minor edit

mumian · mumian · commit 76e19f3fa855 · 2024-01-21T21:03:52.000-05:00
diff --git a/articles/azure-resource-manager/bicep/deploy-github-actions.md b/articles/azure-resource-manager/bicep/deploy-github-actions.md
@@ -8,9 +8,7 @@ ms.custom: github-actions-azure, devx-track-bicep
 
 # Quickstart: Deploy Bicep files by using GitHub Actions
 
-[GitHub Actions](https://docs.github.com/en/actions) is a suite of features in GitHub to automate your software development workflows.
-
-In this quickstart, you use the [GitHub Actions for Azure Resource Manager deployment](https://github.com/marketplace/actions/deploy-azure-resource-manager-arm-template) to automate deploying a Bicep file to Azure.
+[GitHub Actions](https://docs.github.com/en/actions) is a suite of features in GitHub to automate your software development workflows. In this quickstart, you use the [GitHub Actions for Azure Resource Manager deployment](https://github.com/marketplace/actions/deploy-azure-resource-manager-arm-template) to automate deploying a Bicep file to Azure.
 
 It provides a short introduction to GitHub actions and Bicep files. If you want more detailed steps on setting up the GitHub actions and project, see [Deploy Azure resources by using Bicep and GitHub Actions](/training/paths/bicep-github-actions).
 
@@ -42,35 +40,30 @@ New-AzResourceGroup -Name exampleRG -Location westus
 
 # [Service principal](#tab/userlevel)
 
-Your GitHub Actions run under an identity. Use the [az ad sp create-for-rbac](/cli/azure/ad/sp#az-ad-sp-create-for-rbac) command to create a [service principal](../../active-directory/develop/app-objects-and-service-principals.md#service-principal-object) for the identity.
-
-Replace the placeholder `{app-name}` with the name of your application. Replace `{subscription-id}` with your subscription ID.
+Your GitHub Actions run under an identity. Use the [az ad sp create-for-rbac](/cli/azure/ad/sp#az-ad-sp-create-for-rbac) command to create a [service principal](../../active-directory/develop/app-objects-and-service-principals.md#service-principal-object) for the identity. Grant the service principal the contributor role for the resource group created in the previous session so that the GitHub action with the identity can create resources in this resource group. It is recommended that you grant minimum required access.
 
 ```azurecli-interactive
 az ad sp create-for-rbac --name {app-name} --role contributor --scopes /subscriptions/{subscription-id}/resourceGroups/exampleRG --json-auth
 ```
 
-> [!IMPORTANT]
-> The scope in the previous example is limited to the resource group. We recommend that you grant minimum required access.
+Replace the placeholder `{app-name}` with the name of your application. Replace `{subscription-id}` with your subscription ID.
 
-The output is a JSON object with the role assignment credentials that provide access to your App Service app similar to below. Copy this JSON object for later. You'll only need the sections with the `clientId`, `clientSecret`, `subscriptionId`, and `tenantId` values.
+The output is a JSON object with the role assignment credentials that provide access to your App Service app similar to below. 
 
 ```output
   {
     "clientId": "<GUID>",
     "clientSecret": "<GUID>",
     "subscriptionId": "<GUID>",
     "tenantId": "<GUID>",
-    (...)
+    ...
   }
 ```
 
-> [!NOTE]
-> Remove the comma at the end of the last line, or else it will result in an invalid JSON file. You will get an error during the deployment saying "Login failed with Error: Content is not a valid JSON object. Double check if the 'auth-type' is correct."
+Copy this JSON object for later. You'll only need the sections with the `clientId`, `clientSecret`, `subscriptionId`, and `tenantId` values. Make sure you don't have an extra comma at the end of the last line, for example, the `tenantId` line in the preceding example, or else it will result in an invalid JSON file. You will get an error during the deployment saying "Login failed with Error: Content is not a valid JSON object. Double check if the 'auth-type' is correct."
 
 # [Open ID Connect](#tab/openid)
 
-
 Open ID Connect is an authentication method that uses short-lived tokens. Setting up [OpenID Connect with GitHub Actions](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect) is more complex process that offers hardened security.
 
 1.  If you do not have an existing application, register a [new Active Directory application and service principal that can access resources](../../active-directory/develop/howto-create-service-principal-portal.md). Create the Active Directory application.
@@ -119,7 +112,7 @@ Open ID Connect is an authentication method that uses short-lived tokens. Settin
 
 # [Service principal](#tab/userlevel)
 
-Create secrets for your Azure credentials, resource group, and subscriptions.
+Create secrets for your Azure credentials, resource group, and subscriptions. You will use these secrets in the [Create workflow](#create-workflow) section.
 
 1. In [GitHub](https://github.com/), navigate to your repository.
 
