First small changes through

Author: Tristan Desktop

articles/active-directory/cloud-infrastructure-entitlement-management/media/overview/discover-remediate-monitor.png

@@ -20,7 +20,7 @@ This article describes how to onboard a Microsoft Azure subscription or subscrip
 
 ## Explanation
 
-Given Permissions Management is hosted on Azure and you are onboarding your Azure subscriptions to be monitored and managed, setup is simple with few moving parts to configure. Below is what is required to configure onboarding:
+Given that Permissions Management is hosted on Azure and you are onboarding your Azure subscriptions to be monitored and managed, setup is simple with few moving parts to configure. Below is what is required to configure onboarding:
 
 1. When your tenant is onboarded, an application is created in the tenant.
 1. This app requires 'reader' permissions on the subscriptions

articles/active-directory/cloud-infrastructure-entitlement-management/media/ui-dashboard/pci-heat-map.PNG

@@ -20,11 +20,11 @@ This article describes how to onboard a Google Cloud Platform (GCP) project on P
 
 ## Explanation
 
-For GCP, permissions management is scoped to a *GCP project*. A GCP project is a logical collection of your resources in GCP, somewhat analogous to a subscription in Azure, albeit with further configurations you can perform e.g. application registrations.
+For GCP, permissions management is scoped to a *GCP project*. A GCP project is a logical collection of your resources in GCP, somewhat analogous to a subscription in Azure, albeit with further configurations you can perform such as application registrations and OIDC configurations.
 
 <!-- Diagram from Gargi-->
 
-There are several moving parts across GCP and Azure which are required to be configured before onboarding.
+There are several moving parts across GCP and Azure, which are required to be configured before onboarding.
 
 1. An AAD OIDC App
 1. An Workload Identity in GCP
@@ -60,13 +60,13 @@ Choose from 3 options to manage GCP projects.
 
 #### Option 1: Automatically manage 
 
-This option allows projects to be automatically detected and monitored without additional configuration. Steps to detect list of projects and onboard for collection:  
+This option allows projects to be automatically detected and monitored without extra configuration. Steps to detect list of projects and onboard for collection:  
 
 Firstly, grant Viewer and Security Reviewer role to service account created in previous step at organization, folder or project scope. 
 
-Once done, the steps are listed in the screen to do this manually in the GPC console, or programatically with the gcloud CLI.
+Once done, the steps are listed in the screen to do configure this manually in the GPC console, or programatically with the gcloud CLI.
 
-Once this has been configured, click next, then 'Verify Now & Save'.
+Once everything has been configured, click next, then 'Verify Now & Save'.
 
 Any current or future projects found get onboarded automatically. 
 

articles/active-directory/cloud-infrastructure-entitlement-management/media/ui-dashboard/ui-dashboard.png

@@ -34,6 +34,7 @@ Permissions Management  allows customers to address three key use cases: *discov
 
 Permissions Management has been designed in such a way that we recommended your organization sequentially 'step-through' each of the below phases in order to gain insights into permissions across the organization. This is because you generally cannot action what is yet to be discovered, likewise you cannot continually evaluate what is yet to be remediated.
 
+:::image type="content" source="media/overview/discover-remediate-monitor.png" alt-text="Use case for Permissions Management." lightbox="media/overview/discover-remediate-monitor.png":::
 
 ### Discover
 

articles/active-directory/cloud-infrastructure-entitlement-management/onboard-azure.md

@@ -16,6 +16,8 @@ ms.author: kenwith
 
 Permissions Management provides a summary of key statistics and data about your authorization system regularly. This information is available for Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP).
 
+:::image type="content" source="media/ui-dashboard/ui-dashboard.png" alt-text="An example of the Permissions Management dashboard, highlighting key statistics to investigate." lightbox="media/ui-dashboard/ui-dashboard.png":::
+
 ## View metrics related to avoidable risk
 
 The data provided by Permissions Management includes metrics related to avoidable risk. These metrics allow the Permissions Management administrator to identify areas where they can reduce risks related to the principle of least permissions.
@@ -74,6 +76,8 @@ The Permissions Management **Dashboard** displays the following information:
 
 ## The PCI heat map
 
+:::image type="content" source="media/ui-dashboard/pci-heat-map.png" alt-text="An example of the PCI heatmap showing hundreds of identities which require investigation." lightbox="media/ui-dashboard/pci-heat-map.png":::
+
 The **Permission Creep Index**  heat map shows the incurred risk of users with access to high-risk permissions, and provides information about:
 
 - Users who were given access to high-risk permissions but aren't actively using them. *High-risk permissions* include the ability to modify or delete information in the authorization system.