more updates

Author: omondiatieno

articles/active-directory/manage-apps/grant-admin-consent.md

@@ -1,6 +1,6 @@
 ---
 title: Grant tenant-wide admin consent to an application 
-description: Learn how to grant tenant-wide consent to an application so that end-users are not prompted for consent when signing in to an application.
+description: Learn how to grant tenant-wide consent to an application so that end-users aren't prompted for consent when signing in to an application.
 services: active-directory
 author: eringreenlee
 manager: CelesteDG
@@ -25,7 +25,7 @@ When you grant tenant-wide admin consent to an application, you give the applica
 
 By default, granting tenant-wide admin consent to an application will allow all users to access the application unless otherwise restricted. To restrict which users can sign-in to an application, configure the app to [require user assignment](application-properties.md#assignment-required) and then [assign users or groups to the application](assign-user-or-group-access-portal.md). 
 
-Granting tenant-wide admin consent may revoke any permissions which had previously been granted tenant-wide for that application. Permissions which have previously been granted by users on their own behalf will not be affected.
+Granting tenant-wide admin consent may revoke any permissions that had previously been granted tenant-wide for that application. Permissions that have previously been granted by users on their own behalf won't be affected.
 
 ## Prerequisites
 
@@ -90,7 +90,7 @@ As always, carefully review the permissions an application requests before grant
 
 In the following example, you'll grant delegated permissions defined by a resource enterprise application to a client enterprise application on behalf of all users.
 
-In the example, the resource enterprise application is Microsoft Graph of object ID `7ea9e944-71ce-443d-811c-71e8047b557a`. The Microsoft Graph defines the delegated permissions `User.Read.All` and `Group.Read.All`. The consentType is AllPrincipals, indicating that you're consenting on behalf of all users in the tenant. The object ID of the client enterprise application is `b0d9b9e3-0ecf-4bfd-8dab-9273dd055a941`.
+In the example, the resource enterprise application is Microsoft Graph of object ID `7ea9e944-71ce-443d-811c-71e8047b557a`. The Microsoft Graph defines the delegated permissions, `User.Read.All` and `Group.Read.All`. The consentType is `AllPrincipals`, indicating that you're consenting on behalf of all users in the tenant. The object ID of the client enterprise application is `b0d9b9e3-0ecf-4bfd-8dab-9273dd055a941`.
 
 > [!CAUTION] 
 > Be careful! Permissions granted programmatically are not subject to review or confirmation. They take effect immediately.
@@ -131,7 +131,7 @@ New-MgOauth2PermissionGrant -BodyParameter $params |
   ```      
 ## Grant admin consent for application permissions
 
-In the following example you grant the Microsoft Graph enterprise application (the principal of ID `b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94`) an app role (application permission) of ID `df021288-bdef-4463-88db-98f22de89214` that's exposed by a resource enterprise application of ID `7ea9e944-71ce-443d-811c-71e8047b557a`.
+In the following example, you grant the Microsoft Graph enterprise application (the principal of ID `b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94`) an app role (application permission) of ID `df021288-bdef-4463-88db-98f22de89214` that's exposed by a resource enterprise application of ID `7ea9e944-71ce-443d-811c-71e8047b557a`.
 
 1. Connect to Microsoft Graph PowerShell:
 
@@ -168,7 +168,7 @@ Use [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer) to gr
 
 In the following example, you'll grant delegated permissions defined by a resource enterprise application to a client enterprise application on behalf of all users.
 
-In the example, the resource enterprise application is Microsoft Graph of object ID `7ea9e944-71ce-443d-811c-71e8047b557a`. The Microsoft Graph defines the delegated permissions `User.Read.All` and `Group.Read.All`. The consentType is AllPrincipals, indicating that you're consenting on behalf of all users in the tenant. The object ID of the client enterprise application is `b0d9b9e3-0ecf-4bfd-8dab-9273dd055a941`.
+In the example, the resource enterprise application is Microsoft Graph of object ID `7ea9e944-71ce-443d-811c-71e8047b557a`. The Microsoft Graph defines the delegated permissions, `User.Read.All` and `Group.Read.All`. The consentType is `AllPrincipals`, indicating that you're consenting on behalf of all users in the tenant. The object ID of the client enterprise application is `b0d9b9e3-0ecf-4bfd-8dab-9273dd055a941`.
 
 > [!CAUTION] 
 > Be careful! Permissions granted programmatically are not subject to review or confirmation. They take effect immediately.
@@ -199,7 +199,7 @@ In the example, the resource enterprise application is Microsoft Graph of object
    ```
 ## Grant admin consent for application permissions
 
-In the following example you grant the Microsoft Graph enterprise application (the principal of ID `b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94`) an app role (application permission) of ID `df021288-bdef-4463-88db-98f22de89214` that's exposed by a resource enterprise application of ID `7ea9e944-71ce-443d-811c-71e8047b557a`.
+In the following example, you grant the Microsoft Graph enterprise application (the principal of ID `b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94`) an app role (application permission) of ID `df021288-bdef-4463-88db-98f22de89214` that's exposed by a resource enterprise application of ID `7ea9e944-71ce-443d-811c-71e8047b557a`.
 
 1. Retrieve the app roles defined by Microsoft graph in your tenant. Identify the app role that you'll grant the client enterprise application. In this example, the app role ID is `df021288-bdef-4463-88db-98f22de89214`
 
@@ -219,7 +219,6 @@ In the following example you grant the Microsoft Graph enterprise application (t
       "appRoleId": "df021288-bdef-4463-88db-98f22de89214"
    }
    ```
-
 :::zone-end
 
 ## Next steps

articles/active-directory/manage-apps/manage-application-permissions.md

@@ -8,7 +8,7 @@ ms.service: active-directory
 ms.subservice: app-mgmt
 ms.workload: identity
 ms.topic: how-to
-ms.date: 10/23/2021
+ms.date: 11/07/2022
 ms.author: jawoods
 ms.reviewer: phsignor
 zone_pivot_groups: enterprise-apps-minus-graph
@@ -18,11 +18,11 @@ ms.collection: M365-identity-device-management
 
 ---
 
-# Review permissions granted to applications
+# Review permissions granted to enterprise applications
 
 In this article, you'll learn how to review permissions granted to applications in your Azure Active Directory (Azure AD) tenant. You may need to review permissions when you've detected a malicious application or the application has been granted more permissions than is necessary.
 
-The steps in this article apply to all applications that were added to your Azure Active Directory (Azure AD) tenant via user or admin consent. For more information on consenting to applications, see [Azure Active Directory consent framework](../develop/consent-framework.md).
+The steps in this article apply to all applications that were added to your Azure Active Directory (Azure AD) tenant via user or admin consent. For more information on consenting to applications, see [User and admin consent](user-admin-consent-overview.md).
 
 ## Prerequisites
 
@@ -32,7 +32,7 @@ To review permissions granted to applications, you need:
 - One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator.
 - A Service principal owner who isn't an administrator is able to invalidate refresh tokens.
 
-## Review application permissions
+## Review permissions
 
 :::zone pivot="portal"
 
@@ -53,6 +53,9 @@ Each option generates PowerShell scripts that enable you to control user access
 
 :::zone pivot="aad-powershell"
 
+## Revoke permissions
+
+
 Using the following Azure AD PowerShell script revokes all permissions granted to an application.
 
 ```powershell
@@ -72,7 +75,7 @@ $spOAuth2PermissionsGrants | ForEach-Object {
 # Get all application permissions for the service principal
 $spApplicationPermissions = Get-AzureADServiceAppRoleAssignedTo -ObjectId $sp.ObjectId -All $true | Where-Object { $_.PrincipalType -eq "ServicePrincipal" }
 
-# Remove all delegated permissions
+# Remove all application permissions
 $spApplicationPermissions | ForEach-Object {
     Remove-AzureADServiceAppRoleAssignment -ObjectId $_.PrincipalId -AppRoleAssignmentId $_.objectId
 }
@@ -107,7 +110,7 @@ $sp = Get-MgServicePrincipal -ServicePrincipalID "$ServicePrincipalID"
 
 Example: Get-MgServicePrincipal -ServicePrincipalId '22c1770d-30df-49e7-a763-f39d2ef9b369'
 
-# Get all application permissions for the service principal
+# Get all delegated permissions for the service principal
 $spOAuth2PermissionsGrants= Get-MgOauth2PermissionGrant -All| Where-Object { $_.clientId -eq $sp.Id }
 
 # Remove all delegated permissions