Merge pull request MicrosoftDocs#85692 from msmbaldwin/patch-4

PRMerger6 · web-flow · commit 7f8c990e1657 · 2019-08-16T12:04:59.000-07:00
Update service-to-service-authentication.md
diff --git a/articles/key-vault/service-to-service-authentication.md b/articles/key-vault/service-to-service-authentication.md
@@ -129,7 +129,7 @@ This applies only to local development. When your solution is deployed to Azure,
 
 ## Running the application using managed identity or user-assigned identity 
 
-When you run your code on an Azure App Service or an Azure VM with a managed identity enabled, the library automatically uses the managed identity. 
+When you run your code on an Azure App Service or an Azure VM with a managed identity enabled, the library automatically uses the managed identity. No code changes are required, but the managed identity must have *get* permissions for the key vault. You can give the managed identity *get* permissions through the key vault's *Access Policies*.
 
 Alternatively, you may authenticate with a user-assigned identity. For more information on user-assigned identities, see [About Managed Identities for Azure resources](../active-directory/managed-identities-azure-resources/overview.md#how-does-the-managed-identities-for-azure-resources-work). To authenticate with a user-assigned identity, you need to specify the Client ID of the user-assigned identity in the connection string. The connection string is specified in the [Connection String Support](#connection-string-support) section below.
 
