Changes recommended by commentors and acrolinx

kenieva · kenieva · commit e385c387de33 · 2022-11-29T10:18:19.000-08:00
diff --git a/articles/governance/policy/concepts/effects.md b/articles/governance/policy/concepts/effects.md
@@ -53,7 +53,7 @@ manages the evaluation and outcome and reports the results back to Azure Policy.
   resource is prevented.
 - **Audit** is evaluated. 
 - **Manual** is evaluated. 
-- **AuditIfNotExist** is evaluated. 
+- **AuditIfNotExists** is evaluated. 
 - **denyAction** is evaluated last. 
 
 After the Resource Provider returns a success code on a Resource Manager mode request,
@@ -389,7 +389,7 @@ definitions as `constraintTemplate` is deprecated.
   - An _array_ of
     [Kubernetes namespaces](https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/)
     to limit policy evaluation to.
-  - An empty or missing value causes policy evaluation to include all namespaces, except those
+  - An empty or missing value causes policy evaluation to include all namespaces, except the ones
     defined in _excludedNamespaces_.
 - **excludedNamespaces** (required)
   - An _array_ of
@@ -455,25 +455,23 @@ location of the Constraint template to use in Kubernetes to limit the allowed co
 ```
 ## DenyAction (preview)
 
-`DenyAction` is used to block request based on intended action to resources. The only supported action today is `DELETE`. This effect will help prevent any accidential deletion of critical resources.
+`DenyAction` is used to block requests on intended action to resources. The only supported action today is `DELETE`. This effect will help prevent any accidental deletion of critical resources.
 
 ### DenyAction evaluation
 
-When submitting a request to a matched resource in a Resource Manager mode, `denyAction` prevents the request
-from succeeding. The request is returned as a `403 (Forbidden)`. In the
-portal, the Forbidden can be viewed as a status on the deployment that was prevented by the policy
+When a request call with an applicable action name and targeted scope is submitted, `denyAction` prevents the request from succeeding. The request is returned as a `403 (Forbidden)`. In the portal, the Forbidden can be viewed as a status on the deployment that was prevented by the policy
 assignment. 
 
 `Microsoft.Authorization/policyAssignments`, `Microsoft.Authorization/denyAssignments`, `Microsoft.Blueprint/blueprintAssignments`, `Microsoft.Resources/deploymentStacks`, and `Microsoft.Authorization/locks` are all exempt from DenyAction enforcement to prevent lockout scenarios. 
 
 **Subscription deletion**
-Policy will not block removal of resources that happens during a subscription deletion. 
+Policy won't block removal of resources that happens during a subscription deletion. 
 
 **Resource group deletion** 
-Policy will evaluate resources that support location and tags against `DenyAction` policies during a resource group deletion. Only policies that have the `cascadeBehaviors` set to `deny` in the policy rule will block a resource group deletion. Policy will not block removal of resources that do not support location and tags nor any policy with `mode:all`. 
+Policy will evaluate resources that support location and tags against `DenyAction` policies during a resource group deletion. Only policies that have the `cascadeBehaviors` set to `deny` in the policy rule will block a resource group deletion. Policy won't block removal of resources that don't support location and tags nor any policy with `mode:all`. 
 
 **Cascade Deletion** 
-Cascade Deletion ocurs when deleting of a parent resources is implicately deletes all its child resources. Policy will not block removal of child resources when an deletion action targets the parent resources. For example, `Microsoft.Insights/diagnosticSettings` is a child resource of `Microsoft.Storage/storageaccounts`. If a `denyAction` policy targets `Microsoft.Insights/diagnosticSettings`, a delete call to the diagnostic setting (child) will fail, but a delete to the storage account (parent) will implictely delete the diagnostic setting (child). 
+Cascade Deletion occurs when deleting of a parent resource is implicitly deletes all its child resources. Policy won't block removal of child resources when a delete action targets the parent resources. For example, `Microsoft.Insights/diagnosticSettings` is a child resource of `Microsoft.Storage/storageaccounts`. If a `denyAction` policy targets `Microsoft.Insights/diagnosticSettings`, a delete call to the diagnostic setting (child) will fail, but a delete to the storage account (parent) will implicitly delete the diagnostic setting (child). 
 
 [!INCLUDE [policy-denyAction](../../../../includes/azure-policy-denyAction.md)]
 
@@ -491,7 +489,7 @@ The **details** property of the DenyAction effect has all the subproperties that
   - Default value is `deny`. 
 
 ### DenyAction example
-Example: Deny deletion of database accounts where tag environment equals prod. 
+Example: Deny any delete calls targeting database accounts that have a tag environment that equals prod. Since cascade behavior is set to deny, block any DELETE call that targets a resource group with an applicable database account. 
 
 ```json
 {
@@ -689,7 +687,7 @@ logs, and the policy effect don't occur. For more information, see
 
 ## Manual (preview)
 
-The new `manual` (preview) effect enables you to self-attest the compliance of resources or scopes. Unlike other policy definitions that actively scan for evaluation, the Manual effect allows for manual changes to the compliance state. To change the compliance of a resource or scope targeted by a manual policy, you'll need to create an [attestation](attestation-structure.md). The [best practice](attestation-structure.md#best-practices) is to design manual policies that target the scope which defines the boundary of resources whose compliance need attesting.
+The new `manual` (preview) effect enables you to self-attest the compliance of resources or scopes. Unlike other policy definitions that actively scan for evaluation, the Manual effect allows for manual changes to the compliance state. To change the compliance of a resource or scope targeted by a manual policy, you'll need to create an [attestation](attestation-structure.md). The [best practice](attestation-structure.md#best-practices) is to design manual policies that target the scope that defines the boundary of resources whose compliance need attesting.
 
 > [!NOTE]
 > During Public Preview, support for manual policy is available through various Microsoft Defender
diff --git a/articles/governance/policy/concepts/evaluate-impact.md b/articles/governance/policy/concepts/evaluate-impact.md
@@ -6,7 +6,7 @@ ms.topic: conceptual
 ---
 # Evaluate the impact of a new Azure Policy definition
 
-Azure Policy is a powerful tool for managing your Azure resources to business standards and to meet
+Azure Policy is a powerful tool for managing your Azure resources to meet business standards
 compliance needs. When people, processes, or pipelines create or update resources, Azure Policy
 reviews the request. When the policy definition effect is [Modify](./effects.md#modify),
 [Append](./effects.md#deny), or [DeployIfNotExists](./effects.md#deployifnotexists), Policy alters
@@ -109,8 +109,7 @@ setup appropriate
 [Azure Monitor alerts and notifications](../../../azure-monitor/alerts/alerts-overview.md) for
 when non-compliant devices are identified. It's also recommended to evaluate the policy definition
 and related assignments on a scheduled basis to validate the policy definition is meeting business
-policy and compliance needs. Policies should be removed if no longer needed. Policies also need
-updating from time to time as the underlying Azure resources evolve and add new properties and
+policy and compliance needs. Policies should be removed if no longer needed. Policies also need to update from time to time as the underlying Azure resources evolve and add new properties and
 capabilities.
 
 ## Next steps
diff --git a/includes/azure-policy-denyAction.md b/includes/azure-policy-denyAction.md
@@ -8,7 +8,7 @@ ms.date: 11/28/2022
 ms.author: kenieva
 ---
 
-This table describes if a resource will be protected from deletion given the resource applicable to the assigned denyAction policy and the targeted scope of the DELETE call. In the conetext of this table, an indexed  is a resource that supports tags and locations. Non-indexed is a resource that does not support tags or locations. For more information on indexed and non-indexed resourxe, please reference [definition modes](../articles/governance/policy/concepts/definition-structure.md). Child resources are resources that exist only within the context of another resource. For example, an virtual machines extension resource is a child of the virtual machine, whom is the parent resource. 
+This table describes if a resource will be protected from deletion given the resource applicable to the assigned denyAction policy and the targeted scope of the DELETE call. In the context of this table, an indexed  is a resource that supports tags and locations. Non-indexed is a resource that doesn't support tags or locations. For more information on indexed and non-indexed resources,  reference [definition modes](../articles/governance/policy/concepts/definition-structure.md). Child resources are resources that exist only within the context of another resource. For example, a virtual machines extension resource is a child of the virtual machine, whom is the parent resource. 
 
 | Resource applicable to DenyAction definition | Delete call targeted scope | Action taken |
 |---|---|---|
