Merge pull request #314603 from yutanglin16/patch-32

Rearrange Key Vault access policy notes for improved clarity

Author: prmerger-automator[bot]

articles/app-service/configure-ssl-certificate.md

@@ -143,9 +143,6 @@ By default, the App Service resource provider doesn't have access to your key va
 
 The service principal app ID or assignee value is the application (client) ID for the App Service resource provider.
 
-> [!IMPORTANT]
-> The values in the table are application (client) IDs. If you grant the Key Vault Certificate User role by using infrastructure-as-code (for example, ARM templates or Bicep), you typically must use the object ID of the corresponding enterprise application (service principal) in your Microsoft Entra tenant. Using the application ID works with some tooling (for example, Azure CLI role assignment), but ARM/Bicep role assignments generally require the service principal object ID.
-
 ### [Access policy permissions](#tab/accesspolicy)
 
 | Resource provider | Service principal app ID | Key Vault secret permissions | Key Vault certificate permissions |
@@ -154,12 +151,13 @@ The service principal app ID or assignee value is the application (client) ID fo
 
 The service principal app ID or assignee value is the ID for the App Service resource provider. To learn how to authorize Key Vault permissions for the App Service resource provider by using an access policy, see [Assign a Key Vault access policy](/azure/key-vault/general/assign-access-policy?tabs=azure-portal).
 
-Don't delete these access policy permissions from the key vault. If you do, App Service can't sync your web app with the latest Key Vault certificate version.
-
 ---
 
 > [!NOTE]
-> If Key Vault is configured to disable public access, select the **Allow trusted Microsoft services to bypass this firewall** checkbox to ensure that Microsoft services are allowed access. For more information, see [Key Vault firewall-enabled trusted services only](/azure/key-vault/general/network-security?WT.mc_id=Portal-Microsoft_Azure_KeyVault#key-vault-firewall-enabled-trusted-services-only).
+> Don't delete these permissions from Key Vault. If you do, App Service can't sync your web app with the latest Key Vault certificate version.
+
+> [!IMPORTANT]
+> The values in the table are application (client) IDs. If you grant the Key Vault Certificate User role by using infrastructure-as-code (for example, ARM templates or Bicep), you typically must use the object ID of the corresponding enterprise application (service principal) in your Microsoft Entra tenant. Using the application ID works with some tooling (for example, Azure CLI role assignment), but ARM/Bicep role assignments generally require the service principal object ID.
 
 #### [Azure CLI](#tab/azure-cli/rbac)
 
@@ -174,11 +172,11 @@ az role assignment create --role "Key Vault Certificate User" --assignee "abfa0a
 New-AzRoleAssignment -RoleDefinitionName "Key Vault Certificate User" -ApplicationId "abfa0a7c-a6b6-4736-8310-5855508787cd" -Scope "/subscriptions/{subscriptionid}/resourcegroups/{resource-group-name}/providers/Microsoft.KeyVault/vaults/{key-vault-name}"
 ```
 
-> [!NOTE]
-> Don't delete these RBAC permissions from Key Vault. If you do, App Service can't sync your web app with the latest Key Vault certificate version.
-
 ---
 
+> [!NOTE]
+> If Key Vault is configured to disable public access, select the **Allow trusted Microsoft services to bypass this firewall** checkbox to ensure that Microsoft services are allowed access. For more information, see [Key Vault firewall-enabled trusted services only](/azure/key-vault/general/network-security?WT.mc_id=Portal-Microsoft_Azure_KeyVault#key-vault-firewall-enabled-trusted-services-only).
+
 ### Import a certificate from your vault to your app
 
 1. In the [Azure portal](https://portal.azure.com), on the left pane, select **App Services** > *\<app-name>*.