articles/search/search-manage.md (4 additions & 4 deletions)
@@ -53,21 +53,21 @@ On a new search service, we recommend these configuration tasks.
### Enable role-based access
-
A search service is always created with [API keys](search-security-api-keys.md). An admin API key grants read-write access to all data plane operations. You can't delete admin API keys but you can [disable API keys](search-security-enable-roles.md#disable-api-key-authentication) if you want all users to access data plane operations through role assignments.
+
A search service is always created with [API keys](search-security-api-keys.md) and uses key-based authentication by default. However, using Microsoft Entra ID and role assignments is a more secure option because it eliminates storing and passing keys in plain text.
-
1.[Enable roles](search-security-enable-roles.md) on your search service.
+
1.[Enable roles](search-security-enable-roles.md) on your search service. We recommend the roles-only option.
1. For administration, [assign data plane roles](search-security-rbac.md) to replace the functionality lost when you disable API keys. Role assignments include Search Service Contributor, Search Index Data Contributor, and Search Index Data Reader. You need all three.
Sometimes it can take five to ten minutes for role assignments to take effect. Until that happens, the following message appears in the portal pages used for data plane operations.
:::image type="content" source="media/search-security-rbac/you-do-not-have-access.png" alt-text="Screenshot of portal message indicating insufficient permissions.":::
-
1.[Add more role assignments](search-security-rbac.md) for developers and apps.
+
1.Continue to [add more role assignments](search-security-rbac.md) for solution developers and apps.
### Configure a managed identity
-
If you plan to use indexers for automated indexing, applied AI, or integrated vectorization, you should [configure the search service to use a managed identity](search-howto-managed-identities-data-sources.md). You can then add role assignments on other Azure services that authorize your search service for access to data and operations.
+
If you plan to use indexers for automated indexing, applied AI, or integrated vectorization, you should [configure the search service to use a managed identity](search-howto-managed-identities-data-sources.md). You can then add role assignments on other Azure services that authorize your search service to access data and operations.
For integrated vectorization, a search service identity needs:
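Review bot: The rewritten line 56 drops the only mention that admin API keys can't be deleted and that key-based authentication has to be explicitly disabled, yet step 2 (line 60) still refers to "the functionality lost when you disable API keys" and step 1 now recommends the roles-only option. Keep a pointer to the disable-api-key-authentication anchor in the intro, for example: "You can't delete API keys, but you can [disable API key authentication](search-security-enable-roles.md#disable-api-key-authentication) once role assignments are in place." Also, "eliminates storing and passing keys in plain text" overstates the benefit; the real gain is not having to distribute and rotate a long-lived shared secret that grants full read-write access, so consider wording it that way. Minor: the added list items ("1.[Enable roles]", "1.Continue to") have no space after the marker, unlike the unchanged "1. For administration" line; if that's in the source rather than the rendering, the items won't render as an ordered list.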
articles/search/search-security-enable-roles.md (2 additions & 2 deletions)
@@ -25,7 +25,7 @@ Roles for service administration (control plane) are built in and can't be enabl
## Prerequisites
-
+**Owner**, **User Access Administrator**, or a custom role with [Microsoft.Authorization/roleAssignments/write](/azure/templates/microsoft.authorization/roleassignments) permissions.
+
+ Owner, User Access Administrator, or a custom role with [Microsoft.Authorization/roleAssignments/write](/azure/templates/microsoft.authorization/roleassignments) permissions.
+ A search service in any region, on any tier, including free.
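Review bot: The prerequisite at line 28 lists only the permission needed to create role assignments (Microsoft.Authorization/roleAssignments/write), but the hunk header says this article covers enabling role-based access on the search service itself, which is a control-plane change to the service resource. State which permission on the search service is needed for that step as well, so a reader holding only User Access Administrator isn't surprised when the authentication option can't be changed. Dropping the bold on "Owner" and "User Access Administrator" is fine; the neighbouring bullet at line 30 already uses the plain "+ " style, so the list is now consistent.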
@@ -53,7 +53,7 @@ Once role-based access is enabled, the search service recognizes an **authorizat
| Role-based access control | Requires membership in a role assignment to complete the task. It also requires an authorization header on the request. |
| Both | Requests are valid using either an API key or role-based access control, but if you provide both in the same request, the API key is used. |
-
1.If you choose a roles-only approach, [assign data plane roles](search-security-rbac.md) to restore full administrative access over data plane operations in the Azure portal. Roles include Search Service Contributor, Search Index Data Contributor, and Search Index Data Reader. You need all three roles if you want equivalent access.
+
1.As an administrator, if you choose a roles-only approach, [assign data plane roles](search-security-rbac.md) to your user account to restore full administrative access over data plane operations in the Azure portal. Roles include Search Service Contributor, Search Index Data Contributor, and Search Index Data Reader. You need all three roles if you want equivalent access.
Sometimes it can take five to ten minutes for role assignments to take effect. Until that happens, the following message appears in the portal pages used for data plane operations.
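Review bot: Adding "to your user account" makes clear who the assignment targets, but the step sits directly under the "Both" row, which says the API key wins when both credentials are present; it's worth stating that the roles-only approach is what makes role membership and the authorization header mandatory, since under "Both" a leaked key still bypasses the role check. Consider also saying that the three roles are assigned at the search service scope, and that the five-to-ten-minute propagation at line 58 applies before concluding an assignment failed. Same spacing issue as in search-manage.md: "1.As an administrator" has no space after the list marker.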
articles/search/service-configure-firewall.md (3 additions & 3 deletions)
@@ -18,11 +18,11 @@ ms.date: 06/18/2024
As soon as you install Azure AI Search, you can set up network access to limit access to an approved set of devices and cloud services. There are two mechanisms:
+ Inbound rules listing the IP addresses, ranges, or subnets from which requests are admitted
-
+ Exceptions to network rules, where requests are admitted with no checks, as long as the request originates from a trusted service
+
+ Exceptions to network rules, where requests are admitted with no checks, as long as the request originates from a [trusted service](#grant-access-to-trusted-azure-services)
Network rules aren't required, but it's a security best practice to add them.
-
Network rules are scoped to data plane operations. Data plane operations include creating or querying indexes, and all other actions described by the [Search REST APIs](/rest/api/searchservice/). Control plane operations target service administration. Those operations specify resource provider endpoints, which are subject to the [network protections supported by Azure Resource Manager](/security/benchmark/azure/baselines/azure-resource-manager-security-baseline).
+
Network rules are scoped to data plane operations against the search service's public endpoint. Data plane operations include creating or querying indexes, and all other actions described by the [Search REST APIs](/rest/api/searchservice/). Control plane operations target service administration. Those operations specify resource provider endpoints, which are subject to the [network protections supported by Azure Resource Manager](/security/benchmark/azure/baselines/azure-resource-manager-security-baseline).
This article explains how to configure network access to a search service's public endpoint. To block *all* data plane access to the public endpoint, use [private endpoints](service-create-private-endpoint.md) and an Azure virtual network.
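Review bot: The new cross-link at line 21 is helpful, but "admitted with no checks" is misleading next to the trusted-service section it links to, which says the exception depends on Microsoft Entra ID authentication and a valid role assignment. Reword to "admitted without IP-based checks" or "bypass the inbound network rules but must still authenticate with a role assignment" so readers don't take the exception for an unauthenticated allow-list. Scoping the rules to "the search service's public endpoint" at line 25 is a real improvement, since line 27 then presents private endpoints as the way to block the public endpoint entirely.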
@@ -63,7 +63,7 @@ This article assumes the Azure portal for network access configuration. You can
+`Microsoft.CognitiveServices` for Azure OpenAI and Azure AI services
+`Microsoft.MachineLearningServices` for Azure Machine Learning
-
When you enable this exception, you take a dependency on Microsoft Entra ID authentication, managed identities, and role assignments if you choose the trusted service exception. Any Azure AI service or AML feature that has a valid role assignment can pass the firewall. See [Grant access to trusted services](#grant-access-to-trusted-azure-services) for more details.
+
When you enable this exception, you take a dependency on Microsoft Entra ID authentication, managed identities, and role assignments. Any Azure AI service or AML feature that has a valid role assignment can pass the firewall. See [Grant access to trusted services](#grant-access-to-trusted-azure-services) for more details.
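Review bot: Removing the redundant "if you choose the trusted service exception" clause is right; the sentence now reads cleanly. Since "any Azure AI service or AML feature that has a valid role assignment can pass the firewall" means the role assignment is the only gate once the exception is on, the paragraph should spell out that the exception is only as tight as those assignments: grant the trusted resource's identity the narrowest data plane role that fits (Search Index Data Reader for query-only access, Search Index Data Contributor for indexing), and review the search service's role assignments when you enable it.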