Commit 2cc317e

author
Michael Bender
committed
further refining article
1 parent 59c11e6 commit 2cc317e

2 files changed

+5
-1
lines changed

articles/virtual-network-manager/concept-security-admins.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -127,7 +127,7 @@ Security admin rules do not apply when they are deployed in a virtual network wi
127127
- [Azure SQL Managed Instances](/azure/azure-sql/managed-instance/connectivity-architecture-overview.md#service-aided-subnet-configuration)
128128
- Azure Databricks
129129

130-
If you want *Allow rules* applied to supported services in the virtual network, you can set `AllowRulesOnly` on `securityConfiguration.properties.applyOnNetworkIntentPolicyBasedServices`. When set, *Allow rules* in your security rule configuration will be applied to supported services on the virtual networks with Azure SQL Managed Instances or Azure Databricks. Both *Allow* and *Deny* rules will still be applied on the virtual networks without these services using the *AllowRulesOnly* option.
130+
If you want *Allow rules* applied to supported services in the virtual network, you set this in your security configuration with the `AllowRulesOnly` field in the [securityConfiguration.properties.applyOnNetworkIntentPolicyBasedServices](/dotnet/api/microsoft.azure.management.network.models.networkintentpolicybasedservice?view=azure-dotnet) .NET class. When set, *Allow rules* in your security rule configuration will be applied to supported services on the virtual networks with Azure SQL Managed Instances or Azure Databricks. Both *Allow* and *Deny* rules will still be applied on the virtual networks without these services using the *AllowRulesOnly* option. You can create a security rule configuration with *Allow* rules only and deploy it to your virtual networks with [Azure PowerShell](/powershell/module/az.network/new-aznetworkmanagersecurityadminconfiguration.md#examples1) and [Azure CLI](/cli/azure/network/manager/security-admin-config.md#az-network-manager-security-admin-config-create-examples).
131131

132132
> [!NOTE]
133133
> When multiple Azure Virtual Network Manager instances have different settings for `securityConfiguration.properties.applyOnNetworkIntentPolicyBasedServices` for the same virtual network, the setting of the AVNM with the highest scope will be used. For example, if the AVNM whose scope is the root management group uses AllowRulesOnly for the `securityConfiguration.properties.applyOnNetworkIntentPolicyBasedServices` option, but the other AVNM whose scope is a subscription under this root management group uses the default setting, when these two AVNMs apply security admin rules for a particular virtual network, the AllowRulesOnly will be used for the `securityConfiguration.properties.applyOnNetworkIntentPolicyBasedServices` setting.
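Review bot: The rewritten sentence at line 130 now presents `AllowRulesOnly` as a field set "in the .NET class" and links only to the SDK reference, which reads as if the setting were specific to the .NET SDK; the same property is written in the security admin configuration resource regardless of client (the sentence later points to PowerShell and CLI). Suggest keeping the property path in code formatting and making the SDK link a reference, e.g. "set `securityConfiguration.properties.applyOnNetworkIntentPolicyBasedServices` to `AllowRulesOnly` (see the [NetworkIntentPolicyBasedService](...) reference)", so the NOTE block below, which still uses the property path, stays consistent. Also confirm the PowerShell anchor `#examples1` and the CLI anchor resolve; these relative `.md#` anchors break silently if the target heading id differs.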

articles/virtual-network-manager/faq.md

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -133,6 +133,10 @@ A network manager is only delegated enough access to apply configurations to vir
133133

134134
Azure SQL Managed Instance has some network requirements. These are enforced through high priority Network Intent Policies, whose purpose conflicts with Security Admin Rules. By default, Admin rule application is skipped on VNets containing any of these Intent Policies. Since *Allow* rules pose no risk of conflict, you can opt to apply *Allow Only* rules. If you only wish to use Allow rules, you can set AllowRulesOnly on `securityConfiguration.properties.applyOnNetworkIntentPolicyBasedServices`.
135135

136+
#### Are you applying security rules to a VNet or subnet that contains services blocking security configuration rules?
137+
138+
Certain services such as Azure SQL Managed Instance, Azure Databricks and Azure Application Gateway use Network Intent Policies to enforce network requirements. These policies are enforced through high priority Network Intent Policies, whose purpose conflicts with Security Admin Rules. By default, Admin rule application is skipped on VNets containing any of these Intent Policies. Since *Allow* rules pose no risk of conflict, you can opt to apply *Allow Only* rules. If you only wish to use Allow rules, you can set AllowRulesOnly on `securityConfiguration.properties.applyOnNetworkIntentPolicyBasedServices`.
139+
136140
## Limits
137141

138142
### What are the service limitations of Azure Virtual Network Manager?
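Review bot: The new FAQ entry at lines 136-138 repeats the answer at line 134 almost verbatim (same "enforced through high priority Network Intent Policies ... you can set AllowRulesOnly" sentences), and its first two sentences are circular ("use Network Intent Policies ... These policies are enforced through high priority Network Intent Policies"). Suggest folding the broader service list (Azure SQL Managed Instance, Azure Databricks, Azure Application Gateway) into the existing answer and deleting the duplicated sentences, or trimming the new entry to the one point it adds and cross-referencing the answer above. Note that the concept article hunk in this same commit lists only Azure SQL Managed Instances and Azure Databricks as affected services; if Application Gateway belongs on that list, the two articles should agree.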
