Update howto-windows-laps-with-azuread.md

Author: SanDeo-MSFT

articles/active-directory/devices/howto-windows-laps-with-azuread.md

@@ -23,16 +23,16 @@ ms.collection: M365-identity-device-management
 > Azure AD support for Windows LAPS is currently in PREVIEW.
 > See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
 
-Every Windows device comes with a built-in local administrator account that you must secure and protect to mitigate any Pass-the-Hash (PtH) and lateral traversal attacks. Many customers have been using our standalone, on-premises [LAPS](https://www.microsoft.com/download/details.aspx?id=46899) product for local administrator password management of their domain joined Windows machines. With Azure AD support for Windows LAPS, we are providing a consistent experience for both Azure AD joined and hybrid Azure AD joined devices.
+Every Windows device comes with a built-in local administrator account that you must secure and protect to mitigate any Pass-the-Hash (PtH) and lateral traversal attacks. Many customers have been using our standalone, on-premises [LAPS](https://www.microsoft.com/download/details.aspx?id=46899) product for local administrator password management of their domain joined Windows machines. With Azure AD support for Windows LAPS, we're providing a consistent experience for both Azure AD joined and hybrid Azure AD joined devices.
 
 Azure AD support for LAPS includes the following capabilities:
 
 - **Enabling Windows LAPS with Azure AD** - Enable a tenant wide policy and a client-side policy to backup local administrator password to Azure AD.
 - **Local administrator password management** - Configure client-side policies to set account name, password age, length, complexity, manual password reset and so on.
-- **Recovering local administrator password** - Use API/Portal eperiences for local administrator password recovery.
-- **Enumerating all Windows LAPS enabled devices** - Use API/Portal eperiences to enumerate all Windows devices in Azure AD enabled with Windows LAPS.
+- **Recovering local administrator password** - Use API/Portal experiences for local administrator password recovery.
+- **Enumerating all Windows LAPS enabled devices** - Use API/Portal experiences to enumerate all Windows devices in Azure AD enabled with Windows LAPS.
 - **Authorization of local administrator password recovery** - Use role based access control (RBAC) policies with custom roles and administrative units.
-- **Auditing local administrator password update and recovery** - Use audit logs API/Portal experinces to monitor password update and recovery events.
+- **Auditing local administrator password update and recovery** - Use audit logs API/Portal experiences to monitor password update and recovery events.
 - **Conditional Access policies for local administrator password recovery** - Configure Conditional Access policies on directory roles that have the authorization of password recovery.
 
 > [!NOTE]  
@@ -68,32 +68,32 @@ This feature is now available on the following Windows OS platforms with the spe
 
 To enable Windows LAPS with Azure AD, you must:
 
-1. In the **Azure AD Devices** menu, select **Device settings**, and then select **Yes** for Enable Local Administartor Password Solution (LAPS) setting and click **Save**. You also have the option to use MS Graph API [Update deviceRegistrationPolicy](https://learn.microsoft.com/graph/api/deviceregistrationpolicy-update?view=graph-rest-beta&preserve-view=true).
+1. In the **Azure AD Devices** menu, select **Device settings**, and then select **Yes** for Enable Local Administrator Password Solution (LAPS) setting and click **Save**. You also have the option to use MS Graph API [Update deviceRegistrationPolicy](https://learn.microsoft.com/graph/api/deviceregistrationpolicy-update?view=graph-rest-beta&preserve-view=true).
 2. Configure client-side policy and set **BackUpDirectory** to be Azure AD.
-- If you are using Microsoft Intune to manage client side policies, see [Manage Windows LAPS using Microsoft Intune](https://learn.microsoft.com/mem/intune/protect/windows-laps-policy)
-- If you are using Group Policy Objects (GPO) to manage client side policies, see [Windows LAPS Group Policy](https://learn.microsoft.com/windows-server/identity/laps/laps-management-policy-settings#windows-laps-group-policy)
+- If you're using Microsoft Intune to manage client side policies, see [Manage Windows LAPS using Microsoft Intune](https://learn.microsoft.com/mem/intune/protect/windows-laps-policy)
+- If you're using Group Policy Objects (GPO) to manage client side policies, see [Windows LAPS Group Policy](https://learn.microsoft.com/windows-server/identity/laps/laps-management-policy-settings#windows-laps-group-policy)
 
 > [!NOTE]  
 > The preferred option to configure Windows LAPS policy for Azure AD joined devices is to use [Manage Windows LAPS using Microsoft Intune](https://learn.microsoft.com/mem/intune/protect/windows-laps-policy). However, if your devices are Azure AD joined but you're not using Microsoft Intune or Microsoft Intune is not supported (e.g. Windows Server 2019/2022), you can still deploy Windows LAPS for Azure AD. In this scenario, you must deploy policy manually (for example, either by using direct registry modification or by using Local Computer Group Policy). For more information, see [Configure Windows LAPS policy settings](https://learn.microsoft.com/windows-server/identity/laps/laps-management-policy-settings).
 
 ## LAPS password management
-To configure LAPS password management policies for your Azure AD joined devices, you can use Microsoft Intune or any other MDM provider of your choide. If you are using Microsoft Intune to manage client side policies, see [Manage Windows LAPS using Microsoft Intune](https://learn.microsoft.com/mem/intune/protect/windows-laps-policy)
-To configure LAPS password management for your hybrid Azure AD joined devices, you can use GPO if such devices are not [co-managed](https://learn.microsoft.com/mem/configmgr/comanage/overview) with Microsoft Intune. If you are using GPO, see [Windows LAPS Group Policy](https://learn.microsoft.com/windows-server/identity/laps/laps-management-policy-settings#windows-laps-group-policy).
+To configure LAPS password management policies for your Azure AD joined devices, you can use Microsoft Intune or any other MDM provider of your choice. If you're using Microsoft Intune to manage client side policies, see [Manage Windows LAPS using Microsoft Intune](https://learn.microsoft.com/mem/intune/protect/windows-laps-policy)
+To configure LAPS password management for your hybrid Azure AD joined devices, you can use GPO if such devices aren't [co-managed](https://learn.microsoft.com/mem/configmgr/comanage/overview) with Microsoft Intune. If you're using GPO, see [Windows LAPS Group Policy](https://learn.microsoft.com/windows-server/identity/laps/laps-management-policy-settings#windows-laps-group-policy).
 
 ## Recovering local administrator password
-To view local administrator password for a Windows device joined to Azure AD, you need to be garnted the *deviceLocalCredentials.Read.All* permission and you must be assigned one of the following roles:
+To view local administrator password for a Windows device joined to Azure AD, you need to be granted the *deviceLocalCredentials.Read.All* permission, and you must be assigned one of the following roles:
 
 - Global Administrator
 - Cloud Device Administrator
 - Intune Service Administrator
 
-You can also use MS Graph API [Get deviceLocalCredentialInfo](https://learn.microsoft.com/graph/api/devicelocalcredentialinfo-get?view=graph-rest-beta&preserve-view=true) to recover local administrative password. If you use the MS Graph API, the password returned is in Base64 encoded value that you will need to decode before using it.
+You can also use MS Graph API [Get deviceLocalCredentialInfo](https://learn.microsoft.com/graph/api/devicelocalcredentialinfo-get?view=graph-rest-beta&preserve-view=true) to recover local administrative password. If you use the MS Graph API, the password returned is in Base64 encoded value that you need to decode before using it.
 
 ## Enumerating all Windows LAPS enable devices
 
 To enumerate all Windows LAPS enabled devices with Azure AD, you can use Azure AD portal by going to **Azure AD Devices | Overview** page and selecting **Local administrator password recovery (Preview)** menu.
 
-You can also use MS Graph API to list all devices in Azure AD enbled with Windows LAPS.
+You can also use MS Graph API to list all devices in Azure AD enabled with Windows LAPS.
 
 ## Authorization of local administrator password recovery
 Other than the built-in Azure AD roles of Global Administrator, Cloud Device Administrator and Intune Administrator that are granted *device.LocalCredentials.Read.All*, you can use Azure AD custom roles or administrative units to authorize local administrator password recovery. For example,
@@ -103,7 +103,7 @@ Other than the built-in Azure AD roles of Global Administrator, Cloud Device Adm
   You can create an Azure AD [custom role](https://learn.microsoft.com/azure/active-directory/roles/custom-create), you need to assign *microsoft.directory/deviceLocalCredentials/password/read* permission to authorize local administrator password recovery.
 
   > [!NOTE]  
-  > Since Microsoft Entra portal is not yet enabled to show permissions for LAPS, you will need to create a custom role and grant permissions using [MS Graph API](https://learn.microsoft.com/azure/active-directory/roles/custom-create#create-a-role-with-the-microsoft-graph-api) or [Powershell](https://learn.microsoft.com/azure/active-directory/roles/custom-create#create-a-role-using-powershell)
+  > Since Microsoft Entra portal is not yet enabled to show permissions for LAPS, you will need to create a custom role and grant permissions using [MS Graph API](https://learn.microsoft.com/azure/active-directory/roles/custom-create#create-a-role-with-the-microsoft-graph-api) or [PowerShell](https://learn.microsoft.com/azure/active-directory/roles/custom-create#create-a-role-using-powershell)
 
   Once you have created the custom role, you can assign it to users using Microsoft Entra portal, MS Graph API or Powershell.
 
@@ -112,24 +112,24 @@ Other than the built-in Azure AD roles of Global Administrator, Cloud Device Adm
  You can also create an Azure AD [administrative unit](https://learn.microsoft.com/azure/active-directory/roles/administrative-units), add devices and assign Cloud Device Administrator role with administrative unit scope to authorize local administrator password recovery.
 
   > [!NOTE]  
-  > Since Microsoft Entra portal is not yet enabled to assign custom role (you would create to authorize local administartor password recovery) with administrative unit, you will need to use [MS Graph API](https://learn.microsoft.com/azure/active-directory/roles/admin-units-manage#microsoft-graph-api) or [Powershell](https://learn.microsoft.com/azure/active-directory/roles/admin-units-manage#microsoft-graph-powershell)
+  > Since Microsoft Entra portal is not yet enabled to assign custom role (you would create to authorize local administartor password recovery) with administrative unit, you will need to use [MS Graph API](https://learn.microsoft.com/azure/active-directory/roles/admin-units-manage#microsoft-graph-api) or [PowerShell](https://learn.microsoft.com/azure/active-directory/roles/admin-units-manage#microsoft-graph-powershell)
 
 ## Auditing local administrator password update and recovery
-To view audit events for local adminsitartor password update, you can go to **Azure AD Devices | Overview** page, select **Audit** logs, then use **Activity** filter and Search for **Update device local administrator password** to view the audit events.
+To view audit events for local administrator password update, you can go to **Azure AD Devices | Overview** page, select **Audit** logs, then use **Activity** filter and Search for **Update device local administrator password** to view the audit events.
 
-To view audit events for local adminsitartor password recovery, you can go to **Azure AD Devices | Overview** page, select **Audit** logs, then use **Activity** filter and Search for **Recover device local administrator password** to view the audit events.
+To view audit events for local administrator password recovery, you can go to **Azure AD Devices | Overview** page, select **Audit** logs, then use **Activity** filter and Search for **Recover device local administrator password** to view the audit events.
 
 ## Conditional Access policies for local administrator password recovery
-To configure Conditional Access for local administartor passwrod recovery you will need to assign policy with user scope to built-in roles such as Global Administrator, Cloud Device Administrator and Intune Administrator that when granted *deviceLocalCredential.Read.All* permission have the ability to recover local administrator password for any Windows device joined to Azure AD and enabled with Windows LAPS. You can find more details on [Conditional Access USer Assignments](https://learn.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-users-groups)
+To configure Conditional Access for local administrator password recovery, you need to assign policy with user scope to built-in roles such as Global Administrator, Cloud Device Administrator and Intune Administrator that when granted *deviceLocalCredential.Read.All* permission have the ability to recover local administrator password for any Windows device joined to Azure AD and enabled with Windows LAPS. You can find more details on [Conditional Access User Assignments](https://learn.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-users-groups)
 
 > [!NOTE]  
 > Other role types including administrative unit-scoped roles and custom roles aren't supported
 
 ## Licensing requirements
 
 ### Azure Active Directory subscription
-  **Azure Active Directory Free**, when you are using basic Windows LAPS with Microsoft Entra (Azure AD) features such as enabling LAPS using device settings, storing encrypted local administrator password, password recovery and audit logsis the free version of Azure AD that’s included when you subscribe to Intune. With Azure AD Free, you can use all the features of LAPS.
-  **Azure Active Directory Premium**, when you are using premium experiences to improve security with capabilities such as Conditional Access, Custom Roles and Administrative Units 
+  **Azure Active Directory Free**, when you're using basic Windows LAPS with Microsoft Entra (Azure AD) features such as enabling LAPS using device settings, storing encrypted local administrator password, password recovery and audit logs.
+  **Azure Active Directory Premium**, when you're using premium experiences to improve security with capabilities such as Conditional Access, Custom Roles and Administrative Units.
 
 ### Microsoft Intune subscription
   **Microsoft Intune Plan 1**, which is the basic Intune subscription. You can also use Windows LAPS with a free trial subscription for Intune.
@@ -141,7 +141,7 @@ To configure Conditional Access for local administartor passwrod recovery you wi
 
 No.
 
-### Is Windows LAPS with Azure AD supported for Azure AD registered (aka Workplace Join) devices?
+### Is Windows LAPS with Azure AD supported for Azure AD registered devices?
 
 No.