
Commit d2faa51

author
Mark Dalton Gray
committed
minor updates
1 parent 37e5306 commit d2faa51

File tree

1 file changed

+5
-5
lines changed


articles/operator-nexus/howto-set-up-defender-for-cloud-security.md

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -58,17 +58,17 @@ To set up a Defender for Servers plan:
5858

5959
### Grant MDE Onboarding Permissions
6060

61-
To enable the Microsoft Defender for Endpoint (MDE) agent on baremetal machines within your Nexus Cluster, you must grant the nc-platform-extension identity of the cluster the ability to onboard the MDE agent on your behalf.
61+
To enable the Microsoft Defender for Endpoint (MDE) agent on baremetal machines within your Nexus Cluster, you must grant the nc-platform-extension identity of the cluster permission to onboard the MDE agent on your behalf.
6262

6363
The nc-platform-extension identity does not exist prior to deploying the Operator Nexus cluster. The following example must be performed after the Cluster is deployed.
6464

65-
The required permission is ```Microsoft.Security/mdeOnboardings/read```. Assign this permission to the nc-platform-extension identity using the built-in role ```Security Reader``` or a custom role with the same permission can be created.
65+
The required permission is ```Microsoft.Security/mdeOnboardings/read```. Assign this permission to the nc-platform-extension identity using the built-in role ```Security Reader``` or a custom role with the same permission.
6666

6767
> [!IMPORTANT]
6868
> The user or identity creating the role assignment must have the ```Microsoft.Authorization/roleAssignments/write``` permission at the subscription level.
6969
> Executing the the commands to show the principal ID object ID requires the Microsoft Entra role assignment of Directory Reader or equivalent.
7070
71-
Below is an example bash script using the az CLI for granting the nc-platform-extension identity the ability to onboard the MDE agent on your behalf.
71+
Below is an example bash script using the Azure CLI for granting the nc-platform-extension identity permission to onboard the MDE agent on your behalf.
7272

7373
```bash
7474
#!/usr/bin/env bash
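Review bot: line 65+ still lists the built-in `Security Reader` role before the custom-role option, although the paragraph says the only permission required is `Microsoft.Security/mdeOnboardings/read`; `Security Reader` grants considerably more than that, and the script that follows only ever creates the Security Reader assignment (its final echo says "Security Reader role assignment created"), so the least-privilege alternative is mentioned but never shown. Consider leading with the custom-role option, and state the scope at which the assignment is created: the IMPORTANT block only says the assigner needs `Microsoft.Authorization/roleAssignments/write` at the subscription level, which a reader can easily mistake for the assignment scope. Since this hunk is already polishing wording, the untouched context line 69, "Executing the the commands to show the principal ID object ID", should also lose the duplicated "the" and use either "principal ID" or "object ID", not both.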
@@ -134,9 +134,9 @@ az role assignment create \
134134
echo "Done. Security Reader role assignment created"
135135
```
136136

137-
In the event the required permissions are not granted, the MDE onboarding reconcilliation logic will continue to attempt to onboard the MDE agent on your behalf until the permissions are granted. When the permissions are granted, the MDE onboarding reconcilliation logic during the next rotation will complete successfully with no additional action required.
137+
While the required permissions are not assigned, the MDE onboarding reconcilliation logic will continue to attempt to onboard the MDE agent until the permissions are granted. After permission assignment is complete, the MDE onboarding reconcilliation will complete successfully with no additional action required.
138138

139-
Reconcilliation of the MDE onboarding status is an exponential backoff process. The first retry attempt will be made after 10 minutes, the second after 20 minutes, and the third after 40 minutes. If three failures occur, the MDE onboarding reconcilliation logic will wait 10 minutes before attempting to onboard the MDE agent again (which will restart the exponential backoff process).
139+
Reconcilliation of the MDE onboarding status is an exponential backoff process. The first retry attempt will be made after 10 minutes, the second after 20 minutes, and the third after 40 minutes. If three failures occur, the reconcilliation will wait 10 minutes before attempting to onboard the MDE agent again (which will restart the exponential backoff process).
140140

141141
> [!IMPORTANT]
142142
> MDE Agent reconilliation runs independently on each of the baremetal machines in the cluster. As such the exact time it takes to onboard the MDE agent on all baremetal machines in the cluster will vary depending on the number of baremetal machines in the cluster and the initial time of the first onboarding attempt.
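Review bot: lines 137+ and 139+ keep the misspelling "reconcilliation" (context line 142 has a third variant, "reconilliation"); as this hunk is a wording-only change, "reconciliation" should be fixed here in all three places. Line 137+ also states the condition twice ("While the required permissions are not assigned ... until the permissions are granted"); one clause is enough. Line 139+ is ambiguous on two points a practitioner waiting for onboarding will care about: whether "three failures" counts the initial attempt or only the three retries at 10, 20 and 40 minutes, and whether the 10-minute wait after them is a separate attempt or the start of the next 10/20/40 cycle. Writing out the full sequence (initial attempt, then retries after 10, 20 and 40 minutes, then a 10-minute wait and the same cycle again) would remove the ambiguity.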
