Commit 5cb39db

Merge pull request #189827 from MicrosoftDocs/main
2/25 PM Publish
2 parents 497e832 + aa57f14 commit 5cb39db

177 files changed

+1280
-917
lines changed


CONTRIBUTING.md

Lines changed: 9 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -2,27 +2,29 @@
22

33
Thank you for taking the time to contribute to the Microsoft Azure documentation.
44

5-
This guide covers some general topics related to contribution and refers to the [contributors guide](https://docs.microsoft.com/contribute) for more detailed explanations when required.
5+
This guide covers some general topics related to contribution and refers to the [contributor guide](https://docs.microsoft.com/contribute) for more detailed explanations when required.
66

77
## Code of Conduct
88

99
This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
10-
For more information, see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/), or contact [[email protected]](mailto:[email protected]) with any additional questions or comments.
10+
11+
For more information, see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or contact [[email protected]](mailto:[email protected]) with any additional questions or comments.
1112

1213
## How can I contribute?
1314

14-
There are many ways to contribute to the documentation, review the sections below to find out which one is right for you.
15+
There are many ways to contribute to the documentation. Review the following sections to find out which one is right for you.
1516

16-
### Reporting Bugs and Suggesting Enhancements
17+
### Reporting bugs and suggesting enhancements
1718

1819
Please use the Feedback tool at the bottom of any article to submit bugs and suggestions.
1920

2021
![Feedback Tool](media/feedback-tool.png)
2122

2223
### Editing in GitHub
2324

24-
Follow the guidance for [Quick edits to existing documents](/contribute/#quick-edits-to-existing-documents) in our contributors guide.
25+
Follow the guidance for [Quick edits to existing documents](https://docs.microsoft.com/contribute/#quick-edits-to-existing-documents) in our contributor guide.
26+
27+
### Pull requests
2528

26-
### Pull Request
29+
Review the guidance for [pull requests](https://docs.microsoft.com/contribute/how-to-write-workflows-major#pull-request-processing) and the contribution workflow in our contributor guide.
2730

28-
Review the guidance for [Pull Requests](/contribute/how-to-write-workflows-major#pull-request-processing) in our contributors guide.
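Review bot: the two links rewritten in this hunk (lines 25 and 29) keep their fragments, `#quick-edits-to-existing-documents` and `#pull-request-processing`, while moving from site-relative `/contribute/...` paths to absolute `https://docs.microsoft.com/contribute/...` URLs. That is the right fix for a file that is read on GitHub, where a site-relative path would resolve against github.com, but a fragment that no longer exists on the target page fails silently, so confirm both anchors against the live contributor guide before merging. The accompanying "contributors guide" to "contributor guide" rename and the sentence-case headings are consistent across the hunk.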

articles/active-directory/conditional-access/resilience-defaults.md

Lines changed: 8 additions & 5 deletions
@@ -6,7 +6,7 @@ services: active-directory
66
ms.service: active-directory
77
ms.subservice: conditional-access
88
ms.topic: how-to
9-
ms.date: 09/13/2021
9+
ms.date: 02/25/2022
1010

1111
ms.author: joflore
1212
author: MicrosoftGuyJFlo
@@ -15,7 +15,7 @@ ms.reviewer: dawoo
1515

1616
ms.collection: M365-identity-device-management
1717
---
18-
# Conditional Access: Resilience defaults (Preview)
18+
# Conditional Access: Resilience defaults
1919

2020
If there was an outage of the primary authentication service, the Azure Active Directory (Azure AD) Backup Authentication Service may automatically issue access tokens to applications for existing sessions. This functionality may significantly increase Azure AD resilience, because reauthentications for existing sessions account for more than 90% of authentications to Azure AD. The Backup Authentication Service doesn't support new sessions or authentications by guest users.
2121

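Review bot: dropping "(Preview)" from the H1 on line 18 declares the feature generally available, but the hunk touches only the heading; check that any front-matter `title:` or `description:` field and any other "preview" wording in the body (none of which this hunk shows) were updated in the same commit, otherwise the article announces GA in the heading and preview elsewhere.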
@@ -24,7 +24,10 @@ For authentications protected by Conditional Access, policies are reevaluated be
2424
1. Which Conditional Access policies apply?
2525
1. For policies that do apply, were the required controls are satisfied?
2626

27-
During an outage, not all conditions can be evaluated in real time by the Backup Authentication Service to determine whether a Conditional Access policy should apply. Conditional Access resilience defaults are a new session control that lets admins decide whether to block authentications during an outage whenever a policy condition cannot be evaluated in real-time or allow policies to be evaluated using data collected at the beginning of the user’s session.
27+
During an outage, not all conditions can be evaluated in real time by the Backup Authentication Service to determine whether a Conditional Access policy should apply. Conditional Access resilience defaults are a new session control that lets admins decide between:
28+
29+
- Whether to block authentications during an outage whenever a policy condition can’t be evaluated in real-time.
30+
- Allow policies to be evaluated using data collected at the beginning of the user’s session.
2831

2932
> [!IMPORTANT]
3033
> Resilience defaults are automatically enabled for all new and existing policies, and Microsoft highly recommends leaving the resilience defaults enabled to mitigate the impact of an outage. Admins may disable resilience defaults for individual Conditional Access policies.
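Review bot: the two new bullets on lines 29 and 30 are not parallel after "lets admins decide between:"; the first begins "Whether to block" and the second begins with the imperative "Allow". Suggest "- Block authentications during an outage whenever a policy condition can't be evaluated in real time." and "- Allow policies to be evaluated using data collected at the beginning of the user's session." Also, "real-time" is hyphenated only when used as an adjective; after "evaluated in" it should be "real time", matching "in real time" earlier in the same paragraph. Pre-existing in the unchanged context line 25: "were the required controls are satisfied?" has a stray "are".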
@@ -58,7 +61,7 @@ When resilience defaults are enabled, the Backup Authentication Service may use
5861

5962
## Resilience defaults disabled
6063

61-
When resilience defaults are disabled, the Backup Authentication Service won't use data collected at the beginning of the session to evaluate conditions. During an outage, if a policy condition cannot be evaluated in real-time, access will be denied.
64+
When resilience defaults are disabled, the Backup Authentication Service won't use data collected at the beginning of the session to evaluate conditions. During an outage, if a policy condition can’t be evaluated in real-time, access will be denied.
6265

6366
**Example**: A policy with resilience defaults disabled requires all global admins accessing the Azure portal to do MFA. Before an outage, if a user who isn't a global admin accesses the Azure portal, the policy wouldn't apply, and the user would be granted access without being prompted for MFA. During an outage, the Backup Authentication Service would reevaluate the policy to determine whether the user should be prompted for MFA. **Since the Backup Authentication Service cannot evaluate role membership in real-time, it would block the user from accessing the Azure Portal.**
6467

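Review bot: line 64 changes "cannot" to "can't", but the unchanged context on line 66 (the bolded example sentence) still reads "cannot evaluate role membership in real-time" and refers to the "Azure Portal" with a capital P where the same paragraph says "Azure portal". Since this hunk is a wording pass, align that line as well: "can't evaluate role membership in real time" and "Azure portal".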
@@ -67,7 +70,7 @@ When resilience defaults are disabled, the Backup Authentication Service won't u
6770
6871
## Testing resilience defaults
6972

70-
It isn't possible to conduct a dry run using the Backup Authentication Service or simulate the result of a policy with resilience defaults enabled or disabled at this time. Azure AD will conduct monthly exercises using the Backup Authentication Service and the sign-in logs will display if the Backup Authentication Service was used to issue the access token.
73+
It isn't possible to conduct a dry run using the Backup Authentication Service or simulate the result of a policy with resilience defaults enabled or disabled at this time. Azure AD will conduct monthly exercises using the Backup Authentication Service. The sign-in logs will display if the Backup Authentication Service was used to issue the access token.
7174

7275
## Configuring resilience defaults
7376

articles/active-directory/develop/security-best-practices-for-app-registration.md

Lines changed: 1 addition & 1 deletion
@@ -49,7 +49,7 @@ It's important to keep Redirect URIs of your application up to date. A lapse in
4949

5050
## Implicit flow token configuration
5151

52-
Scenarios that require **implicit flow** can now use **Auth code flow** to reduce the risk of compromise associated with implicit grant flow misuse. If you configured your application registration to get Access tokens using implicit flow, but don't actively use it, we recommend you turn off the setting to protect from misuse.
52+
Scenarios that required **implicit flow** can now use **Auth code flow** to reduce the risk of compromise associated with implicit grant flow misuse. If you configured your application registration to get Access tokens using implicit flow, but don't actively use it, we recommend you turn off the setting to protect from misuse.
5353

5454
![access tokens used for implicit flows](media/active-directory-application-registration-best-practices/implict-grant-flow.png)
5555

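Review bot: changing "require" to "required" on line 52 correctly frames implicit flow as a legacy need, but the rest of the sentence is left inconsistent: "Access tokens" is capitalised mid-sentence, and the paragraph alternates between "implicit flow", "implicit grant flow" and "Auth code flow". Suggest lowercase "access tokens" and one name per flow (for example "implicit grant flow" and "authorization code flow"), and consider putting the recommendation to turn the setting off in its own sentence so the action stands out from the explanation.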
articles/active-directory/devices/enterprise-state-roaming-enable.md

Lines changed: 14 additions & 15 deletions
@@ -11,14 +11,13 @@ ms.date: 02/15/2022
1111
ms.author: joflore
1212
author: MicrosoftGuyJFlo
1313
manager: karenhoran
14-
ms.reviewer: na
14+
ms.reviewer: guovivian
1515
ms.custom: references_regions
1616
ms.collection: M365-identity-device-management
1717
---
1818
# Enable Enterprise State Roaming in Azure Active Directory
1919

20-
Enterprise State Roaming is available to any organization with an Azure AD Premium or Enterprise Mobility + Security
21-
(EMS) license. For more information on how to get an Azure AD subscription, see the [Azure AD product page](https://azure.microsoft.com/services/active-directory).
20+
Enterprise State Roaming is available to any organization with an Azure AD Premium or Enterprise Mobility + Security (EMS) license. For more information on how to get an Azure AD subscription, see the [Azure AD product page](https://azure.microsoft.com/services/active-directory).
2221

2322
When you enable Enterprise State Roaming, your organization is automatically granted a free, limited-use license for Azure Rights Management protection from Azure Information Protection. This free subscription is limited to encrypting and decrypting enterprise settings and application data synced by Enterprise State Roaming. You must have [a paid subscription](https://azure.microsoft.com/services/information-protection/) to use the full capabilities of the Azure Rights Management service.
2423

@@ -27,17 +26,17 @@ When you enable Enterprise State Roaming, your organization is automatically gra
2726
2827
## To enable Enterprise State Roaming
2928

30-
1. Sign in to [Azure AD admin center](https://aad.portal.azure.com/).
31-
1. Select **Azure Active Directory** > **Devices** > **Enterprise State Roaming**.
29+
1. Sign in to the [Azure portal](https://portal.azure.com/).
30+
1. Browse to **Azure Active Directory** > **Devices** > **Enterprise State Roaming**.
3231
1. Select **Users may sync settings and app data across devices**. For more information, see [how to configure device settings](./device-management-azure-portal.md).
3332

3433
![image of device setting labeled Users may sync settings and app data across devices](./media/enterprise-state-roaming-enable/device-settings.png)
3534

36-
For a Windows 10 or newer device to use the Enterprise State Roaming service, the device must authenticate using an Azure AD identity. For devices that are joined to Azure AD, the user’s primary sign-in identity is their Azure AD identity, so no additional configuration is required. For devices that use on-premises Active Directory, the IT admin must [Configure hybrid Azure Active Directory joined devices](./hybrid-azuread-join-plan.md).
35+
For a Windows 10 or newer device to use the Enterprise State Roaming service, the device must authenticate using an Azure AD identity. For devices that are joined to Azure AD, the user’s primary sign-in identity is their Azure AD identity, so no other configuration is required. For devices that use on-premises Active Directory, the IT admin must [Configure hybrid Azure Active Directory joined devices](./hybrid-azuread-join-plan.md).
3736

3837
## Data storage
3938

40-
Enterprise State Roaming data is hosted in one or more [Azure regions](https://azure.microsoft.com/regions/) that best align with the country/region value set in the Azure Active Directory instance. Enterprise State Roaming data is partitioned based on three major geographic regions: North America, EMEA, and APAC. Enterprise State Roaming data for the tenant is locally located with the geographical region, and is not replicated across regions. For example:
39+
Enterprise State Roaming data is hosted in one or more [Azure regions](https://azure.microsoft.com/regions/) that best align with the country/region value set in the Azure Active Directory instance. Enterprise State Roaming data is partitioned based on three major geographic regions: North America, EMEA, and APAC. Enterprise State Roaming data for the tenant is locally located with the geographical region, and isn't replicated across regions. For example:
4140

4241
| Country/region value | has their data hosted in |
4342
| -------------------- | ------------------------ |
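Review bot: the sign-in steps on lines 29 and 30 now direct the reader to the Azure portal and use "Browse to" for navigation, which is consistent with the unchanged step 31; while this section is being reworded, the table header carried in the hunk's trailing context, "| Country/region value | has their data hosted in |", is a sentence fragment in a header cell. Suggest "| Country/region value | Data hosted in |".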
@@ -46,7 +45,7 @@ Enterprise State Roaming data is hosted in one or more [Azure regions](https://a
4645
| An APAC country/region such as Australia or New Zealand | One or more of the Azure regions within Asia |
4746
| South American and Antarctica regions | One or more Azure regions within the US |
4847

49-
The country/region value is set as part of the Azure AD directory creation process and cannot be subsequently modified. If you need more details on your data storage location, file a ticket with [Azure support](https://azure.microsoft.com/support/options/).
48+
The country/region value is set as part of the Azure AD directory creation process and can’t be modified later. If you need more details on your data storage location, file a ticket with [Azure support](https://azure.microsoft.com/support/options/).
5049

5150
## View per-user device sync status
5251

@@ -60,27 +59,27 @@ Follow these steps to view a per-user device sync status report.
6059

6160
## Data retention
6261

63-
Data synced to the Microsoft cloud using Enterprise State Roaming is retained until it is manually deleted or until the data in question is determined to be stale.
62+
Data synced to the Microsoft cloud using Enterprise State Roaming is retained until it's manually deleted or until the data is determined to be stale.
6463

6564
### Explicit deletion
6665

67-
Explicit deletion is when an Azure admin deletes a user or a directory or otherwise requests explicitly that data is to be deleted.
66+
Explicit deletion is when an administrator deletes a user, directory, or requests explicitly that data is to be deleted.
6867

6968
* **User deletion**: When a user is deleted in Azure AD, the user account roaming data is deleted after 90 to 180 days.
7069
* **Directory deletion**: Deleting an entire directory in Azure AD is an immediate operation. All the settings data associated with that directory is deleted after 90 to 180 days.
7170
* **On request deletion**: If the Azure AD admin wants to manually delete a specific user’s data or settings data, the admin can file a ticket with [Azure support](https://azure.microsoft.com/support/).
7271

7372
### Stale data deletion
7473

75-
Data that has not been accessed for one year (“the retention period”) will be treated as stale and may be deleted from the Microsoft cloud. The retention period is subject to change but will not be less than 90 days. The stale data may be a specific set of Windows/application settings or all settings for a user. For example:
74+
Data that hasn't been accessed for one year (“the retention period”) will be treated as stale and may be deleted from the Microsoft cloud. The retention period is subject to change but won't be less than 90 days. The stale data may be a specific set of Windows/application settings or all settings for a user. For example:
7675

77-
* If no devices access a particular settings collection (for example, an application is removed from the device, or a settings group such as “Theme” is disabled for all of a user’s devices), then that collection becomes stale after the retention period and may be deleted.
78-
* If a user has turned off settings sync on all their devices, then none of the settings data will be accessed, and all the settings data for that user will become stale and may be deleted after the retention period.
79-
* If the Azure AD directory admin turns off Enterprise State Roaming for the entire directory, then all users in that directory will stop syncing settings, and all settings data for all users will become stale and may be deleted after the retention period.
76+
* If no devices access a particular settings collection like language, then that collection becomes stale after the retention period and may be deleted.
77+
* If a user has turned off settings sync on all their devices, then none of the settings data will be accessed. All the settings data for that user will become stale and may be deleted after the retention period.
78+
* If the Azure AD directory admin turns off Enterprise State Roaming for the entire directory, then all users in that directory will stop syncing settings. All settings data for all users will become stale and may be deleted after the retention period.
8079

8180
### Deleted data recovery
8281

83-
The data retention policy is not configurable. Once the data is permanently deleted, it is not recoverable. However, The settings data is deleted only from the Microsoft cloud, not from the end-user device. If any device later reconnects to the Enterprise State Roaming service, the settings are again synced and stored in the Microsoft cloud.
82+
The data retention policy isn't configurable. Once the data is permanently deleted, it isn't recoverable. However, The settings data is deleted only from the Microsoft cloud, not from the end-user device. If any device later reconnects to the Enterprise State Roaming service, the settings are again synced and stored in the Microsoft cloud.
8483

8584
## Next steps
8685

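Review bot: the rewritten explicit-deletion sentence on line 66 is not grammatically parallel: "deletes a user, directory, or requests explicitly that data is to be deleted" attaches two objects to "deletes" and then a third item that is a verb. Suggest "Explicit deletion is when an administrator deletes a user or a directory, or explicitly requests that data be deleted." Second, the first stale-data bullet on line 76 replaces the old parenthetical (an application removed from the device, or a settings group such as "Theme" disabled on all of a user's devices) with the bare example "like language", which drops the explanation of what causes a collection to go unaccessed; keep at least one of the original causes. Third, line 82 is modified but retains the pre-existing "However, The settings data" with a capital T after the comma.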