Update mfa-enforcement.md

nehakulkarni123 · web-flow · commit d830728878b4 · 2025-07-23T19:39:51.000-07:00
diff --git a/articles/governance/policy/tutorials/mfa-enforcement.md b/articles/governance/policy/tutorials/mfa-enforcement.md
@@ -31,26 +31,27 @@ Select Policy under Azure services. If you don't see it, type 'Policy' in the se
   > [!NOTE]
   > To enable safe rollout of policy enforcement, we recommend using [Azure Policy’s resource selectors](https://learn.microsoft.com/azure/governance/policy/concepts/assignment-structure#resource-selectors) to gradually rollout policy enforcement across your resources.
 - Click 'Expand' on the 'Resource Selectors' section of the Basics tab.
-- Click 'Add a resource selector' 
+- Click 'Add a resource selector'
+  
 :::image type="content" source="../media/multifactor-enforcement/policy-resource-selectors.png" alt-text="Screenshot of Azure Policy Assignment Creation View." border="false":::
 - Add a name for your selector
 - Toggle resourceLocation to enable it.
-- Pick a few low-risk regions that you’d like to enforce on. The policy assignment evaluates Azure resources in those regions.
+- Pick a few low-risk regions that you’d like to enforce on. The policy assignment will evaluate Azure resources in those regions.
 - You can update this assignment later to add more regions by adding more resourceLocation selectors or updating the existing resourceLocation selector to add more regions.
   
 :::image type="content" source="../media/multifactor-enforcement/resource-selector-creation.png" alt-text="Screenshot of Azure Policy Selector Creation View." border="false":::
 
 ### 5. Select a Policy Definition
 - Click on Policy definition under 'Basics'.
 - Browse or search for the multifactor policy definition – there are 2 of them. Pick one for now:
-- [[Preview]: Users must authenticate with multifactor authentication to delete resources - Microsoft Azure](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetail.ReactView/id/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdb4a9d17-db75-4f46-9fcb-9f9526604417/version/1.0.0-preview/scopes/%5B%22%2Fsubscriptions%2F12015272-f077-4945-81de-a5f607d067e1%22%2C%22%2Fsubscriptions%2F0ba674a6-9fde-43b4-8370-a7e16fdf0641%22%5D/contextRender/)
-- [[Preview]: Users must authenticate with multifactor authentication to create or update resources - Microsoft Azure](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetail.ReactView/id/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4e6c27d5-a6ee-49cf-b2b4-d8fe90fa2b8b/version/1.0.0-preview/scopes/%5B%22%2Fsubscriptions%2F12015272-f077-4945-81de-a5f607d067e1%22%2C%22%2Fsubscriptions%2F0ba674a6-9fde-43b4-8370-a7e16fdf0641%22%5D/contextRender/)
+  - [[Preview]: Users must authenticate with multifactor authentication to delete resources - Microsoft Azure](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetail.ReactView/id/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdb4a9d17-db75-4f46-9fcb-9f9526604417/version/1.0.0-preview/scopes/%5B%22%2Fsubscriptions%2F12015272-f077-4945-81de-a5f607d067e1%22%2C%22%2Fsubscriptions%2F0ba674a6-9fde-43b4-8370-a7e16fdf0641%22%5D/contextRender/).
+  - [[Preview]: Users must authenticate with multifactor authentication to create or update resources - Microsoft Azure](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetail.ReactView/id/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4e6c27d5-a6ee-49cf-b2b4-d8fe90fa2b8b/version/1.0.0-preview/scopes/%5B%22%2Fsubscriptions%2F12015272-f077-4945-81de-a5f607d067e1%22%2C%22%2Fsubscriptions%2F0ba674a6-9fde-43b4-8370-a7e16fdf0641%22%5D/contextRender/).
 - Select the policy definition from the list.
   
 :::image type="content" source="../media/multifactor-enforcement/policy-definition-selection.png" alt-text="Screenshot of Azure Policy Definition Search View." border="false":::
 
 ### 6. Configure More Assignment Details
-- Under 'Basics', enter a Name for your policy assignment. Optionally, you may add a Description to help others understand the purpose of this assignment.
+- Under 'Basics', enter a name for your policy assignment. Optionally, you may add a description to help others understand the purpose of this assignment.
 - Under 'Basics', enforcement mode should be set to enabled (this mode is set by default, no action needed).
 - Go to the 'Parameters' tab. Uncheck 'only show parameters that require input or review'. The parameter value should be at the preselected value 'AuditAction' or 'Audit' (depending on the definition chosen in step 4).
 - Under the 'Non-compliance messages' tab, configure a custom message that any user sees if they're blocked from deleting a resource because of this enforcement:
@@ -74,20 +75,20 @@ _Sample Text: To resolve this error, set up MFA at aka.ms/setupMFA. If you set u
 
 
 ## Update the policy assignment to enforcement
-You can set enforcement by updating the 'Effect' of the policy assignment.
-- Go to the policy assignment under [Policy|Assignments](https://portal.azure.com/?subscriptionId=617eb244-7791-4c21-98c5-77f840a7e4ef#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Overview/scope/%2Fsubscriptions%2F617eb244-7791-4c21-98c5-77f840a7e4ef). Click 'Edit assignment'.
+You can enable enforcement by updating the 'Effect' of the policy assignment.
+- Go to the policy assignment under [Policy Assignments](https://portal.azure.com/?subscriptionId=617eb244-7791-4c21-98c5-77f840a7e4ef#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Overview/scope/%2Fsubscriptions%2F617eb244-7791-4c21-98c5-77f840a7e4ef). Click 'Edit assignment'.
 - In the 'Basics' tab, you’ll see 'Overrides'. Click expand.
 - Click 'Add a policy effect override'
-- In the drop-down menu, update the 'Override Value' to 'DenyAction' or 'Deny' (depending on the policy definition chosen at Step 4).
-- For 'Selected Resources', pick a few low-risk regions that you’d like to enforce on. The policy assignment will only evaluate Azure resources in those regions.
+- In the drop-down menu, update the `Override Value` to 'DenyAction' or 'Deny' (depending on the policy definition chosen at Step 4).
+- For `Selected Resources`, pick a few low-risk regions that you’d like to enforce on. The policy assignment will only evaluate Azure resources in those regions.
 :::image type="content" source="../media/multifactor-enforcement/overrides-example.png" alt-text="Screenshot of Azure Policy Overrides Creation." border="false":::
 - Click 'Review + save', then 'Create'.
-- Once you have confirmed no unexpected impact for this initial application, you may update the existing override to add other regions, then monitor for any impact. Repeat this step as many times as needed to eventually add all regions.
+- Once you have confirmed no unexpected impact, you may update the existing override to add other regions.
 
 ## User Experience during Preview
 
 ## Audit Mode
-Discover audit events in your activity log when this policy assignment is applied in audit mode and they attempt to create, update, or delete a resource without authenticating with MFA.
+Discover audit events in your activity log when this policy assignment is applied in audit mode. Each event represents a resource create, update or delete that was performed by a user who did not authenticate with MFA.
 
 You can view activity Log events in Azure portal and other supported clients. Here's a sample query that can be used in CLI:
 
@@ -98,11 +99,11 @@ jq -r '"ResourceName\tResourceId\tPolicyDefinitionDisplayName", (.[] as $event |
 column -t -s $'\t'`
 
 ## Enforcement Mode
-You can expect the following experience when this policy assignment is applied in enforcement mode and they attempt to create, update, or delete a resource without authenticating with MFA.
+Discover deny events in your activity log when this policy assignment is applied in enforcement mode. Each deny event represents a resource create, update or delete that was attempted by a user who did not authenticate with MFA.
 
 The next section shows the experience from some select clients when the policy assignment is applied in enforcement mode and a user account attempts to create, update, or delete a resource without being authenticated with MFA.
   > [!NOTE]
-  > In preview timeframe, the error messages displayed to the user may differ depending on the client and command being run. This error messaging continues to improve to be consistent across clients used as this feature matures to GA availability.
+  > In preview timeframe, the error messages displayed to the user may differ depending on the client and command being run. 
 ### Azure Portal
 When you attempt to perform a create, update, or delete operation without an MFA-authenticated token, Azure portal may return:
 
