Merge pull request #49580 from BryanLa/patch-33

Clarify app identity

Author: PRMerger17

articles/key-vault/key-vault-ovw-storage-keys.md

@@ -8,7 +8,7 @@ ms.service: key-vault
 author: bryanla
 ms.author: bryanla
 manager: mbaldwin
-ms.date: 10/12/2017
+ms.date: 08/21/2017
 ---
 # Azure Key Vault Storage Account Keys
 
@@ -103,18 +103,18 @@ accountSasCredential.UpdateSASToken(sasToken);
 
 ## Getting started
 
-### Setup for role-based access control (RBAC) permissions
+### Give Key Vault access to your Storage Account 
 
-The Azure Key Vault application identity needs permissions to *list* and
-*regenerate* keys for a storage account. Set up these permissions using the
-following steps:
+Like many applications, Key Vault is registered with Azure AD in order to use OAuth to access other services. During registration, [a service principal](/azure/active-directory/develop/app-objects-and-service-principals) object is created, which is used to represent the application's identity at run time. The service principal is also used to authorize the application's identity to access another resource, through role-based access control (RBAC).
+
+The Azure Key Vault application identity needs permissions to *list* and *regenerate* keys for your storage account. Set up these permissions using the following steps:
 
 ```powershell
 # Get the resource ID of the Azure Storage Account you want to manage.
 # Below, we are fetching a storage account using Azure Resource Manager
 $storage = Get-AzureRmStorageAccount -ResourceGroupName "mystorageResourceGroup" -StorageAccountName "mystorage"
 
-# Get ObjectId of Azure Key Vault Identity
+# Get Application ID of Azure Key Vault's service principal
 $servicePrincipal = Get-AzureRmADServicePrincipal -ServicePrincipalName cfa8b339-82a2-471a-a3c9-0fc0be7a4093
 
 # Assign Storage Key Operator role to Azure Key Vault Identity