Update best-practices.md

Author: jlichwa

articles/key-vault/general/best-practices.md

@@ -30,10 +30,10 @@ Encryption keys and secrets like certificates, connection strings, and passwords
 
 Recommendations for controlling access to your vault are as follows:
 - Lock down access to your subscription, resource group, and key vaults using role-based access control (RBAC).
-- Assign RBAC roles at Key Vault scope for applications, services, and workloads requiring persistent access to Key Vault
-- Assign just-in-time eligible RBAC roles for operators, administrators and other user accounts requiring privileged access to Key Vault using [Privileged Identity Management (PIM)](../../active-directory/privileged-identity-management/pim-configure.md) 
-  - Require at least one approver
-  - Enforce multi-factor authentication
+  - Assign RBAC roles at Key Vault scope for applications, services, and workloads requiring persistent access to Key Vault
+  - Assign just-in-time eligible RBAC roles for operators, administrators and other user accounts requiring privileged access to Key Vault using [Privileged Identity Management (PIM)](../../active-directory/privileged-identity-management/pim-configure.md) 
+    - Require at least one approver
+    - Enforce multi-factor authentication
 - Restrict network access with [Private Link](private-link-service.md), [firewall and virtual networks](network-security.md)
 
 ## Turn on data protection for your vault