Refocus article on managed identity on Operator Insights use

rcdun · rcdun · commit 96af48ed19c4 · 2024-01-23T14:32:04.000Z
diff --git a/articles/operator-insights/TOC.yml b/articles/operator-insights/TOC.yml
@@ -15,8 +15,6 @@
 - name: Concepts
   expanded: false
   items:
-  - name: Managed identity
-    href: managed-identity.md
   - name: Business continuity disaster recovery
     href: business-continuity-disaster-recovery.md
   - name: Data quality and data monitoring
@@ -29,6 +27,8 @@
     href: concept-mcc-data-product.md
   - name: Monitoring - Affirmed MCC Data Product
     href: concept-monitoring-mcc-data-product.md
+  - name: Managed identity
+    href: managed-identity.md
 - name: How-to guides
   expanded: false
   items:
diff --git a/articles/operator-insights/index.yml b/articles/operator-insights/index.yml
@@ -29,8 +29,6 @@ landingContent:
             url: operator-insights-faq.yml
       - linkListType: concept
         links:
-          - text: Managed identity
-            url: managed-identity.md
           - text: Business continuity and disaster recovery
             url: business-continuity-disaster-recovery.md
           - text: Data quality and data monitoring 
@@ -43,6 +41,8 @@ landingContent:
             url: concept-mcc-data-product.md
           - text: Monitoring - Affirmed MCC Data Product
             url: concept-monitoring-mcc-data-product.md
+          - text: Managed identity
+            url: managed-identity.md
 
   # Card 
   - title: Get started with Azure Operator Insights
diff --git a/articles/operator-insights/managed-identity.md b/articles/operator-insights/managed-identity.md
@@ -6,44 +6,42 @@ ms.author: rdunstan
 ms.reviewer: rathishr
 ms.service: operator-insights
 ms.topic: concept-article
-ms.date: 10/18/2023
+ms.date: 01/23/2024
 ---
 
 # Managed identity for Azure Operator Insights
 
 This article helps you understand managed identity (formerly known as Managed Service Identity/MSI) and how it works in Azure Operator Insights.
 
-## Overview
+## Overview of managed identities
 
-Managed identities eliminate the need to manage credentials. Managed identities provide an identity for the service instance when connecting to resources that support Microsoft Entra ID (formerly Azure Active Directory) authentication. For example, the service can use a managed identity to access resources like [Azure Key Vault](../key-vault/general/overview.md), where data admins can securely store credentials or access storage accounts. The service uses the managed identity to obtain Microsoft Entra ID (formerly Azure Active Directory) tokens.
+Managed identities eliminate the need to manage credentials. Managed identities provide an identity for service instances to use when connecting to resources that support Microsoft Entra ID (formerly Azure Active Directory) authentication. For example, the service can use a managed identity to access resources like [Azure Key Vault](../key-vault/general/overview.md), where data admins can securely store credentials or access storage accounts. The service uses the managed identity to obtain Microsoft Entra ID tokens.
 
-There are two types of supported managed identities:
+Microsoft Entra ID offers two types of managed identities:
 
-- **System-assigned:** You can enable a managed identity directly on a service instance. When you allow a system-assigned managed identity during the creation of the service, an identity is created in Microsoft Entra ID (formerly Azure Active Directory) tied to that service instance's lifecycle. By design, only that Azure resource can use this identity to request tokens from Azure AD. So when the resource is deleted, Azure automatically deletes the identity for you.
+- **System-assigned:** You can enable a managed identity directly on a resource. When you enable a system-assigned managed identity during the creation of the resource, an identity is created in Microsoft Entra ID tied to that resource's lifecycle. By design, only that Azure resource can use this identity to request tokens from Microsoft Entra ID. When the resource is deleted, Azure automatically deletes the identity for you.
 
-- **User-assigned:** You can also create a managed identity as a standalone Azure resource. You can [create a user-assigned managed identity](../active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-portal.md). In user-assigned managed identities, the identity is managed separately from the resources that use it.
+- **User-assigned:** You can also create a managed identity as a standalone resource and associate it with other resources. The identity is managed separately from the resources that use it.
 
-Managed identity provides the below benefits:
+For more general information about managed identities, see [What are managed identities for Azure resources?](/entra/identity/managed-identities-azure-resources/overview).
 
-- [Store credential in Azure Key Vault](../data-factory/store-credentials-in-key-vault.md), in which case-managed identity is used for Azure Key Vault authentication.
+## User-assigned managed identities in Azure Operator Insights
 
-- Access data stores or computes using managed identity authentication, including Azure Blob storage, Azure Data Explorer, Azure Data Lake Storage Gen1, Azure Data Lake Storage Gen2, Azure SQL Database, Azure SQL Managed Instance, Azure Synapse Analytics, REST, Databricks activity, Web activity, and more.
+Azure Operator Insights Data Products use a user-assigned managed identity for:
 
-- Managed identity is also used to encrypt/decrypt data and metadata using the customer-managed key stored in Azure Key Vault, providing double encryption.
+- Encryption with customer-managed keys, also called CMK-based encryption.
+- Integration with Microsoft Purview. The managed identity allows the Data Product to manage the collection and the data catalog within the collection.
 
-## System-assigned managed identity
+When you [create a Data Product](data-product-create.md), you set up the managed identity and associate it with the Data Product. To use the managed identity with Microsoft Purview, you must also [grant the managed identity the appropriate permissions in Microsoft Purview](purview-setup.md#access-and-set-up-your-microsoft-purview-account).
 
->[!NOTE]
-> System-assigned managed identity is not currently supported with Azure Operator Insights Data Product Resource.
+You use Microsoft Entra ID to manage user-assigned managed identities. For more information, see [Create, list, delete, or assign a role to a user-assigned managed identity using the Azure portal](/entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities).
 
-## User-assigned managed identity
+## System-assigned managed identities in Azure Operator Insights
 
-You can create, delete, manage user-assigned managed identities in Microsoft Entra ID (formerly Azure Active Directory). For more details refer to [Create, list, delete, or assign a role to a user-assigned managed identity using the Azure portal](../active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-portal.md).
-
-Once you have created a user-assigned managed identity, you must supply the credentials during or after [Azure Operator Insights Data Product Resource creation](../data-factory/credentials.md).
+Azure Operator Insights doesn't support system-assigned managed identities.
 
 ## Related content
 
 See [Store credential in Azure Key Vault](../data-factory/store-credentials-in-key-vault.md) for information about when and how to use managed identity.
 
-See [Managed Identities for Azure Resources Overview](../active-directory/managed-identities-azure-resources/overview.md) for more background on managed identities for Azure resources, on which managed identity in Azure Operator Insights is based.
+See [What are managed identities for Azure resources?](/entra/identity/managed-identities-azure-resources/overview) for more background on managed identities for Azure resources, on which managed identity in Azure Operator Insights is based.
diff --git a/articles/operator-insights/purview-setup.md b/articles/operator-insights/purview-setup.md
@@ -31,7 +31,7 @@ You can access your Purview account through the Azure portal by going to `https:
 
 To begin to catalog a data product in this account, [create a collection](../purview/how-to-create-and-manage-collections.md) to hold the Data Product.
 
-Provide your User-Assigned-Managed-Identity (UAMI) with necessary roles in the Microsoft Purview compliance portal. The UAMI you enter is the one that was set up when creating an AOI Data Product. For information on how to set up this UAMI, refer to [Set up user-assigned managed identity](data-product-create.md#set-up-user-assigned-managed-identity). At the desired collection, assign this UAMI to the **Collection admin**, **Data source admin**, and **Data curator** roles. Alternately, you can apply the UAMI at the root collection/account level. All collections would inherit these role assignments by default.
+Provide the user-assigned managed identity (UAMI) for your Azure Operator Insights Data Product with necessary roles in the Microsoft Purview compliance portal. This UAMI was set up when the Data Product was created. For information on how to set up this UAMI, see [Set up user-assigned managed identity](data-product-create.md#set-up-user-assigned-managed-identity). At the desired collection, assign this UAMI to the **Collection admin**, **Data source admin**, and **Data curator** roles. Alternately, you can apply the UAMI at the root collection/account level. All collections would inherit these role assignments by default.
 
 :::image type="content" source="media/purview-setup/data-product-role-assignments.png" alt-text="Screenshot of collections with Role assignment tab open and icon to add the UAMI to the collection admins role highlighted.":::
 
