Requested changes added

Author: Tristan Desktop

articles/active-directory/cloud-infrastructure-entitlement-management/media/ui-dashboard/pci-heat-map.PNG renamed to articles/active-directory/cloud-infrastructure-entitlement-management/media/ui-dashboard/pci-heat-map.png

@@ -20,14 +20,14 @@ This article describes how to onboard an Amazon Web Services (AWS) account on Pe
 
 ## Explanation
 
-There are several moving parts across AWS and Azure which are required to be configured before onboarding.
-
-1. An AAD OIDC App
-1. An AWS OIDC account
-1. An (optional) AWS Master account
-1. An (optional) AWS Central logging account
-1. An AWS OIDC role
-1. An AWS Cross Account role assumed by OIDC role
+There are several moving parts across AWS and Azure, which are required to be configured before onboarding.
+
+* An Azure AD OIDC App
+* An AWS OIDC account
+* An (optional) AWS Master account
+* An (optional) AWS Central logging account
+* An AWS OIDC role
+* An AWS Cross Account role assumed by OIDC role
 
 
 <!-- diagram from gargi -->
@@ -113,15 +113,15 @@ There are several moving parts across AWS and Azure which are required to be con
 
 Select **Enable AWS SSO checkbox**, if the AWS account access is configured through AWS SSO. 
 
-Choose from 3 options to manage AWS accounts. 
+Choose from three options to manage AWS accounts. 
 
 #### Option 1: Automatically manage 
 
-Choose this option to automatically detect and add to monitored account list, without additional configuration. Steps to detect list of accounts and onboard for collection: 
+Choose this option to automatically detect and add to the monitored account list, without extra configuration. Steps to detect list of accounts and onboard for collection: 
 
 - Deploy Master account CFT (Cloudformation template) which creates organization account role that grants permission to OIDC role created earlier to list accounts, OUs and SCPs. 
 - If AWS SSO is enabled, organization account CFT also adds policy needed to collect AWS SSO configuration details. 
-- Deploy Member account CFT in all the accounts that need to be monitored by Entra Permissions Management. This creates a cross account role that trusts the OIDC role created earlier. The SecurityAudit policy is attached to the role created for data collection. 
+- Deploy Member account CFT in all the accounts that need to be monitored by Entra Permissions Management. These actions create a cross account role that trusts the OIDC role created earlier. The SecurityAudit policy is attached to the role created for data collection. 
 
 Any current or future accounts found get onboarded automatically. 
 
@@ -173,7 +173,7 @@ This option detects all AWS accounts that are accessible through OIDC role acces
 
 - Deploy Master account CFT (Cloudformation template) which creates organization account role that grants permission to OIDC role created earlier to list accounts, OUs and SCPs. 
 - If AWS SSO is enabled, organization account CFT also adds policy needed to collect AWS SSO configuration details. 
-- Deploy Member account CFT in all the accounts that need to be monitored by Entra Permissions Management. This creates a cross account role that trusts the OIDC role created earlier. The SecurityAudit policy is attached to the role created for data collection. 
+- Deploy Member account CFT in all the accounts that need to be monitored by Entra Permissions Management. These actions create a cross account role that trusts the OIDC role created earlier. The SecurityAudit policy is attached to the role created for data collection. 
 - Click Verify and Save. 
 - Navigate to newly create Data Collector row under AWSdata collectors. 
 - Click on Status column when the row has “Pending” status 

articles/active-directory/cloud-infrastructure-entitlement-management/onboard-aws.md

@@ -20,11 +20,11 @@ This article describes how to onboard a Microsoft Azure subscription or subscrip
 
 ## Explanation
 
-Given that Permissions Management is hosted on Azure and you are onboarding your Azure subscriptions to be monitored and managed, setup is simple with few moving parts to configure. Below is what is required to configure onboarding:
+The Permissions Management service is built on Azure, and given you're onboarding your Azure subscriptions to be monitored and managed, setup is simple with few moving parts to configure. Below is what is required to configure onboarding:
 
-1. When your tenant is onboarded, an application is created in the tenant.
-1. This app requires 'reader' permissions on the subscriptions
-1. For controller functionality, the app requires 'User Access Administrator' to create and implement right-size roles
+* When your tenant is onboarded, an application is created in the tenant.
+* This app requires 'reader' permissions on the subscriptions
+* For controller functionality, the app requires 'User Access Administrator' to create and implement right-size roles
 
 ## Prerequisites
 
@@ -42,11 +42,11 @@ To add Permissions Management to your Azure AD tenant:
 
 ### 1. Add Azure subscription details
 
-Choose from 3 options to manage Azure subscriptions. 
+Choose from three options to manage Azure subscriptions. 
 
 #### Option 1: Automatically manage 
 
-This option allows subscriptions to be automatically detected and monitored without extra configuration.A key benefit of automatic management is that any current or future subscriptions found get onboarded automatically. Steps to detect list of subscriptions and onboard for collection:  
+This option allows subscriptions to be automatically detected and monitored without further work required. A key benefit of automatic management is that any current or future subscriptions found will be onboarded automatically. The steps to detect a list of subscriptions and onboard for collection are as follows:  
 
 - Firstly, grant Reader role to Cloud Infrastructure Entitlement Management application at management group or subscription scope. To do this:  
 
@@ -70,13 +70,13 @@ To view status of onboarding after saving the configuration:
 
 You have the ability to specify only certain subscriptions to manage and monitor with MEPM (up to 10 per collector). Follow the steps below to configure these subscriptions to be monitored: 
 
-1. For each subscription you wish to manage, ensure that the ‘Reader’ role has been granted to Cloud Infrastructure Entitlement Management application for this subscription. 
+1. For each subscription you wish to manage, ensure that the ‘Reader’ role has been granted to Cloud Infrastructure Entitlement Management application for the subscription. 
 1. In the EPM portal, click the cog on the top right-hand side. 
 1. Navigate to data collectors tab 
 1. Ensure 'Azure' is selected
 1. Click ‘Create Configuration’ 
 1. Select ‘Enter Authorization Systems’ 
-1. Under the Subscription IDs section, enter a desired subscription ID into the input box. Click the “+” up to 9 additional times, putting a single subscription ID into each respective input box. 
+1. Under the Subscription IDs section, enter a desired subscription ID into the input box. Click the “+” up to nine extra times, putting a single subscription ID into each respective input box. 
 1. Once you have input all of the desired subscriptions, click next 
 1. Click ‘Verify Now & Save’ 
 1. Once the access to read and collect data is verified, collection will begin. 

articles/active-directory/cloud-infrastructure-entitlement-management/onboard-azure.md

@@ -20,16 +20,16 @@ This article describes how to onboard a Google Cloud Platform (GCP) project on P
 
 ## Explanation
 
-For GCP, permissions management is scoped to a *GCP project*. A GCP project is a logical collection of your resources in GCP, somewhat analogous to a subscription in Azure, albeit with further configurations you can perform such as application registrations and OIDC configurations.
+For GCP, permissions management is scoped to a *GCP project*. A GCP project is a logical collection of your resources in GCP, like a subscription in Azure, albeit with further configurations you can perform such as application registrations and OIDC configurations.
 
 <!-- Diagram from Gargi-->
 
 There are several moving parts across GCP and Azure, which are required to be configured before onboarding.
 
-1. An AAD OIDC App
-1. An Workload Identity in GCP
-1. OAuth2 confidential client grant utilized
-1. A GCP service account with permissions to collect
+* An Azure AD OIDC App
+* A Workload Identity in GCP
+* OAuth2 confidential client grants utilized
+* A GCP service account with permissions to collect
 
 
 ## Onboard a GCP project
@@ -59,11 +59,11 @@ Choose from 3 options to manage GCP projects.
 
 #### Option 1: Automatically manage 
 
-This option allows projects to be automatically detected and monitored without extra configuration. Steps to detect list of projects and onboard for collection:  
+The automatically manage option allows projects to be automatically detected and monitored without extra configuration. Steps to detect list of projects and onboard for collection:  
 
 Firstly, grant Viewer and Security Reviewer role to service account created in previous step at organization, folder or project scope. 
 
-Once done, the steps are listed in the screen to do configure this manually in the GPC console, or programatically with the gcloud CLI.
+Once done, the steps are listed in the screen, which shows how to further configure in the GPC console, or programatically with the gcloud CLI.
 
 Once everything has been configured, click next, then 'Verify Now & Save'.
 
@@ -94,7 +94,7 @@ To view status of onboarding after saving the configuration:
 This option detects all projects that are accessible by the Cloud Infrastructure Entitlement Management application.  
 
 - Firstly, grant Viewer and Security Reviewer role to service account created in previous step at organization, folder or project scope
-- Once done, the steps are listed in the screen to do this manually in the GPC console, or programatically with the gcloud CLI
+- Once done, the steps are listed in the screen to do configure manually in the GPC console, or programatically with the gcloud CLI
 - Click Next
 - Click 'Verify Now & Save' 
 - Navigate to newly create Data Collector row under GCP data collectors

articles/active-directory/cloud-infrastructure-entitlement-management/onboard-gcp.md

@@ -15,13 +15,13 @@ ms.author: kenwith
 
 ## Overview
 
-Permissions Management is a cloud infrastructure entitlement management (CIEM) solution that provides comprehensive visibility into permissions assigned to all identities. For example, over-privileged workload and user identities, actions, and resources across multi-cloud infrastructures in Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP).
+Permissions Management is a cloud infrastructure entitlement management (CIEM) solution that provides comprehensive visibility into permissions assigned to all identities. For example, over-privileged workload and user identities, actions, and resources across multicloud infrastructures in Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP).
 
 Permissions Management  detects, automatically right-sizes, and continuously monitors unused and excessive permissions.
 
 Organizations have to consider permissions management as a central piece of their Zero Trust security to implement least privilege access across their entire infrastructure:
 
-- Organizations are increasingly adopting multi-cloud strategy and are struggling with the lack of visibility and the increasing complexity of managing access permissions.
+- Organizations are increasingly adopting multicloud strategy and are struggling with the lack of visibility and the increasing complexity of managing access permissions.
 - With the proliferation of identities and cloud services, the number of high-risk cloud permissions is exploding, expanding the attack surface for organizations.
 - IT security teams are under increased pressure to ensure access to their expanding cloud estate is secure and compliant.
 - The inconsistency of cloud providers' native access management models makes it even more complex for Security and Identity to manage permissions and enforce least privilege access policies across their entire environment.
@@ -32,7 +32,7 @@ Organizations have to consider permissions management as a central piece of thei
 
 Permissions Management  allows customers to address three key use cases: *discover*, *remediate*, and *monitor*.
 
-Permissions Management has been designed in such a way that we recommended your organization sequentially 'step-through' each of the below phases in order to gain insights into permissions across the organization. This is because you generally cannot action what is yet to be discovered, likewise you cannot continually evaluate what is yet to be remediated.
+Permissions Management has been designed in such a way that we recommended you 'step-through' each of the below phases in order to gain insights into permissions across the organization. This is because you generally can't action what is yet to be discovered, likewise you can't continually evaluate what is yet to be remediated.
 
 :::image type="content" source="media/overview/discover-remediate-monitor.png" alt-text="Use case for Permissions Management." lightbox="media/overview/discover-remediate-monitor.png":::
 
@@ -65,7 +65,7 @@ Permissions Management  deepens Zero Trust security strategies by augmenting the
 - Automate least privilege access: Use access analytics to ensure identities have the right permissions, at the right time.
 - Unify access policies across infrastructure as a service (IaaS) platforms: Implement consistent security policies across your cloud infrastructure.
 
-Once your organization has explored and implemented the discover, remediation and monitor phases, you have established one of the core pillars of a modern zero-trust security strategy.
+Once your organization has explored and implemented the discover, remediation and monitor phases, you've established one of the core pillars of a modern zero-trust security strategy.
 
 ## Next steps