Limit role assignments scope to _acme-challenge TXT record. No need to grant any role at full Zone scope for ACME purposes.

How-to-use-Azure-DNS.md

@@ -107,13 +107,19 @@ az network dns zone list
 
 #### Create a service principal
 
-The service principal is used to grant acme.sh access to the DNS Zone using the id value from the previous commands output
+The service principal is used to grant acme.sh access to the _acme-challenge TXT record within the DNS Zone using the id value from the previous commands output
 
 (See the [az ad sp create-for-rbac](https://learn.microsoft.com/en-us/cli/azure/ad/sp?view=azure-cli-latest#az-ad-sp-create-for-rbac) documentation for more details)  
 
+This grants the "DNS Zone Contributor" role only on the exact scope of the `_acme-challenge.example.com`:
 ```
 az ad sp create-for-rbac --name  "AcmeDnsValidator" --role "DNS Zone Contributor" --scopes \
-    /subscriptions/12345678-9abc-def0-1234-567890abcdef/resourceGroups/exampledns_rg/providers/Microsoft.Network/dnszones/example.com
+    /subscriptions/12345678-9abc-def0-1234-567890abcdef/resourceGroups/exampledns_rg/providers/Microsoft.Network/dnszones/example.com/TXT/_acme-challenge
+```
+If you want to issue certificates for `subdomain.example.com` the scope changes as follow:
+```
+az ad sp create-for-rbac --name  "AcmeDnsValidator" --role "DNS Zone Contributor" --scopes \
+    /subscriptions/12345678-9abc-def0-1234-567890abcdef/resourceGroups/exampledns_rg/providers/Microsoft.Network/dnszones/example.com/TXT/_acme-challenge.subdomain
 ```
 
 ```json
@@ -134,8 +140,8 @@ For example, if you are managing certificates for both `example.com` and `exampl
 
 ```
 az ad sp create-for-rbac --name  "AcmeDnsValidator" --role "DNS Zone Contributor" --scopes \
-    /subscriptions/12345678-9abc-def0-1234-567890abcdef/resourceGroups/exampledns_rg/providers/Microsoft.Network/dnszones/example.com \
-    /subscriptions/12345678-9abc-def0-1234-567890abcdef/resourceGroups/exampledns2_rg/providers/Microsoft.Network/dnszones/example.edu
+    /subscriptions/12345678-9abc-def0-1234-567890abcdef/resourceGroups/exampledns_rg/providers/Microsoft.Network/dnszones/example.com/TXT/_acme-challenge \
+    /subscriptions/12345678-9abc-def0-1234-567890abcdef/resourceGroups/exampledns2_rg/providers/Microsoft.Network/dnszones/example.edu/TXT/_acme-challenge
 ```
 
 Or if the service principal has already been created, you can grant it access to the additional scope:
@@ -152,7 +158,7 @@ az ad sp list --filter "displayname eq 'AcmeDnsValidator'" | grep '^    \"id\":'
 
 ```
 az role assignment create --assignee daaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa --role "DNS Zone Contributor" --scope \
-    /subscriptions/12345678-9abc-def0-1234-567890abcdef/resourceGroups/deleteme_rg/providers/Microsoft.Network/dnszones/example.edu
+    /subscriptions/12345678-9abc-def0-1234-567890abcdef/resourceGroups/deleteme_rg/providers/Microsoft.Network/dnszones/example.edu/TXT/_acme-challenge
 ```
 
 ##### Note: Dealing with multiple credentials
@@ -163,7 +169,7 @@ If you want to use different credentials, use the `--accountconf` switch to spec
 
 #### Limit access permissions to TXT records 
 
-In Azure DNS you can limit the permissions for the service principal further and only grant permissions to modifiy TXT records for a given DNS Zone.
+In Azure DNS you can further narrow down the permissions for the default "DNS Zone Contributor" role to only allow the service principal modification of TXT records type only. This is only useful in special cases where you cannot create all the exact role assignments you need for all your challenges, otherwise it is not recommended as the service principal will be able to access other critical TXT records on the same zone.
 
 (See [How to protect DNS zones and records](https://learn.microsoft.com/en-us/azure/dns/dns-protect-zones-recordsets) for more details)