update rbac configuration article

Author: cebundy-work

articles/healthcare-apis/configure-azure-rbac.md

@@ -1,70 +1,74 @@
 ---
-title: Configure Azure RBAC role for the FHIR service in Azure Health Data Services
-description: Learn how to configure Azure RBAC for the FHIR service in Azure Health Data Services. Assign roles, manage access, and safeguard your data plane.
+title: Configure Azure RBAC role for Azure Health Data Services
+description: Learn how to configure Azure RBAC for FHIR and DICOM services in Azure Health Data Services. Assign roles and manage access to your data plane.
 author: chachachachami
 ms.service: azure-health-data-services
-ms.topic: tutorial
-ms.date: 06/02/2025
+ms.topic: how-to
+ms.date: 03/27/2026
 ms.author: chrupa
+ms.reviewer: v-catheribun
 ms.custom: sfi-image-nochange
 --- 
 # Configure Azure RBAC roles for Azure Health Data Services
 
-In this article, you learn how to use [Azure role-based access control (RBAC)](../role-based-access-control/index.yml) to assign access to the Azure Health Data Services data plane. Using Azure RBAC roles is the preferred method for assigning data plane access when data plane users are managed in the Microsoft Entra tenant associated with your Azure subscription.
+In this article, you learn how to use [Azure role-based access control (RBAC)](../role-based-access-control/index.yml) to assign permissions to the FHIR and DICOM service instances in Azure Health Data Services. 
 
-You can complete role assignments in the Azure portal. The FHIR® service and DICOM® service define application roles differently. Add or remove one or more roles to manage user access controls.
+Azure RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources. By using Azure RBAC, you can manage who has access to Azure resources, what they can do with those resources, and what areas they have access to.
 
-## Assign roles for the FHIR service
+You can manage role assignments in the Azure portal for the FHIR® service and DICOM® service. 
 
-To grant users, service principals, or groups access to the FHIR data plane, go to the FHIR service in the Azure portal. Select **Access control (IAM)**, and then select the **Role assignments** tab. Select **+Add**, and then select **Add role assignment**.
+## RBAC roles for the FHIR and DICOM services
 
-If the role assignment option is grayed out, ask your Azure subscription administrator to grant you with the permissions to the subscription or the resource group, for example, **User Access Administrator**. For more information, see [Azure built-in roles](../role-based-access-control/built-in-roles.md).
+Azure Health Data Services provides built-in roles for the FHIR and DICOM services. These roles provide granular access control to the data plane of each service. 
 
-:::image type="content" source="media/rbac/select-role-assignment.png" alt-text="Screenshot showing role assignment selection." lightbox="media/rbac/select-role-assignment.png":::
+The built-in roles for the FHIR service include:
 
-In the **Role** selection, search for one of the built-in roles for the FHIR data plane. You can choose from these roles:
-
-* **FHIR Data Reader**: Can read (and search) FHIR data.
+* **FHIR Data Reader**: Can read and search FHIR data.
 * **FHIR Data Writer**: Can read, write, and soft delete FHIR data.
-* **FHIR Data Exporter**: Can read and export ($export operator) data.
+* **FHIR Data Exporter**: Can read and export data by using the $export operator.
 * **FHIR Data Contributor**: Can perform all data plane operations.
 * **FHIR Data Converter**: Can use the converter to perform data conversion.
 * **FHIR SMART User**: Can read and write FHIR data according to the SMART IG V1.0.0 specifications.
 
-In the **Select** section, type the client application registration name. If the name is found, the application name is listed. Select the application name, and then select **Save**.
 
-If the client application isn’t found, check your application registration. This is to ensure that the name is correct. Ensure that the client application is created in the same tenant where the FHIR service in Azure Health Data Services (hereby called the FHIR service) is deployed in.
+The built-in roles for the DICOM service include:
+* **DICOM Data Owner**:  Full access to DICOM data.
+* **DICOM Data Reader**: Can read and search DICOM data.
+
+## Assign roles for the FHIR and DICOM services
 
-:::image type="content" source="media/rbac/select-role-assignment.png" alt-text="Screenshot showing selection of role assignment." lightbox="media/rbac/select-role-assignment.png":::
+Assign roles to users, service principals, or groups to grant them access to the FHIR and DICOM services. 
 
-You can verify the role assignment by selecting the **Role assignments** tab from the **Access control (IAM)** menu option.
+For the DICOM service, an application also must have the appropriate API permissions to access the DICOM service. For more information, see [Register a client application in Microsoft Entra ID for the Azure Health Data Services](./register-application.md).
 
-## Assign roles for the DICOM service
+1. Go to your FHIR or DICOM service in the Azure portal.
+1. Select **Access control (IAM)**.
+1. Select **+ Add** > **Add role assignment**. 
+1. Enter *DICOM* or *FHIR* in the search box, select one of the built-in roles for the service, and then select **Next**.
 
-To grant users, service principals, or groups access to the DICOM data plane, select the **Access control (IAM)** blade. Select the**Role assignments** tab, and select **+ Add**.
+    :::image type="content" source="media/rbac/select-role-assignment.png" alt-text="Screenshot of adding an Azure RBAC role assignment in the Azure portal." lightbox="media/rbac/select-role-assignment.png"::: 
 
-:::image type="content" source="media/rbac/dicom-access-control.png" alt-text="Screenshot showing DICOM access control." lightbox="media/rbac/dicom-access-control.png":::
+1. On the **Members** tab, for **Assign access to**, select **User, group, or service principal**.
+1. Select **+ Select members** to search for a user, service principal, or group that you want to assign the role to. After you make your selection, select **Select**.
 
-In the **Role** selection, search for one of the built-in roles for the DICOM data plane:
+    :::image type="content" source="media/rbac/select-members.png" alt-text="Screenshot of selecting members for an Azure RBAC role assignment." lightbox="media/rbac/select-members.png":::
 
-:::image type="content" source="media/rbac/rbac-add-role-assignment.png" alt-text="Screenshot showing how to add an RBAC role assignment." lightbox="media/rbac/rbac-add-role-assignment.png":::
+1. Select **Review + assign** to take you to the **Review and assign** tab.  Review your selections, and then select **Review and assign** to finish the role assignment.
 
-You can choose between:
+    :::image type="content" source="media/rbac/assign-role.png" alt-text="Screenshot of reviewing and assigning an Azure RBAC role." lightbox="media/rbac/assign-role.png":::
 
-* DICOM Data Owner:  Full access to DICOM data.
-* DICOM Data Reader: Read and search DICOM data.
+To view your role assignments, select the **Role assignments** tab from the **Access control (IAM)** menu option.
 
-If these roles aren’t sufficient, you can use PowerShell to create custom roles. For information about creating custom roles, see [Create a custom role by using Azure PowerShell](../role-based-access-control/custom-roles-powershell.md).
+:::image type="content" source="media/rbac/view-role-assignments.png" alt-text="Screenshot of viewing Azure RBAC role assignments in the Azure portal." lightbox="media/rbac/view-role-assignments.png":::
 
-In the **Select** box, search for a user, service principal, or group that you want to assign the role to.
+From this tab, you can select any role assignment to view more details about the assignment. You can also delete a role assignment from this tab by selecting the role assignment, and then selecting **Delete**.
 
 > [!NOTE]
 > If you can't access the FHIR or DICOM service in your application or other tools, you might need to wait a few more minutes for the role assignment to finish propagating in the system.
 
-## Next steps
-
-[Access by using the REST Client](./fhir/using-rest-client.md)
+## Next step
 
-[Access by using cURL](./fhir/using-curl.md)
+>[!div class="nextstepaction"]
+>[Access Azure Health Data Services](access-healthcare-apis.md)
 
 [!INCLUDE [FHIR and DICOM trademark statement](./includes/healthcare-apis-fhir-dicom-trademark.md)]