Commit b70b1ff

making some changes, fixing typos, trying to simplify some wording
1 parent 4355d38 commit b70b1ff

1 file changed (+24 / -17 lines)

articles/active-directory/governance/conditional-access-exclusion.md

Lines changed: 24 additions & 17 deletions
@@ -3,7 +3,7 @@ title: Manage users excluded from Conditional Access policies - Azure AD
33
description: Learn how to use Azure Active Directory (Azure AD) access reviews to manage users that have been excluded from Conditional Access policies
44
services: active-directory
55
documentationcenter: ''
6-
author: msaburnley
6+
author: barclayn
77
manager: daveba
88
editor: markwahl-msft
99
ms.service: active-directory
@@ -12,38 +12,45 @@ ms.tgt_pltfrm: na
1212
ms.devlang: na
1313
ms.topic: conceptual
1414
ms.subservice: compliance
15-
ms.date: 09/25/2018
16-
ms.author: ajburnle
15+
ms.date: 04/22/2020
16+
ms.author: barclayn
1717
ms.reviewer: mwahl
1818
ms.collection: M365-identity-device-management
1919
---
2020

2121
# Use Azure AD access reviews to manage users excluded from Conditional Access policies
2222

23-
In an ideal world, all users would follow the access polices to secure access to your organization's resources. However, sometimes there are business cases that require you to make exceptions. This article describes some examples where exclusions might be required and how you, as the IT administrator, can manage this task, avoid oversight of policy exceptions, and provide auditors with proof that these exceptions are reviewed regularly using Azure Active Directory (Azure AD) access reviews.
23+
In an ideal world, all users follow the access policies to secure access to your organization's resources. However, sometimes there are business cases that require you to make exceptions. This article goes over some examples of situations where exclusions may be necessary. You, as the IT administrator, can manage this task, avoid oversight of policy exceptions, and provide auditors with proof that these exceptions are reviewed regularly using Azure Active Directory (Azure AD) access reviews.
2424

2525
> [!NOTE]
2626
> A valid Azure AD Premium P2, Enterprise Mobility + Security E5 paid, or trial license is required to use Azure AD access reviews. For more information, see [Azure Active Directory editions](../fundamentals/active-directory-whatis.md).
2727
2828
## Why would you exclude users from policies?
2929

30-
As an IT administrator, you might use [Azure AD Conditional Access](../conditional-access/overview.md) to require users to authenticate using multi-factor authentication (MFA) or sign in from a trusted network or device. During the deployment planning, you find out that some of these requirements cannot be met by all users. For example, there are users who work from a remote office that is not part of your internal network or there is an executive who uses an old phone that is not supported. The business requires that these users be allowed to sign in and do their job, therefore, they are excluded from the Conditional Access policies.
30+
Let's say that as the administrator you decide to use [Azure AD Conditional Access](../conditional-access/overview.md) to require, multi-factor authentication (MFA) and limit authentication requests to specific networks or devices. During deployment planning, you realize that not all users can meet these requirements. For example, you may have users who work from remote offices not part of your internal network. You may also have to accommodate users connecting using unsupported devices while waiting for those devices to be replaced. In short, the business needs these users to sign in and do their job so you exclude them from Conditional Access policies.
3131

32-
As another example, you might use [named locations](../conditional-access/location-condition.md) in Conditional Access to configure a set of counties and regions from which you don't want to allow users to access their tenant.
32+
As another example, you may be using [named locations](../conditional-access/location-condition.md) in Conditional Access to specify a set of countries and regions from which you don't want to allow users to access their tenant.
3333

3434
![Named locations in Conditional Access](./media/conditional-access-exclusion/named-locations.png)
3535

36-
However, in some cases, users might have a legitimate reason to sign in from these blocked countries/regions. For example, users might be traveling for work or personal reasons. In this example, the Conditional Access policy to block these countries/regions could have a dedicated cloud security group for the users who are excluded from the policy. Users who need access while traveling, can add themselves to the group using [Azure AD self-service Group management](../users-groups-roles/groups-self-service-management.md).
36+
Unfortunately, some users may still have a valid reason to sign in from these blocked countries/regions. For example, users could be traveling for work and need to access corporate resources. In this case, the Conditional Access policy to block these countries/regions could use a cloud security group for the excluded users from the policy. Users who need access while traveling, can add themselves to the group using [Azure AD self-service Group management](../users-groups-roles/groups-self-service-management.md).
3737

38-
Another example might be that you have a Conditional Access policy that [blocks legacy authentication for the vast majority of your users](https://cloudblogs.microsoft.com/enterprisemobility/2018/06/07/azure-ad-conditional-access-support-for-blocking-legacy-auth-is-in-public-preview/). Microsoft strongly recommends that you block the use of legacy protocols in your tenant to improve your security posture. However, if you have some users that absolutely need to use legacy authentication methods to access your resources via Office 2010 or IMAP/SMTP/POP based clients, then you can exclude these users from the policy that block legacy authentication methods.
38+
Another example might be that you have a Conditional Access policy [blocking legacy authentication for the vast majority of your users](https://cloudblogs.microsoft.com/enterprisemobility/2018/06/07/azure-ad-conditional-access-support-for-blocking-legacy-auth-is-in-public-preview/). However, if you have some users that absolutely need to use legacy authentication methods to access your resources via Office 2010 or IMAP/SMTP/POP based clients, then you can exclude these users from the policy that block legacy authentication methods.
39+
40+
>[!NOTE]
41+
>Microsoft strongly recommends that you block the use of legacy protocols in your tenant to improve your security posture.
3942
4043
## Why are exclusions challenging?
4144

42-
In Azure AD, you can scope a Conditional Access policy to a set of users. You can also exclude some of these users by selecting Azure AD roles, individual users, or guests of users. It is important to remember that when these exclusions are configured, the policy intent can't be enforced for those users. If these exclusions were configured as either a list of individual users or via a legacy on-premises security group, then it limits the visibility of this exclusion list (users may not know of its existence) and the IT administrator's control over it (users can join the security group to by-pass the policy). Additionally, users that qualified for the exclusion at one time may no longer need it or be eligible for it.
45+
In Azure AD, you can scope a Conditional Access policy to a set of users. You can also configure exclusions by selecting Azure AD roles, individual users, or guests users. It is important to remember that when exclusions are configured, the policy intent can't be enforced on excluded users. If exclusions are configured using list of users or using legacy on-premises security groups, they limit the visibility into the exclusions. As a result:
46+
47+
- Users may not know that they are being excluded
48+
- Users can join the security group to by-pass the policy so the IT administrator's control over the exceptions would be affected.
49+
- Also, users who qualified for the exclusion at one time may no longer qualify for it.
4350

44-
At the beginning of an exclusion, there is a short list of users who bypass the policy. Over time, more and more users are excluded, and the list grows. At some point, there is a need to review the list and confirm that each of these users should still be excluded. Managing the list from a technical point of view, can be relatively easy, but who makes the business decisions and how do you make sure it is all auditable?
51+
Frequently at the beginning of an exclusion, there is a short list of users who bypass the policy. Over time, more and more users are excluded, and the list grows. At some point, you need to review the list and confirm that each of these users should still be excluded. Managing the list from a technical point of view, can be relatively easy, but who makes the business decisions and how do you make sure it is all auditable?
4552

46-
However, if you configure the exclusion to the Conditional Access policy using an Azure AD group, then you can use access reviews as a compensating control, to drive visibility, and reduce the number of users who have an exception.
53+
However, if you configure the exclusion to the Conditional Access policy using an Azure AD group, you can then use access reviews as a compensating control, to drive visibility, and reduce the number of users who have are exempt.
4754

4855
## How to create an exclusion group in a Conditional Access policy
4956

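Review bot: the rewritten sentence at new line 53 keeps a leftover from the edit, `reduce the number of users who have are exempt`; it should read `reduce the number of users who are exempt`. Two smaller slips in the same hunk: new line 30 has a stray comma in `to require, multi-factor authentication (MFA)`, and new line 45 should read `guest users` and `using a list of users` rather than `guests users` and `using list of users`. On new line 36 the old text said `dedicated cloud security group`; dropping `dedicated` loses a point worth keeping, because a group that is reused for other purposes, and that users can join through self-service, widens the exception beyond the travel case. In the new bullet list, `by-pass` on line 48 is normally written `bypass`, and the leading `Also,` on line 49 can go since it is already a separate list item.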
@@ -99,17 +106,17 @@ Let's say you have a Conditional Access policy that blocks access from certain c
99106
> [!NOTE]
100107
> A Global administrator or User administrator role is required to create access reviews.
101108
102-
1. The review will reoccur every week.
109+
1. The review will happen every week.
103110

104-
2. Will never end in order to make sure you're keeping this exclusion group the most up-to-date.
111+
2. Will never end in order to make sure you're keeping this exclusion group the most up to date.
105112

106113
3. All members of this group will be in scope for the review.
107114

108-
4. Each user will have to self-attest that they still need to have access from these blocked countries/regions, therefore they still need to be a member of the group.
115+
4. Each user will need to self-attest that they still need access from these blocked countries/regions, therefore they still need to be a member of the group.
109116

110-
5. If the user doesn't respond to the review request, they will be automatically removed from the group, and therefore, can no longer access the tenant while traveling to these countries/regions.
117+
5. If the user doesn't respond to the review request, they will be automatically removed from the group, and they will no longer have access the tenant while traveling to these countries/regions.
111118

112-
6. Enable mail notifications so users are notified about the start and completion of the access review.
119+
6. Enable email notifications to let users know about the start and completion of the access review.
113120

114121
![Create an access review pane for example 1](./media/conditional-access-exclusion/create-access-review-1.png)
115122

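Review bot: new line 117 drops a word, `they will no longer have access the tenant`; it should be `access to the tenant`. On new line 115, `they still need access from these blocked countries/regions, therefore they still need to be a member of the group` is a comma splice; `and therefore` or a semicolon reads better. The `up-to-date` to `up to date` change on line 111 is fine, since the phrase is not modifying a following noun there.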
@@ -149,7 +156,7 @@ Now that you have everything in place, group, Conditional Access policy, and acc
149156

150157
![Access reviews audit logs listing actions](./media/conditional-access-exclusion/access-reviews-audit-logs.png)
151158

152-
As an IT administrator, you know that managing exclusion groups to your policies is sometimes inevitable. However, maintaining these groups, reviewing them on a regular basis by the business owner or the users themselves, and auditing these changes can made easier with Azure AD access reviews.
159+
As an IT administrator, you know that managing exclusion groups to your policies is sometimes inevitable. However, maintaining these groups, reviewing them on a regular basis by the business owner or the users themselves, and auditing these changes can be made easier with Azure AD access reviews.
153160

154161
## Next steps
155162

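Review bot: the `can made` to `can be made` fix on new line 159 is correct, but the sentence still reads awkwardly: `managing exclusion groups to your policies` should be `for your policies`, and `reviewing them on a regular basis by the business owner or the users themselves` mixes an active gerund with a passive agent; `having the business owner or the users themselves review them regularly` would be clearer.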