
Commit 8753093

final updates
1 parent 2476431 commit 8753093

2 files changed, +2 -2 lines changed


articles/active-directory/privileged-identity-management/groups-role-settings.md

Lines changed: 1 addition & 1 deletion
@@ -78,7 +78,7 @@ To enforce this requirement, you need to:
7878
:::image type="content" source="media/pim-for-groups/pim-group-21.png" alt-text="Screenshot of the Edit role settings Member page." lightbox="media/pim-for-groups/pim-group-21.png":::
7979

8080
> [!NOTE]
81-
> If PIM settings have “**On activation, require Azure AD Conditional Access authentication context**” configured, Conditional Access policies define what conditions user needs to meet in order to satisfy the access requirements. This means that security principals with permissions to manage Conditional Access policies such as Conditional Access Administrators or Security Administrator may change requirements, remove them, or block eligible users from activating their group membership/ownership. Security principals that can manage Conditional Access policies should be considered highly privileged and protected accordingly.
81+
> If PIM settings have “**On activation, require Azure AD Conditional Access authentication context**” configured, Conditional Access policies define what conditions user needs to meet in order to satisfy the access requirements. This means that security principals with permissions to manage Conditional Access policies such as Conditional Access Administrators or Security Administrators may change requirements, remove them, or block eligible users from activating their group membership/ownership. Security principals that can manage Conditional Access policies should be considered highly privileged and protected accordingly.
8282
8383
> [!NOTE]
8484
> We recommend creating and enabling Conditional Access policy for the authentication context before the authentication context is configured in PIM settings. As a backup protection mechanism, if there are no Conditional Access policies in the tenant that target authentication context configured in PIM settings, during group membership/ownership activation, Azure AD Multi-Factor Authentication is required as the [On activation, require multi-factor authentication](groups-role-settings.md#on-activation-require-multi-factor-authentication) setting would be set. This backup protection mechanism is designed to solely protect from a scenario when PIM settings were updated before the Conditional Access policy is created, due to a configuration mistake. This backup protection mechanism will not be triggered if the Conditional Access policy is turned off, in report-only mode, or has eligible users excluded from the policy.
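Review bot: The plural fix on the changed line at 81 is correct (it now parallels "Conditional Access Administrators"), but the same sentence still reads "what conditions user needs to meet in order to satisfy", which should be "what conditions a user needs to meet to satisfy"; since the line is being touched anyway, fix both in this commit. On the unchanged note at 84, the security-relevant caveat is buried at the end: the MFA fallback fires only when no policy in the tenant targets the authentication context at all, and a policy that exists but is turned off, in report-only mode, or excludes the eligible users does not trigger it. Consider stating the consequence explicitly in that sentence, that in those three cases neither the Conditional Access policy nor the MFA fallback is enforced during activation, rather than leaving the reader to infer it from "will not be triggered".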

articles/active-directory/privileged-identity-management/pim-how-to-change-default-settings.md

Lines changed: 1 addition & 1 deletion
@@ -81,7 +81,7 @@ To enforce this requirement, you need to:
8181
8282
> [!NOTE]
8383
> **“On activation, require Azure AD Conditional Access authentication context”** setting defines authentication context, requirements for which the user will need to satisfy when they activate the role. After the role is activated, this does not prevent users from using another browsing session, device, location, etc. to use permissions. For example, users may use an Intune compliant device to activate the role, then after the role is activated sign-in to the same user account from another device that is not Intune compliant, and use the previously activated role from there.
84-
> To protect from this situation, in addition to the Conditional Access policy that is scoped to authentication context and “*All users*”, create two Conditional Access policies:
84+
> To protect from this situation, create two Conditional Access policies:
8585
>1. The first Conditional Access policy targeted to authentication context. It should have “*All users*” or eligible users in its scope. This policy will specify requirements the user needs to meet to activate the role.
8686
>1. The second Conditional Access policy targeted to directory roles. This policy will specify requirements users need to meet to sign-in with directory role activated.
8787
>
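Review bot: Dropping the "in addition to the Conditional Access policy that is scoped to authentication context" clause at 84 resolves a real ambiguity: the old wording counted the authentication-context policy once as a prerequisite and again as the first of the "two" policies, so a reader could have ended up configuring three. Nothing is lost, because the first list item at 85 already carries the scoping guidance ("All users" or eligible users) that the deleted clause stated. Two follow-ups on the unchanged lines in this hunk: "targeted to" reads better as "targeted at" in both items, and "sign-in with directory role activated" at 86 should be "sign in with the directory role activated" (verb, not noun). It would also help the reader to say which policy closes the gap described at 83: the first policy gates the activation itself, and the second gates every later sign-in that carries the activated role, including one from a non-compliant device.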
