Commit 4c133cf

committed
[APIM] Refine security note wording
1 parent f79d6a3 commit 4c133cf

2 files changed

Lines changed: 2 additions & 2 deletions

File tree

articles/api-management/api-management-howto-use-managed-service-identity.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -27,7 +27,7 @@ You can grant two types of identities to an API Management instance:
2727
- A *user-assigned identity* is a standalone Azure resource that you can assign to your service. The service can have multiple user-assigned identities.
2828

2929
> [!IMPORTANT]
30-
> **Security consideration:** Users with permissions to edit API Management policies (for example, users assigned the [API Management Service Contributor](/azure/role-based-access-control/built-in-roles#api-management-service-contributor) role) can use the [`authentication-managed-identity`](authentication-managed-identity-policy.md) policy to authenticate as the service's managed identity. When you assign roles or permissions to the managed identity, be aware that any user who can edit policies may be able to access those same resources through the managed identity. To mitigate risk:
30+
> **Security consideration:** Users with permissions to edit API Management policies (for example, users assigned the [API Management Service Contributor](/azure/role-based-access-control/built-in-roles#api-management-service-contributor) role) can use the [`authentication-managed-identity`](authentication-managed-identity-policy.md) policy to authenticate as the service's managed identity. When you assign roles or permissions to the API Management resouce, be aware that any user who can edit policies may be able to access those same resources through the managed identity. To mitigate risk:
3131
> - Follow the [principle of least privilege](/entra/identity-platform/secure-least-privileged-access) when assigning roles to managed identities.
3232
> - Only grant the API Management Contributor role or policy editing permissions to trusted users.
3333
> - Regularly review and audit managed identity role assignments and who has access to edit API Management policies.
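Review bot: the added `30+` line introduces a typo, "API Management resouce" should read "API Management resource". While fixing it, note that the rewording now says roles are assigned "to the API Management resource", but the first bullet that follows still says "when assigning roles to managed identities", and the second bullet names the "API Management Contributor role" where the paragraph names "API Management Service Contributor"; aligning the three on one phrasing (the identity vs. the resource, and the exact built-in role name) would keep the note consistent with itself.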

articles/api-management/authentication-managed-identity-policy.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -21,7 +21,7 @@ Both system-assigned identity and any of the multiple user-assigned identities c
2121
[!INCLUDE [api-management-policy-generic-alert](../../includes/api-management-policy-generic-alert.md)]
2222

2323
> [!IMPORTANT]
24-
> **Security consideration:** Any user with permissions to edit API Management policies (for example, users assigned the [API Management Service Contributor](/azure/role-based-access-control/built-in-roles#api-management-service-contributor) role) can use this policy to authenticate as the service's managed identity. This effectively grants that user access to any resource for which the managed identity has permissions. Ensure that you follow the [principle of least privilege](/entra/identity-platform/secure-least-privileged-access) both when assigning permissions to the managed identity and when granting users the ability to edit API Management policies. For more information, see [How to use managed identities in Azure API Management](api-management-howto-use-managed-service-identity.md).
24+
> **Security consideration:** Any user with permissions to edit API Management policies (for example, users assigned the [API Management Service Contributor](/azure/role-based-access-control/built-in-roles#api-management-service-contributor) role) can use this policy to authenticate as the service's managed identity. This effectively grants that user access to any resource for which the managed identity has permissions. Ensure that you follow the [principle of least privilege](/entra/identity-platform/secure-least-privileged-access) when assigning permissions to API Management resource. For more information, see [How to use managed identities in Azure API Management](api-management-howto-use-managed-service-identity.md).
2525
2626

2727
## Policy statement
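Review bot: the added `24+` line is missing an article ("when assigning permissions to the API Management resource"), and it drops the second half of the removed sentence, "and when granting users the ability to edit API Management policies". The paragraph's own point is that policy editors can act as the managed identity, so the least-privilege guidance for who gets policy-editing rights is the operative mitigation here; suggest keeping that clause, for example: "...both when assigning permissions to the API Management resource and when granting users the ability to edit API Management policies."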
