CMK policy edit

Author: HeidiSteen

articles/search/search-security-manage-encryption-keys.md

@@ -7,8 +7,8 @@ manager: nitinme
 author: HeidiSteen
 ms.author: heidist
 ms.service: cognitive-search
-ms.topic: conceptual
-ms.date: 12/14/2022
+ms.topic: how-to
+ms.date: 01/20/2023
 ms.custom: references_regions, devx-track-azurepowershell 
 ---
 
@@ -335,9 +335,9 @@ Once you create the encrypted object on the search service, you can use it as yo
 
 <a name="encryption-enforcement-policy"></a>
 
-## 6 Set up policy
+## 6 - Set up policy
 
-Azure Cognitive Search has an optional [built-in policy](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F76a56461-9dc0-40f0-82f5-2453283afa2f) to enforce usage of CMK on individual objects defined in a search service. In this step, you'll apply this policy to your search service and set up your search service to enforce this policy.
+Azure Cognitive Search has an optional [built-in policy](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F76a56461-9dc0-40f0-82f5-2453283afa2f) to enforce usage of CMK service-wide. In this section, you'll apply this policy to your search service, and then set up your search service to enforce this policy.
 
 > [!NOTE]
 > Policy set up requires the preview [Services - Create or Update API](/rest/api/searchmanagement/2021-04-01-preview/services/create-or-update).
@@ -346,13 +346,15 @@ Azure Cognitive Search has an optional [built-in policy](https://portal.azure.co
 
    :::image type="content" source="media/search-security-manage-encryption-keys/assign-policy.png" alt-text="Screenshot of assigning built-in CMK policy." border="true":::
 
-1. Set up the [policy scope](../governance/policy/concepts/scope.md). In the **Parameters** section, uncheck **Only show parameters...** and set **Effect** to **Deny**
+1. Set up the [policy scope](../governance/policy/concepts/scope.md). In the **Parameters** section, uncheck **Only show parameters...** and set **Effect** to **Deny**. 
+
+   In Azure policies: "Deny is used to prevent a resource request that doesn't match defined standards through a policy definition and fails the request". Assuming the standard for your service is CMK encryption, setting the policy to "Deny" will deny requests that don't specify CMK encryption.
 
    :::image type="content" source="media/search-security-manage-encryption-keys/effect-deny.png" alt-text="Screenshot of changing built-in CMK policy effect to deny." border="true":::
 
 1. Finish creating the policy.
 
-1. Call the [Services - Create or Update API](/rest/api/searchmanagement/2021-04-01-preview/services/create-or-update) to enable CMK policy enforcement.
+1. Call the [Services - Create or Update API](/rest/api/searchmanagement/2021-04-01-preview/services/create-or-update) to enable CMK policy enforcement at the service level.
 
 ```http
 PATCH https://management.azure.com/subscriptions/[subscriptionId]/resourceGroups/[resourceGroupName]/providers/Microsoft.Search/searchServices/[serviceName]?api-version=2021-04-01-preview