MicrosoftDocs
diff --git a/‎articles/azure-resource-manager/templates/media/template-tutorial-use-key-vault/resource-manager-template-key-vault-diagram.png
1.15 KB b/‎articles/azure-resource-manager/templates/media/template-tutorial-use-key-vault/resource-manager-template-key-vault-diagram.png
1.15 KB
diff --git a/‎articles/azure-resource-manager/templates/template-tutorial-use-key-vault.md
Lines changed: 16 additions & 15 deletions b/‎articles/azure-resource-manager/templates/template-tutorial-use-key-vault.md
Lines changed: 16 additions & 15 deletions
@@ -2,15 +2,15 @@
 title: Use Azure Key Vault in templates
 description: Learn how to use Azure Key Vault to pass secure parameter values during Resource Manager template deployment
 author: mumian
-ms.date: 05/23/2019
+ms.date: 04/16/2020
 ms.topic: tutorial
 ms.author: jgao
 ms.custom: seodec18
 ---
 
 # Tutorial: Integrate Azure Key Vault in your ARM template deployment
 
-Learn how to retrieve secrets from an Azure key vault and pass the secrets as parameters when you deploy an Azure Resource Manager (ARM) template. The parameter value is never exposed, because you reference only its key vault ID. For more information, see [Use Azure Key Vault to pass secure parameter value during deployment](./key-vault-parameter.md).
+Learn how to retrieve secrets from an Azure key vault and pass the secrets as parameters when you deploy an Azure Resource Manager (ARM) template. The parameter value is never exposed, because you reference only its key vault ID. You can reference the key vault secret by using a static ID or a dynamic ID. This tutorial uses a static ID. With the static ID approach, you reference the key vault in the template parameter file, not the template file. For more information about both approaches, see [Use Azure Key Vault to pass secure parameter value during deployment](./key-vault-parameter.md).
 
 In the [Set resource deployment order](./template-tutorial-create-templates-with-dependent-resources.md) tutorial, you create a virtual machine (VM). You need to provide the VM administrator username and password. Instead of providing the password, you can pre-store the password in an Azure key vault and then customize the template to retrieve the password from the key vault during the deployment.
 
@@ -28,8 +28,6 @@ This tutorial covers the following tasks:
 
 If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
 
-[!INCLUDE [updated-for-az](../../../includes/updated-for-az.md)]
-
 ## Prerequisites
 
 To complete this article, you need:
@@ -44,7 +42,7 @@ To complete this article, you need:
 
 ## Prepare a key vault
 
-In this section, you create a key vault and add a secret to it, so that you can retrieve the secret when you deploy your template. There are many ways to create a key vault. In this tutorial, you use Azure PowerShell to deploy an [ARM template](https://raw.githubusercontent.com/Azure/azure-docs-json-samples/master/tutorials-use-key-vault/CreateKeyVault.json). This template does the following:
+In this section, you create a key vault and add a secret to it, so that you can retrieve the secret when you deploy your template. There are many ways to create a key vault. In this tutorial, you use Azure PowerShell to deploy an [ARM template](https://raw.githubusercontent.com/Azure/azure-docs-json-samples/master/tutorials-use-key-vault/CreateKeyVault.json). This template does two things:
 
 * Creates a key vault with the `enabledForTemplateDeployment` property enabled. This property must be *true* before the template deployment process can access the secrets that are defined in the key vault.
 * Adds a secret to the key vault. The secret stores the VM administrator password.
@@ -67,14 +65,16 @@ $templateUri = "https://raw.githubusercontent.com/Azure/azure-docs-json-samples/
 
 New-AzResourceGroup -Name $resourceGroupName -Location $location
 New-AzResourceGroupDeployment -ResourceGroupName $resourceGroupName -TemplateUri $templateUri -keyVaultName $keyVaultName -adUserId $adUserId -secretValue $secretValue
+
+Write-Host "Press [ENTER] to continue ..."
 ```
 
 > [!IMPORTANT]
 > * The resource group name is the project name, but with **rg** appended to it. To make it easier to [clean up the resources that you created in this tutorial](#clean-up-resources), use the same project name and resource group name when you [deploy the next template](#deploy-the-template).
 > * The default name for the secret is **vmAdminPassword**. It's hardcoded in the template.
-> * To enable the template to retrieve the secret, you must enable an access policy called "Enable access to Azure Resource Manager for template deployment" for the key vault. This policy is enabled in the template. For more information about the access policy, see [Deploy key vaults and secrets](./key-vault-parameter.md#deploy-key-vaults-and-secrets).
+> * To enable the template to retrieve the secret, you must enable an access policy called **Enable access to Azure Resource Manager for template deployment** for the key vault. This policy is enabled in the template. For more information about the access policy, see [Deploy key vaults and secrets](./key-vault-parameter.md#deploy-key-vaults-and-secrets).
 
-The template has one output value, called *keyVaultId*. Write down the ID value for later use, when you deploy the virtual machine. The resource ID format is:
+The template has one output value, called *keyVaultId*. You will use this ID along with the secret name to retrieve the secret value later in the tutorial. The resource ID format is:
 
 ```json
 /subscriptions/<SubscriptionID>/resourceGroups/mykeyvaultdeploymentrg/providers/Microsoft.KeyVault/vaults/<KeyVaultName>
@@ -103,13 +103,14 @@ Azure Quickstart Templates is a repository for ARM templates. Instead of creatin
     ```
 
 1. Select **Open** to open the file. The scenario is the same as the one that's used in [Tutorial: Create ARM templates with dependent resources](./template-tutorial-create-templates-with-dependent-resources.md).
-   The template defines five resources:
+   The template defines six resources:
 
-   * `Microsoft.Storage/storageAccounts`. See the [template reference](https://docs.microsoft.com/azure/templates/Microsoft.Storage/storageAccounts).
-   * `Microsoft.Network/publicIPAddresses`. See the [template reference](https://docs.microsoft.com/azure/templates/microsoft.network/publicipaddresses).
-   * `Microsoft.Network/virtualNetworks`. See the [template reference](https://docs.microsoft.com/azure/templates/microsoft.network/virtualnetworks).
-   * `Microsoft.Network/networkInterfaces`. See the [template reference](https://docs.microsoft.com/azure/templates/microsoft.network/networkinterfaces).
-   * `Microsoft.Compute/virtualMachines`. See the [template reference](https://docs.microsoft.com/azure/templates/microsoft.compute/virtualmachines).
+   * [**Microsoft.Storage/storageAccounts**](/azure/templates/Microsoft.Storage/storageAccounts).
+   * [**Microsoft.Network/publicIPAddresses**](/azure/templates/microsoft.network/publicipaddresses).
+   * [**Microsoft.Network/networkSecurityGroups**](/azure/templates/microsoft.network/networksecuritygroups).
+   * [**Microsoft.Network/virtualNetworks**](/azure/templates/microsoft.network/virtualnetworks).
+   * [**Microsoft.Network/networkInterfaces**](/azure/templates/microsoft.network/networkinterfaces).
+   * [**Microsoft.Compute/virtualMachines**](/azure/templates/microsoft.compute/virtualmachines).
 
    It's helpful to have some basic understanding of the template before you customize it.
 
@@ -123,7 +124,7 @@ Azure Quickstart Templates is a repository for ARM templates. Instead of creatin
 
 ## Edit the parameters file
 
-You don't need to make any changes to the template file.
+By using the static ID method, you don't need to make any changes to the template file. Retrieving the secret value is done by configuring the template parameter file.
 
 1. In Visual Studio Code, open *azuredeploy.parameters.json* if it's not already open.
 1. Update the `adminPassword` parameter to:
@@ -140,7 +141,7 @@ You don't need to make any changes to the template file.
     ```
 
     > [!IMPORTANT]
-    > Replace the value for **id** with the resource ID of the key vault that you created in the previous procedure.
+    > Replace the value for **id** with the resource ID of the key vault that you created in the previous procedure. The secretName is hardcoded as **vmAdminPassword**.  See [Prepare a key vault](#prepare-a-key-vault).
 
     ![Integrate key vault and Resource Manager template virtual machine deployment parameters file](./media/template-tutorial-use-key-vault/resource-manager-tutorial-create-vm-parameters-file.png)