Commit e8e1c16

edit pass: enable-key-vault-virtual-machine
1 parent 1be34a4 commit e8e1c16

File tree

1 file changed

+29
-27
lines changed

articles/cloud-services-extended-support/enable-key-vault-virtual-machine.md

Lines changed: 29 additions & 27 deletions
@@ -1,6 +1,6 @@
11
---
2-
title: Apply the Key Vault VM Extension in Azure Cloud Services (extended support)
3-
description: Enable KeyVault VM Extension for Cloud Services (extended support)
2+
title: Apply the Key Vault VM extension in Azure Cloud Services (extended support)
3+
description: Learn about the Key Vault VM extension for Windows and how to enable it in Azure Cloud Services.
44
ms.topic: how-to
55
ms.service: cloud-services-extended-support
66
author: shisriva
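Review bot: the new `description:` line drops the "(extended support)" qualifier that the title on the line above keeps, so the page metadata now reads as if the article covers Azure Cloud Services in general, while the body of the article says the extension is supported specifically on the extended support platform. Suggest `description: Learn about the Key Vault VM extension for Windows and how to enable it in Azure Cloud Services (extended support).` so the description and title agree.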
@@ -12,47 +12,49 @@ ms.custom:
1212

1313
# Apply the Key Vault VM extension to Azure Cloud Services (extended support)
1414

15-
## What is the Key Vault VM Extension?
16-
The Key Vault VM extension provides automatic refresh of certificates stored in an Azure Key Vault. Specifically, the extension monitors a list of observed certificates stored in key vaults, and upon detecting a change, retrieves, and installs the corresponding certificates. For more details, see [Key Vault VM extension for Windows](../virtual-machines/extensions/key-vault-windows.md).
15+
This article provides basic information about the Azure Key Vault VM extension for Windows and shows you how to enable it in Azure Cloud Services.
1716

18-
## What's new in the Key Vault VM Extension?
19-
The Key Vault VM extension is now supported on the Azure Cloud Services (extended support) platform to enable the management of certificates end to end. The extension can now pull certificates from a configured Key Vault at a pre-defined polling interval and install them for use by the service.
17+
## What is the Key Vault VM extension?
18+
The Key Vault VM extension provides automatic refresh of certificates stored in an Azure key vault. Specifically, the extension monitors a list of observed certificates stored in key vaults. When the extension detects a change, it retrieves and installs the corresponding certificates. For more information, see [Key Vault VM extension for Windows](../virtual-machines/extensions/key-vault-windows.md).
2019

21-
## How can I leverage the Key Vault VM extension?
22-
The following tutorial will show you how to install the Key Vault VM extension on PaaSV1 services by first creating a bootstrap certificate in your vault to get a token from AAD that will help in the authentication of the extension with the vault. Once the authentication process is set up and the extension is installed all latest certificates will be pulled down automatically at regular polling intervals.
20+
## What's new in the Key Vault VM extension?
21+
The Key Vault VM extension is now supported on the Azure Cloud Services (extended support) platform to enable the management of certificates end to end. The extension can now pull certificates from a configured key vault at a predefined polling interval and install them for the service to use.
22+
23+
## How can I use the Key Vault VM extension?
24+
The following procedure will show you how to install the Key Vault VM extension on Azure Cloud Services by first creating a bootstrap certificate in your vault to get a token from Azure Active Directory (Azure AD). That token will help in the authentication of the extension with the vault. After the authentication process is set up and the extension is installed, all the latest certificates will be pulled down automatically at regular polling intervals.
2325

2426
> [!NOTE]
25-
> The Key Vault VM extension downloads all the certificates in the windows certificate store or to the location provided by "certificateStoreLocation" property in the VM extension settings. Currently, the KV VM extension grants access to the private key of the certificate only to the local system admin account.
27+
> The Key Vault VM extension downloads all the certificates in the Windows certificate store or to the location provided by the `certificateStoreLocation` property in the VM extension settings. Currently, the Key Vault VM extension grants access to the private key of the certificate only to the local system admin account.
2628
2729

28-
## Prerequisites
29-
To use the Azure Key Vault VM extension, you need to have an Azure Active Directory tenant. For more information on setting up a new Active Directory tenant, see [Setup your AAD tenant](../active-directory/develop/quickstart-create-new-tenant.md)
30+
### Prerequisites
31+
To use the Azure Key Vault VM extension, you need to have an Azure AD tenant. For more information, see [Quickstart: Set up a tenant](../active-directory/develop/quickstart-create-new-tenant.md).
3032

31-
## Enable the Azure Key Vault VM extension
33+
### Enable the Azure Key Vault VM extension
3234

33-
1. [Generate a certificate](../key-vault/certificates/create-certificate-signing-request.md) in your vault and download the .cer for that certificate.
35+
1. [Generate a certificate](../key-vault/certificates/create-certificate-signing-request.md) in your vault and download the .cer file for that certificate.
3436

35-
2. In the [Azure portal](https://portal.azure.com) navigate to **App Registrations**.
37+
2. In the [Azure portal](https://portal.azure.com), go to **App registrations**.
3638

37-
:::image type="content" source="media/app-registration-0.jpg" alt-text="Shows selecting app registration in the portal.":::
39+
:::image type="content" source="media/app-registration-0.jpg" alt-text="Screenshot of resources available in the Azure portal, including app registrations.":::
3840

3941

40-
3. In the App Registrations page select **New Registration** on the top left corner of the page
42+
3. On the **App registrations** page, select **New registration**.
4143

42-
:::image type="content" source="media/app-registration-1.png" alt-text="Shows the app registration sin the Azure portal.":::
44+
:::image type="content" source="media/app-registration-1.png" alt-text="Screenshot that shows the page for app registrations in the Azure portal.":::
4345

44-
4. On the next page you can fill the form and complete the app creation.
46+
4. On the next page, fill out the form and complete the app creation.
4547

46-
5. Upload the .cer of the certificate to the Azure Active Directory app portal.
48+
5. Upload the .cer file of the certificate to the Azure AD app portal.
4749

48-
- Optionally you can also leverage the [Key Vault Event Grid notification feature](https://azure.microsoft.com/updates/azure-key-vault-event-grid-integration-is-now-available/) to upload the certificate.
50+
Optionally, you can use the [Azure Event Grid notification feature for Key Vault](https://azure.microsoft.com/updates/azure-key-vault-event-grid-integration-is-now-available/) to upload the certificate.
4951

50-
6. Grant the Azure Active Directory app secret list/get permissions in Key Vault:
51-
- If you are using RBAC preview, search for the name of the AAD app you created and assign it to the Key Vault Secrets User (preview) role.
52-
- If you are using vault access policies, then assign **Secret-Get** permissions to the AAD app you created. For more information, see [Assign access policies](../key-vault/general/assign-access-policy-portal.md)
52+
6. Grant the Azure Active Directory app secret permissions in Key Vault:
53+
54+
- If you're using a role-based access control (RBAC) preview, search for the name of the Azure AD app that you created and assign it to the Key Vault Secrets User (preview) role.
55+
- If you're using vault access policies, assign **Secret-Get** permissions to the Azure AD app that you created. For more information, see [Assign access policies](../key-vault/general/assign-access-policy-portal.md).
5356

54-
7. Install first
55-
step and the Key Vault VM extension using the ARM template snippet for `cloudService` resource as shown below:
57+
7. Install the Key Vault VM extension by using the Azure Resource Manager template snippet for the `cloudService` resource:
5658

5759
```json
5860
{
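Review bot: the rewritten procedure still never states how the bootstrap certificate, including its private key, is deployed to the role instances. Step 1 only downloads the public .cer for the app registration, step 7 installs the extension, and the *ServiceDefinition.csdef* fragment later in the file configures the store for a certificate the steps never add to the service; since the article says the extension authenticates to Azure AD with this certificate, add a step before step 7 that adds the bootstrap certificate to the cloud service's certificate configuration. Smaller points in the same hunk: the step 6 heading still reads "Grant the Azure Active Directory app secret permissions" while the rest of the rewrite uses "Azure AD", and its first bullet "If you're using a role-based access control (RBAC) preview" should be "If you're using the RBAC permission model (preview)"; the note block keeps the original wording "downloads all the certificates in the Windows certificate store", which should be "to the Windows certificate store" to match the "or to the location provided by" clause that follows; and the optional sentence after step 5 says the Event Grid notification feature is used "to upload the certificate", although Event Grid only emits events, so say it can notify you when a certificate is created or renewed so that the new .cer can be uploaded.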
@@ -109,7 +111,7 @@ step and the Key Vault VM extension using the ARM template snippet for `cloudSer
109111
}
110112
}
111113
```
112-
You might need to specify the certificate store for boot strap certificate in ServiceDefinition.csdef like below:
114+
You might need to specify the certificate store for the bootstrap certificate in *ServiceDefinition.csdef*:
113115

114116
```xml
115117
<Certificates>
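Review bot: "You might need to specify the certificate store for the bootstrap certificate" still leaves the reader unable to tell when the *ServiceDefinition.csdef* entry is required. State the condition instead of "might", for example that the bootstrap certificate has to be present in a local certificate store on the role instances so the extension can use it to authenticate to Azure AD, and that this entry is how the store is declared for the cloud service.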
@@ -118,4 +120,4 @@ step and the Key Vault VM extension using the ARM template snippet for `cloudSer
118120
```
119121

120122
## Next steps
121-
Further improve your deployment by [enabling monitoring in Cloud Services (extended support)](enable-alerts.md)
123+
Further improve your deployment by [enabling monitoring in Azure Cloud Services (extended support)](enable-alerts.md).
