
Commit 44c6d9e

Incorporating feedback into freshness pass
1 parent 9beb4f3 commit 44c6d9e


1 file changed

+36
-35
lines changed


articles/aks/managed-aad.md

Lines changed: 36 additions & 35 deletions
@@ -3,7 +3,7 @@ title: Use Azure AD in Azure Kubernetes Service
33
description: Learn how to use Azure AD in Azure Kubernetes Service (AKS)
44
services: container-service
55
ms.topic: article
6-
ms.date: 01/03/2023
6+
ms.date: 01/23/2023
77
ms.author: miwithro
88
---
99

@@ -20,8 +20,8 @@ Learn more about the Azure AD integration flow in the [Azure AD documentation](c
2020
## Limitations
2121

2222
* AKS-managed Azure AD integration can't be disabled.
23-
* Changing a AKS-managed Azure AD integrated cluster to legacy AAD is not supported.
24-
* Clusters without Kubernetes RBAC enabled aren't supported for AKS-managed Azure AD integration.
23+
* Changing an AKS-managed Azure AD integrated cluster to legacy Azure AD is not supported.
24+
* Clusters without Kubernetes RBAC enabled aren't supported with AKS-managed Azure AD integration.
2525

2626
## Prerequisites
2727

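Review bot: the two limitation bullets in this hunk mix "is not supported" (line 23) with "aren't supported" (line 24); pick one contraction style for the list, for example "isn't supported" on line 23, so the bullets read consistently.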
@@ -156,7 +156,7 @@ Download user credentials again to access your cluster by following the steps [h
156156

157157
## Upgrading to AKS-managed Azure AD integration
158158

159-
If your cluster uses legacy Azure AD integration, you can upgrade to AKS-managed Azure AD integration.
159+
If your cluster uses legacy Azure AD integration, you can upgrade to AKS-managed Azure AD integration by running the following command:
160160

161161
```azurecli-interactive
162162
az aks update -g myResourceGroup -n myManagedCluster --enable-aad --aad-admin-group-object-ids <id> [--aad-tenant-id <id>]
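Review bot: the new lead-in on line 159 says "by running the following command", but the command on line 162 shows `[--aad-tenant-id <id>]` in square brackets without saying what the brackets mean. Suggest stating in the sentence that `--aad-tenant-id` is optional (or when it is needed), or dropping the brackets so the reader is not left guessing which parameters are required for the upgrade.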
@@ -181,17 +181,17 @@ In order to access the cluster, follow the steps [here][access-cluster] to updat
181181

182182
## Non-interactive sign in with kubelogin
183183

184-
There are some non-interactive scenarios, such as continuous integration pipelines, that aren't currently available with `kubectl`. You can use [`kubelogin`](https://github.com/Azure/kubelogin) to access the cluster with non-interactive service principal sign-in.
184+
There are some non-interactive scenarios, such as continuous integration pipelines, that aren't currently available with `kubectl`. You can use [`kubelogin`](https://github.com/Azure/kubelogin) to connect to the cluster with a non-interactive service principal credential.
185185

186186
## Disable local accounts
187187

188-
When deploying an AKS cluster, local accounts are enabled by default. Even when enabling RBAC or Azure AD integration, `--admin` access still exists, essentially as a non-auditable backdoor option. AKS offers the ability to disable local accounts via a flag, `disable-local-accounts`. A field, `properties.disableLocalAccounts`, has also been added to the managed cluster API to indicate whether the feature has been enabled on the cluster.
188+
When you deploy an AKS cluster, local accounts are enabled by default. Even when enabling RBAC or Azure AD integration, `--admin` access still exists as a non-auditable backdoor option. You can disable local accounts using the parameter `disable-local-accounts`. The `properties.disableLocalAccounts` field has been added to the managed cluster API to indicate whether the feature is enabled or not on the cluster.
189189

190190
> [!NOTE]
191191
>
192-
> * On clusters with Azure AD integration enabled, users belonging to a group specified by `aad-admin-group-object-ids` will still be able to gain access via non-admin credentials. On clusters without Azure AD integration enabled and `properties.disableLocalAccounts` set to `true`, obtaining both user and admin credentials will fail.
192+
> * On clusters with Azure AD integration enabled, users assigned to an Azure AD administrators group specified by `aad-admin-group-object-ids` can still gain access using non-administrator credentials. On clusters without Azure AD integration enabled and `properties.disableLocalAccounts` set to `true`, any attempt to authenticate with user or admin credentials will fail.
193193
>
194-
> * After disabling local accounts users on an already existing AKS cluster where users might have used local account/s, admin must [rotate the cluster certificates](certificate-rotation.md), in order to revoke the certificates those users might have access to. If this is a new cluster then no action is required.
194+
> * After disabling local user accounts on an existing AKS cluster where users might have authenticated with local accounts, the administrator must [rotate the cluster certificates](certificate-rotation.md) to revoke certificates they might have had access to. If this is a new cluster, no action is required.
195195
196196
### Create a new cluster without local accounts
197197

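Review bot: in the rewritten note on line 192, "users assigned to an Azure AD administrators group specified by `aad-admin-group-object-ids`" can be read as the directory's administrator role rather than the cluster admin group passed on the command line; suggest "users who belong to a group listed in `aad-admin-group-object-ids`", which keeps the original meaning. Two smaller points in the same hunk: line 188 now writes the parameter as `disable-local-accounts` while the commands later in this file use `--disable-local-accounts`, so keep the leading dashes for consistency; and on line 194 "revoke certificates they might have had access to" has an ambiguous "they" (the original said "those users"), which matters because this sentence is the one telling the administrator why certificate rotation is required after disabling local accounts.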
@@ -221,7 +221,7 @@ Operation failed with status: 'Bad Request'. Details: Getting static credential
221221

222222
### Disable local accounts on an existing cluster
223223

224-
To disable local accounts on an existing AKS cluster, use the [`az aks update`][az-aks-update] command with the `disable-local-accounts` flag.
224+
To disable local accounts on an existing AKS cluster, use the [`az aks update`][az-aks-update] command with the `disable-local-accounts` parameter.
225225

226226
```azurecli-interactive
227227
az aks update -g <resource-group> -n <cluster-name> --enable-aad --aad-admin-group-object-ids <aad-group-id> --disable-local-accounts
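Review bot: line 224 only tells the reader to add the `disable-local-accounts` parameter, but the command on line 227 also passes `--enable-aad --aad-admin-group-object-ids <aad-group-id>`. Given the note earlier in this file that a cluster without Azure AD integration and with `properties.disableLocalAccounts` set to `true` cannot issue any credentials, suggest the sentence say explicitly that an Azure AD admin group must be configured in the same command, otherwise the example reads as if those extra parameters are incidental.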
@@ -247,7 +247,7 @@ Operation failed with status: 'Bad Request'. Details: Getting static credential
247247

248248
### Re-enable local accounts on an existing cluster
249249

250-
AKS also offers the ability to re-enable local accounts on an existing cluster with the `enable-local` flag.
250+
AKS supports enabling a disabled local account on an existing cluster with the `enable-local` parameter.
251251

252252
```azurecli-interactive
253253
az aks update -g <resource-group> -n <cluster-name> --enable-aad --aad-admin-group-object-ids <aad-group-id> --enable-local
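Review bot: the new line 250 "enabling a disabled local account" changes the meaning from the original "re-enable local accounts" (plural, the whole feature) to a single account; suggest "re-enabling local accounts". Separately, the prose and the command on line 253 use `enable-local` / `--enable-local`, whereas the disable counterpart on line 224 is the full `--disable-local-accounts`; please confirm the exact parameter name against `az aks update --help` before this ships, since the asymmetry looks like a truncation.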
@@ -280,40 +280,41 @@ When integrating Azure AD with your AKS cluster, you can also use [Conditional A
280280
281281
Complete the following steps to create an example Conditional Access policy to use with AKS:
282282

283-
1. At the top of the Azure portal, search for and select Azure Active Directory.
284-
2. In the menu for Azure Active Directory on the left-hand side, select *Enterprise applications*.
285-
3. In the menu for Enterprise applications on the left-hand side, select *Conditional Access*.
286-
4. In the menu for Conditional Access on the left-hand side, select *Policies* then *New policy*.
283+
1. In the Azure portal, navigate to the **Azure Active Directory** page.
284+
2. From the left-hand pane, select **Enterprise applications**.
285+
3. On the **Enterprise applications** page, from the left-hand pane select **Conditional Access**.
286+
4. On the **Conditional Access** page, from the left-hand pane select **Policies** and then select **New policy**.
287287
:::image type="content" source="./media/managed-aad/conditional-access-new-policy.png" alt-text="Adding a Conditional Access policy":::
288-
5. Enter a name for the policy such as *aks-policy*.
289-
6. Select *Users and groups*, then under *Include* select *Select users and groups*. Choose the users and groups where you want to apply the policy. For this example, choose the same Azure AD group that has administration access to your cluster.
288+
5. Enter a name for the policy, for example **aks-policy**.
289+
6. Under **Assignments** select **Users and groups**. Choose your users and groups you want to apply the policy to. In this example, choose the same Azure AD group that has administrator access to your cluster.
290290
:::image type="content" source="./media/managed-aad/conditional-access-users-groups.png" alt-text="Selecting users or groups to apply the Conditional Access policy":::
291-
7. Select *Cloud apps or actions*, then under *Include* select *Select apps*. Search for *Azure Kubernetes Service* and select *Azure Kubernetes Service AAD Server*.
291+
7. Under **Cloud apps or actions > Include**, select **Select apps**. Search for **Azure Kubernetes Service** and then select **Azure Kubernetes Service AAD Server**.
292292
:::image type="content" source="./media/managed-aad/conditional-access-apps.png" alt-text="Selecting Azure Kubernetes Service AD Server for applying the Conditional Access policy":::
293-
8. Under *Access controls*, select *Grant*. Select *Grant access* then *Require device to be marked as compliant*.
293+
8. Under **Access controls > Grant**, select **Grant access**, **Require device to be marked as compliant**, and select **Select**.
294294
:::image type="content" source="./media/managed-aad/conditional-access-grant-compliant.png" alt-text="Selecting to only allow compliant devices for the Conditional Access policy":::
295-
9. Under *Enable policy*, select *On* then *Create*.
295+
9. Confirm your settings and set **Enable policy** to **On**.
296296
:::image type="content" source="./media/managed-aad/conditional-access-enable-policy.png" alt-text="Enabling the Conditional Access policy":::
297+
10. Select **Create** to create and enable your policy.
297298

298-
Once you've created the Conditional Access policy, use the following steps to verify it has been successfully listed:
299+
After creating the Conditional Access policy, perform the following steps to verify it has been successfully listed.
299300

300-
1. Get the user credentials to access the cluster, for example:
301+
11. To get the user credentials to access the cluster, run the following command:
301302

302303
```azurecli-interactive
303304
az aks get-credentials --resource-group myResourceGroup --name myManagedCluster
304305
```
305306
306-
2. Follow the instructions to sign in.
307+
12. Follow the instructions to sign in.
307308
308-
3. Use the `kubectl get nodes` command to view nodes in the cluster.
309+
13. View nodes in the cluster with the `kubectl get nodes` command:
309310
310311
```azurecli-interactive
311312
kubectl get nodes
312313
```
313314
314-
4. Follow the instructions to sign in again. Notice there's an error message stating you're successfully logged in, but your admin requires the device requesting access to be managed by your Azure AD to access the resource.
315+
14. In the Azure portal, navigate to **Azure Active Directory**. From the left-hand pane select **Enterprise applications**, and then under **Activity** select **Sign-ins**.
315316
316-
5. In the Azure portal, navigate to Azure Active Directory, select *Enterprise applications* then under *Activity* select *Sign-ins*. Notice an entry at the top with a *Status* of *Failed* and a *Conditional Access* of *Success*. Select the entry then select *Conditional Access* in *Details*. Notice your Conditional Access policy is listed.
317+
15. Notice in the top of the results an event with a status of **Failed**, and under the **Conditional Access** column, a status of **Success**. Select the event and then select **Conditional Access** tab. Notice your Conditional Access policy is listed.
317318
:::image type="content" source="./media/managed-aad/conditional-access-sign-in-activity.png" alt-text="Failed sign-in entry due to Conditional Access policy":::
318319
319320
## Configure just-in-time cluster access with Azure AD and AKS
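Review bot: the rewritten verification steps lose the expected outcome. The removed line 314 told the reader that running `kubectl get nodes` triggers a new sign-in that fails with a message that the device must be managed by Azure AD; the new steps 13 and 14 go straight from `kubectl get nodes` to the portal sign-in log without saying what the reader should observe, so the "Failed" status in step 15 appears unexplained. Suggest restoring a sentence after step 13 such as "Follow the sign-in instructions again. The sign-in fails with a message that your admin requires the device to be managed by Azure AD." Also, the verification list now continues the numbering at 11 across the intervening paragraph on line 299; since this is a separate procedure, restarting at 1 (as before) keeps the two lists independent.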
@@ -325,26 +326,26 @@ Another option for cluster access control is to use Privileged Identity Manageme
325326
326327
To integrate just-in-time access requests with an AKS cluster using AKS-managed Azure AD integration, complete the following steps:
327328
328-
1. At the top of the Azure portal, search for and select *Azure Active Directory*.
329-
1. Take note of the Tenant ID, referred to for the rest of these instructions as `<tenant-id>`.
329+
1. In the Azure portal, navigate to **Azure Active Directory**.
330+
1. Select **Properties**. Scroll down to the **Tenant ID** field. Your tenant ID will be in the box. Note this value as it's referenced later in a step as `<tenant-id>`.
330331
:::image type="content" source="./media/managed-aad/jit-get-tenant-id.png" alt-text="In a web browser, the Azure portal screen for Azure Active Directory is shown with the tenant's ID highlighted.":::
331-
2. In the Azure Active Directory menu on the left-hand side under *Manage*, select *Groups*, then *New Group*.
332+
2. From the left-hand pane, under **Manage**, select **Groups** and then select **New group**.
332333
:::image type="content" source="./media/managed-aad/jit-create-new-group.png" alt-text="Shows the Azure portal Active Directory groups screen with the 'New Group' option highlighted.":::
333-
3. Make sure a Group Type of *Security* is selected and enter a group name, such as *myJITGroup*. Under *Azure AD Roles can be assigned to this group (Preview)*, select *Yes*. Finally, select *Create*.
334+
3. Verify the group type **Security** is selected and specify a group name, such as **myJITGroup**. Under the option **Azure AD roles can be assigned to this group (Preview)**, select **Yes** and then select **Create**.
334335
:::image type="content" source="./media/managed-aad/jit-new-group-created.png" alt-text="Shows the Azure portal's new group creation screen.":::
335-
4. You'll be brought back to the *Groups* page. Select your newly created group and take note of the Object ID, referred to for the rest of these instructions as `<object-id>`.
336+
4. On the **Groups** page, select the group you just created and note the Object ID. This will be referenced in a later step as `<object-id>`.
336337
:::image type="content" source="./media/managed-aad/jit-get-object-id.png" alt-text="Shows the Azure portal screen for the just-created group, highlighting the Object Id":::
337-
5. Deploy an AKS cluster with AKS-managed Azure AD integration by using the `<tenant-id>` and `<object-id>` values from earlier:
338+
5. Create the AKS cluster with AKS-managed Azure AD integration using the `az aks create` command with the `--aad-admin-group-objects-ids` and `--aad-tenant-id parameters` and include the values noted in the steps earlier.
338339
```azurecli-interactive
339340
az aks create -g myResourceGroup -n myManagedCluster --enable-aad --aad-admin-group-object-ids <object-id> --aad-tenant-id <tenant-id>
340341
```
341-
6. Back in the Azure portal, in the *Activity* menu on the left-hand side, select *Privileged Access (Preview)* and *Enable Privileged Access*.
342+
6. In the Azure portal, select **Activity** from the left-hand pane. Select **Privileged Access (Preview)** and then select **Enable Privileged Access**.
342343
:::image type="content" source="./media/managed-aad/jit-enabling-priv-access.png" alt-text="The Azure portal's Privileged access (Preview) page is shown, with 'Enable privileged access' highlighted":::
343-
7. Select *Add Assignments* to begin granting access.
344+
7. To grant access, select **Add assignments**.
344345
:::image type="content" source="./media/managed-aad/jit-add-active-assignment.png" alt-text="The Azure portal's Privileged access (Preview) screen after enabling is shown. The option to 'Add assignments' is highlighted.":::
345-
8. Select a role of *member*, and select the users and groups to whom you wish to grant cluster access. These assignments can be modified at any time by a group admin. When you're ready to move on, select *Next*.
346+
8. From the **Select role** drop-down list, select the users and groups you want to grant cluster access. These assignments can be modified at any time by a group administrator. Then select **Next**.
346347
:::image type="content" source="./media/managed-aad/jit-adding-assignment.png" alt-text="The Azure portal's Add assignments Membership screen is shown, with a sample user selected to be added as a member. The option 'Next' is highlighted.":::
347-
9. Choose an assignment type of *Active*, the desired duration, and provide a justification. When you're ready to proceed, select *Assign*. For more on assignment types, see [Assign eligibility for a privileged access group (preview) in Privileged Identity Management][aad-assignments].
348+
9. Under **Assignment type**, select **Active** and then specify the desired duration. Provide a justification and then select **Assign**. For more information about assignment types, see [Assign eligibility for a privileged access group (preview) in Privileged Identity Management][aad-assignments].
348349
:::image type="content" source="./media/managed-aad/jit-set-active-assignment-details.png" alt-text="The Azure portal's Add assignments Setting screen is shown. An assignment type of 'Active' is selected and a sample justification has been given. The option 'Assign' is highlighted.":::
349350
350351
Once the assignments have been made, verify just-in-time access is working by accessing the cluster. For example:
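Review bot: step 5 on line 338 names the parameter `--aad-admin-group-objects-ids` (extra "s"), which does not match the command on line 340, `--aad-admin-group-object-ids`; and the backticks there wrap "parameters" into the code span (`--aad-tenant-id parameters`), so the rendered text will show the word as part of the flag. Suggest "with the `--aad-admin-group-object-ids` and `--aad-tenant-id` parameters". Also in step 8 on line 346, the original "Select a role of *member*, and select the users and groups" has become "From the **Select role** drop-down list, select the users and groups", which conflates the role choice with the member selection; keep both actions. Finally, the list still numbers the first two steps "1." and "1." (lines 329 and 330), so the step references later in the procedure will be off by one when rendered.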
