Updates based on Sathya's review

James Green · James Green · commit 6839eefa0c58 · 2022-09-28T09:45:57.000+01:00
diff --git a/articles/private-5g-core/collect-required-information-for-private-mobile-network.md b/articles/private-5g-core/collect-required-information-for-private-mobile-network.md
@@ -42,25 +42,25 @@ As part of creating your private mobile network, you can provision one or more S
 
 If you want to provision SIMs as part of deploying your private mobile network:
 
-1. Choose one of the following encryption types for for the new SIM group to which all of the SIMs you provision will be added:  
+1. Choose one of the following encryption types for the new SIM group to which all of the SIMs you provision will be added:  
 Note that once the SIM group is created, the encryption type cannot be changed.
-    - Microsoft-managed keys (MMK) that automatically renew when needed.
+    - Microsoft-managed keys (MMK) that Microsoft manages internally for [Encryption at rest](/azure/security/fundamentals/encryption-atrest).
     - Customer-managed keys (CMK) that you must manually configure.  
     You must create a Key URI in your [Azure Key Vault](https://docs.microsoft.com/azure/key-vault/) and a [User-assigned identity](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview) with read, wrap, and unwrap access to the key.
-         - The key must be configured to have an activation and expiration date and we recommend that you enable automatic rotation for the key.
+         - The key must be configured to have an activation and expiration date and we recommend that you [configure cryptographic key auto-rotation in Azure Key Vault](https://learn.microsoft.com/azure/key-vault/keys/how-to-configure-key-rotation).
          - The SIM group accesses the key via the user-assigned identity.
          - For additional information on configuring CMK for a SIM group, see [Configure customer-managed keys](https://docs.microsoft.com/azure/cosmos-db/how-to-setup-cmk).
 
 1. Collect each of the values given in the following table for the SIM group you want to provision.
 
-   |Value  |Field name in Azure portal  | JSON file parameter name |
-   |---------|---------|---------|
-   |The name for the SIM group resource. The name must only contain alphanumeric characters, dashes, and underscores. |**SIM group name**|`simGroupName`|
-   |The region that the SIM group belongs to.|**Region**|`simGroupRegion`|
-   |The mobile network that the SIM group belongs to.|**Mobile network**|`simGroupMobileNetwork`|
-   |The chosen encryption type for the SIM group. Microsoft-managed keys (MMK) by default, or customer-managed keys (CMK).|**Encryption Type**|`simGroupEncryption`|
-   |The Azure Key Vault URI containing the customer-managed Key for the SIM group.|**Key URI**|`simGroupKeyURI`|
-   |The User-assigned identity for accessing the SIM group's customer-managed Key within the Azure Key Vault.|**User-assigned identity**|`simGroupUserAssignedIdentity`|
+   |Value  |Field name in Azure portal  |
+   |---------|---------|
+   |The name for the SIM group resource. The name must only contain alphanumeric characters, dashes, and underscores. |**SIM group name**|
+   |The region that the SIM group belongs to.|**Region**|
+   |The mobile network that the SIM group belongs to.|**Mobile network**|
+   |The chosen encryption type for the SIM group. Microsoft-managed keys (MMK) by default, or customer-managed keys (CMK).|**Encryption Type**|
+   |The Azure Key Vault URI containing the customer-managed Key for the SIM group.|**Key URI**|
+   |The User-assigned identity for accessing the SIM group's customer-managed Key within the Azure Key Vault.|**User-assigned identity**|
 
 1. Choose one of the following methods for provisioning your SIMs:
 
diff --git a/articles/private-5g-core/security.md b/articles/private-5g-core/security.md
@@ -30,14 +30,12 @@ Azure Private 5G Core packet core instances are deployed on Azure Stack Edge dev
 
 ## Customer-managed key encryption at rest
 
-In addition to Platform-Managed Keys, you have the option of using Microsoft Managed Keys (MMK) or Customer Managed Keys (CMK) when [creating a SIM group](manage-sim-groups.md#create-a-sim-group) or [when deploying a private mobile network](how-to-guide-deploy-a-private-mobile-network-azure-portal.md#deploy-your-private-mobile-network).
+In addition to the default [Encryption at rest](#encryption-at-rest) using Microsoft-Managed Keys (MMK), you can optionally use Customer Managed Keys (CMK) when [creating a SIM group](manage-sim-groups.md#create-a-sim-group) or [when deploying a private mobile network](how-to-guide-deploy-a-private-mobile-network-azure-portal.md#deploy-your-private-mobile-network) to encrypt data with your own key.
 
-If you elect to use a CMK, you will need to:
-
-- [create the CMK](https://learn.microsoft.com/azure/cosmos-db/how-to-setup-customer-managed-keys) with activation and expiration dates and make a note of the key's URI,
-- and [create a user-assigned identity](https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities?pivots=identity-mi-methods-azp) with read, wrap, and unwrap access to the key within your [Azure Key Vault](https://docs.microsoft.com/azure/key-vault/).
-
-Additionally, we recommend that you [configure cryptographic key auto-rotation in Azure Key Vault](https://learn.microsoft.com/azure/key-vault/keys/how-to-configure-key-rotation).  
+If you elect to use a CMK, you will need to create a Key URI in your [Azure Key Vault](https://docs.microsoft.com/azure/key-vault/) and a [User-assigned identity](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview) with read, wrap, and unwrap access to the key.
+    - The key must be configured to have an activation and expiration date and we recommend that you [configure cryptographic key auto-rotation in Azure Key Vault](https://learn.microsoft.com/azure/key-vault/keys/how-to-configure-key-rotation).
+    - The SIM group accesses the key via the user-assigned identity.
+    - For additional information on configuring CMK for a SIM group, see [Configure customer-managed keys](https://docs.microsoft.com/azure/cosmos-db/how-to-setup-cmk).
 
 > [!IMPORTANT]
 > Once a SIM group is created, you cannot change the encryption type. However, if the SIM group uses CMK, you can update the key used for encryption.
