Merge pull request #95792 from DCtheGeek/dmc-bp-ghi42654

Fixes MicrosoftDocs/azure-docs#42654 - Clarifies MI info

Author: v-shils

articles/governance/blueprints/concepts/deployment-stages.md

@@ -1,7 +1,7 @@
 ---
 title: Stages of a blueprint deployment
 description: Learn the steps the Azure Blueprint services goes through during a deployment.
-ms.date: 03/14/2019
+ms.date: 11/13/2019
 ms.topic: conceptual
 ---
 # Stages of a blueprint deployment
@@ -24,17 +24,24 @@ takes the following high-level steps:
 ## Blueprints granted owner rights
 
 The Azure Blueprints service principal is granted owner rights to the assigned subscription or
-subscriptions. The granted role allows Blueprints to create, and later revoke, the [system-assigned
-managed identity](../../../active-directory/managed-identities-azure-resources/overview.md).
+subscriptions when a [system-assigned managed
+identity](../../../active-directory/managed-identities-azure-resources/overview.md) managed identity
+is used. The granted role allows Blueprints to create, and later revoke, the **system-assigned**
+managed identity. If using a **user-assigned** managed identity, the Azure Blueprints service
+principal doesn't get and doesn't need owner rights on the subscription.
 
 The rights are granted automatically if the assignment is done through the portal. However, if the
 assignment is done through the REST API, granting the rights needs to be done with a separate API
 call. The Azure Blueprint AppId is `f71766dc-90d9-4b7d-bd9d-4499c4331c3f`, but the service principal
-varies by tenant. Use [Azure Active Directory Graph API](../../../active-directory/develop/active-directory-graph-api.md)
+varies by tenant. Use
+[Azure Active Directory Graph API](../../../active-directory/develop/active-directory-graph-api.md)
 and REST endpoint [servicePrincipals](/graph/api/resources/serviceprincipal) to get the service
-principal. Then, grant the Azure Blueprints the _Owner_ role through the [Portal](../../../role-based-access-control/role-assignments-portal.md),
-[Azure CLI](../../../role-based-access-control/role-assignments-cli.md), [Azure PowerShell](../../../role-based-access-control/role-assignments-powershell.md),
-[REST API](../../../role-based-access-control/role-assignments-rest.md), or a [Resource Manager template](../../../role-based-access-control/role-assignments-template.md).
+principal. Then, grant the Azure Blueprints the _Owner_ role through the
+[Portal](../../../role-based-access-control/role-assignments-portal.md),
+[Azure CLI](../../../role-based-access-control/role-assignments-cli.md),
+[Azure PowerShell](../../../role-based-access-control/role-assignments-powershell.md),
+[REST API](../../../role-based-access-control/role-assignments-rest.md), or a
+[Resource Manager template](../../../role-based-access-control/role-assignments-template.md).
 
 The Blueprints service doesn't directly deploy the resources.
 
@@ -48,15 +55,20 @@ While creating the blueprint assignment, the type of [managed
 identity](../../../active-directory/managed-identities-azure-resources/overview.md) is selected. The
 default is a **system-assigned** managed identity. A **user-assigned** managed identity can be
 chosen. When using a **user-assigned** managed identity, it must be defined and granted permissions
-before the blueprint assignment is created.
+before the blueprint assignment is created. Both the
+[Owner](../../../role-based-access-control/built-in-roles.md#owner) and
+[Blueprint Operator](../../../role-based-access-control/built-in-roles.md#blueprint-operator)
+built-in roles have the necessary `blueprintAssignment/write` permission to create an assignment
+that uses a **user-assigned** managed identity.
 
 ## Optional - Blueprints creates system-assigned managed identity
 
 When [system-assigned managed
 identity](../../../active-directory/managed-identities-azure-resources/overview.md) is selected
-during assignment, Blueprints creates the identity and grants the managed identity the [owner](../../../role-based-access-control/built-in-roles.md#owner)
-role. If an [existing assignment is upgraded](../how-to/update-existing-assignments.md), Blueprints
-uses the previously created managed identity.
+during assignment, Blueprints creates the identity and grants the managed identity the
+[owner](../../../role-based-access-control/built-in-roles.md#owner) role. If an
+[existing assignment is upgraded](../how-to/update-existing-assignments.md), Blueprints uses the
+previously created managed identity.
 
 The managed identity related to the blueprint assignment is used to deploy or redeploy the resources
 defined in the blueprint. This design avoids assignments inadvertently interfering with each other.