Update RBAC role assignment steps - batch 25

Author: dksimpson

articles/devtest-labs/encrypt-disks-customer-managed-keys.md

@@ -5,6 +5,7 @@ ms.topic: how-to
 ms.author: rosemalcolm
 author: RoseHJM
 ms.date: 09/29/2021
+ms.custom: subject-rbac-steps
 ---
 
 # Encrypt disks using customer-managed keys in Azure DevTest Labs
@@ -27,32 +28,17 @@ The following section shows how a lab owner can set up encryption using a custom
 
     > [!div class="mx-imgBorder"]
     > :::image type="content" source="./media/encrypt-disks-customer-managed-keys/managed-keys.png" alt-text="Managed keys":::
-1. For the lab to handle encryption for all the lab disks, lab owner needs to explicitly grant the lab’s **system-assigned identity** reader role on the disk encryption set as well as virtual machine contributor role on the underlying Azure subscription. Lab owner can do so by completing the following steps:
+1. For the lab to handle encryption for all the lab disks, lab owner needs to explicitly grant the lab’s **system-assigned identity** reader role on the disk encryption set as well as virtual machine contributor role on the underlying Azure subscription. The lab owner can do so by completing the following steps:
 
-   
-    1. Ensure you are a member of [User Access Administrator role](../role-based-access-control/built-in-roles.md#user-access-administrator) at the Azure subscription level so that you can manage user access to Azure resources. 
-    1. On the **Disk Encryption Set** page, select **Access control (IAM)** on the left menu. 
-    1. Select **+ Add** on the toolbar and select **Add a role assignment**.  
-
-        :::image type="content" source="./media/encrypt-disks-customer-managed-keys/add-role-management-menu.png" alt-text="Add role management - menu":::
-    1. On the **Add role assignment** page, select the **Reader** role or a role that allows more access. 
-    1. Type the lab name for which the disk encryption set will be used and select the lab name (system-assigned identity for the lab) from the dropdown-list. 
-    
-        :::image type="content" source="./media/encrypt-disks-customer-managed-keys/select-lab.png" alt-text="Select system-managed identity of the lab":::        
-    1. Select **Save** on the toolbar. 
-
-        :::image type="content" source="./media/encrypt-disks-customer-managed-keys/save-role-assignment.png" alt-text="Save role assignment":::
-3. Add the lab's **system-assigned identity** to the **Virtual Machine Contributor** role using the **Subscription** -> **Access control (IAM)** page. The steps are similar to the ones in the previous steps. 
-
-    
-    1. Navigate to the **Subscription** page in the Azure portal. 
-    1. Select **Access control (IAM)**. 
-    1. Select **+Add** on the toolbar, and select **Add a role assignment**. 
-    
-        :::image type="content" source="./media/encrypt-disks-customer-managed-keys/subscription-access-control-page.png" alt-text="Subscription -> Access control (IAM) page":::
-    1. On the **Add role assignment** page, select **Virtual Machine Contributor** for the role.
-    1. Type the lab name, and select the **lab name** (system-assigned identity for the lab) from the dropdown-list. 
-    1. Select **Save** on the toolbar. 
+    1. Ensure you are a member of [User Access Administrator role](../role-based-access-control/built-in-roles.md#user-access-administrator) at the Azure subscription level so that you can manage user access to Azure resources.
+
+    1. On the **Disk Encryption Set** page, assign at least the Reader role to the lab name for which the disk encryption set will be used.
+
+       For detailed steps, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).
+
+    1. Navigate to the **Subscription** page in the Azure portal.
+
+    1. Assign the Virtual Machine Contributor role to the lab name (system-assigned identity for the lab).
 
 ## Encrypt lab OS disks with a customer-managed key 
 

articles/devtest-labs/media/encrypt-disks-customer-managed-keys/add-role-management-menu.png

@@ -9,7 +9,7 @@ manager: craigg
 ms.reviewer: craigg
 ms.service: dms
 ms.workload: data-services
-ms.custom: seo-lt-2019, mode-ui
+ms.custom: seo-lt-2019, mode-ui, subject-rbac-steps
 ms.topic: quickstart
 ms.date: 03/13/2020
 ---
@@ -97,15 +97,21 @@ You need to create an Azure App registration ID that the on-premises hybrid work
 
 4. After App ID registration is completed, make a note of the **Application (client) ID**, which you'll use while installing the hybrid worker.
 
-5. In the Azure portal, navigate to Azure Database Migration Service, select **Access control (IAM)**, and then select **Add role assignment** to assign contributor access to the App ID.
+5. In the Azure portal, navigate to Azure Database Migration Service.
 
-    ![Azure Database Migration Service hybrid mode assign contributor role](media/quickstart-create-data-migration-service-hybrid-portal/dms-app-assign-contributor.png)
+6. In the navigation menu, select **Access control (IAM)**.
 
-6. Select **Contributor** as the role, assign access to **Azure AD user, or service principal**, and then select the App ID name.
+7. Select **Add** > **Add role assignment**.
 
-    ![Azure Database Migration Service hybrid mode assign contributor role details](media/quickstart-create-data-migration-service-hybrid-portal/dms-add-role-assignment.png)
+    ![Access control (IAM) page with Add role assignment menu open.](../../includes/role-based-access-control/media/add-role-assignment-menu-generic.png)
 
-7. Select **Save** to save the role assignment for the App ID on the Azure Database Migration Service resource.
+8. On the **Role** tab, select the **Contributor** role.
+
+    ![Add role assignment page with Role tab selected.](../../includes/role-based-access-control/media/add-role-assignment-role-generic.png)
+
+9. On the **Members** tab, select **User, group, or service principal**, and then select the App ID name.
+
+10. On the **Review + assign** tab, select **Review + assign** to assign the role.
 
 ## Download and install the hybrid worker