Clarify Batch managed identity

- Resolves https://github.com/MicrosoftDocs/azure-docs/issues/92951

Author: alfpark

articles/batch/batch-customer-managed-key.md

@@ -2,7 +2,7 @@
 title: Configure customer-managed keys for your Azure Batch account with Azure Key Vault and Managed Identity
 description: Learn how to encrypt Batch data using customer-managed keys.
 ms.topic: how-to
-ms.date: 02/27/2023
+ms.date: 04/03/2023
 ms.devlang: csharp
 ms.custom: devx-track-azurecli
 ---
@@ -27,6 +27,11 @@ customer-managed keys at Batch account creation, as shown next.
 
 If you don't need a separate user-assigned managed identity, you can enable system-assigned managed identity when you create your Batch account.
 
+> [!IMPORTANT]
+> A system-assigned managed identity created for a Batch account for customer data encryption as described in this document
+> cannot be used as a [user-assigned managed identity on a Batch pool](managed-identity-pools.md). If you wish to use the
+> same managed identity on both the Batch account and Batch pool, then use a common user-assigned managed identity instead.
+
 ### Azure portal
 
 In the [Azure portal](https://portal.azure.com/), when you create Batch accounts, pick **System assigned** in the identity type under the **Advanced** tab.
@@ -202,7 +207,7 @@ az batch account set \
 - **Can I disable customer-managed keys?** You can set the encryption type of the Batch Account back to "Microsoft managed key" at any time. You're free to delete or change the key afterwards.
 - **How can I rotate my keys?** Customer-managed keys aren't automatically rotated unless the [key is versionless with an appropriate key rotation policy set within Key Vault](../key-vault/keys/how-to-configure-key-rotation.md). To manually rotate the key, update the Key Identifier that the account is associated with.
 - **After I restore access how long will it take for the Batch account to work again?** It can take up to 10 minutes for the account to be accessible again once access is restored.
-- **While the Batch Account is unavailable what happens to my resources?** Any pools that are running when Batch access to the customer-managed key is lost will continue to run. However, the nodes in these pools will transition into an unavailable state, and tasks will stop running (and be requeued). Once access is restored, nodes become available again, and tasks are restarted.
+- **While the Batch Account is unavailable what happens to my resources?** Any pools that are active when Batch access to the customer-managed key is lost will continue to run. However, the nodes in these pools will transition into an unavailable state, and tasks will stop running (and be requeued). Once access is restored, nodes become available again, and tasks are restarted.
 - **Does this encryption mechanism apply to VM disks in a Batch pool?** No. For Cloud Services Configuration pools (which are [deprecated](https://azure.microsoft.com/updates/azure-batch-cloudserviceconfiguration-pools-will-be-retired-on-29-february-2024/)), no encryption is applied for the OS and temporary disk. For Virtual Machine Configuration pools, the OS and any specified data disks are encrypted with a Microsoft platform managed key by default. Currently, you can't specify your own key for these disks. To encrypt the temporary disk of VMs for a Batch pool with a Microsoft platform managed key, you must enable the [diskEncryptionConfiguration](/rest/api/batchservice/pool/add#diskencryptionconfiguration) property in your [Virtual Machine Configuration](/rest/api/batchservice/pool/add#virtualmachineconfiguration) Pool. For highly sensitive environments, we recommend enabling temporary disk encryption and avoiding storing sensitive data on OS and data disks. For more information, see [Create a pool with disk encryption enabled](./disk-encryption.md)
 - **Is the system-assigned managed identity on the Batch account available on the compute nodes?** No. The system-assigned managed identity is currently used only for accessing the Azure Key Vault for the customer-managed key. To use a user-assigned managed identity on compute nodes, see [Configure managed identities in Batch pools](managed-identity-pools.md).
 

articles/batch/managed-identity-pools.md

@@ -2,12 +2,15 @@
 title: Configure managed identities in Batch pools
 description: Learn how to enable user-assigned managed identities on Batch pools and how to use managed identities within the nodes.
 ms.topic: conceptual
-ms.date: 04/18/2022
+ms.date: 04/03/2023
 ms.devlang: csharp
 ---
 # Configure managed identities in Batch pools
 
-[Managed identities for Azure resources](../active-directory/managed-identities-azure-resources/overview.md) eliminate the need for developers having to manage credentials by providing an identity for the Azure resource in Azure Active Directory (Azure AD) and using it to obtain Azure Active Directory (Azure AD) tokens.
+[Managed identities for Azure resources](../active-directory/managed-identities-azure-resources/overview.md) eliminate
+complicated identity and credential management by providing an identity for the Azure resource in Azure Active Directory
+(Azure AD). This identity is used to obtain Azure Active Directory (Azure AD) tokens to authenticate with target
+resources in Azure.
 
 This topic explains how to enable user-assigned managed identities on Batch pools and how to use managed identities within the nodes.
 
@@ -16,12 +19,14 @@ This topic explains how to enable user-assigned managed identities on Batch pool
 >
 > Creating pools with managed identities can be done by using the [Batch .NET management library](/dotnet/api/overview/azure/batch#management-library), but is not currently supported with the [Batch .NET client library](/dotnet/api/overview/azure/batch#client-library).
 
-## Create a user-assigned identity
+## Create a user-assigned managed identity
 
-First, [create your user-assigned managed identity](../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md) in the same tenant as your Batch account. You can create the identity using the Azure portal, the Azure Command-Line Interface (Azure CLI), PowerShell, Azure Resource Manager, or the Azure REST API. This managed identity does not need to be in the same resource group or even in the same subscription.
+First, [create your user-assigned managed identity](../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md) in the same tenant as your Batch account. You can create the identity using the Azure portal, the Azure Command-Line Interface (Azure CLI), PowerShell, Azure Resource Manager, or the Azure REST API. This managed identity doesn't need to be in the same resource group or even in the same subscription.
 
 > [!IMPORTANT]
-> Identities must be configured as user-assigned managed identities. The system-assigned managed identity is available for retrieving [customer-managed keys from Azure KeyVault](batch-customer-managed-key.md), but these are not supported in batch pools.
+> A system-assigned managed identity created for a Batch account for [customer data encryption](batch-customer-managed-key.md)
+> cannot be used as a user-assigned managed identity on a Batch pool as described in this document. If you wish to use the same
+> managed identity on both the Batch account and Batch pool, then use a common user-assigned managed identity instead.
 
 ## Create a Batch pool with user-assigned managed identities
 
@@ -38,7 +43,7 @@ To create a Batch pool with a user-assigned managed identity through the Azure p
 1. In the search bar, enter and select **Batch accounts**.
 1. On the **Batch accounts** page, select the Batch account where you want to create a Batch pool.
 1. In the menu for the Batch account, under **Features**, select **Pools**.
-1. In the **Pools** menu, select **Add** to add a new Batch pool. 
+1. In the **Pools** menu, select **Add** to add a new Batch pool.
 1. For **Pool ID**, enter an identifier for your pool.
 1. For **Identity**, change the setting to **User assigned**.
 1. Under **User assigned managed identity**, select **Add**.
@@ -58,7 +63,7 @@ To create a Batch pool with a user-assigned managed identity with the [Batch .NE
 ```csharp
 var poolParameters = new Pool(name: "yourPoolName")
     {
-        VmSize = "standard_d1_v2",
+        VmSize = "standard_d2_v3",
         ScaleSettings = new ScaleSettings
         {
             FixedScale = new FixedScaleSettings
@@ -71,10 +76,10 @@ var poolParameters = new Pool(name: "yourPoolName")
             VirtualMachineConfiguration = new VirtualMachineConfiguration(
                 new ImageReference(
                     "Canonical",
-                    "UbuntuServer",
-                    "18.04-LTS",
+                    "0001-com-ubuntu-server-jammy",
+                    "22_04-lts",
                     "latest"),
-                "batch.node.ubuntu 18.04")
+                "batch.node.ubuntu 22.04")
         },
         Identity = new BatchPoolIdentity
         {
@@ -92,12 +97,14 @@ var pool = await managementClient.Pool.CreateWithHttpMessagesAsync(
     resourceGroupName: "yourResourceGroupName",
     accountName: "yourAccountName",
     parameters: poolParameters,
-    cancellationToken: default(CancellationToken)).ConfigureAwait(false);    
+    cancellationToken: default(CancellationToken)).ConfigureAwait(false);
 ```
 
 ## Use user-assigned managed identities in Batch nodes
 
-Many Azure Batch technologies which access other Azure resources, such as Azure Storage or Azure Container Registry, support managed identities. For more information on using managed identities with Azure Batch, see the following links:
+Many Azure Batch functions that access other Azure resources directly on the compute nodes, such as Azure Storage or
+Azure Container Registry, support managed identities. For more information on using managed identities with Azure Batch,
+see the following links:
 
 - [Resource files](resource-files.md)
 - [Output files](batch-task-output-files.md#specify-output-files-using-managed-identity)
@@ -111,7 +118,7 @@ Within the Batch nodes, you can get managed identity tokens and use them to auth
 For Windows, the PowerShell script to get an access token to authenticate is:
 
 ```powershell
-$Response = Invoke-RestMethod -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource={Resource App Id Url}' -Method GET -Headers @{Metadata="true"} 
+$Response = Invoke-RestMethod -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource={Resource App Id Url}' -Method GET -Headers @{Metadata="true"}
 ```
 
 For Linux, the Bash script is: