Commit 32a8d9f

Improve language
1 parent c719920 commit 32a8d9f

File tree

1 file changed

+1
-1
lines changed

articles/key-vault/managed-hsm/access-control.md

Lines changed: 1 addition & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -35,7 +35,7 @@ When a managed HSM is created, the requestor also provides a list of data plane
3535
Permission model for both planes uses the same syntax, but they're enforced at different levels and role assignments use different scopes. Management plane Azure RBAC is enforced by Azure Resource Manager while data plane Managed HSM local RBAC is enforced by managed HSM itself.
3636

3737
> [!IMPORTANT]
38-
> Granting a security principal management plane access to an managed HSM does not grant them any access to data plane to access keys or data plane role assignments Managed HSM local RBAC). This isolation is by design to prevent inadvertent expansion of privileges affecting access to keys stored in Managed HSM. The one exception is members of Azure Active Directory Global Administrator role are implicitly part of the Managed HSM Administrator role for recovery purposes in scenarios where there are no longer any valid Managed HSM administrator accounts. Follow [Azure Active Directory best practices for securing the Global Adminstrator role](../../active-directory/roles/best-practices.md#5-limit-the-number-of-global-administrators-to-less-than-5).
38+
> Granting a security principal management plane access to an managed HSM does not grant them any access to data plane to access keys or data plane role assignments Managed HSM local RBAC). This isolation is by design to prevent inadvertent expansion of privileges affecting access to keys stored in Managed HSM. The one exception is members of the Azure Active Directory Global Administrator role are implicitly part of the Managed HSM Administrator role for recovery purposes such as when there are no longer any valid Managed HSM administrator accounts. Please follow [Azure Active Directory best practices for securing the Global Adminstrator role](../../active-directory/roles/best-practices.md#5-limit-the-number-of-global-administrators-to-less-than-5).
3939
4040
For example, a subscription administrator (since they have "Contributor" permission to all resources in the subscription) can delete an managed HSM in their subscription, but if they don't have data plane access specifically granted through Managed HSM local RBAC, they can't gain access to keys or manage role assignment in the managed HSM to grant themselves or others access to data plane.
4141
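Review bot: the rewritten `+38` line still carries three defects that a commit titled "Improve language" should clear up. "an managed HSM" should read "a managed HSM" (the same error appears in the unchanged context line "can delete an managed HSM"); the parenthetical "data plane role assignments Managed HSM local RBAC)" has a closing parenthesis with no opening one and should read "data plane role assignments (Managed HSM local RBAC)"; and the link text spells "Adminstrator" where it means "Administrator". The sentence that matters most to readers is the exception for Global Administrators, because it is the one path by which a management-plane identity reaches keys; it is also missing a "that" after "is", so suggest: "The one exception is that members of the Azure Active Directory Global Administrator role are implicitly part of the Managed HSM Administrator role, for recovery purposes such as when there are no longer any valid Managed HSM administrator accounts."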