
Commit c391ecd

update
1 parent ccf9e0f commit c391ecd

1 file changed

+4
-1
lines changed

articles/azure-app-configuration/concept-customer-managed-keys.md

Lines changed: 4 additions & 1 deletion
@@ -78,6 +78,9 @@ After these resources are configured, use the following steps so that the Azure
7878
}
7979
```
8080
81+
> [!NOTE]
82+
> If you want to create a user-assigned managed identity, please go to this [tutorial](https://learn.microsoft.com/entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities?pivots=identity-mi-methods-azp#create-a-user-assigned-managed-identity).
83+
8184
1. The managed identity of the Azure App Configuration instance needs access to the key to perform key validation, encryption, and decryption. The specific set of actions to which it needs access includes: `GET`, `WRAP`, and `UNWRAP` for keys. These permissions can be granted by assigning the `Key Vault Crypto Service Encryption User` role for Azure RBAC enabled Key Vaults. For Key Vaults using access policy authorization, set the policy for the aforementioned key permissions. Granting access requires the principal ID of the App Configuration instance's managed identity. Replace the value shown below as `contoso-principalId` with the principal ID obtained in the previous step. Grant permission to the managed key by using the command line:
8285
8386
### [Azure RBAC](#tab/azurerbac)
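Review bot: The added note (new lines 81-82) explains only how to create a user-assigned managed identity, yet the step right after it asks for "the principal ID obtained in the previous step"; a reader who follows the link is not told to assign that identity to the App Configuration instance or that its principal ID is the value to substitute for `contoso-principalId`. Suggest adding one sentence covering both, or moving the note ahead of the identity-assignment step. On style, replace "please go to this [tutorial]" with descriptive link text such as "see [Create a user-assigned managed identity]", and consider a site-relative link instead of the absolute learn.microsoft.com URL if that is the convention in this repo.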
@@ -102,7 +105,7 @@ After these resources are configured, use the following steps so that the Azure
102105
az appconfig update -g contoso-resource-group -n contoso-app-config --encryption-key-name key-name --encryption-key-version key-version --encryption-key-vault key-vault-Uri
103106
```
104107
105-
The command uses system-assigned identity to do authentication with the key vault by default.
108+
The command uses system-assigned managed identity to do authentication with the key vault by default.
106109
107110
> [!NOTE]
108111
> When using a user-assigned managed identity to access the managed key, you can specify its client id explicitly by adding `--identity-client-id <client id of your user assigned identity>` to the command.
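Review bot: On the changed sentence (new line 108), "uses system-assigned managed identity to do authentication" is missing an article and reads awkwardly; suggest "By default, the command uses the system-assigned managed identity to authenticate with the key vault." It would also help to state that the identity used here must be the one that was granted the `GET`, `WRAP`, and `UNWRAP` key permissions in the earlier step, since the note that follows offers `--identity-client-id` as the alternative for a user-assigned identity.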
