Commit db43690

committed
fixing
1 parent ce62a74 commit db43690

1 file changed

+11
-11
lines changed

articles/active-directory/hybrid/how-to-connect-sso-faq.yml

Lines changed: 11 additions & 11 deletions
@@ -41,15 +41,15 @@ sections:
4141
- question: |
4242
What applications take advantage of `domain_hint` or `login_hint` parameter capability of Seamless SSO?
4343
answer: |
44-
Listed below is a non-exhaustive list of applications that can send these parameters to Azure AD, and therefore provides users a silent sign-on experience using Seamless SSO (i.e., no need for your users to input their usernames or passwords):
44+
The table has a list of applications that can send these parameters to Azure AD. This action provides users a silent sign-on experience using Seamless SSO.:
4545
4646
| Application name | Application URL to be used |
4747
| -- | -- |
4848
| Access panel | https:\//myapps.microsoft.com/contoso.com |
4949
| Outlook on Web | https:\//outlook.office365.com/contoso.com |
5050
| Office 365 portals | https:\//portal.office.com?domain_hint=contoso.com, https:\//www.office.com?domain_hint=contoso.com |
5151
52-
In addition, users get a silent sign-on experience if an application sends sign-in requests to Azure AD's endpoints set up as tenants - that is, https:\//login.microsoftonline.com/contoso.com/<..> or https:\//login.microsoftonline.com/<tenant_ID>/<..> - instead of Azure AD's common endpoint - that is, https:\//login.microsoftonline.com/common/<...>. Listed below is a non-exhaustive list of applications that make these types of sign-in requests.
52+
In addition, users get a silent sign-on experience if an application sends sign-in requests to Azure AD's endpoints set up as tenants - that is, https:\//login.microsoftonline.com/contoso.com/<..> or https:\//login.microsoftonline.com/<tenant_ID>/<..> - instead of Azure AD's common endpoint - that is, https:\//login.microsoftonline.com/common/<...>. The table has a list of applications that make these types of sign-in requests.
5353
5454
| Application name | Application URL to be used |
5555
| -- | -- |
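Review bot: the added line 44 ends with `Seamless SSO.:`, so the sentence closes with a period followed by a colon; drop one of the two. The rewrites on lines 44 and 52 also remove "non-exhaustive", so "The table has a list of applications" now reads as a complete list; keep the qualifier and say which table is meant, for example "The following table has a non-exhaustive list of applications that ...". The removed parenthetical was the only place in this answer that spelled out that silent sign-on means users do not enter usernames or passwords, so consider keeping that clause.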
@@ -70,25 +70,25 @@ sections:
7070
answer: |
7171
[Azure AD Join](../devices/overview.md) provides SSO to users if their devices are registered with Azure AD. These devices don't necessarily have to be domain-joined. SSO is provided using *primary refresh tokens* or *PRTs*, and not Kerberos. The user experience is most optimal on Windows 10 devices. SSO happens automatically on the Microsoft Edge browser. It also works on Chrome with the use of a browser extension.
7272
73-
You can use both Azure AD Join and Seamless SSO on your tenant. These two features are complementary. If both features are turned on, then SSO from Azure AD Join takes precedence over Seamless SSO.
73+
You can use Azure AD Join and Seamless SSO on your tenant. These two features are complementary. If both features are turned on, then SSO from Azure AD Join takes precedence over Seamless SSO.
7474
7575
- question: |
7676
I want to register non-Windows 10 devices with Azure AD, without using AD FS. Can I use Seamless SSO instead?
7777
answer: |
7878
Yes, this scenario needs version 2.1 or later of the [workplace-join client](https://www.microsoft.com/download/details.aspx?id=53554).
7979
8080
- question: |
81-
How can I roll over the Kerberos decryption key of the `AZUREADSSO` computer account?
81+
How can I roll-over the Kerberos decryption key of the `AZUREADSSO` computer account?
8282
answer: |
83-
It is important to frequently roll over the Kerberos decryption key of the `AZUREADSSO` computer account (which represents Azure AD) created in your on-premises AD forest.
83+
It is important to frequently roll-over the Kerberos decryption key of the `AZUREADSSO` computer account (which represents Azure AD) created in your on-premises AD forest.
8484
8585
>[!IMPORTANT]
86-
>We highly recommend that you roll over the Kerberos decryption key at least every 30 days.
86+
>We highly recommend that you roll-over the Kerberos decryption key at least every 30 days.
8787
8888
Follow these steps on the on-premises server where you are running Azure AD Connect:
8989
9090
> [!NOTE]
91-
>You will need both domain administrator and global administrator or hybrid identity administrator credentials for the steps below.
91+
>You will need domain administrator and global administrator/hybrid identity administrator credentials for the steps.
9292
>If you are not a domain admin and you were assigned permissions by the domain admin, you should call `Update-AzureADSSOForest -OnPremCredentials $creds -PreserveCustomPermissionsOnDesktopSsoAccount`
9393
9494
**Step 1. Get list of AD forests where Seamless SSO has been enabled**
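Review bot: on added line 91, `domain administrator and global administrator/hybrid identity administrator credentials` no longer states clearly that two sets of credentials are needed (domain administrator plus one of global administrator or hybrid identity administrator); dropping "both" and replacing "or" with a slash makes the requirement ambiguous for a key rollover procedure. Suggest "both domain administrator credentials and either global administrator or hybrid identity administrator credentials". "for the steps" has also lost its referent; "for the following steps" would restore it. On lines 81, 83 and 86 the verb is changed to "roll-over"; the verb form is "roll over", as the removed lines had it, so those three changes should be reverted.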
@@ -132,7 +132,7 @@ sections:
132132
133133
After completing the wizard, Seamless SSO will be disabled on your tenant. However, you will see a message on screen that reads as follows:
134134
135-
"Single sign-on is now disabled, but there are additional manual steps to perform in order to complete clean-up. [Learn more](tshoot-connect-sso.md#step-3-disable-seamless-sso-for-each-active-directory-forest-where-youve-set-up-the-feature)"
135+
"Single sign-on is now disabled, but there are other manual steps to perform in order to complete clean-up. [Learn more](tshoot-connect-sso.md#step-3-disable-seamless-sso-for-each-active-directory-forest-where-youve-set-up-the-feature)"
136136
137137
To complete the clean-up process, follow steps 2 and 3 on the on-premises server where you are running Azure AD Connect.
138138
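Review bot: line 135 is introduced on line 133 as "a message on screen that reads as follows", so changing "additional" to "other" inside the quotation makes the documented text differ from what the wizard displays, unless the product string changed as well. Quoted UI text should stay verbatim; revert this line, or confirm the new wording against the wizard and note that in the commit message.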
@@ -143,7 +143,7 @@ sections:
143143
1. First, download, and install [Azure AD PowerShell](/powershell/azure/active-directory/overview).
144144
2. Navigate to the `$env:ProgramFiles"\Microsoft Azure Active Directory Connect"` folder.
145145
3. Import the Seamless SSO PowerShell module using this command: `Import-Module .\AzureADSSO.psd1`.
146-
4. Run PowerShell as an Administrator. In PowerShell, call `New-AzureADSSOAuthenticationContext`. This command should give you a popup to enter your tenant's Global Administrator or Hybrid Identity Adminstrator credentials.
146+
4. Run PowerShell as an Administrator. In PowerShell, call `New-AzureADSSOAuthenticationContext`. This command should give you a popup to enter your tenant's Global Administrator or Hybrid Identity Administrator credentials.
147147
5. Call `Enable-AzureADSSO -Enable $false`.
148148
149149
At this point Seamless SSO is disabled but the domains will remain configured in case you would like to enable Seamless SSO back. If you would like to remove the domains from Seamless SSO configuration completely, call the following cmdlet after you completed step 5 above: `Disable-AzureADSSOForest -DomainFqdn <fqdn>`.
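Review bot: line 149 still reads "after you completed step 5 above", while this commit removes the directional words "below" and "above" from the other sentences it touches (lines 91 and 156); for consistency change it to "after you complete step 5". The spelling fix to "Administrator" on line 146 is correct as it stands.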
@@ -153,12 +153,12 @@ sections:
153153
154154
**Step 2. Get list of AD forests where Seamless SSO has been enabled**
155155
156-
Follow tasks 1 through 4 below if you have disabled Seamless SSO using Azure AD Connect. If you have disabled Seamless SSO using PowerShell instead, jump ahead to task 5 below.
156+
Follow tasks 1 through 4 if you have disabled Seamless SSO using Azure AD Connect. If you have disabled Seamless SSO using PowerShell instead, jump ahead to task 5.
157157
158158
1. First, download, and install [Azure AD PowerShell](/powershell/azure/active-directory/overview).
159159
2. Navigate to the `$env:ProgramFiles"\Microsoft Azure Active Directory Connect"` folder.
160160
3. Import the Seamless SSO PowerShell module using this command: `Import-Module .\AzureADSSO.psd1`.
161-
4. Run PowerShell as an Administrator. In PowerShell, call `New-AzureADSSOAuthenticationContext`. This command should give you a popup to enter your tenant's Global Administrator or Hybrid Identity Adminstrator credentials.
161+
4. Run PowerShell as an Administrator. In PowerShell, call `New-AzureADSSOAuthenticationContext`. This command should give you a popup to enter your tenant's Global Administrator or Hybrid Identity Administrator credentials.
162162
5. Call `Get-AzureADSSOStatus | ConvertFrom-Json`. This command provides you the list of AD forests (look at the "Domains" list) on which this feature has been enabled.
163163
164164
**Step 3. Manually delete the `AZUREADSSO` computer account from each AD forest that you see listed.**
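Review bot: task 4 on line 161 tells the reader to run PowerShell as an Administrator only after tasks 2 and 3 have already navigated to the folder and imported `AzureADSSO.psd1`, so a reader following the list in order imports the module in a session that may not be elevated. Since this line is being edited anyway, move "Run PowerShell as an Administrator" ahead of the navigate and import tasks, and make the same change in the identical list at lines 143 to 146.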
