Commit 9a0cf9c

Update active-directory-msi-cross-tenant-cmk-overview.md
1 parent eac85bb commit 9a0cf9c

1 file changed

+1
-1
lines changed

includes/active-directory-msi-cross-tenant-cmk-overview.md

Lines changed: 1 addition & 1 deletion
@@ -62,7 +62,7 @@ Operations in Phase 1 would be a one-time setup for most service provider applic
6262
| Step | Description | Least privileged Azure RBAC roles | Least privileged Azure AD roles |
6363
| -- | ----------------------------------- | -------------- | --------------|
6464
| 1. | <li><i>Recommended</i>: Send the user to [sign in](/azure/active-directory/develop/scenario-web-app-sign-user-overview?tabs=aspnetcore) to your app. If the user can sign in, then a service principal for your app exists in their tenant. </li><li>Use [Microsoft Graph](/graph/api/serviceprincipal-post-serviceprincipals), [Microsoft Graph PowerShell](/powershell/module/microsoft.graph.applications/new-mgserviceprincipal?view=graph-powershell-beta&preserve-view=true), [Azure PowerShell](/powershell/module/az.resources/new-azadserviceprincipal), or [Azure CLI](/cli/azure/ad/sp#az-ad-sp-create) to create the service principal. </li><li>Construct [an admin-consent URL](../articles/active-directory/manage-apps/grant-admin-consent.md#construct-the-url-for-granting-tenant-wide-admin-consent) and grant tenant-wide consent to create the service principal using the application ID. | None | Users with permissions to install applications |
65-
| 2. | Create an Azure Key Vault and a key used as the customer-managed key. | A user must must be assigned the [Key Vault Contributor](../articles/role-based-access-control/built-in-roles.md#key-vault-contributor) role to create the key vault<br /><br /> A user must be assigned the [Key Vault Crypto Officer](../articles/role-based-access-control/built-in-roles.md#key-vault-crypto-officer) role to add a key to the key vault | None |
65+
| 2. | Create an Azure Key Vault and a key used as the customer-managed key. | A user must be assigned the [Key Vault Contributor](../articles/role-based-access-control/built-in-roles.md#key-vault-contributor) role to create the key vault<br /><br /> A user must be assigned the [Key Vault Crypto Officer](../articles/role-based-access-control/built-in-roles.md#key-vault-crypto-officer) role to add a key to the key vault | None |
6666
| 3. | Grant the consented application identity access to the Azure key vault by assigning the role [Key Vault Crypto Service Encryption User](/azure/key-vault/general/rbac-guide?tabs=azure-cli#azure-built-in-roles-for-key-vault-data-plane-operations&preserve-view=true) | To assign the **Key Vault Crypto Service Encryption User** role to the application, you must have been assigned the [User Access Administrator](../articles/role-based-access-control/built-in-roles.md#user-access-administrator) role. | None |
6767
| 4. | Copy the key vault URL and key name into the customer-managed keys configuration of the SaaS offering.| None| None|
6868
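
Review bot: The step 3 link on line 66 puts `&preserve-view=true` after the `#azure-built-in-roles-for-key-vault-data-plane-operations` fragment, so it is parsed as part of the anchor rather than as a query parameter, and the link to the Key Vault data-plane roles will probably not land on the intended section. Move it ahead of the fragment (`?tabs=azure-cli&preserve-view=true#azure-built-in-roles-for-key-vault-data-plane-operations`) while this table is being touched. In the same pass, the third `<li>` in step 1 (line 64) is never closed before the cell ends, and the two sentences in the changed cell on line 65 have no terminal punctuation, unlike the sentence in step 3. The "must must" fix itself is correct.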
