Updates

msmbaldwin · msmbaldwin · commit 03b9841223ea · 2023-01-12T06:22:02.000-08:00
diff --git a/articles/key-vault/general/common-error-codes.md b/articles/key-vault/general/common-error-codes.md
@@ -8,7 +8,7 @@ tags: azure-resource-manager
 ms.service: key-vault
 ms.subservice: general
 ms.topic: reference
-ms.date: 09/29/2020
+ms.date: 01/12/2023
 ms.author: mbaldwin
 
 #Customer intent: As an Azure Key Vault administrator, I want to react to soft-delete being turned on for all key vaults.
@@ -25,7 +25,7 @@ The error codes listed in the following table may be returned by an operation on
 | VaultNameNotValid |  The vault name should be string of 3 to 24 characters and can contain only numbers (0-9), letters (a-z, A-Z), and hyphens (-) |
 | AccessDenied |  You may be missing permissions in access policy to do that operation. |
 | ForbiddenByFirewall |  Client address isn't authorized and caller isn't a trusted service. |
-| ConflictError |  You're requesting multiple operations on the same item, e.g., Key Vault, secret, key, certificate, or common components within a Key Vault like VNET. It's recommended to sequence operations or to implement retry logic. |
+| ConflictError |  You're requesting multiple operations on the same item, for example, Key Vault, secret, key, certificate, or common components within a Key Vault like VNET. It's recommended to sequence operations or to implement retry logic. |
 | RegionNotSupported |  Specified Azure region isn't supported for this resource. |
 | SkuNotSupported |  Specified SKU type isn't supported for this resource. |
 | ResourceNotFound |  Specified Azure resource isn't found. |
diff --git a/articles/key-vault/general/common-parameters-and-headers.md b/articles/key-vault/general/common-parameters-and-headers.md
@@ -8,7 +8,7 @@ tags: azure-resource-manager
 ms.service: key-vault
 ms.subservice: general
 ms.topic: conceptual
-ms.date: 01/07/2019
+ms.date: 01/11/2023
 ms.author: mbaldwin
 
 ---
diff --git a/articles/key-vault/general/customer-data.md b/articles/key-vault/general/customer-data.md
@@ -7,7 +7,7 @@ tags: azure-resource-manager
 
 ms.service: key-vault
 ms.topic: reference
-ms.date: 01/07/2019
+ms.date: 01/11/2023
 ms.author: mbaldwin
 
 ---
@@ -35,7 +35,7 @@ The following information identifies customer data within Azure Key Vault:
 
 The same REST APIs, Portal experience, and SDKs used to create vaults, keys, secrets, certificates, and managed storage accounts, are also able to update and delete these objects.
 
-Soft-delete allows you to recover deleted data for 90 days after deletion. When using soft-delete, the data may be permanently deleted prior to the 90 days retention period expires by performing a purge operation. If the vault or subscription has been configured to block purge operations, it is not possible to permanently delete data until the scheduled retention period has passed.
+Soft-delete allows you to recover deleted data for 90 days after deletion. When using soft-delete, the data may be permanently deleted prior to the 90 days retention period expires by performing a purge operation. If the vault or subscription has been configured to block purge operations, it isn't possible to permanently delete data until the scheduled retention period has passed.
 
 ## Exporting customer data
 
diff --git a/articles/key-vault/general/event-grid-logicapps.md b/articles/key-vault/general/event-grid-logicapps.md
@@ -8,13 +8,13 @@ tags: azure-resource-manager
 ms.service: key-vault
 ms.subservice: general
 ms.topic: how-to
-ms.date: 11/11/2019
+ms.date: 01/11/2023
 ms.author: mbaldwin
 
 ---
 # Use Logic Apps to receive email about status changes of key vault secrets
 
-In this guide you will learn how to respond to Azure Key Vault events that are received via [Azure Event Grid](../../event-grid/index.yml) by using [Azure Logic Apps](../../logic-apps/index.yml). By the end, you will have an Azure logic app set up to send a notification email every time a secret is created in Azure Key Vault.
+In this guide, you will learn how to respond to Azure Key Vault events that are received via [Azure Event Grid](../../event-grid/index.yml) by using [Azure Logic Apps](../../logic-apps/index.yml). By the end, you will have an Azure logic app set up to send a notification email every time a secret is created in Azure Key Vault.
 
 For an overview of Azure Key Vault / Azure Event Grid integration, see [Monitoring Key Vault with Azure Event Grid](event-grid-overview.md).
 
@@ -27,16 +27,16 @@ For an overview of Azure Key Vault / Azure Event Grid integration, see [Monitori
 
 ## Create a Logic App via Event Grid
 
-First, create Logic App with event grid handler and subscribe to Azure Key Vault "SecretNewVersionCreated" events.
+First, create Logic App with Event Grid handler and subscribe to Azure Key Vault "SecretNewVersionCreated" events.
 
 To create an Azure Event Grid subscription, follow these steps:
 
-1. In the Azure portal, go to your key vault, select **Events > Get Started** and click **Logic Apps**
+1. In the Azure portal, go to your key vault, select **Events > Get Started** and select **Logic Apps**
 
     
     ![Key Vault - events page](../media/eventgrid-logicapps-kvsubs.png)
 
-1. On **Logic Apps Designer** validate the connection and click **Continue** 
+1. On **Logic Apps Designer** validate the connection and select **Continue** 
  
     ![Logic App Designer - connection](../media/eventgrid-logicappdesigner1.png)
 
@@ -61,8 +61,8 @@ To create an Azure Event Grid subscription, follow these steps:
 
     ![Logic App Designer - email body](../media/eventgrid-logicappdesigner4.png)
 
-8. Click **Save as**.
-9. Enter a **name** for new logic app and click **Create**.
+8. Select **Save as**.
+9. Enter a **name** for new logic app and select **Create**.
     
     ![Logic App Designer - create](../media/eventgrid-logicappdesigner5.png)
 
diff --git a/articles/key-vault/general/event-grid-overview.md b/articles/key-vault/general/event-grid-overview.md
@@ -1,13 +1,13 @@
 ---
-title: 'Monitoring Key Vault with Azure Event Grid'
-description: 'Use Azure Event Grid to subscribe to Key Vault events'
+title: Monitoring Key Vault with Azure Event Grid
+description: Use Azure Event Grid to subscribe to Key Vault events
 services: key-vault
 author: msmbaldwin
 
 ms.service: key-vault
 ms.subservice: general
 ms.topic: conceptual
-ms.date: 11/12/2019
+ms.date: 01/11/2023
 ms.author: mbaldwin
 ---
  
@@ -19,7 +19,7 @@ Applications can react to these events using modern serverless architectures, wi
 
 ## Key Vault events and schemas
 
-Event grid uses [event subscriptions](../../event-grid/concepts.md#event-subscriptions) to route event messages to subscribers. Key Vault events contain all the information you need to respond to changes in your data. You can identify a Key Vault event because the eventType property starts with "Microsoft.KeyVault".
+Event Grid uses [event subscriptions](../../event-grid/concepts.md#event-subscriptions) to route event messages to subscribers. Key Vault events contain all the information you need to respond to changes in your data. You can identify a Key Vault event because the eventType property starts with "Microsoft.KeyVault".
 
 For more information, see the [Key Vault event schema](../../event-grid/event-schema-key-vault.md).
 
@@ -30,8 +30,8 @@ For more information, see the [Key Vault event schema](../../event-grid/event-sc
 
 Applications that handle Key Vault events should follow a few recommended practices:
 
-* Multiple subscriptions can be configured to route events to the same event handler. It is important not to assume events are from a particular source, but to check the topic of the message to ensure that it comes from the key vault you are expecting.
-* Similarly, check that the eventType is one you are prepared to process, and do not assume that all events you receive will be the types you expect.
+* Multiple subscriptions can be configured to route events to the same event handler. It's important not to assume events are from a particular source, but to check the topic of the message to ensure that it comes from the key vault you're expecting.
+* Similarly, check that the eventType is one you're prepared to process, and do not assume that all events you receive will be the types you expect.
 * Ignore fields you don't understand.  This practice will help keep you resilient to new features that might be added in the future.
 * Use the "subject" prefix and suffix matches to limit events to a particular event.
 
diff --git a/articles/key-vault/general/event-grid-tutorial.md b/articles/key-vault/general/event-grid-tutorial.md
@@ -8,7 +8,7 @@ tags: azure-resource-manager
 ms.service: key-vault
 ms.subservice: general
 ms.topic: how-to
-ms.date: 10/25/2019
+ms.date: 01/11/2023
 ms.author: mbaldwin
 
 ---
@@ -52,7 +52,7 @@ After your Automation account is ready, create a runbook.
 
 ![Create a runbook UI](../media/event-grid-tutorial-3.png)
 
-1.  Select the Automation account you just created.
+1.  Select the Automation account you created.
 
 1.  Select **Runbooks** under **Process Automation**.
 
@@ -94,7 +94,7 @@ write-Error "No input data found."
 
 Create a webhook to trigger your newly created runbook.
 
-1.  Select **Webhooks** from the **Resources** section of the runbook you just published.
+1.  Select **Webhooks** from the **Resources** section of the runbook you published.
 
 1.  Select **Add Webhook**.
 
@@ -107,7 +107,7 @@ Create a webhook to trigger your newly created runbook.
     > [!IMPORTANT] 
     > You can't view the URL after you create it. Make sure you save a copy in a secure location where you can access it for the remainder of this guide.
 
-1. Select **Parameters and run settings** and then select **OK**. Don't enter any parameters. This will enable the **Create** button.
+1. Select **Parameters and run settings** and then select **OK**. Don't enter any parameters. The **Create** button will be enabled.
 
 1. Select **OK** and then select **Create**.
 
diff --git a/articles/key-vault/general/manage-with-cli2.md b/articles/key-vault/general/manage-with-cli2.md
@@ -7,7 +7,7 @@ author: msmbaldwin
 ms.service: key-vault
 ms.subservice: general
 ms.topic: tutorial
-ms.date: 08/12/2019
+ms.date: 01/11/2023
 ms.author: mbaldwin 
 ms.custom: devx-track-azurecli
 
@@ -143,15 +143,15 @@ If you have an existing key in a .pem file, you can upload it to Azure Key Vault
 az keyvault key import --vault-name "ContosoKeyVault" --name "ContosoFirstKey" --pem-file "./softkey.pem" --pem-password "hVFkk965BuUv" --protection software
 ```
 
-You can now reference the key that you created or uploaded to Azure Key Vault, by using its URI. Use `https://ContosoKeyVault.vault.azure.net/keys/ContosoFirstKey` to always get the current version. Use https://[keyvault-name].vault.azure.net/keys/[keyname]/[key-unique-id] to get this specific version. For example, `https://ContosoKeyVault.vault.azure.net/keys/ContosoFirstKey/cgacf4f763ar42ffb0a1gca546aygd87`. 
+You can now reference the key that you created or uploaded to Azure Key Vault, by using its URI. Use `https://ContosoKeyVault.vault.azure.net/keys/ContosoFirstKey` to always get the current version. Use `https://<keyvault-name>.vault.azure.net/keys/<keyname>/<key-unique-id>` to get this specific version. For example, `https://ContosoKeyVault.vault.azure.net/keys/ContosoFirstKey/cgacf4f763ar42ffb0a1gca546aygd87`.
 
-Add a secret to the vault, which is a password named SQLPassword, and that has the value of "hVFkk965BuUv" to Azure Key Vaults. 
+Add a secret to the vault, which is a password named SQLPassword, and that has the value of "hVFkk965BuUv" to Azure Key Vaults.
 
 ```azurecli
 az keyvault secret set --vault-name "ContosoKeyVault" --name "SQLPassword" --value "hVFkk965BuUv "
 ```
 
-Reference this password by using its URI. Use **https://ContosoVault.vault.azure.net/secrets/SQLPassword** to always get the current version, and https://[keyvault-name].vault.azure.net/secret/[secret-name]/[secret-unique-id] to get this specific version. For example, **https://ContosoVault.vault.azure.net/secrets/SQLPassword/90018dbb96a84117a0d2847ef8e7189d**.
+Reference this password by using its URI. Use **https://ContosoVault.vault.azure.net/secrets/SQLPassword** to always get the current version, and `https://<keyvault-name>.vault.azure.net/secret/<secret-name>/<secret-unique-id>` to get this specific version. For example, `https://ContosoVault.vault.azure.net/secrets/SQLPassword/90018dbb96a84117a0d2847ef8e7189d`.
 
 Import a certificate to the vault using a .pem or .pfx.
 
@@ -161,19 +161,19 @@ az keyvault certificate import --vault-name "ContosoKeyVault" --file "c:\cert\ce
 
 Let's view the key, secret, or certificate that you created:
 
-* To view your keys, type: 
+* To view your keys, type:
 
 ```azurecli
 az keyvault key list --vault-name "ContosoKeyVault"
 ```
 
-* To view your secrets, type: 
+* To view your secrets, type:
 
 ```azurecli
 az keyvault secret list --vault-name "ContosoKeyVault"
 ```
 
-* To view certificates, type: 
+* To view certificates, type:
 
 ```azurecli
 az keyvault certificate list --vault-name "ContosoKeyVault"
@@ -215,7 +215,7 @@ To authorize the same application to read secrets in your vault, type the follow
 az keyvault set-policy --name "ContosoKeyVault" --spn 8f8c4bbd-485b-45fd-98f7-ec6300b7b4ed --secret-permissions get
 ```
 
-## <a name="bkmk_KVperCLI"></a> Setting key vault advanced access policies
+## Setting key vault advanced access policies
 
 Use [az keyvault update](/cli/azure/keyvault#az-keyvault-update) to enable advanced policies for the key vault.
 
diff --git a/articles/key-vault/general/overview-throttling.md b/articles/key-vault/general/overview-throttling.md
@@ -7,7 +7,7 @@ author: msmbaldwin
 ms.service: key-vault
 ms.subservice: general
 ms.topic: conceptual
-ms.date: 12/02/2019
+ms.date: 01/11/2023
 ms.author: mbaldwin
 
 ---
@@ -20,19 +20,19 @@ Throttling limits vary based on the scenario. For example, if you are performing
 
 ## How does Key Vault handle its limits?
 
-Service limits in Key Vault prevent misuse of resources and ensure quality of service for all of Key Vault's clients. When a service threshold is exceeded, Key Vault limits any further requests from that client for a period of time, returns HTTP status code 429 (Too many requests), and the request fails. Failed requests that return a 429 do not count towards the throttle limits tracked by Key Vault. 
+Service limits in Key Vault prevent misuse of resources and ensure quality of service for all of Key Vault's clients. When a service threshold is exceeded, Key Vault limits any further requests from that client, returns HTTP status code 429 (Too many requests), and the request fails. Failed requests that return a 429 do not count towards the throttle limits tracked by Key Vault.
 
-Key Vault was originally designed to be used to store and retrieve your secrets at deployment time.  The world has evolved, and Key Vault is being used at run-time to store and retrieve secrets, and often apps and services want to use Key Vault like a database.  Current limits do not support high throughput rates.
+Key Vault was originally designed to store and retrieve your secrets at deployment time. The world has evolved, and Key Vault is being used at run-time to store and retrieve secrets, and often apps and services want to use Key Vault like a database.  Current limits do not support high throughput rates.
 
 Key Vault was originally created with the limits specified in [Azure Key Vault service limits](service-limits.md).  To maximize your Key Vault throughput rates, here are some recommended guidelines/best practices for maximizing your throughput:
-1. Ensure you have throttling in place.  Client must honor exponential back-off policies for 429's and ensure you are doing retries as per the guidance below.
+1. Ensure you have throttling in place.  Client must honor exponential back-off policies for 429s and ensure you are doing retries as per the guidance below.
 1. Divide your Key Vault traffic amongst multiple vaults and different regions.   Use a separate vault for each security/availability domain.   If you have five apps, each in two regions, then we recommend 10 vaults each containing the secrets unique to app and region.  A subscription-wide limit for all transaction types is five times the individual key vault limit. For example, HSM-other transactions per subscription are limited to 5,000 transactions in 10 seconds per subscription. Consider caching the secret within your service or app to also reduce the RPS directly to key vault and/or handle burst based traffic.  You can also divide your traffic amongst different regions to minimize latency and use a different subscription/vault.  Do not send more than the subscription limit to the Key Vault service in a single Azure region.
 1. Cache the secrets you retrieve from Azure Key Vault in memory, and reuse from memory whenever possible.  Re-read from Azure Key Vault only when the cached copy stops working (e.g. because it got rotated at the source). 
-1. Key Vault is designed for your own services secrets.   If you are storing your customers' secrets (especially for high-throughput key storage scenarios), consider putting the keys in a database or storage account with encryption, and storing just the master key in Azure Key Vault.
+1. Key Vault is designed for your own services secrets.   If you are storing your customers' secrets (especially for high-throughput key storage scenarios), consider putting the keys in a database or storage account with encryption, and storing just the primary key in Azure Key Vault.
 1. Encrypt, wrap, and verify  public-key operations can be performed with no access to Key Vault, which not only reduces risk of throttling, but also improves reliability (as long as you properly cache the public key material).
 1. If you use Key Vault to store credentials for a service, check if that service supports Azure AD Authentication to authenticate directly. This reduces the load on Key Vault, improves reliability and simplifies your code since Key Vault can now use the Azure AD token.  Many services have moved to using Azure AD Auth.  See the current list at [Services that support managed identities for Azure resources](../../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-services-that-support-managed-identities-for-azure-resources).
 1. Consider staggering your load/deployment over a longer period of time to stay under the current RPS limits.
-1. If your app comprises multiple nodes that need to read the same secret(s), then consider using a fan out pattern, where one entity reads the secret from Key Vault, and fans out to all nodes.   Cache the retrieved secrets only in memory.
+1. If your app comprises multiple nodes that need to read the same secret(s), then consider using a fan-out pattern, where one entity reads the secret from Key Vault, and fans out to all nodes.   Cache the retrieved secrets only in memory.
 
 
 ## How to throttle your app in response to service limits
@@ -45,7 +45,8 @@ The following are **best practices** you should implement when your service is t
 
 When you implement your app's error handling, use the HTTP error code 429 to detect the need for client-side throttling. If the request fails again with an HTTP 429 error code, you are still encountering an Azure service limit. Continue to use the recommended client-side throttling method, retrying the request until it succeeds.
 
-Code that implements exponential backoff is shown below. 
+Here is code that implements exponential backoff: 
+
 ```
 SecretClientOptions options = new SecretClientOptions()
     {
diff --git a/articles/key-vault/general/rest-error-codes.md b/articles/key-vault/general/rest-error-codes.md
diff --git a/articles/key-vault/general/versions.md b/articles/key-vault/general/versions.md
