Line edits2

Author: lootle1

learn-pr/azure/authenticate-azure-deployment-pipeline-service-principals/includes/5-grant-service-principal-access-azure.md

@@ -13,7 +13,7 @@ After Microsoft Entra ID has authenticated a service principal, the next questio
 
 ## Select the right role assignment for your pipeline
 
-A role assignment has three key parts: who the role is assigned to (the *assignee*), what they can do (the *role*), and what resource or resources the role assignment applies to (the *scope*).
+A role assignment has three key parts: who the role is assigned to (the _assignee_), what they can do (the _role_), and what resource or resources the role assignment applies to (the _scope_).
 
 ### Assignee
 
@@ -23,9 +23,9 @@ When you work with a service principal, you assign roles for that service princi
 
 It can be a little more work to figure out which role to assign. In Azure, there are a few common roles:
 
-- *Reader*, which allows the assignee to read information about resources but not modify or delete them.
-- *Contributor*, which allows the assignee to create resources, and to read and modify existing resources. However, contributors can't grant other principals access to resources.
-- *Owner*, which allows full control over resources, including granting other principals access.
+- _Reader_, which allows the assignee to read information about resources but not modify or delete them.
+- _Contributor_, which allows the assignee to create resources and to read and modify existing resources. However, contributors can't grant other principals access to resources.
+- _Owner_, which allows full control over resources, including granting other principals access.
 
 > [!CAUTION]
 > You should only grant service principals the minimum permissions that they need to do their jobs. Most of the time, the Owner role is too permissive for a deployment pipeline.
@@ -50,12 +50,12 @@ Remember that role assignments are inherited. If you assign a role at a subscrip
 Now that you understand the components of a role assignment, you can decide the appropriate values for your scenarios. Here are some general guidelines to consider:
 
 > [!div class="checklist"]
-> * Use the least permissive role that you can. If your pipeline is only going to deploy basic Bicep templates and won't manage role assignments, don't use the Owner role.
-> * Use the narrowest scope that you can. Most pipelines only need to deploy resources to a resource group, so they shouldn't be given subscription-scoped role assignments.
-> * For many pipelines, a good default option for a role assignment is the Contributor role on the resource group scope.
-> * Consider everything your pipeline does, and everything it might do in the future. For example, you might consider creating a custom role definition for your website's deployment pipeline and only grant permissions for App Service and Application Insights. Next month, you might need to add an Azure Cosmos DB account to your Bicep file, but the custom role will block Azure Cosmos DB resources from being created. 
+> - Use the least permissive role that you can. If your pipeline is only going to deploy basic Bicep templates and won't manage role assignments, don't use the Owner role.
+> - Use the narrowest scope that you can. Most pipelines only need to deploy resources to a resource group, so they shouldn't be given subscription-scoped role assignments.
+> - For many pipelines, a good default option for a role assignment is the Contributor role on the resource group scope.
+> - Consider everything your pipeline does, and everything it might do in the future. For example, you might consider creating a custom role definition for your website's deployment pipeline and only grant permissions for App Service and Application Insights. Next month, you might need to add an Azure Cosmos DB account to your Bicep file, but the custom role will block Azure Cosmos DB resources from being created. 
 Instead, it's often better to use a built-in role, or a combination of built-in roles, to avoid having to repeatedly change your role definitions. Consider using Azure Policy to enforce your governance requirements for allowed services, SKUs, and locations.
-> * Test the pipeline to verify that the role assignment works.
+> - Test the pipeline to verify that the role assignment works.
 
 ### Mixing and matching role assignments
 
@@ -113,7 +113,7 @@ Let's look at each argument:
 
 > [!TIP]
 > It's a good practice to provide a justification for your role assignments by specifying a description. A description helps anyone who reviews the role assignments later to understand their purpose, and to understand how you decided on the assignee, role, and scope.
-
+>
 > [!NOTE]
 > Role assignments can take a few minutes to become active.
 

learn-pr/azure/authenticate-azure-deployment-pipeline-service-principals/includes/6-exercise-authorize-service-principal-deployments.md

@@ -16,7 +16,7 @@ In the previous exercise, you signed in by using the service principal and then
 
 ::: zone pivot="cli"
 
-1. In Visual Studio Code's Azure Cloud Shell (bash) terminal, sign in to Azure by running the following command: 
+1. In Visual Studio Code's Azure Cloud Shell (bash) terminal, sign in to Azure by running the following command:
 
     ```azurecli
     az login
@@ -70,9 +70,9 @@ Now you'll create a resource group to contain the toy company's website resource
 
 For your website's deployment pipeline, you decide to create a role assignment with the following details:
 
-- **Assignee**: The service principal that you created in the previous exercise.
-- **Role**: The Contributor built-in role.
-- **Scope**: The resource group that you created in the previous step.
+* **Assignee**: The service principal that you created in the previous exercise.
+* **Role**: The Contributor built-in role.
+* **Scope**: The resource group that you created in the previous step.
 
 ::: zone pivot="cli"
 
@@ -116,7 +116,7 @@ You previously created a Bicep file that deploys your website's resources. Here,
 
 ## Deploy the Bicep file by using the service principal
 
-You don't currently have a deployment pipeline, so you'll simulate what a pipeline does to deploy your Bicep file. 
+You don't currently have a deployment pipeline, so you'll simulate what a pipeline does to deploy your Bicep file.
 
 ::: zone pivot="cli"
 
@@ -183,8 +183,8 @@ Use the Azure portal to inspect the resources that you deployed and to inspect t
 
    You might also see a deployment named **Failure-Anomalies-Alert-Rule-Deployment**. Application Insights creates this deployment automatically.
 
-1. Select the **main** deployment to see what resources were deployed, and then expand **Deployment details**. 
- 
+1. Select the **main** deployment to see what resources were deployed, and then expand **Deployment details**.
+
    In this case, the App Service plan, the app, and the Application Insights instance are listed.
 
     :::image type="content" source="../media/6-deployment-details.png" alt-text="Screenshot of the Azure portal deployments overview pane for the main deployment, with an App Service plan and app, and an Application Insights instance listed." border="true":::
@@ -193,7 +193,7 @@ Use the Azure portal to inspect the resources that you deployed and to inspect t
 
 ## Clean up the resource group and service principal
 
-You've successfully created a service principal and role assignment, and you've deployed your website's resources by using a Bicep file. You can now remove the resources that you created. 
+You've successfully created a service principal and role assignment, and you've deployed your website's resources by using a Bicep file. You can now remove the resources that you created.
 
 ::: zone pivot="cli"
 
@@ -203,7 +203,7 @@ You've successfully created a service principal and role assignment, and you've
    az logout
    ```
 
-1. Sign back in to Azure with your own user account by running the following command: 
+1. Sign back in to Azure with your own user account by running the following command:
 
     ```azurecli
     az login
@@ -219,7 +219,7 @@ You've successfully created a service principal and role assignment, and you've
 
    When you're prompted to confirm, enter `y`.
 
-2. Run the following command to delete the service principal. Replace the `APPLICATION_ID` placeholder with the application ID that you copied in the previous exercise:
+1. Run the following command to delete the service principal. Replace the `APPLICATION_ID` placeholder with the application ID that you copied in the previous exercise:
 
    ```azurecli
    az ad sp delete --id APPLICATION_ID
@@ -235,7 +235,7 @@ You've successfully created a service principal and role assignment, and you've
    Logout-AzAccount
    ```
 
-1. Sign back in to Azure with your own user account by running the following command: 
+1. Sign back in to Azure with your own user account by running the following command:
 
     ```azurepowershell
     Connect-AzAccount
@@ -259,4 +259,4 @@ You've successfully created a service principal and role assignment, and you've
 
    When you're prompted to confirm, enter `y`.
 
-::: zone-end
+::: zone-end