Commit 60a12d8

Merge pull request #57771 from daveba/update-perms-howto-guides
[Azure AD MI]Update perms howto guides
2 parents 3a7fd54 + b10b41f commit 60a12d8

1 file changed

+8
-10
lines changed
articles/active-directory/managed-identities-azure-resources/qs-configure-template-windows-vm.md

Lines changed: 8 additions & 10 deletions
@@ -29,14 +29,6 @@ In this article, using the Azure Resource Manager deployment template, you learn
2929

3030
- If you're unfamiliar with using Azure Resource Manager deployment template, check out the [overview section](overview.md). **Be sure to review the [difference between a system-assigned and user-assigned managed identity](overview.md#how-does-it-work)**.
3131
- If you don't already have an Azure account, [sign up for a free account](https://azure.microsoft.com/free/) before continuing.
32-
- To perform the management operations in this article, your account needs the following Azure role based access control assignments:
33-
34-
> [!NOTE]
35-
> No additional Azure AD directory role assignments required.
36-
37-
- [Virtual Machine Contributor](/azure/role-based-access-control/built-in-roles#virtual-machine-contributor) to create a VM and enable and remove system and/or user-assigned managed identity from an Azure VM.
38-
- [Managed Identity Contributor](/azure/role-based-access-control/built-in-roles#managed-identity-contributor) role to create a user-assigned managed identity.
39-
- [Managed Identity Operator](/azure/role-based-access-control/built-in-roles#managed-identity-operator) role to assign and remove a user-assigned managed identity from and to a VM.
4032

4133
## Azure Resource Manager templates
4234

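Review bot: Removing the prerequisites list here drops the Managed Identity Contributor requirement (needed to create a user-assigned managed identity), and none of the per-section sentences added in this commit restores it. The assignment step later in the file still tells the reader to use "the user-assigned managed identity you created", so state that role in the user-assigned section or link to the article that covers creating the identity.
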
@@ -55,6 +47,8 @@ In this section, you will enable and disable a system-assigned managed identity
5547

5648
### Enable system-assigned managed identity during creation of an Azure VM or on an existing VM
5749

50+
To enable system-assigned managed identity on a VM, your account needs the [Virtual Machine Contributor](/azure/role-based-access-control/built-in-roles#virtual-machine-contributor) role assignment. No additional Azure AD directory role assignments are required.
51+
5852
1. Whether you sign in to Azure locally or via the Azure portal, use an account that is associated with the Azure subscription that contains the VM.
5953

6054
2. To enable system-assigned managed identity, load the template into an editor, locate the `Microsoft.Compute/virtualMachines` resource of interest within the `resources` section and add the `"identity"` property at the same level as the `"type": "Microsoft.Compute/virtualMachines"` property. Use the following syntax:
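
Review bot: The added sentence covers only enabling the identity on a VM, while the heading above it also covers creating the VM, and the removed prerequisite listed Virtual Machine Contributor "to create a VM and enable and remove" the identity. Suggest wording that names both paths under this heading, creating a VM with the identity and enabling it on an existing VM.
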
@@ -132,6 +126,8 @@ In this section, you will enable and disable a system-assigned managed identity
132126

133127
After you have enabled system-assigned managed identity on your VM, you may want to grant it a role such as **Reader** access to the resource group in which it was created.
134128

129+
To assign a role to your VM's system-assigned identity, your account needs the [User Access Administrator](/azure/role-based-access-control/built-in-roles#user-access-administrator) role assignment.
130+
135131
1. Whether you sign in to Azure locally or via the Azure portal, use an account that is associated with the Azure subscription that contains the VM.
136132

137133
2. Load the template into an [editor](#azure-resource-manager-templates) and add the following information to give your VM **Reader** access to the resource group in which it was created. Your template structure may vary depending on the editor and the deployment model you choose.
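
Review bot: The added User Access Administrator sentence does not say at which scope the role is needed, and this role was not in the prerequisites list this commit removes. Since the step below grants **Reader** on the VM's resource group, say the assignment is required at that resource group scope so readers do not request it subscription-wide. The other added sentences end with "No additional Azure AD directory role assignments are required."; add it here too if it applies, for consistency.
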
@@ -174,7 +170,7 @@ After you have enabled system-assigned managed identity on your VM, you may want
174170

175171
### Disable a system-assigned managed identity from an Azure VM
176172

177-
If you have a VM that no longer needs a system-assigned managed identity:
173+
To remove system-assigned managed identity from a VM, your account needs the [Virtual Machine Contributor](/azure/role-based-access-control/built-in-roles#virtual-machine-contributor) role assignment. No additional Azure AD directory role assignments are required.
178174

179175
1. Whether you sign in to Azure locally or via the Azure portal, use an account that is associated with the Azure subscription that contains the VM.
180176

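Review bot: The replaced line "If you have a VM that no longer needs a system-assigned managed identity:" was the lead-in to the numbered steps, and the new permissions sentence leaves the list without one. Keep a short lead-in after the permissions sentence. The sentence also says "remove" where the heading says "Disable"; pick one term.
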
@@ -210,6 +206,8 @@ In this section, you assign a user-assigned managed identity to an Azure VM usin
210206

211207
### Assign a user-assigned managed identity to an Azure VM
212208

209+
To assign a user-assigned identity to a VM, your account needs the [Virtual Machine Contributor](/azure/role-based-access-control/built-in-roles#virtual-machine-contributor) and [Managed Identity Operator](/azure/role-based-access-control/built-in-roles#managed-identity-operator) role assignments. No additional Azure AD directory role assignments are required.
210+
213211
1. Under the `resources` element, add the following entry to assign a user-assigned managed identity to your VM. Be sure to replace `<USERASSIGNEDIDENTITY>` with the name of the user-assigned managed identity you created.
214212

215213
**Microsoft.Compute/virtualMachines API version 2018-06-01**
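
Review bot: The added sentence names two roles without saying which resource each must be granted on. The removed prerequisites tied Virtual Machine Contributor to the VM operations and Managed Identity Operator to assigning the identity, so keep that mapping in the new wording. It also says "user-assigned identity" where the heading and step 1 say "user-assigned managed identity"; use the full term throughout.
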
@@ -352,7 +350,7 @@ In this section, you assign a user-assigned managed identity to an Azure VM usin
352350

353351
### Remove a user-assigned managed identity from an Azure VM
354352

355-
If you have a VM that no longer needs a user-assigned managed identity:
353+
To remove a user-assigned identity from a VM, your account needs the [Virtual Machine Contributor](/azure/role-based-access-control/built-in-roles#virtual-machine-contributor) role assignment. No additional Azure AD directory role assignments are required.
356354

357355
1. Whether you sign in to Azure locally or via the Azure portal, use an account that is associated with the Azure subscription that contains the VM.
358356

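Review bot: The new sentence lists only Virtual Machine Contributor for removing a user-assigned identity, but the prerequisites removed earlier in this commit gave Managed Identity Operator for "assign and remove a user-assigned managed identity from and to a VM". Confirm which is correct and, if removal does not need Managed Identity Operator, say so in the commit description. As in the system-assigned section, the replaced line was the lead-in to the numbered steps and should be kept after the permissions sentence.
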