Commit 4e13595

committed
Addressed Matt's feedback
1 parent f4e831d commit 4e13595

2 files changed

+7
-3
lines changed

articles/search/search-howto-managed-identities-storage.md

Lines changed: 5 additions & 1 deletion
@@ -60,6 +60,8 @@ Indexers use a data source object for connections to an external data source. Th
6060
6161
### System-assigned managed identity
6262

63+
You must have a [system-assigned managed identity already configured](search-howto-managed-identities-data-sources.md), and it must have a role-assignment on Azure Storage.
64+
6365
For connections made using a system-assigned managed identity, the only change to the [data source definition](/rest/api/searchservice/create-data-source) is the format of the `credentials` property.
6466

6567
Provide a `ResourceId` that has no account key or password. The `ResourceId` must include the subscription ID of the storage account, the resource group of the storage account, and the storage account name.
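Review bot: The added prerequisite sentence under "System-assigned managed identity" says the identity "must have a role-assignment on Azure Storage" without naming the role or the scope, so a reader can't tell what the least-privilege assignment is. Name the required role here or link directly to the section that lists it, and write "role assignment" without the hyphen to match the "role assignments" spelling in search-security-enable-roles.md.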
@@ -81,7 +83,9 @@ POST https://[service name].search.windows.net/datasources?api-version=2023-11-0
8183

8284
### User-assigned managed identity
8385

84-
Connections made through user-assigned managed identities use the same credentials as a system-assigned managed identity, plus an extra identity property that contains the collection of user-assigned managed identities. Only one user-assigned managed identity should be provided when creating the data source. Set it to type `userAssignedIdentities`.
86+
You must have a [user-assigned managed identity already configured](search-howto-managed-identities-data-sources.md) and associated with your search service, and the identity must have a role-assignment on Azure Storage.
87+
88+
Connections made through user-assigned managed identities use the same credentials as a system-assigned managed identity, plus an extra identity property that contains the collection of user-assigned managed identities. Only one user-assigned managed identity should be provided when creating the data source. Set `userAssignedIdentity` to the user-assigned managed identity..
8589

8690
Provide a `ResourceId` that has no account key or password. The `ResourceId` must include the subscription ID of the storage account, the resource group of the storage account, and the storage account name.
8791
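Review bot: The rewritten paragraph under "User-assigned managed identity" ends in a double period ("managed identity..") and replaces "Set it to type `userAssignedIdentities`" with "Set `userAssignedIdentity` to the user-assigned managed identity", which leaves it unclear how `userAssignedIdentity` relates to the "extra identity property" named one sentence earlier. State whether `userAssignedIdentity` is a field inside that identity property and what form its value takes, and drop the extra period. The new prerequisite sentence also has the same unnamed role and hyphenated "role-assignment" as the one added to the system-assigned section.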

articles/search/search-security-enable-roles.md

Lines changed: 2 additions & 2 deletions
@@ -16,7 +16,7 @@ ms.date: 06/03/2024
1616

1717
Azure AI Search supports authentication and authorization through role assignments and Microsoft Entra ID, which is built into all Azure tenants.
1818

19-
Roles for service administration (control plane) are built in and can't be disabled. Roles for data plane operations are optional, but recommended. The alternative is [key-based authentication](search-security-api-keys.md), which is the default. However, if you want to assign Search Service Contributor, Search Index Data Contributor, or Search Index Data Reader roles for data plane operations, you must enable role-based access on your service.
19+
Roles for service administration (control plane) are built in and can't be disabled. Roles for data plane operations are optional, but recommended. The alternative is [key-based authentication](search-security-api-keys.md), which is the default. However, if you want to use role-based authentication for data plane operations, you must enable role-based access on your service.
2020

2121
In this article, learn how to configure your search service to recognize an **authorization** header on data plane requests that provide an OAuth2 access token.
2222
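Review bot: In the changed sentence, "role-based authentication" sits next to "role-based access" in the same sentence, and the context line above describes roles as covering "authentication and authorization"; roles govern what a caller may do, so "role-based access control" (the term the "Disable role-based access control" heading uses) or "role assignments" would be more consistent. The rewrite also drops the three role names (Search Service Contributor, Search Index Data Contributor, Search Index Data Reader); if that is intentional, link to where the data plane roles are listed so readers can still find them.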

@@ -132,7 +132,7 @@ All calls to the Management REST API are authenticated through Microsoft Entra I
132132
133133
## Disable role-based access control
134134
135-
Because roles aren't required, it's possible to disable role-based access control for data plane operations and use key-based authentication instead. You might do this as part of a test workflow, for example to rule out permission issues.
135+
It's possible to disable role-based access control for data plane operations and use key-based authentication instead. You might do this as part of a test workflow, for example to rule out permission issues.
136136
137137
Reverse the steps you followed previously to enable role-based access.
138138
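Review bot: The paragraph under "Disable role-based access control" presents disabling as a test step, but nothing in the visible lines tells the reader to turn role-based access back on afterward, which leaves data plane requests on key-based authentication. Add a sentence after "to rule out permission issues" telling readers to re-enable role-based access once the test is done. Dropping "Because roles aren't required" reads fine, since the introduction already calls data plane roles optional.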
