Update best practices for disabling access keys

shpathak-msft · web-flow · commit b51b139eb2ff · 2024-10-02T11:56:56.000-07:00
diff --git a/articles/azure-cache-for-redis/cache-azure-active-directory-for-authentication.md b/articles/azure-cache-for-redis/cache-azure-active-directory-for-authentication.md
@@ -63,9 +63,11 @@ Using Microsoft Entra is the secure way to connect your cache. We recommend that
 
 When you disable access key authentication for a cache, all existing client connections are terminated, whether they use access keys or Microsoft Entra authentication. Follow the recommended Redis client best practices to implement proper retry mechanisms for reconnecting Microsoft Entra-based connections, if any.
 
-Before you disable access keys:
+### Before you disable access keys:
 
-- Microsoft Entra authorization must be enabled.
+- Ensure that Microsoft Entra authentication is enabled and you have at least one Redis User configured.
+- Ensure that the metrics "Connected Clients" and "Connected Clients Using Microsoft Entra Token" have the same values. If the values for these two metrics are not the same, that means there are still some connections that were created using access keys and not Entra Token.
+- Consider disabling access during the scheduled maintenance window for your cache instance.
 - Disabling access keys is only available for Basic, Standard, and Premium tier caches.
 - For geo-replicated caches, you must:
 
