edit pass: linux-aad-and-overview-aad

paulth1 · paulth1 · commit 70e5dce32c73 · 2019-11-15T15:37:17.000-08:00
diff --git a/articles/virtual-machines/linux/disk-encryption-linux-aad.md b/articles/virtual-machines/linux/disk-encryption-linux-aad.md
@@ -49,15 +49,15 @@ Use the [az vm encryption enable](/cli/azure/vm/encryption#az-vm-encryption-enab
 
 -  **Encrypt a running VM by using a client secret:**
     
-         ```azurecli-interactive
+     ```azurecli-interactive
          az vm encryption enable --resource-group "MyVirtualMachineResourceGroup" --name "MySecureVM" --aad-client-id "<my spn created with CLI/my Azure AD ClientID>"  --aad-client-secret "My-AAD-client-secret" --disk-encryption-keyvault "MySecureVault" --volume-type [All|OS|Data]
-         ```
+     ```
 
 - **Encrypt a running VM by using KEK to wrap the client secret:**
     
-         ```azurecli-interactive
+     ```azurecli-interactive
          az vm encryption enable --resource-group "MyVirtualMachineResourceGroup" --name "MySecureVM" --aad-client-id "<my spn created with CLI which is the Azure AD ClientID>"  --aad-client-secret "My-AAD-client-secret" --disk-encryption-keyvault  "MySecureVault" --key-encryption-key "MyKEK_URI" --key-encryption-keyvault "MySecureVaultContainingTheKEK" --volume-type [All|OS|Data]
-         ```
+     ```
 
    >[!NOTE]
    > The syntax for the value of the disk-encryption-keyvault parameter is the full identifier string: 
@@ -66,22 +66,22 @@ https://[keyvault-name].vault.azure.net/keys/[kekname]/[kek-unique-id].
 
 - **Verify that the disks are encrypted:** To check on the encryption status of an IaaS VM, use the [az vm encryption show](/cli/azure/vm/encryption#az-vm-encryption-show) command. 
 
-         ```azurecli-interactive
+     ```azurecli-interactive
          az vm encryption show --name "MySecureVM" --resource-group "MyVirtualMachineResourceGroup"
-         ```
+     ```
 
 - **Disable encryption:** To disable encryption, use the [az vm encryption disable](/cli/azure/vm/encryption#az-vm-encryption-disable) command. Disabling encryption is only allowed on data volumes for Linux VMs.
     
-         ```azurecli-interactive
+     ```azurecli-interactive
          az vm encryption disable --name "MySecureVM" --resource-group "MyVirtualMachineResourceGroup" --volume-type DATA
-         ```
+     ```
 
 ### <a name="bkmk_RunningLinuxPSH"> </a> Enable encryption on an existing or running Linux VM by using PowerShell
 Use the [Set-AzVMDiskEncryptionExtension](/powershell/module/az.compute/set-azvmdiskencryptionextension) cmdlet to enable encryption on a running IaaS virtual machine in Azure. Take a [snapshot](snapshot-copy-managed-disk.md) or make a backup of the VM with [Azure Backup](../../backup/backup-azure-vms-encryption.md) before the disks are encrypted. The -skipVmBackup parameter is already specified in the PowerShell scripts to encrypt a running Linux VM.
 
 - **Encrypt a running VM by using a client secret:** The following script initializes your variables and runs the Set-AzVMDiskEncryptionExtension cmdlet. The resource group, VM, key vault, Azure AD app, and client secret should have already been created as prerequisites. Replace MyVirtualMachineResourceGroup, MyKeyVaultResourceGroup, MySecureVM, MySecureVault, My-AAD-client-ID, and My-AAD-client-secret with your values. Modify the -VolumeType parameter to specify which disks you're encrypting.
 
-        ```azurepowershell
+     ```azurepowershell
          $VMRGName = 'MyVirtualMachineResourceGroup';
          $KVRGname = 'MyKeyVaultResourceGroup';
          $vmName = 'MySecureVM';
@@ -94,10 +94,10 @@ Use the [Set-AzVMDiskEncryptionExtension](/powershell/module/az.compute/set-azvm
          $sequenceVersion = [Guid]::NewGuid();
     
          Set-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGName -VMName $vmName -AadClientID $aadClientID -AadClientSecret $aadClientSecret -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -VolumeType '[All|OS|Data]' -SequenceVersion $sequenceVersion -skipVmBackup;
-        ```
+     ```
 - **Encrypt a running VM by using KEK to wrap the client secret:** Azure Disk Encryption lets you specify an existing key in your key vault to wrap disk encryption secrets that were generated while enabling encryption. When a key encryption key is specified, Azure Disk Encryption uses that key to wrap the encryption secrets before writing to the key vault. Modify the -VolumeType parameter to specify which disks you're encrypting. 
 
-         ```azurepowershell
+     ```azurepowershell
          $KVRGname = 'MyKeyVaultResourceGroup';
          $VMRGName = 'MyVirtualMachineResourceGroup';
          $aadClientID = 'My-AAD-client-ID';
@@ -111,7 +111,7 @@ Use the [Set-AzVMDiskEncryptionExtension](/powershell/module/az.compute/set-azvm
          $sequenceVersion = [Guid]::NewGuid();
     
          Set-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGName -VMName $vmName -AadClientID $aadClientID -AadClientSecret $aadClientSecret -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -KeyEncryptionKeyUrl $keyEncryptionKeyUrl -KeyEncryptionKeyVaultId $KeyVaultResourceId -VolumeType '[All|OS|Data]' -SequenceVersion $sequenceVersion -skipVmBackup;
-         ```
+     ```
 
   >[!NOTE]
   > The syntax for the value of the disk-encryption-keyvault parameter is the full identifier string: 
@@ -121,15 +121,15 @@ Use the [Set-AzVMDiskEncryptionExtension](/powershell/module/az.compute/set-azvm
     
 - **Verify that the disks are encrypted:** To check on the encryption status of an IaaS VM, use the [Get-AzVmDiskEncryptionStatus](/powershell/module/az.compute/get-azvmdiskencryptionstatus) cmdlet. 
     
-         ```azurepowershell-interactive 
+     ```azurepowershell-interactive 
          Get-AzVmDiskEncryptionStatus -ResourceGroupName MyVirtualMachineResourceGroup -VMName MySecureVM
-         ```
+     ```
     
 - **Disable disk encryption:** To disable the encryption, use the [Disable-Azure​RmVMDisk​Encryption](/powershell/module/az.compute/disable-azvmdiskencryption) cmdlet. Disabling encryption is only allowed on data volumes for Linux VMs.
      
-         ```azurepowershell-interactive 
+     ```azurepowershell-interactive 
          Disable-AzVMDiskEncryption -ResourceGroupName 'MyVirtualMachineResourceGroup' -VMName 'MySecureVM'
-         ```
+     ```
 
 
 ### <a name="bkmk_RunningLinux"> </a> Enable encryption on an existing or running IaaS Linux VM with a template
@@ -263,23 +263,23 @@ In contrast to Powershell syntax, the CLI doesn't require you to provide a uniqu
 
 -  **Encrypt a running VM by using a client secret:** 
     
-         ```azurecli-interactive
+     ```azurecli-interactive
          az vm encryption enable --resource-group "MyVirtualMachineResourceGroup" --name "MySecureVM" --aad-client-id "<my spn created with CLI/my Azure AD ClientID>"  --aad-client-secret "My-AAD-client-secret" --disk-encryption-keyvault "MySecureVault" --volume-type "Data"
-         ```
+     ```
 
 - **Encrypt a running VM by using KEK to wrap the client secret:**
 
-         ```azurecli-interactive
+     ```azurecli-interactive
          az vm encryption enable --resource-group "MyVirtualMachineResourceGroup" --name "MySecureVM" --aad-client-id "<my spn created with CLI which is the Azure AD ClientID>"  --aad-client-secret "My-AAD-client-secret" --disk-encryption-keyvault  "MySecureVault" --key-encryption-key "MyKEK_URI" --key-encryption-keyvault "MySecureVaultContainingTheKEK" --volume-type "Data"
-         ```
+     ```
 
 ### Enable encryption on a newly added disk with Azure PowerShell
  When you use Powershell to encrypt a new disk for Linux, a new sequence version needs to be specified. The sequence version has to be unique. The following script generates a GUID for the sequence version. 
  
 
 -  **Encrypt a running VM by using a client secret:** The following script initializes your variables and runs the Set-AzVMDiskEncryptionExtension cmdlet. The resource group, VM, key vault, Azure AD app, and client secret should have already been created as prerequisites. Replace MyVirtualMachineResourceGroup, MyKeyVaultResourceGroup, MySecureVM, MySecureVault, My-AAD-client-ID, and My-AAD-client-secret with your values. The -VolumeType parameter is set to data disks and not the OS disk. If the VM was previously encrypted with a volume type of "OS" or "All," then the -VolumeType parameter should be changed to All so that both the OS and the new data disk will be included.
 
-         ```azurepowershell
+     ```azurepowershell
          $KVRGname = 'MyKeyVaultResourceGroup';
          $VMRGName = 'MyVirtualMachineResourceGroup'; 
          $vmName = 'MySecureVM';
@@ -292,10 +292,10 @@ In contrast to Powershell syntax, the CLI doesn't require you to provide a uniqu
          $sequenceVersion = [Guid]::NewGuid();
     
          Set-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGName -VMName $vmName -AadClientID $aadClientID -AadClientSecret $aadClientSecret -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -VolumeType 'data' –SequenceVersion $sequenceVersion;
-         ```
+     ```
 - **Encrypt a running VM by using KEK to wrap the client secret:** Azure Disk Encryption lets you specify an existing key in your key vault to wrap disk encryption secrets that were generated while enabling encryption. When a key encryption key is specified, Azure Disk Encryption uses that key to wrap the encryption secrets before writing to the key vault. The -VolumeType parameter is set to data disks and not the OS disk. If the VM was previously encrypted with a volume type of "OS" or "All," then the -VolumeType parameter should be changed to All so that both the OS and the new data disk will be included.
 
-         ```azurepowershell
+     ```azurepowershell
          $KVRGname = 'MyKeyVaultResourceGroup';
          $VMRGName = 'MyVirtualMachineResourceGroup';
          $vmName = 'MyExtraSecureVM';
@@ -310,7 +310,7 @@ In contrast to Powershell syntax, the CLI doesn't require you to provide a uniqu
          $sequenceVersion = [Guid]::NewGuid();
     
          Set-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGName -VMName $vmName -AadClientID $aadClientID -AadClientSecret $aadClientSecret -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -KeyEncryptionKeyUrl $keyEncryptionKeyUrl -KeyEncryptionKeyVaultId $KeyVaultResourceId -VolumeType 'data' –SequenceVersion $sequenceVersion;
-         ```
+     ```
 
 
 >[!NOTE]
@@ -337,7 +337,7 @@ You can disable encryption by using Azure PowerShell, the Azure CLI, or a Resour
 - **Disable encryption with a Resource Manager template:** To disable encryption, use the [Disable encryption on a running Linux VM](https://aka.ms/decrypt-linuxvm) template.
          1. Select **Deploy to Azure**.
          2. Select the subscription, resource group, location, VM, legal terms, and agreement.
-         3. Select **Purchase** to disable disk encryption on a running Windows VM.
+         3. Select **Purchase** to disable disk encryption on a running Windows VM. 
 
 
 ## Next steps
