
Commit 5ff6bc7

update rbac roles
1 parent 4dd5d1d commit 5ff6bc7


5 files changed

+17
-10
lines changed


articles/ai-services/document-intelligence/faq.yml

Lines changed: 7 additions & 7 deletions
Original file line number | Diff line number | Diff line change
@@ -158,7 +158,7 @@ sections:
158158
What is a bounding box?
159159
answer: |
160160
161-
A bounding box (`polygon` in v3.0 and later versions) is an abstract rectangle that surrounds text elements in a document or form. It's used as a reference point for object detection.
161+
A bounding box (`polygon` in v3.0 and later versions) is an abstract rectangle that surrounds text elements in a document or form used as a reference point for object detection.
162162
163163
The bounding box specifies position by using an x and y coordinate plane presented in an array of four numerical pairs. Each pair represents a corner of the box in the following order: upper left, upper right, lower right, lower left.
164164
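Review bot: Merging the two sentences at line 161 makes "used as a reference point for object detection" read as if it modifies "form" rather than the bounding box; keep the original two sentences, or write "surrounds text elements in a document or form and serves as a reference point for object detection".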
@@ -189,27 +189,27 @@ sections:
189189
190190
- Basic
191191
192-
- **Cognitive Services User**: You need this role for a [Document Intelligence](https://portal.azure.com/#create/Microsoft.CognitiveServicesFormRecognizer) or [Cognitive Services multiple-service](https://portal.azure.com/#create/Microsoft.CognitiveServicesAllInOne) resource to read/write data and is **required to call the API**.
192+
- **Cognitive Services User**: You need this role for a [Document Intelligence](https://portal.azure.com/#create/Microsoft.CognitiveServicesFormRecognizer) or [Azure Cognitive Services multiple-service](https://portal.azure.com/#create/Microsoft.CognitiveServicesAllInOne) resource to use Document Intelligence Studio.
193193
194194
- Advanced
195195
196-
- **Contributor**: You need this role to create a resource group or a Document Intelligence resource. The Contributor role doesn't allow you to list keys for Cognitive Services and doesn't give you access to use the created resources or storage, it only allows a user to read/write the resource itself. To use Document Intelligence Studio, you still need the Cognitive Services User role.
196+
- **Contributor**: You need this role to create a resource group or a Document Intelligence resource.
197197
198198
For custom model projects, here are the role requirements for user scenarios:
199199
200200
- Basic
201201
202-
- **Cognitive Services User**: You need this role for a [Document Intelligence](https://portal.azure.com/#create/Microsoft.CognitiveServicesFormRecognizer) or [Cognitive Services multiple-service](https://portal.azure.com/#create/Microsoft.CognitiveServicesAllInOne) resource to read/write data and is **required to call the API**. This role is also the minimum necessary to train a custom model or analyze with trained models.
202+
- **Cognitive Services User**: You need this role for a [Document Intelligence](https://portal.azure.com/#create/Microsoft.CognitiveServicesFormRecognizer) or [Cognitive Services multiple-service](https://portal.azure.com/#create/Microsoft.CognitiveServicesAllInOne) resource to train a custom model or analyze with trained models.
203203
204204
- **Storage Blob Data Contributor**: You need this role for a storage account to create project and label data.
205205
206206
- Advanced
207207
208208
- **Storage Account Contributor**: You need this role for the storage account to set up cross-origin resource sharing (CORS) settings. It's a one-time effort if you reuse the same storage account.
209209
210-
The Contributor role doesn't allow you to access data in your blob. To use Document Intelligence Studio, you still need the Storage Blob Data Contributor role.
210+
- **Contributor**: You need this role to create a resource group and resources.
211211
212-
- **Contributor**: You need this role to create a resource group and resources. The Contributor role doesn't give you access to use the created resources or storage, it only allows a user to read/write the resource itself. To use Document Intelligence Studio, you still need basic roles.
212+
Having Contributor or Storage Account Contributor role doesn't give you access to use your Document Intelligence resource or storage account if local (key-based) authentication is disabled. You still need the basic roles (Cognitive Services User and Storage Data Blob Contributor) to use the functions on Document Intelligence Studio.
213213
214214
For more information, see [Microsoft Entra built-in roles](../../role-based-access-control/built-in-roles.md) and the sections about Azure role assignments in the [Document Intelligence Studio quickstart](quickstarts/try-document-intelligence-studio.md).
215215
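Review bot: The role name at new line 212, "Storage Data Blob Contributor", does not match "Storage Blob Data Contributor" used at line 204 of the same hunk; the transposed name will send readers looking for a role that does not exist. Two smaller consistency points in the same hunk: line 192 now links to "Azure Cognitive Services multiple-service" while line 202 keeps "Cognitive Services multiple-service", and the deleted phrase "is **required to call the API**" was the only place this answer said Cognitive Services User is needed for API calls and not just for Studio, while the replacement at line 212 only covers the case where local authentication is disabled; consider keeping it. Also "Having Contributor or Storage Account Contributor role" reads better as "Having the Contributor or Storage Account Contributor role".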
@@ -264,7 +264,7 @@ sections:
264264
265265
- "URL for the Azure US Government cloud (Azure Fairfax): [Document Intelligence Studio US Government](https://formrecognizer.appliedai.azure.us/studio)".
266266
267-
- "URL Microsoft Azure operated by 21Vianet (Azure in China): [Document Intelligence Studio China](https://formrecognizer.appliedai.azure.cn/studio)".
267+
- "URL Microsoft Azure operated by 21Vianet (Azure in China): [Document Intelligence Studio China](https://formrecognizer.appliedai.azure.cn/studio)."
268268
269269
270270
- name: App development
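Review bot: Moving the period inside the closing quote at line 267 leaves this item inconsistent with the unchanged US Government item at line 265, which still ends with `)".`; apply the same punctuation to both items. While here, "URL Microsoft Azure operated by 21Vianet" is missing "for" ("URL for Microsoft Azure operated by 21Vianet") to parallel line 265.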

articles/ai-services/document-intelligence/managed-identities-secured-access.md

Lines changed: 2 additions & 2 deletions
@@ -265,7 +265,7 @@ That's it! You can now configure secure access for your Document Intelligence re
265265
:::image type="content" source="media/managed-identities/cors-error.png" alt-text="Screenshot of error message when CORS config is required":::
266266

267267
**Resolution**:
268-
1. [Configure CORS](quickstarts/try-document-intelligence-studio.md#prerequisites-for-new-users).
268+
1. [Configure CORS](quickstarts/try-document-intelligence-studio.md#configure-cors).
269269

270270
1. Make sure the client computer can access Document Intelligence resource and storage account, either they are in the same VNET, or client IP address is allowed in **Networking > Firewalls and virtual networks** setting page of both Document Intelligence resource and storage account.
271271
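Review bot: The new anchor `#configure-cors` at line 268 points at a heading that the quickstart changes in this same commit do not add (the try-document-intelligence-studio.md hunks only insert a TIP and a NOTE), so confirm that quickstarts/try-document-intelligence-studio.md already contains a "Configure CORS" heading; otherwise the link breaks.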

@@ -285,7 +285,7 @@ That's it! You can now configure secure access for your Document Intelligence re
285285

286286
:::image type="content" source="media/managed-identities/access-denied.png" alt-text="Screenshot of an access denied error.":::
287287

288-
**Resolution**: Check to make sure there's connectivity between the computer accessing the Document Intelligence Studio and the Document Intelligence service. For example, you might need to add the client IP address to the Document Intelligence service's networking tab.
288+
**Resolution**: Check to make sure there's connectivity between the computer accessing the Document Intelligence Studio and the Document Intelligence service. For example, you might need to allow the client IP address in **Networking > Firewalls and virtual networks** setting page of both Document Intelligence resource and storage account.
289289

290290
## Next steps
291291
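Review bot: The rewritten resolution at line 288 now tells the reader to allow the client IP on both the Document Intelligence resource and the storage account, but the first sentence still describes the problem as connectivity between the Studio client and the Document Intelligence service; if the storage account firewall is also implicated in this access-denied error, say so explicitly, and phrase the advice as allowing only the specific client IP address or range rather than loosening the firewall more broadly. Grammar: "in **Networking > Firewalls and virtual networks** setting page of both Document Intelligence resource and storage account" needs articles ("on the ... settings page of both the Document Intelligence resource and the storage account").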

articles/ai-services/document-intelligence/managed-identities.md

Lines changed: 3 additions & 1 deletion
@@ -132,7 +132,9 @@ You need to grant Document Intelligence access to your storage account before it
132132

133133
### Additional role assignment for Document Intelligence Studio
134134

135-
If you are going to use Document Intelligence Studio and your storage account is configured with network restriction such as firewall or virtual network, an additional role, **Storage Blob Data Contributor**, needs to be assigned to your Document Intelligence service. Document Intelligence Studio requires this role to write blobs to your storage account when you perform Auto label, OCR upgrade, Human in the loop, or Project sharing operations.
135+
If you are going to use Document Intelligence Studio and your storage account is configured with network restriction such as firewall or virtual network, an additional role, **Storage Blob Data Contributor**, needs to be assigned to your Document Intelligence service. Document Intelligence Studio requires this role to write blobs to your storage account when you perform Auto label, Human in the loop, or Project sharing/upgrade operations.
136+
137+
:::image type="content" source="media/managed-identities/blob-data-contributor-role.png" alt-text="Screenshot of assigning storage blob data contributor role.":::
136138

137139
## Next steps
138140
> [!div class="nextstepaction"]
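Review bot: The paragraph at line 135 says Storage Blob Data Contributor "needs to be assigned to your Document Intelligence service" but never states the scope; since this role grants write access to every blob within its scope, the text (and the new screenshot at line 137) should make clear the assignment is on the specific storage account, or container, that the project uses, not on the resource group or subscription. Minor wording: "network restriction such as firewall or virtual network" reads better as "network restrictions such as a firewall or virtual network", and the new alt text should capitalize the role name as the body text does ("Storage Blob Data Contributor").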

articles/ai-services/document-intelligence/quickstarts/try-document-intelligence-studio.md

Lines changed: 5 additions & 0 deletions
@@ -29,6 +29,8 @@ monikerRange: '>=doc-intel-3.0.0'
2929

3030
> [!TIP]
3131
> Create an Azure AI services resource if you plan to access multiple Azure AI services under a single endpoint/key. For Document Intelligence access only, create a Document Intelligence resource. Please note that you'll need a single-service resource if you intend to use [Microsoft Entra authentication](../../../active-directory/authentication/overview-authentication.md).
32+
>
33+
> Document Intelligence now supports AAD token authentication additional to local (key-based) authentication when accessing the Document Intelligence resources and storage accounts. Be sure to follow below instructions to setup correct access roles, especially if your resources are applied with `DisableLocalAuth` policy.
3234
3335
#### Azure role assignments
3436
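Review bot: The new tip at line 33 has several wording problems: "additional to local (key-based) authentication" should be "in addition to local (key-based) authentication", "follow below instructions to setup correct access roles" should be "follow the instructions below to set up the correct access roles", and "your resources are applied with `DisableLocalAuth` policy" should be "the `DisableLocalAuth` policy is applied to your resources". Naming is also inconsistent within the same tip: line 31 says "Microsoft Entra authentication" while line 33 says "AAD token authentication"; use the Microsoft Entra name in both.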

@@ -41,6 +43,9 @@ For document analysis and prebuilt models, following role assignments are requir
4143

4244
For more information on authorization, *see* [Document Intelligence Studio authorization policies](../studio-overview.md#authorization-policies).
4345

46+
> [!NOTE]
47+
> If local (key-based) authentication is disabled for your Document Intelligence service resource, be sure to obtain **Cognitive Services User** role and your AAD token will be used to authenticate requests on Document Intelligence Studio. The **Contributor** role only allows you to list keys but does not give you permission to use the resource when key-access is disabled.
48+
4449
## Models
4550

4651
Prebuilt models help you add Document Intelligence features to your apps without having to build, train, and publish your own models. You can choose from several prebuilt models, each of which has its own set of supported data fields. The choice of model to use for the analyze operation depends on the type of document to be analyzed. Document Intelligence currently supports the following prebuilt models:
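Review bot: The new NOTE at line 47 contradicts faq.yml in this same commit: here Contributor "only allows you to list keys", while the FAQ text being deleted (line 195 of faq.yml) said Contributor "doesn't allow you to list keys for Cognitive Services"; settle which statement is correct and make the surviving text agree. The note would also be stronger if it spelled out the consequence it implies: while key-based access is enabled, anyone who can list keys can use the resource, so disabling local authentication is what makes the Cognitive Services User data-plane role the real gate. Grammar: "be sure to obtain **Cognitive Services User** role and your AAD token will be used" should read "be sure you are assigned the **Cognitive Services User** role; your Microsoft Entra token is then used to authenticate requests in Document Intelligence Studio".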
