MicrosoftDocs
diff --git a/‎articles/purview/how-to-policies-data-owner-authoring-generic.md
Lines changed: 2 additions & 2 deletions b/‎articles/purview/how-to-policies-data-owner-authoring-generic.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/purview/includes/access-policies-configuration-generic.md
Lines changed: 43 additions & 27 deletions b/‎articles/purview/includes/access-policies-configuration-generic.md
Lines changed: 43 additions & 27 deletions
diff --git a/‎articles/purview/includes/access-policies-prerequisites-arc-sql-server.md
Lines changed: 46 additions & 39 deletions b/‎articles/purview/includes/access-policies-prerequisites-arc-sql-server.md
Lines changed: 46 additions & 39 deletions
@@ -77,7 +77,7 @@ Now that you have created your policy, you will need to publish it for it to bec
 ## Publish a policy
 A newly created policy is in the **draft** state. The process of publishing associates the new policy with one or more data sources under governance. This is called "binding" a policy to a data source.
 
-Ensure you have the *Data Source Admin* permission as described [here](how-to-enable-data-use-management.md#configure-microsoft-purview-permissions-needed-to-publish-data-owner-policies)
+Ensure you have the *Data Source Admin* permission as described [here](how-to-enable-data-use-management.md#configure-microsoft-purview-permissions-for-publishing-data-owner-policies)
 
 The steps to publish a policy are as follows:
 
@@ -99,7 +99,7 @@ The steps to publish a policy are as follows:
 > After making changes to a policy, there is no need to publish it again for it to take effect if the data source(s) continues to be the same.
 
 ## Unpublish a policy
-Ensure you have the *Data Source Admin* permission as described [here](how-to-enable-data-use-management.md#configure-microsoft-purview-permissions-needed-to-publish-data-owner-policies)
+Ensure you have the *Data Source Admin* permission as described [here](how-to-enable-data-use-management.md#configure-microsoft-purview-permissions-for-publishing-data-owner-policies)
 
 The steps to publish a policy are as follows:
 
 
@@ -8,44 +8,60 @@ ms.date: 10/28/2022
 ms.custom:
 ---
 
-#### Configure permissions needed to enable *Data use management* on the data source
-This step is needed before a policy can be created in Microsoft Purview for that resource. To enable the *Data use management* toggle for a data source, resource group, or subscription, the **same user** must have **both** specific IAM privileges on the resource and specific Microsoft Purview privileges. 
+#### Configure permissions to enable Data use management on the data source
 
-1) The user must have **either one of the following** IAM role combinations on the resource's ARM path or any parent of it (i.e, leveraging IAM permission inheritance).
-   - IAM *Owner*
-   - Both IAM *Contributor* + IAM *User Access Administrator*
+Before a policy can be created in Microsoft Purview for a resource, you must configure permissions. To enable the **Data use management** toggle for a data source, resource group, or subscription, the *same user* must have *both* specific identity and access management (IAM) privileges on the resource and specific Microsoft Purview privileges: 
 
-   Follow this [guide to configure Azure RBAC role permissions](../../role-based-access-control/check-access.md). The following screenshot shows how to access the Access Control section in Azure portal experience for the data resource to add a role assignment:
+- The user must have *either one* of the following IAM role combinations on the resource's Azure Resource Manager path or any parent of it (that is, using IAM permission inheritance):
+   - IAM Owner
+   - Both IAM Contributor and IAM User Access Administrator
 
-   ![Screenshot shows how to access Access Control in Azure Portal to add a role assignment.](../media/how-to-policies-data-owner-authoring-generic/assign-IAM-permissions.png)
+   To configure Azure role-based access control (RBAC) permissions, follow [this guide](../../role-based-access-control/check-access.md). The following screenshot shows how to access the **Access Control** section in the Azure portal for the data resource to add a role assignment.
 
-2) In addition, the same user needs to have Microsoft Purview Data source administrator (DSA) role for the collection or a parent collection (if inheritance is enabled). See the guide on [managing Microsoft Purview role assignments](../catalog-permissions.md#assign-permissions-to-your-users). The following screenshot shows how to assign Data Source Admin at root collection level:
-![Screenshot shows how to assign Data Source Admin at root collection level.](../media/how-to-policies-data-owner-authoring-generic/assign-purview-permissions.png)
+   ![Screenshot that shows the section in the Azure portal for adding a role assignment.](../media/how-to-policies-data-owner-authoring-generic/assign-IAM-permissions.png)
 
-#### Configure Microsoft Purview permissions to create, update or delete access policies
-The following permissions are needed in Microsoft Purview at the **root collection level**:
-- *Policy authors* role can create, update and delete DevOps and Data Owner policies
-- *Policy authors* role can delete Self-service access policies
+- The same user needs to have the Microsoft Purview *Data source admin* role for the collection or a parent collection (if inheritance is enabled). For more information, see the [guide on managing Microsoft Purview role assignments](../catalog-permissions.md#assign-permissions-to-your-users). 
 
-Check the section on managing Microsoft Purview role assignments in this [guide](../how-to-create-and-manage-collections.md#add-roles-and-restrict-access-through-collections).
+  The following screenshot shows how to assign the *Data source admin* role at the root collection level.
+
+  ![Screenshot that shows selections for assigning the Data source admin role at the root collection level.](../media/how-to-policies-data-owner-authoring-generic/assign-purview-permissions.png)
+
+#### Configure Microsoft Purview permissions to create, update, or delete access policies
+
+The following permissions are needed in Microsoft Purview at the *root collection level*:
+
+- The *Policy author* role can create, update, and delete DevOps and Data Owner policies.
+- The *Policy author* role can delete self-service access policies.
+
+For more information about managing Microsoft Purview role assignments, see [Create and manage collections in the Microsoft Purview Data Map](../how-to-create-and-manage-collections.md#add-roles-and-restrict-access-through-collections).
 
 >[!NOTE]
-> Currently, Microsoft Purview roles related to creating/updating/deleting policies must be configured at **root collection level**.
-> In addition to Microsoft Purview *Policy authors* role, user may need *Directory Reader* permission in Azure Active Directory to create a policy. This is a common permission for users in an Azure tenant. You can check permissions for [Azure AD Directory Reader](../../active-directory/roles/permissions-reference.md#directory-readers).
+> Currently, Microsoft Purview roles related to creating, updating, and deleting policies must be configured at the root collection level.
+>
+> In addition to the Microsoft Purview *Policy author* role, users might need [Directory Readers](../../active-directory/roles/permissions-reference.md#directory-readers) permission in Azure Active Directory to create a policy. This is a common permission for users in an Azure tenant.
+
+#### Configure Microsoft Purview permissions for publishing Data Owner policies
+
+Data Owner policies allow for checks and balances if you assign the Microsoft Purview *Policy author* and *Data source admin* roles to different people in the organization. Before a data policy takes effect, a second person (*Data source admin*) must review it and explicitly approve it by publishing it. Publishing is automatic after DevOps or self-service access policies are created or updated, so it doesn't apply to these types of policies.
 
-#### Configure Microsoft Purview permissions needed to publish Data Owner policies
-Data owner policies allow for check and balances if you assign the Microsoft Purview *Policy author* and *Data source admin* roles to different people in the organization. With this, before a data policy takes effect, a second person (the *Data source admin*) must review it and explicitly approve it by publishing it. Publishing is automatic once DevOps or Self-service access policies are created/updated so it does not apply to these types of policies.
-The following permissions are needed in Microsoft Purview at the **root collection level**:
-- *Data source administrator* role can publish a policy.
+The following permissions are needed in Microsoft Purview at the *root collection level*:
 
-Check the section on managing Microsoft Purview role assignments in this [guide](../how-to-create-and-manage-collections.md#add-roles-and-restrict-access-through-collections).
+- The *Data source admin* role can publish a policy.
+
+For more information about managing Microsoft Purview role assignments, see [Create and manage collections in the Microsoft Purview Data Map](../how-to-create-and-manage-collections.md#add-roles-and-restrict-access-through-collections).
 
 >[!NOTE]
-> Currently, Microsoft Purview roles related to publishing Data Owner policies must be configured at **root collection level**.
+> Currently, Microsoft Purview roles related to publishing Data Owner policies must be configured at the root collection level.
 
 #### Delegation of access provisioning responsibility to roles in Microsoft Purview
->[!IMPORTANT]
-> - Once a resource has been enabled for *Data use management*, **any** Microsoft Purview user with *Policy author* role at root-collection level will be able to provision access to that data source from Microsoft Purview.
-> - The IAM Owner role for a data resource can be inherited from parent resource group, subscription or subscription Management group. Check which AAD users, groups and service principals hold or are inheriting IAM Owner for the resource.
-> - Note that **Any** Microsoft Purview root *Collection admin* can assign **new** users to root *Policy author* roles. **Any** *Collection admin* can assign **new** users to *Data Source Admin* under the collection. Minimize and carefully vet the users that hold Microsoft Purview *Collection admin*, *Data Source Admin* or *Policy author* roles.
-> - If a Microsoft Purview account with published policies is deleted, such policies will stop being enforced within an amount of time dependent on the specific data source. This can have implications both on security and data access availability. The Contributor and Owner roles in IAM are able to delete Microsoft Purview accounts. You can check these permissions by navigating to the Access control (IAM) section for your Microsoft Purview account and selecting **Role Assignments**. You can also place a lock to prevent the Microsoft Purview account from being deleted through [ARM locks](../../azure-resource-manager/management/lock-resources.md).
+
+After a resource has been enabled for **Data use management**, any Microsoft Purview user with the *Policy author* role at the root collection level can provision access to that data source from Microsoft Purview.
+
+The *IAM Owner* role for a data resource can be inherited from a parent resource group, a subscription, or a subscription management group. Check which Azure AD users, groups, and service principals hold or are inheriting the *IAM Owner* role for the resource.
+
+> [!NOTE]
+> Any Microsoft Purview root *Collection admin* can assign new users to root *Policy author* roles. Any *Collection admin* can assign new users to a *Data source admin* role under the collection. Minimize and carefully vet the users that hold Microsoft Purview *Collection admin*, *Data source admin*, or *Policy author* roles.
+
+If a Microsoft Purview account with published policies is deleted, such policies will stop being enforced within an amount of time that depends on the specific data source. This change can have implications on both security and data access availability. The Contributor and Owner roles in IAM can delete Microsoft Purview accounts. 
+
+You can check these permissions by going to the **Access control (IAM)** section for your Microsoft Purview account and selecting **Role Assignments**. You can also place a lock to prevent the Microsoft Purview account from being deleted through [Resource Manager locks](../../azure-resource-manager/management/lock-resources.md).
@@ -9,55 +9,62 @@ ms.custom: references_regions
 ---
 
 
-- Get SQL server version 2022 RC 1 or later running on Windows and install it. [Follow this link](https://www.microsoft.com/sql-server/sql-server-2022).
-- Complete process to onboard that [SQL server with Azure Arc](/sql/sql-server/azure-arc/connect).
-- Enable [Azure AD Authentication in SQL server](/sql/relational-databases/security/authentication-access/azure-ad-authentication-sql-server-setup-tutorial). For a simpler setup [follow this article](/sql/relational-databases/security/authentication-access/azure-ad-authentication-sql-server-automation-setup-tutorial#setting-up-azure-ad-admin-using-the-azure-portal).
+- Get [SQL Server version 2022 RC 1 or later](https://www.microsoft.com/sql-server/sql-server-2022) running on Windows and install it.
+- Complete the process to onboard that [SQL Server instance with Azure Arc](/sql/sql-server/azure-arc/connect).
+- Enable [Azure Active Directory authentication in SQL Server](/sql/relational-databases/security/authentication-access/azure-ad-authentication-sql-server-setup-tutorial). For a simpler setup, follow [this article](/sql/relational-databases/security/authentication-access/azure-ad-authentication-sql-server-automation-setup-tutorial#setting-up-azure-ad-admin-using-the-azure-portal).
 
 #### Region support
-- Policy enforcement is only available in the following regions for Microsoft Purview:
-    - East US
-    - East US 2
-    - South Central US
-    - West Central US
-    - West US
-    - West US2
-    - West US3
-    - Canada Central
-    - Brazil South
-    - North Europe
-    - West Europe
-    - France Central
-    - Switzerland North
-    - UK South
-    - UAE North
-    - South Africa North
-    - Central India
-    - Korea Central
-    - Japan East
-    - Australia East
-    
+
+Policy enforcement is available in only the following regions for Microsoft Purview:
+
+- East US
+- East US 2
+- South Central US
+- West Central US
+- West US
+- West US2
+- West US3
+- Canada Central
+- Brazil South
+- North Europe
+- West Europe
+- France Central
+- Switzerland North
+- UK South
+- UAE North
+- South Africa North
+- Central India
+- Korea Central
+- Japan East
+- Australia East
+
 #### Security considerations for SQL Server on Azure Arc-enabled servers
-- The Server admin can turn off the Microsoft Purview policy enforcement.
-- Arc Admin/Server admin permissions empower the Arc admin or Server admin with the ability to change the ARM path of the given server. Given that mappings in Microsoft Purview use ARM paths, this can lead to wrong policy enforcements. 
-- SQL Admin (DBA) can gain the power of Server admin and can tamper with the cached policies from Microsoft Purview.
-- The recommended configuration is to create a separate App Registration per SQL server instance. This prevents SQL server2 from reading the policies meant for SQL server1, in case a rogue admin in SQL server2 tampers with the ARM path.
 
-#### SQL Server on Azure Arc-enabled server configuration
-This section describes the steps to configure the SQL Server on Azure Arc to use Microsoft Purview.
+- The server admin can turn off the Microsoft Purview policy enforcement.
+- Azure Arc admin and server admin permissions provide the ability to change the Azure Resource Manager path of the server. Because mappings in Microsoft Purview use Resource Manager paths, this can lead to wrong policy enforcements. 
+- A SQL Server admin (database admin) can gain the power of a server admin and can tamper with the cached policies from Microsoft Purview.
+- The recommended configuration is to create a separate app registration for each SQL server instance. This configuration prevents the second SQL Server instance from reading the policies meant for the first SQL Server instance, in case a rogue admin in the second SQL Server instance tampers with the Resource Manager path.
+
+#### SQL Server configuration on Azure Arc
+
+This section describes the steps to configure SQL Server on Azure Arc to use Microsoft Purview.
+
+1. Sign in to the Azure portal through [this link](https://portal.azure.com/#view/Microsoft_Azure_HybridCompute/AzureArcCenterBlade/~/sqlServers), which lists SQL Server instances on Azure Arc.
+
+1. Select the SQL Server instance that you want to configure.
 
-1. Sign in to Azure portal through this [link](https://portal.azure.com/#view/Microsoft_Azure_HybridCompute/AzureArcCenterBlade/~/sqlServers) which lists SQL Servers on Azure Arc.
+1. Go to **Azure Active Directory** on the left pane.
 
-1. Select the SQL Server you want to configure
+1. Verify that Azure Active Directory authentication is configured with an admin login, a SQL Server service certificate, and a SQL Server app registration.
 
-1. Navigate to **Azure Active Directory** feature on the left pane
+1. Scroll down to set **External Policy Based Authorization** to **Enabled**.
 
-1. Verify that Azure Active Directory Authentication is configured. This means that all these have been entered: an admin login, a SQL Server service certificate, and a SQL Server app registration.
-![Screenshot shows how to configure Microsoft Purview endpoint in Azure AD section.](../media/how-to-policies-data-owner-sql/setup-sql-on-arc-for-purview.png)
+1. For **Microsoft Purview Endpoint**, enter an endpoint in the format *https://\<purview-account-name\>.purview.azure.com*. You can see the names of Microsoft Purview accounts in your tenant through [this link](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Purview%2FAccounts). 
 
-1. Scroll down to set **External Policy Based Authorization** to enabled
+   Optionally, you can confirm the endpoint by going to the Microsoft Purview account. Go to the **Properties** section on the left menu and scroll down until you see **Scan endpoint**. The full endpoint path is the one listed without "/Scan" at the end.
 
-1. Enter **Microsoft Purview Endpoint** in the format *https://\<purview-account-name\>.purview.azure.com*. You can see the names of Microsoft Purview accounts in your tenant through [this link](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Purview%2FAccounts). Optionally, you can confirm the endpoint by navigating to the Microsoft Purview account, then  to the Properties section on the left menu and scrolling down until you see "Scan endpoint". The full endpoint path will be the one listed without the "/Scan" at the end.
+1. Make a note of the **App registration ID** value. You'll need it when you register and enable this data source for **Data use management** in Microsoft Purview.
 
-1. Make a note of the **App registration ID**, as you will need it when you register and enable this data source for *Data Use Management* in Microsoft Purview.
+   ![Screenshot that shows selections for configuring a Microsoft Purview endpoint in the Azure Active Directory section.](../media/how-to-policies-data-owner-sql/setup-sql-on-arc-for-purview.png)
 
 1. Select the **Save** button to save the configuration.