update

Author: msmbaldwin

articles/key-vault/general/tutorial-net-create-vault-azure-web-app.md

@@ -230,12 +230,12 @@ http://<your-webapp-name>.azurewebsites.net
 You'll see the "Hello World!" message you saw earlier when you visited `http://localhost:5000`.
 
 For more information about deploying web application using Git, see [Local Git deployment to Azure App Service](../../app-service/deploy-local-git.md)
- 
+
 ## Configure the web app to connect to Key Vault
 
 In this section, you'll configure web access to Key Vault and update your application code to retrieve a secret from Key Vault.
 
-### Create and assign a managed identity
+### Create and assign access to a managed identity
 
 In this tutorial, we'll use [managed identity](../../active-directory/managed-identities-azure-resources/overview.md) to authenticate to Key Vault. Managed identity automatically manages application credentials.
 
@@ -255,13 +255,7 @@ The command will return this JSON snippet:
 }
 ```
 
-To give your web app permission to do **get** and **list** operations on your key vault, pass the `principalId` to the Azure CLI [az keyvault set-policy](/cli/azure/keyvault?#az-keyvault-set-policy) command:
-
-```azurecli-interactive
-az keyvault set-policy --name "<your-keyvault-name>" --object-id "<principalId>" --secret-permissions get list
-```
-
-You can also assign access policies by using the [Azure portal](./assign-access-policy-portal.md) or [PowerShell](./assign-access-policy-powershell.md).
+[!INCLUDE [Using RBAC to provide access to a key vault](../../../includes/key-vault-quickstart-rbac.md)]
 
 ### Modify the app to access your key vault
 

articles/key-vault/general/tutorial-net-virtual-machine.md

@@ -111,18 +111,8 @@ xxxxxxxx-xx-xxxxxx   xxxxxxxx-xxxx-xxxx   SystemAssigned
 ---
 
 ## Assign permissions to the VM identity
-Assign the previously created identity permissions to your key vault with the [az keyvault set-policy](/cli/azure/keyvault#az-keyvault-set-policy) command:
 
-# [Azure CLI](#tab/azure-cli)
-```azurecli
-az keyvault set-policy --name '<your-unique-key-vault-name>' --object-id <VMSystemAssignedIdentity> --secret-permissions  get list set delete
-```
-# [Azure PowerShell](#tab/azurepowershell)
-
-```azurepowershell
-Set-AzKeyVaultAccessPolicy -ResourceGroupName <YourResourceGroupName> -VaultName '<your-unique-key-vault-name>' -ObjectId '<VMSystemAssignedIdentity>' -PermissionsToSecrets  get,list,set,delete
-```
----
+[!INCLUDE [Using RBAC to provide access to a key vault](../../../includes/key-vault-quickstart-rbac.md)]
 
 ## Sign in to the virtual machine
 

articles/key-vault/general/tutorial-python-virtual-machine.md

@@ -94,11 +94,7 @@ Note the system-assigned identity that's displayed in the following code. The ou
 
 ## Assign permissions to the VM identity
 
-Now you can assign the previously created identity permissions to your key vault by running the following command:
-
-```azurecli
-az keyvault set-policy --name "<your-unique-keyvault-name>" --object-id "<systemAssignedIdentity>" --secret-permissions get list
-```
+[!INCLUDE [Using RBAC to provide access to a key vault](../../../includes/key-vault-quickstart-rbac.md)]
 
 ## Log in to the VM
 

articles/key-vault/secrets/quick-create-net.md

@@ -79,6 +79,7 @@ This quickstart is using Azure Identity library with Azure PowerShell to authent
 ### Grant access to your key vault
 
 [!INCLUDE [Using RBAC to provide access to a key vault](../../../includes/key-vault-quickstart-rbac.md)]
+
 ---
 
 ### Create new .NET console app

includes/key-vault-quickstart-rbac-cli.md

@@ -9,10 +9,10 @@ ms.author: msmbaldwin
 
 ---
 
-To grant your user account permissions to your key vault through Role-Based Access Control (RBAC), assign a role using the Azure CLI command [az role assignment create](/cli/azure/role/assignment#az-role-assignment-create).
+To grant your application permissions to your key vault through Role-Based Access Control (RBAC), assign a role using the Azure CLI command [az role assignment create](/cli/azure/role/assignment#az-role-assignment-create).
 
 ```azurecli
-az role assignment create --role "Key Vault Secrets User" --assignee "<your-email-address>" --scope "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.KeyVault/vaults/<your-unique-keyvault-name>"
+az role assignment create --role "Key Vault Secrets User" --assignee "<app-id>" --scope "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.KeyVault/vaults/<your-unique-keyvault-name>"
 ```
 
-Replace \<your-email-address\>, \<subscription-id\>, \<resource-group-name\> and \<your-unique-keyvault-name\> with your actual values. \<your-email-address\> is your sign-in name.
+Replace \<app-id\>, \<subscription-id\>, \<resource-group-name\> and \<your-unique-keyvault-name\> with your actual values. \<app-id\> is the Application (client) ID of your registered application in Azure AD.

includes/key-vault-quickstart-rbac-powershell.md

@@ -12,7 +12,7 @@ ms.author: msmbaldwin
 To grant your application permissions to your key vault through Role-Based Access Control (RBAC), assign a role using the Azure PowerShell cmdlet [New-AzRoleAssignment](/powershell/module/az.resources/new-azroleassignment).
 
 ```azurepowershell
-New-AzRoleAssignment -RoleDefinitionName "Key Vault Secrets User" -SignInName "<your-email-address>" -Scope "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.KeyVault/vaults/<your-unique-keyvault-name>"
+New-AzRoleAssignment -ObjectId "<app-id>" -RoleDefinitionName "Key Vault Secrets User" -Scope "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.KeyVault/vaults/<your-unique-keyvault-name>"
 ```
 
-Replace \<your-email-address\>, \<subscription-id\>, \<resource-group-name\> and \<your-unique-keyvault-name\> with your actual values. \<your-email-address\> is your sign-in name; you can instead use the `-ObjectId` parameter and a Microsoft Entra Object ID.
+Replace \<app-id\>, \<subscription-id\>, \<resource-group-name\> and \<your-unique-keyvault-name\> with your actual values. \<app-id\> is the Application (client) ID of your registered application in Azure AD.

includes/key-vault-quickstart-rbac.md

@@ -11,20 +11,10 @@ ms.author: msmbaldwin
 
 ### [Azure CLI](#tab/azure-cli)
 
-To grant your application permissions to your key vault through Role-Based Access Control (RBAC), assign a role using the Azure CLI command [az role assignment create](/cli/azure/role/assignment#az-role-assignment-create).
-
-```azurecli
-az role assignment create --role "Key Vault Secrets User" --assignee "<app-id>" --scope "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.KeyVault/vaults/<your-unique-keyvault-name>"
-```
+[!INCLUDE [Using RBAC to provide access to a key vault - CLI](./key-vault-quickstart-rbac-cli.md)]
 
 ### [Azure PowerShell](#tab/azure-powershell)
 
-To grant your application permissions to your key vault through Role-Based Access Control (RBAC), assign a role using the Azure PowerShell cmdlet [New-AzRoleAssignment](/powershell/module/az.resources/new-azroleassignment).
-
-```azurepowershell
-New-AzRoleAssignment -ObjectId "<app-id>" -RoleDefinitionName "Key Vault Secrets User" -Scope "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.KeyVault/vaults/<your-unique-keyvault-name>"
-```
+[!INCLUDE [Using RBAC to provide access to a key vault - PowerShell](./key-vault-quickstart-rbac-powershell.md)]
 
 ---
-
-Replace \<app-id\>, \<subscription-id\>, \<resource-group-name\> and \<your-unique-keyvault-name\> with your actual values. \<app-id\> is the Application (client) ID of your registered application in Azure AD.