MicrosoftDocs
diff --git a/‎articles/azure-signalr/howto-custom-domain.md
Lines changed: 32 additions & 0 deletions b/‎articles/azure-signalr/howto-custom-domain.md
Lines changed: 32 additions & 0 deletions
diff --git a/‎articles/azure-signalr/media/howto-custom-domain/portal-key-vault-iam.png
85.2 KB b/‎articles/azure-signalr/media/howto-custom-domain/portal-key-vault-iam.png
85.2 KB
diff --git a/‎articles/azure-signalr/media/howto-custom-domain/portal-key-vault-members.png
36.5 KB b/‎articles/azure-signalr/media/howto-custom-domain/portal-key-vault-members.png
36.5 KB
diff --git a/‎articles/azure-signalr/media/howto-custom-domain/portal-key-vault-perm-model-access-policy.png
35.2 KB b/‎articles/azure-signalr/media/howto-custom-domain/portal-key-vault-perm-model-access-policy.png
35.2 KB
diff --git a/‎articles/azure-signalr/media/howto-custom-domain/portal-key-vault-perm-model-rbac.png
41.6 KB b/‎articles/azure-signalr/media/howto-custom-domain/portal-key-vault-perm-model-rbac.png
41.6 KB
diff --git a/‎articles/azure-signalr/media/howto-custom-domain/portal-key-vault-role.png
53.2 KB b/‎articles/azure-signalr/media/howto-custom-domain/portal-key-vault-role.png
53.2 KB
@@ -33,6 +33,14 @@ Azure SignalR Service uses Managed Identity to access your Key Vault. In order t
 
    :::image type="content" alt-text="Screenshot of enabling managed identity." source="media\howto-custom-domain\portal-identity.png" :::
 
+Depending on how you configure your Key Vault permission model, you may need to grant permissions at different places.
+
+#### [Vault access policy](#tab/vault-access-policy)
+
+If you're using Key Vault built-in access policy as Key Vault permission model as follows:
+
+   :::image type="content" alt-text="Screenshot of Key Vault IAM." source="media\howto-custom-domain\portal-key-vault-perm-model-access-policy.png" :::
+
 1. Go to your Key Vault resource.
 1. In the menu pane, select **Access configuration**. Click **Go to access policies**.
 1. Click **Create**. Select **Secret Get** permission and **Certificate Get** permission. Click **Next**.
@@ -46,6 +54,30 @@ Azure SignalR Service uses Managed Identity to access your Key Vault. In order t
 1. Skip **Application (optional)**. Click **Next**.
 1. In **Review + create**, click **Create**.
 
+#### [Azure role-based access control](#tab/azure-rbac)
+
+If you're using Azure role-based access control as Key Vault permission model:
+
+   :::image type="content" alt-text="Screenshot of Key Vault IAM." source="media\howto-custom-domain\portal-key-vault-perm-model-rbac.png" :::
+
+1. Go to your Key Vault resource.
+1. In the menu pane, select **Access control (IAM) **.
+1. Click **Add**. Select **Add role assignment**.
+
+   :::image type="content" alt-text="Screenshot of Key Vault IAM." source="media\howto-custom-domain\portal-key-vault-iam.png" :::
+
+1. Under the **Role** tab, select **Key Vault Secrets User**. Click **Next**.
+
+   :::image type="content" alt-text="Screenshot of Key Vault IAM." source="media\howto-custom-domain\portal-key-vault-role.png" :::
+
+1. Under the **Members** tab, select **Managed identity**. 1. Search for the Azure SignalR Service resource name or the user assigned identity name. Click **Next**.
+
+   :::image type="content" alt-text="Screenshot of Key Vault IAM." source="media\howto-custom-domain\portal-key-vault-members.png" :::
+
+1. Click **Review + assign**.
+
+-----
+
 ### Step 2: Create a custom certificate
 
 1. In the Azure portal, go to your Azure SignalR Service resource.