that device. This service requires the **registry write** permission. You also create a service that adds desired properties to the module twin for the newly created module. This service needs the **service connect** permission. Although there are default shared access policies that grant these permissions individually, in this section, you create a custom shared access policy that contains both of these permissions. (The **registry read** permission is included with **registry write**.)
 
-[!INCLUDE [iot-hub-include-find-registryrw-connection-string](../../includes/iot-hub-include-find-registryrw-connection-string.md)]
+[!INCLUDE [iot-hub-include-find-service-regrw-connection-string](../../includes/iot-hub-include-find-service-regrw-connection-string.md)]
 
 ## Create a device identity and a module identity in IoT Hub
 
@@ -179,7 +179,7 @@ In this section, you create a Python service app that updates the module twin de
 
 ## Get updates on the device side
 
-In this section, you create a Python device app to get the module twin desired properties update on your device.
+In this section, you create a Python app to get the module twin desired properties update on your device.
 
 1. Get your module connection string. In [Azure portal](https://portal.azure.com/), navigate to your IoT Hub and select **IoT devices** in the left pane. Select **myFirstDevice** from the list of devices and open it. Under **Module identities**, select **myFirstModule**. Copy the module connection string. You need it in a following step.
 

includes/iot-hub-include-find-service-regrw-connection-string.md

@@ -0,0 +1,32 @@
+---
+title: include file
+description: include file
+author: robinsh
+ms.service: iot-hub
+services: iot-hub
+ms.topic: include
+ms.date: 04/03/2020
+ms.author: robinsh
+ms.custom: include file
+---
+<!-- This tells how to create a custom shared access policy that has service connect and registry RW permissions for your IoT hub and get the connection string for it-->
+
+To create a shared access policy that grants **service connect**, **registry read**, and **registry write** permissions and to get a connection string for this policy, follow these steps:
+
+1. In the [Azure portal](https://portal.azure.com), select **Resource groups**. Select the resource group where your hub is located, and then select your hub from the list of resources.
+
+1. On the left-side pane of your hub, select **Shared access policies**.
+
+1. From the top menu above the list of policies, select **Add**.
+
+1. Under **Add a shared access policy**, enter a descriptive name for your policy, such as *serviceAndRegistryReadWrite*. Under **Permissions**, select **Registry write** and **Service connect**, and then select **Create**.
+
+    ![Show how to add a new shared access policy](./media/iot-hub-include-find-service-regrw-connection-string/iot-hub-add-svc-regrw-policy.png)
+
+1. Select your new policy from the list of policies.
+
+1. Under **Shared access keys**, select the copy icon for the **Connection string -- primary key** and save the value.
+
+    ![Show how to retrieve the connection string](./media/iot-hub-include-find-service-regrw-connection-string/iot-hub-get-connection-string.png)
+
+For more information about IoT Hub shared access policies and permissions, see [Access control and permissions](../articles/iot-hub/iot-hub-devguide-security.md#access-control-and-permissions).