Commit 9e48da5

Merge pull request #174419 from DavidTrigano/patch-35
Update sql-database-vulnerability-assessment-storage.md
2 parents 89a905c + 817d098 commit 9e48da5

1 file changed

+2
-2
lines changed

articles/azure-sql/database/sql-database-vulnerability-assessment-storage.md

Lines changed: 2 additions & 2 deletions
@@ -21,9 +21,9 @@ If you are limiting access to your storage account in Azure for certain VNets or
2121
The SQL Vulnerability Assessment service needs permission to the storage account to save baseline and scan results. There are three methods:
2222
- **Use Storage Account key**: Azure creates the SAS key and saves it (though we don't save the account key)
2323
- **Use Storage SAS key**: The SAS key must have: Write | List | Read | Delete permissions
24-
- **Use SQL Server managed identity**: The SQL Server must have a managed identity. The storage account must have a role assignment for the SQL Managed Identity as StorageBlobContributor. When you apply the settings, the VA fields storageContainerSasKey and storageAccountAccessKey must be empty. When storage is behind a firewall or virtual network, then the SQL managed identity is required.
24+
- **Use SQL Server managed identity**: The SQL Server must have a managed identity. The storage account must have a role assignment for the SQL Managed Identity as [Storage Blob Data Contributor](https://docs.microsoft.com/azure/role-based-access-control/built-in-roles#storage-blob-data-contributor). When you apply the settings, the VA fields storageContainerSasKey and storageAccountAccessKey must be empty. When storage is behind a firewall or virtual network, then the SQL managed identity is required.
2525

26-
When you use the Azure portal to save SQL VA settings, Azure checks if you have permission to assign a new role assignment for the managed identity as StorageBlobContributor on the storage. If permissions are assigned, Azure uses SQL Server managed identity, otherwise Azure uses the key method.
26+
When you use the Azure portal to save SQL VA settings, Azure checks if you have permission to assign a new role assignment for the managed identity as [Storage Blob Data Contributor](https://docs.microsoft.com/azure/role-based-access-control/built-in-roles#storage-blob-data-contributor) on the storage. If permissions are assigned, Azure uses SQL Server managed identity, otherwise Azure uses the key method.
2727

2828
## Enable Azure SQL Database VA scanning access to the storage account
2929
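Review bot: On new line 26, "If permissions are assigned, Azure uses SQL Server managed identity, otherwise Azure uses the key method" is still ambiguous after this change. The preceding sentence tests whether the user saving the settings is allowed to create the role assignment, but "if permissions are assigned" reads as if the role assignment already exists. Consider wording it as "If you have that permission, Azure creates the role assignment and uses the SQL Server managed identity; otherwise Azure uses the key method." Since new line 24 says the managed identity is required when storage is behind a firewall or virtual network, it would also help to state here that the key fallback will not work in that configuration, so a reader without role-assignment rights knows the portal save is not enough. Two style points on the same lines: the field names storageContainerSasKey and storageAccountAccessKey on line 24 should be in code formatting, and the role link is written as an absolute docs.microsoft.com URL on both lines where a site-relative link (/azure/role-based-access-control/built-in-roles#storage-blob-data-contributor) is the usual form for this docs set.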
