Updates

johndowns · johndowns · commit b94002098cd0 · 2022-07-11T19:53:25.000+12:00
diff --git a/articles/active-directory/managed-identities-azure-resources/how-to-assign-app-role-managed-identity-powershell.md b/articles/active-directory/managed-identities-azure-resources/how-to-assign-app-role-managed-identity-powershell.md
@@ -23,7 +23,7 @@ ms.custom: devx-track-azurepowershell
 Managed identities for Azure resources provide Azure services with an identity in Azure Active Directory. They work without needing credentials in your code. Azure services use this identity to authenticate to services that support Azure AD authentication. Application roles provide a form of role-based access control, and allow a service to implement authorization rules.
 
 > [!NOTE]
-> The tokens which your application receives are cached by the underlying infrastructure, which means that any changes to the managed identity's roles can take significant time to take effect. For more information, see [Limitation of using managed identities for authorization](managed-identity-best-practice-recommendations.md#limitation-of-using-managed-identities-for-authorization).
+> The tokens that your application receives are cached by the underlying infrastructure, which means that any changes to the managed identity's roles can take significant time to take effect. For more information, see [Limitation of using managed identities for authorization](managed-identity-best-practice-recommendations.md#limitation-of-using-managed-identities-for-authorization).
 
 In this article, you learn how to assign a managed identity to an application role exposed by another application using Azure AD PowerShell.
 
@@ -41,40 +41,40 @@ In this article, you learn how to assign a managed identity to an application ro
 
 1. Find the object ID of the managed identity's service principal.
 
-   **For a system-assigned managed identity**, you can find the object ID on the Azure portal on the resource's **Identity** page. You can also use the following PowerShell script to find the object ID. You'll need the resource ID of the resource you created in step 1, which is available in the Azure portal on the resource's **Properties** page.
+    **For a system-assigned managed identity**, you can find the object ID on the Azure portal on the resource's **Identity** page. You can also use the following PowerShell script to find the object ID. You'll need the resource ID of the resource you created in step 1, which is available in the Azure portal on the resource's **Properties** page.
 
-    ```powershell
-    $resourceIdWithManagedIdentity = '/subscriptions/{my subscription ID}/resourceGroups/{my resource group name}/providers/Microsoft.Compute/virtualMachines/{my virtual machine name}'
-    (Get-AzResource -ResourceId $resourceIdWithManagedIdentity).Identity.PrincipalId
-    ```
+     ```powershell
+     $resourceIdWithManagedIdentity = '/subscriptions/{my subscription ID}/resourceGroups/{my resource group name}/providers/Microsoft.Compute/virtualMachines/{my virtual machine name}'
+     (Get-AzResource -ResourceId $resourceIdWithManagedIdentity).Identity.PrincipalId
+     ```
 
-    **For a user-assigned managed identity**, you can find the managed identity's object ID on the Azure portal on the resource's **Overview** page. You can also use the following PowerShell script to find the object ID. You'll need the resource ID of the user-assigned managed identity.
+     **For a user-assigned managed identity**, you can find the managed identity's object ID on the Azure portal on the resource's **Overview** page. You can also use the following PowerShell script to find the object ID. You'll need the resource ID of the user-assigned managed identity.
 
-    ```powershell
-    $userManagedIdentityResourceId = '/subscriptions/{my subscription ID}/resourceGroups/{my resource group name}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{my managed identity name}'
-    (Get-AzResource -ResourceId $userManagedIdentityResourceId).Properties.PrincipalId
-    ```
+     ```powershell
+     $userManagedIdentityResourceId = '/subscriptions/{my subscription ID}/resourceGroups/{my resource group name}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{my managed identity name}'
+     (Get-AzResource -ResourceId $userManagedIdentityResourceId).Properties.PrincipalId
+     ```
 
 1. Create a new application registration to represent the service that your managed identity will send a request to. If the API or service that exposes the app role grant to the managed identity already has a service principal in your Azure AD tenant, skip this step. For example, if you want to grant the managed identity access to the Microsoft Graph API, you can skip this step.
 
 1. Find the object ID of the service application's service principal. You can find this using the Azure portal. Go to Azure Active Directory and open the **Enterprise applications** page, then find the application and look for the **Object ID**. You can also find the service principal's object ID by its display name using the following PowerShell script:
 
-   # [Azure PowerShell](#tab/azurepowershell)
+    # [Azure PowerShell](#tab/azurepowershell)
 
-   ```powershell
-   $serverServicePrincipalObjectId = (Get-AzureADServicePrincipal -Filter "DisplayName eq '$applicationName'").ObjectId
-   ```
+    ```powershell
+    $serverServicePrincipalObjectId = (Get-AzureADServicePrincipal -Filter "DisplayName eq '$applicationName'").ObjectId
+    ```
 
-   # [Microsoft Graph](#tab/microsoftgraph)
+    # [Microsoft Graph](#tab/microsoftgraph)
 
-   ```powershell
-   $serverServicePrincipalObjectId = (Get-MgServicePrincipal -Filter "DisplayName eq '$applicationName'").Id
-   ```
+    ```powershell
+    $serverServicePrincipalObjectId = (Get-MgServicePrincipal -Filter "DisplayName eq '$applicationName'").Id
+    ```
 
-   ---
+    ---
 
-   > [!NOTE]
-   > Display names for applications are not unique, so you should verify that you obtain the correct application's service principal.
+    > [!NOTE]
+    > Display names for applications are not unique, so you should verify that you obtain the correct application's service principal.
 
 1. Add an [app role](../develop/howto-add-app-roles-in-azure-ad-apps.md) to the application you created in step 3. You can create the role using the Azure portal or by using Microsoft Graph. For example, you could add an app role like this:
 
@@ -98,27 +98,27 @@ In this article, you learn how to assign a managed identity to an application ro
    
    Execute the following PowerShell command to add the role assignment:
 
-   # [Azure PowerShell](#tab/azurepowershell)
+    # [Azure PowerShell](#tab/azurepowershell)
 
-   ```powershell
-   New-AzureADServiceAppRoleAssignment `
-       -ObjectId $managedIdentityObjectId `
-       -Id $appRoleId `
-       -PrincipalId $managedIdentityObjectId `
-       -ResourceId $serverServicePrincipalObjectId
-   ```
+    ```powershell
+    New-AzureADServiceAppRoleAssignment `
+        -ObjectId $managedIdentityObjectId `
+        -Id $appRoleId `
+        -PrincipalId $managedIdentityObjectId `
+        -ResourceId $serverServicePrincipalObjectId
+    ```
 
-   # [Microsoft Graph](#tab/microsoftgraph)
+    # [Microsoft Graph](#tab/microsoftgraph)
 
-   ```powershell
-   New-MgServicePrincipalAppRoleAssignment `
-       -ServicePrincipalId $managedIdentityObjectId `
-       -PrincipalId $managedIdentityObjectId `
-       -ResourceId $serverServicePrincipalObjectId `
-       -AppRoleId $appRoleId
-   ```
+    ```powershell
+    New-MgServicePrincipalAppRoleAssignment `
+        -ServicePrincipalId $managedIdentityObjectId `
+        -PrincipalId $managedIdentityObjectId `
+        -ResourceId $serverServicePrincipalObjectId `
+        -AppRoleId $appRoleId
+    ```
 
-   ---
+    ---
 
 ## Complete script
 
