Commit aa377db

author
Ankita Dutta
committed
commits for quality strategy
1 parent 199e491 commit aa377db

2 files changed

+38
-38
lines changed

articles/resource-mover/tutorial-move-region-encrypted-virtual-machines.md

Lines changed: 22 additions & 22 deletions
@@ -11,7 +11,7 @@ ms.custom: mvc
1111
#Customer intent: As an Azure admin, I want to move Azure VMs to a different Azure region.
1212
---
1313

14-
# Tutorial: Move encrypted Azure VMs across regions
14+
# Move encrypted Azure VMs across regions
1515

1616
Azure Resource Mover helps you move Azure resources between Azure regions. This article discusses how to move encrypted Azure virtual machines (VMs) to a different Azure region by using [Azure Resource Mover](overview.md).
1717

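Review bot: The new H1 on line 14 drops "Tutorial:", but the page still presents itself as a tutorial: the context of the next hunk reads "In this tutorial, you learn how to:" and the file is still named tutorial-move-region-encrypted-virtual-machines.md. Either keep the "Tutorial:" prefix or update the remaining "this tutorial" wording in the same commit so the title and body agree.
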
@@ -28,20 +28,20 @@ In this tutorial, you learn how to:
2828
2929

3030
> [!NOTE]
31-
> This tutorial shows the quickest path for trying out a scenario. It uses only the default options.
31+
> Tutorials show the quickest path for trying out a scenario, and use default options where possible.
3232
3333
## Sign in to Azure
3434

3535
If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/pricing/free-trial/) before you begin and sign in to the [Azure portal](https://portal.azure.com).
3636

3737
## Prerequisites
3838

39-
Before you begin, verify the following prerequisites:
39+
Before you begin, verify the following:
4040

4141
| Requirement |Details |
4242
|------------ | -------|
43-
|**Subscription permissions** | Check to ensure that you have *Owner* access on the subscription that contains the resources you want to move.<br/><br/> *Why do I need Owner access?* The first time you add a resource for a specific source and destination pair in an Azure subscription, Resource Mover creates a [system-assigned managed identity](../active-directory/managed-identities-azure-resources/overview.md#managed-identity-types), formerly known as the Managed Service Identity (MSI). This identity is trusted by the subscription. Before you can create the identity and assign it the required roles (*Contributor* and *User access administrator* in the source subscription), the account you use to add resources needs *Owner* permissions in the subscription. For more information, see [Classic subscription administrator roles, Azure roles, and Azure AD roles](../role-based-access-control/rbac-and-directory-admin-roles.md#azure-roles).|
44-
| **VM support** | Check to ensure that the VMs you want to move are supported by doing the following:<li>[Verify](support-matrix-move-region-azure-vm.md#windows-vm-support) supported Windows VMs.<li>[Verify](support-matrix-move-region-azure-vm.md#linux-vm-support) supported Linux VMs and kernel versions.<li>Check supported [compute](support-matrix-move-region-azure-vm.md#supported-vm-compute-settings), [storage](support-matrix-move-region-azure-vm.md#supported-vm-storage-settings), and [networking](support-matrix-move-region-azure-vm.md#supported-vm-networking-settings) settings.|
43+
|**Subscription permissions** | Ensure that you have *Owner* access on the subscription that contains the resources you want to move.<br/><br/> *Why do I need Owner access?* The first time you add a resource for a specific source and destination pair in an Azure subscription, Resource Mover creates a [system-assigned managed identity](../active-directory/managed-identities-azure-resources/overview.md#managed-identity-types), formerly known as the Managed Service Identity (MSI). This identity is trusted by the subscription. Before you can create the identity and assign it the required roles (*Contributor* and *User access administrator* in the source subscription), the account you use to add resources needs *Owner* permissions in the subscription. For more information, see [Classic subscription administrator roles, Azure roles, and Azure AD roles](../role-based-access-control/rbac-and-directory-admin-roles.md#azure-roles).|
44+
| **VM support** | Ensure that the VMs you want to move are supported by doing the following:<li>[Verify](support-matrix-move-region-azure-vm.md#windows-vm-support) supported Windows VMs.<li>[Verify](support-matrix-move-region-azure-vm.md#linux-vm-support) supported Linux VMs and kernel versions.<li>Check supported [compute](support-matrix-move-region-azure-vm.md#supported-vm-compute-settings), [storage](support-matrix-move-region-azure-vm.md#supported-vm-storage-settings), and [networking](support-matrix-move-region-azure-vm.md#supported-vm-networking-settings) settings.|
4545
| **Key vault requirements (Azure Disk Encryption)** | If you have Azure Disk Encryption enabled for VMs, you require a key vault in both the source and destination regions. For more information, see [Create a key vault](../key-vault/general/quick-create-portal.md).<br/><br/> For the key vaults in the source and destination regions, you require these permissions:<li>Key permissions: Key Management Operations (Get, List) and Cryptographic Operations (Decrypt and Encrypt)<li>Secret permissions: Secret Management Operations (Get, List, and Set)<li>Certificate (List and Get)|
4646
| **Disk encryption set (server-side encryption with CMK)** | If you're using VMs with server-side encryption that uses a CMK, you require a disk encryption set in both the source and destination regions. For more information, see [Create a disk encryption set](../virtual-machines/disks-enable-customer-managed-keys-portal.md#set-up-your-disk-encryption-set).<br/><br/> Moving between regions isn't supported if you're using a hardware security module (HSM keys) for customer-managed keys.|
4747
| **Target region quota** | The subscription needs enough quota to create the resources you're moving in the target region. If it doesn't have a quota, [request additional limits](../azure-resource-manager/management/azure-subscription-service-limits.md).|
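
Review bot: In the Subscription permissions row (line 43) the role name is still written "User access administrator"; since the sentence is being edited anyway, use the built-in role's name, "User Access Administrator". The same row asks for Owner on the subscription and then gives the Resource Mover identity Contributor plus User Access Administrator, described only as "in the source subscription"; stating the scope of those assignments more precisely would let an admin review them later. On line 31, "Tutorials show ..." now describes tutorials in general rather than this page; "This tutorial shows ..." with the new "where possible" wording would read better.
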
@@ -50,7 +50,7 @@ Before you begin, verify the following prerequisites:
5050

5151
## Verify permissions in the key vault
5252

53-
If you're moving VMs that have Azure Disk Encryption enabled, you must run a script as mentioned in the [Copy the keys to the destination key vault](#copy-the-keys-to-the-destination-key-vault) section. The users who execute the script should have appropriate permissions to do so. To understand which permissions are required, refer to the following table. You'll find the options for changing the permissions by going to the key vault in the Azure portal. Under **Settings**, select **Access policies**.
53+
If you're moving VMs that have Azure Disk Encryption enabled, you must run a [script](#copy-the-keys-to-the-destination-key-vault). The users who execute the script should have appropriate permissions to do so. To understand which permissions are required, refer to the [following table](#source-region-key-vault). You'll find the options for changing the permissions by going to the key vault in the Azure portal. Under **Settings**, select **Access policies**.
5454

5555
:::image type="content" source="./media/tutorial-move-region-encrypted-virtual-machines/key-vault-access-policies.png" alt-text="Screenshot of the 'Access policies' link on the key vault Settings pane." lightbox="./media/tutorial-move-region-encrypted-virtual-machines/key-vault-access-policies.png":::
5656

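Review bot: On line 53 the new link texts "script" and "following table" are not descriptive, and the #source-region-key-vault anchor is not defined anywhere in this diff; confirm that the heading exists in the file, otherwise the link breaks. Suggest link text that names the target, for example the title of the section that holds the table. "Appropriate permissions" could also be replaced by a direct pointer to the key vault permissions, since this is the step where users handle encryption keys.
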
@@ -84,6 +84,8 @@ Keys <br></br> If you're using a KEK, you require these permissions in addition
8484

8585
In addition to the preceding permissions, in the destination key vault, you must add permissions for the [Managed System Identity](./common-questions.md#how-is-managed-identity-used-in-resource-mover) that Resource Mover uses to access the Azure resources on your behalf.
8686

87+
### Add permissions to Managed System Identity
88+
8789
**To add permissions for the Managed System Identity (MSI), follow these steps:**
8890

8991
1. Under **Settings**, select **Add Access policies**.
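
Review bot: The heading added on line 87 is immediately followed by the bold line "To add permissions for the Managed System Identity (MSI), follow these steps:", which now repeats it; drop the bold lead-in or shorten it to "Follow these steps:". The term also disagrees with the prerequisites table, which calls this a system-assigned managed identity "formerly known as the Managed Service Identity (MSI)"; the new heading should use the same name. The introductory paragraph on line 85 is left above the heading, under the previous section, and belongs below it.
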
@@ -98,7 +100,7 @@ In addition to the preceding permissions, in the destination key vault, you must
98100

99101
### Copy the keys to the destination key vault
100102

101-
Copy the encryption secrets and keys from the source key vault to the destination key vault by using a [script](https://raw.githubusercontent.com/AsrOneSdk/published-scripts/master/CopyKeys/CopyKeys.ps1) that we provide.
103+
Copy the encryption secrets and keys from the source key vault to the destination key vault by using the provided [script](https://raw.githubusercontent.com/AsrOneSdk/published-scripts/master/CopyKeys/CopyKeys.ps1).
102104

103105
To copy the keys from the source key vault to the destination key vault, follow these steps:
104106

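Review bot: Line 103 only rewords the sentence and keeps the link to raw.githubusercontent.com/AsrOneSdk/published-scripts/master/CopyKeys/CopyKeys.ps1, a reference to a mutable branch for a script that copies encryption secrets and keys between vaults. While touching this line, consider linking to a fixed commit or publishing a file hash that readers can check before they run it. The file is named CopyKeys.ps1 at the source, while the later step tells the reader to save it as Copy-keys.ps1; use one name.
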
@@ -114,11 +116,7 @@ To run the script, do the following:
114116
1. Copy the contents of the script to a local file, and name it *Copy-keys.ps1*.
115117
1. Run the script.
116118
1. Sign in to the Azure portal.
117-
1. Under **User Inputs** window, select the following:
118-
1. source subscription,
119-
1. resource group, the source VM,
120-
1. the target location,
121-
1. the target vaults for disk and key encryption.
119+
1. Under **User Inputs** window, select the source subscription, resource group, the source VM, the target location, and the target vaults for disk and key encryption.
122120

123121
:::image type="content" source="./media/tutorial-move-region-encrypted-virtual-machines/script-input.png" alt-text="Screenshot of the 'User Inputs' window for entering the script values." :::
124122

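Review bot: The merged step on line 119 still reads "Under **User Inputs** window", which is ungrammatical; "In the **User Inputs** window" fixes it. The articles in the list are uneven as well ("the source subscription, resource group, the source VM"). Folding five selections into one sentence also makes them harder to check against the screenshot; an unnumbered nested list under the step would keep them scannable without the numbered sub-steps of the old version.
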
@@ -158,7 +156,7 @@ To select the resources, do the following:
158156

159157
:::image type="content" source="./media/tutorial-move-region-encrypted-virtual-machines/source-target.png" alt-text="Page to select source and destination region.." :::
160158

161-
1. On the **Resources to move** tab, select **Select resources** button to open a new tab with available VMs list.
159+
1. On the **Resources to move** tab, select the **Select resources** option to open a new tab with available VMs list.
162160

163161
:::image type="content" source="./media/tutorial-move-region-encrypted-virtual-machines/select-resources.png" alt-text="Screenshot of the 'Move resources' pane and 'Select resources' button.]." :::
164162

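Review bot: Line 159 changes "button" to "option", but the alt text of the screenshot directly below still says "'Select resources' button"; keep the two consistent. "with available VMs list" also needs rewording, for example "a new tab that lists the available VMs".
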
@@ -176,7 +174,7 @@ To select the resources, do the following:
176174
:::image type="content" source="./media/tutorial-move-region-encrypted-virtual-machines/review.png" alt-text="Screenshot of the pane for reviewing source and destination settings." :::
177175

178176
1. Select **Proceed** to begin adding the resources.
179-
1. Select the notifications icon to track progress. After the process finishes successfully, on the **Notifications** pane, select **Added resources for move**.
177+
1. Select the notifications icon to track the progress. After the process finishes successfully, on the **Notifications** pane, select **Added resources for move**.
180178

181179
:::image type="content" source="./media/tutorial-move-region-encrypted-virtual-machines/added-resources-notification.png" alt-text="Screenshot of the 'Notifications' pane for confirming that resources were added successfully." lightbox="./media/tutorial-move-region-encrypted-virtual-machines/added-resources-notification.png":::
182180

@@ -205,7 +203,7 @@ To resolve dependencies before the move, follow these steps:
205203
:::image type="content" source="./media/tutorial-move-region-encrypted-virtual-machines/add-dependencies.png" alt-text="Screenshot of the 'Add dependencies' button." lightbox="./media/tutorial-move-region-encrypted-virtual-machines/add-dependencies.png":::
206204

207205

208-
1. On the **Add dependencies** pane, keep the default **Show all dependencies** option.
206+
1. On the **Add dependencies** pane, retain the default **Show all dependencies** option.
209207

210208
- **Show all dependencies** iterates through all the direct and indirect dependencies for a resource. For example, for a VM, it shows the NIC, virtual network, network security groups (NSGs), and so on.
211209
- **Show first-level dependencies only** shows only direct dependencies. For example, for a VM it shows the NIC but not the virtual network.
@@ -222,9 +220,9 @@ To resolve dependencies before the move, follow these steps:
222220

223221
You must manually assign destination resources that are associated with encryption.
224222

225-
- If you're moving a VM that has Azure Disk Encryption enabled, the key vault in your destination region appears as a dependency.
226-
- If you're moving a VM with server-side encryption that uses CMKs, the disk encryption set in the destination region appears as a dependency.
227-
- Because this tutorial demonstrates moving a VM that has Azure Disk Encryption enabled and that uses a CMK, both the destination key vault and the disk encryption set show up as dependencies.
223+
If you're moving a VM that has Azure Disk Encryption enabled, the key vault in your destination region appears as a dependency. If you're moving a VM with server-side encryption that uses CMKs, the disk encryption set in the destination region appears as a dependency.
224+
225+
Because this tutorial demonstrates moving a VM that has Azure Disk Encryption enabled and that uses a CMK, both the destination key vault and the disk encryption set show up as dependencies.
228226

229227
**To assign the destination resources manually, do the following:**
230228

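Review bot: Lines 223 to 225 turn the bullets into running paragraphs, which hides that the first two sentences are parallel alternatives (Azure Disk Encryption brings a destination key vault dependency, server-side encryption with CMKs brings a disk encryption set dependency). Keep those two as a list and leave only the "Because this tutorial ..." sentence as a paragraph. That sentence still says "this tutorial" although the H1 no longer does.
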
@@ -261,11 +259,11 @@ During the preparation process, Resource Mover generates Azure Resource Manager
261259

262260
To prepare to move the source resource group, do the following:
263261

264-
1. On the **Across regions** tab, select the source resource group, and select **Prepare**.
262+
1. In the **Across regions** tab, select the source resource group, and select **Prepare**.
265263

266264
:::image type="content" source="./media/tutorial-move-region-encrypted-virtual-machines/prepare-resource-group.png" alt-text="Screenshot of the 'Prepare' button on the 'Prepare resources' pane." lightbox="./media/tutorial-move-region-encrypted-virtual-machines/prepare-resource-group.png":::
267265

268-
1. On **Prepare resources**, select **Prepare**.
266+
1. In **Prepare resources**, select **Prepare**.
269267

270268
> [!NOTE]
271269
> After you've prepared the move, the resource group status changes to *Initiate move pending*.
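
Review bot: Lines 262 and 266 switch "On" to "In", but the unchanged step on new line 379 still says "On the **Across regions** pane", so the page now uses both prepositions, and both "tab" and "pane", for the same UI element. Pick one form and apply it throughout.
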
@@ -379,7 +377,9 @@ You can configure the following settings after the move process:
379377
After the move, you can optionally delete resources in the source region.
380378

381379
1. On the **Across regions** pane, select each source resource that you want to delete, and select **Delete source**.
382-
1. In **Delete source**, review what you intend to delete and, in **Confirm delete**, type **yes**. The action is irreversible, so check carefully!
380+
1. In **Delete source**, review what you intend to delete and, in **Confirm delete**, type **yes**.
381+
> [!Caution]
382+
> The action is irreversible, so check carefully!
383383
1. After you type **yes**, select **Delete source**.
384384

385385
> [!NOTE]
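
Review bot: The caution added on lines 381 and 382 comes after the instruction to type **yes**, so the reader meets the warning only after being told to confirm; place it before that step or at the top of the procedure. The alert is written "[!Caution]" while the other alerts in this file are uppercase ("[!NOTE]"); match that. Also check that the alert is indented under the list item so that the numbering of the following step is not reset.
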
@@ -404,5 +404,5 @@ To delete your resources, do the following:
404404

405405
## Next steps
406406

407-
See [Moving Azure SQL databases and elastic pools to another region](./tutorial-move-region-sql.md).
407+
[Learn more](./tutorial-move-region-sql.md) about moving Azure SQL databases and elastic pools to another region.
408408

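Review bot: Line 407 replaces a descriptive link ("Moving Azure SQL databases and elastic pools to another region") with "Learn more", which says nothing about the target when read out of context, for example in a screen reader's list of links. Keep the descriptive text as the link.
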