MicrosoftDocs
diff --git a/‎articles/active-directory/managed-identities-azure-resources/how-managed-identities-work-vm.md
Lines changed: 19 additions & 4 deletions b/‎articles/active-directory/managed-identities-azure-resources/how-managed-identities-work-vm.md
Lines changed: 19 additions & 4 deletions
diff --git a/‎articles/active-directory/managed-identities-azure-resources/media/how-managed-identities-work-vm/managed-identity-client-id.png
86.5 KB b/‎articles/active-directory/managed-identities-azure-resources/media/how-managed-identities-work-vm/managed-identity-client-id.png
86.5 KB
@@ -12,7 +12,7 @@ ms.subservice: msi
 ms.devlang:
 ms.topic: conceptual
 ms.custom: mvc
-ms.date: 10/30/2022
+ms.date: 11/15/2022
 ms.author: barclayn
 ms.collection: M365-identity-device-management
 ---
@@ -33,7 +33,7 @@ Your code can use a managed identity to request access tokens for services that
 
 The following diagram shows how managed service identities work with Azure virtual machines (VMs):
 
-[![Managed service identities and Azure VMs](media/how-managed-identities-work-vm/data-flow.png)](media/how-managed-identities-work-vm/data-flow.png#lightbox)
+[![Diagram that shows how managed service identities are associated with Azure virtual machines, get an access token, and invoked a protected Azure AD resource.](media/how-managed-identities-work-vm/data-flow.png)](media/how-managed-identities-work-vm/data-flow.png#lightbox)
 
 The following table shows the differences between the system-assigned and user-assigned managed identities:
 
@@ -52,12 +52,18 @@ The following table shows the differences between the system-assigned and user-a
 
 3. Azure Resource Manager updates the VM identity using the Azure Instance Metadata Service identity endpoint (for [Windows](/azure/virtual-machines/windows/instance-metadata-service) and [Linux](/azure/virtual-machines/linux/instance-metadata-service)), providing the endpoint with the service principal client ID and certificate.
 
-4. After the VM has an identity, use the service principal information to grant the VM access to Azure resources. To call Azure Resource Manager, use Azure role-based access control (Azure RBAC) to assign the appropriate role to the VM service principal. To call Key Vault, grant your code access to the specific secret or key in Key Vault.
+4. After the VM has an identity, use the service principal information to grant the VM access to Azure resources. To call Azure Resource Manager, use Azure Role-Based Access Control (Azure RBAC) to assign the appropriate role to the VM service principal. To call Key Vault, grant your code access to the specific secret or key in Key Vault.
 
 5. Your code that's running on the VM can request a token from the Azure Instance Metadata service endpoint, accessible only from within the VM: `http://169.254.169.254/metadata/identity/oauth2/token`
     - The resource parameter specifies the service to which the token is sent. To authenticate to Azure Resource Manager, use `resource=https://management.azure.com/`.
     - API version parameter specifies the IMDS version, use api-version=2018-02-01 or greater.
 
+    The following example demonstrates how to to use CURL to make a request to the local Managed Identity endpoint to get an access token for Azure Instance Metadata service.
+
+    ```bash
+    curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fstorage.azure.com%2F' -H Metadata:true
+    ```
+
 6. A call is made to Azure AD to request an access token (as specified in step 5) by using the client ID and certificate configured in step 3. Azure AD returns a JSON Web Token (JWT) access token.
 
 7. Your code sends the access token on a call to a service that supports Azure AD authentication.
@@ -77,9 +83,18 @@ The following table shows the differences between the system-assigned and user-a
 
 5. Your code that's running on the VM can request a token from the Azure Instance Metadata Service identity endpoint, accessible only from within the VM: `http://169.254.169.254/metadata/identity/oauth2/token`
     - The resource parameter specifies the service to which the token is sent. To authenticate to Azure Resource Manager, use `resource=https://management.azure.com/`.
-    - The client ID parameter specifies the identity for which the token is requested. This value is required for disambiguation when more than one user-assigned identity is on a single VM.
+    - The `client_id` parameter specifies the identity for which the token is requested. This value is required for disambiguation when more than one user-assigned identity is on a single VM. You can find the **Client ID** in the Managed Identity **Overview**:
+
+        [![Screenshot that shows how to copy the managed identity client ID.](./media/how-managed-identities-work-vm/managed-identity-client-id.png)](./media/how-managed-identities-work-vm/managed-identity-client-id.png#lightbox)
+
     - The API version parameter specifies the Azure Instance Metadata Service version. Use `api-version=2018-02-01` or higher.
 
+        The following example demonstrates how to to use CURL to make a request to the local Managed Identity endpoint to get an access token for Azure Instance Metadata service.
+    
+        ```bash
+        curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fstorage.azure.com%2F&client_id=12345678-0000-0000-0000-000000000000' -H Metadata:true
+        ```
+
 6. A call is made to Azure AD to request an access token (as specified in step 5) by using the client ID and certificate configured in step 3. Azure AD returns a JSON Web Token (JWT) access token.
 7. Your code sends the access token on a call to a service that supports Azure AD authentication.