Moved 'important' note up closer to the table it's referencing

Moved 'important' note up closer to the table it's referencing

Author: yutanglin16

articles/app-service/configure-ssl-certificate.md

@@ -156,6 +156,9 @@ The service principal app ID or assignee value is the ID for the App Service res
 > [!NOTE]
 > Don't delete these permissions from Key Vault. If you do, App Service can't sync your web app with the latest Key Vault certificate version.
 
+> [!IMPORTANT]
+> The values in the table are application (client) IDs. If you grant the Key Vault Certificate User role by using infrastructure-as-code (for example, ARM templates or Bicep), you typically must use the object ID of the corresponding enterprise application (service principal) in your Microsoft Entra tenant. Using the application ID works with some tooling (for example, Azure CLI role assignment), but ARM/Bicep role assignments generally require the service principal object ID.
+
 #### [Azure CLI](#tab/azure-cli/rbac)
 
 ```azurecli-interactive
@@ -171,9 +174,6 @@ New-AzRoleAssignment -RoleDefinitionName "Key Vault Certificate User" -Applicati
 
 ---
 
-> [!IMPORTANT]
-> The values in the table are application (client) IDs. If you grant the Key Vault Certificate User role by using infrastructure-as-code (for example, ARM templates or Bicep), you typically must use the object ID of the corresponding enterprise application (service principal) in your Microsoft Entra tenant. Using the application ID works with some tooling (for example, Azure CLI role assignment), but ARM/Bicep role assignments generally require the service principal object ID.
-
 > [!NOTE]
 > If Key Vault is configured to disable public access, select the **Allow trusted Microsoft services to bypass this firewall** checkbox to ensure that Microsoft services are allowed access. For more information, see [Key Vault firewall-enabled trusted services only](/azure/key-vault/general/network-security?WT.mc_id=Portal-Microsoft_Azure_KeyVault#key-vault-firewall-enabled-trusted-services-only).