Merge pull request #210619 from jlichwa/patch-24

Update best-practices.md

Author: 19BMG00

articles/key-vault/general/best-practices.md

@@ -34,35 +34,31 @@ Suggestions for controlling access to your vault are as follows:
 - Use the principle of least privilege access to grant access.
 - Turn on firewall and [virtual network service endpoints](overview-vnet-service-endpoints.md).
 
-## Backup
-
-Make sure you take regular backups of your vault. Backups should be performed when you update, delete, or create objects in your vault. 
-
-### Azure PowerShell backup commands
-
-* [Backup certificate](/powershell/module/azurerm.keyvault/Backup-AzureKeyVaultCertificate)
-* [Backup key](/powershell/module/azurerm.keyvault/Backup-AzureKeyVaultKey)
-* [Backup secret](/powershell/module/azurerm.keyvault/Backup-AzureKeyVaultSecret)
-
-### Azure CLI backup commands
+## Turn on data protection for your vault
 
-* [Backup certificate](/cli/azure/keyvault/certificate#az-keyvault-certificate-backup)
-* [Backup key](/cli/azure/keyvault/key#az-keyvault-key-backup)
-* [Backup secret](/cli/azure/keyvault/secret#az-keyvault-secret-backup)
+Turn on purge protection to guard against malicious or accidental deletion of the secrets and key vault even after soft-delete is turned on.
 
+For more information, see [Azure Key Vault soft-delete overview](soft-delete-overview.md)
 
 ## Turn on logging
 
 [Turn on logging](logging.md) for your vault. Also, [set up alerts](alert.md).
 
-## Turn on recovery options
+## Backup
+
+Purge protection prevents malicious and accidental deletion of vault objects for up to 90 days. In scenarios when purge protection is not a possible option, we recommend backup vault objects, which can't be recreated from other sources like encryption keys generated within the vault.
 
-- Turn on [soft-delete](soft-delete-overview.md).
-- Turn on purge protection if you want to guard against force deletion of the secrets and key vault even after soft-delete is turned on.
+For more information about backup, see [Azure Key Vault backup and restore](backup.md)
 
 ## Multitenant solutions and Key Vault
 
 A multitenant solution is built on an architecture where components are used to serve multiple customers or tenants. Multitenant solutions are often used to support software as a service (SaaS) solutions. If you're building a multitenant solution that includes Key Vault, review [Multitenancy and Azure Key Vault](/azure/architecture/guide/multitenant/service/key-vault).
 
+## Frequently Asked Questions:
+### Can I use Key Vault role-based access control (RBAC) permission model object-scope assignments to provide isolation for application teams within Key Vault?
+No. RBAC permission model allows to assign access to individual objects in Key Vault to user or application, but any administrative operations like network access control, monitoring, and objects management require vault level permissions which will then expose secure information to operators across application teams.
+
 ## Learn more
 - [Best practices for secrets management in Key Vault](../secrets/secrets-best-practices.md)
+
+