Commit e9e407e

2 parents 035b863 + 6eabedd commit e9e407e

176 files changed

+1651
-2864
lines changed

articles/active-directory/conditional-access/concept-conditional-access-conditions.md

Lines changed: 1 addition & 1 deletion
@@ -48,7 +48,7 @@ Azure AD Conditional Access supports the following device platforms:
4848
If you block legacy authentication using the **Other clients** condition, you can also set the device platform condition.
4949

5050
> [!IMPORTANT]
51-
> Microsoft recommends that you have a Conditional Access policy for unsupported device platforms. As an example, if you want to block access to your corporate resources from Chrome OS or any other unsupported clients, you should configure a policy with a Device platforms condition that includes any device and excludes supported device platforms and Grant control set to Block access.
51+
> Microsoft recommends that you have a Conditional Access policy for unsupported device platforms. As an example, if you want to block access to your corporate resources from **Chrome OS** or any other unsupported clients, you should configure a policy with a Device platforms condition that includes any device and excludes supported device platforms and Grant control set to Block access.
5252
5353
## Locations
5454
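Review bot: the bold added to **Chrome OS** in line 51+ is inconsistent with the rest of the sentence, where the actual UI element names ("Device platforms condition", "Grant control", "Block access") stay unformatted while a product name gets emphasis; two lines above, bold is used for a UI control (**Other clients**). Either bold the control names and leave the OS name plain, or drop the bold on Chrome OS.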

articles/active-directory/conditional-access/concept-conditional-access-grant.md

Lines changed: 14 additions & 14 deletions
@@ -6,7 +6,7 @@ services: active-directory
66
ms.service: active-directory
77
ms.subservice: conditional-access
88
ms.topic: conceptual
9-
ms.date: 11/04/2021
9+
ms.date: 01/27/2022
1010

1111
ms.author: joflore
1212
author: MicrosoftGuyJFlo
@@ -53,7 +53,7 @@ Selecting this checkbox will require users to perform Azure AD Multi-Factor Auth
5353

5454
### Require device to be marked as compliant
5555

56-
Organizations who have deployed Microsoft Intune can use the information returned from their devices to identify devices that meet specific compliance requirements. This policy compliance information is forwarded from Intune to Azure AD where Conditional Access can make decisions to grant or block access to resources. For more information about compliance policies, see the article [Set rules on devices to allow access to resources in your organization using Intune](/intune/protect/device-compliance-get-started).
56+
Organizations who have deployed Microsoft Intune can use the information returned from their devices to identify devices that meet specific compliance requirements. Policy compliance information is sent from Intune to Azure AD so Conditional Access can decide to grant or block access to resources. For more information about compliance policies, see the article [Set rules on devices to allow access to resources in your organization using Intune](/intune/protect/device-compliance-get-started).
5757

5858
A device can be marked as compliant by Intune (for any device OS) or by third-party MDM system for Windows 10 devices. A list of supported third-party MDM systems can be found in the article [Support third-party device compliance partners in Intune](/mem/intune/protect/device-compliance-partners).
5959

@@ -62,9 +62,9 @@ Devices must be registered in Azure AD before they can be marked as compliant. M
6262
**Remarks**
6363

6464
- The **Require device to be marked as compliant** requirement:
65-
- Only supports Windows Windows current (Windows 10+), iOS, Android and macOS devices registered with Azure AD and enrolled with Intune.
65+
- Only supports Windows 10+, iOS, Android, and macOS devices registered with Azure AD and enrolled with Intune.
6666
- For devices enrolled with third-party MDM systems, see [Support third-party device compliance partners in Intune](/mem/intune/protect/device-compliance-partners).
67-
- Conditional Access cannot consider Microsoft Edge in InPrivate mode as a compliant device.
67+
- Conditional Access can’t consider Microsoft Edge in InPrivate mode as a compliant device.
6868

6969
> [!NOTE]
7070
> On Windows 7, iOS, Android, macOS, and some third-party web browsers Azure AD identifies the device using a client certificate that is provisioned when the device is registered with Azure AD. When a user first signs in through the browser the user is prompted to select the certificate. The end user must select this certificate before they can continue to use the browser.
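Review bot: line 65+ changes the supported-platform wording to "Windows 10+" while the hybrid-joined remark later in this same file (line 81, "Windows down-level (pre Windows 10) and Windows current (Windows 10+)") keeps the old terminology, so the two remarks now describe Windows differently; pick one form for the whole file. "Windows 10 or later" would also read less informally than "10+".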
@@ -73,19 +73,19 @@ Devices must be registered in Azure AD before they can be marked as compliant. M
7373

7474
Organizations can choose to use the device identity as part of their Conditional Access policy. Organizations can require that devices are hybrid Azure AD joined using this checkbox. For more information about device identities, see the article [What is a device identity?](../devices/overview.md).
7575

76-
When using the [device-code OAuth flow](../develop/v2-oauth2-device-code.md), the require managed device grant control or a device state condition are not supported. This is because the device performing authentication cannot provide its device state to the device providing a code and the device state in the token is locked to the device performing authentication. Use the require multi-factor authentication grant control instead.
76+
When using the [device-code OAuth flow](../develop/v2-oauth2-device-code.md), the require managed device grant control or a device state condition aren’t supported. This is because the device performing authentication can’t provide its device state to the device providing a code and the device state in the token is locked to the device performing authentication. Use the require multi-factor authentication grant control instead.
7777

7878
**Remarks**
7979

8080
- The **Require hybrid Azure AD joined device** requirement:
8181
- Only supports domain joined Windows down-level (pre Windows 10) and Windows current (Windows 10+) devices.
82-
- Conditional Access cannot consider Microsoft Edge in InPrivate mode as a hybrid Azure AD joined device.
82+
- Conditional Access can’t consider Microsoft Edge in InPrivate mode as a hybrid Azure AD joined device.
8383

8484
### Require approved client app
8585

8686
Organizations can require that an access attempt to the selected cloud apps needs to be made from an approved client app. These approved client apps support [Intune app protection policies](/intune/app-protection-policy) independent of any mobile-device management (MDM) solution.
8787

88-
In order to apply this grant control, Conditional Access requires that the device is registered in Azure Active Directory, which requires the use of a broker app. The broker app can be the Microsoft Authenticator for iOS, or either the Microsoft Authenticator or Microsoft Company portal for Android devices. If a broker app is not installed on the device when the user attempts to authenticate, the user gets redirected to the appropriate app store to install the required broker app.
88+
In order to apply this grant control, Conditional Access requires that the device is registered in Azure Active Directory, which requires the use of a broker app. The broker app can be the Microsoft Authenticator for iOS, or either the Microsoft Authenticator or Microsoft Company portal for Android devices. If a broker app isn’t installed on the device when the user attempts to authenticate, the user gets redirected to the appropriate app store to install the required broker app.
8989

9090
The following client apps have been confirmed to support this setting:
9191
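Review bot: the rewritten sentence at 76+ pairs an "or" subject with a plural verb: "the require managed device grant control or a device state condition aren't supported". Since both are unsupported, "Neither the require managed device grant control nor a device state condition is supported" states that correctly and avoids the agreement problem.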

@@ -126,16 +126,16 @@ The following client apps have been confirmed to support this setting:
126126
- The **Require approved client app** requirement:
127127
- Only supports the iOS and Android for device platform condition.
128128
- A broker app is required to register the device. The broker app can be the Microsoft Authenticator for iOS, or either the Microsoft Authenticator or Microsoft Company portal for Android devices.
129-
- Conditional Access cannot consider Microsoft Edge in InPrivate mode an approved client app.
130-
- Using Azure AD Application Proxy to enable the Power BI mobile app to connect to on premises Power BI Report Server is not supported with conditional access policies that require the Microsoft Power BI app as an approved client app.
129+
- Conditional Access can’t consider Microsoft Edge in InPrivate mode an approved client app.
130+
- Using Azure AD Application Proxy to enable the Power BI mobile app to connect to on premises Power BI Report Server isn’t supported with Conditional Access policies that require the Microsoft Power BI app as an approved client app.
131131

132132
See the article, [How to: Require approved client apps for cloud app access with Conditional Access](app-based-conditional-access.md) for configuration examples.
133133

134134
### Require app protection policy
135135

136136
In your Conditional Access policy, you can require an [Intune app protection policy](/intune/app-protection-policy) be present on the client app before access is available to the selected cloud apps.
137137

138-
In order to apply this grant control, Conditional Access requires that the device is registered in Azure Active Directory, which requires the use of a broker app. The broker app can be either the Microsoft Authenticator for iOS, or the Microsoft Company portal for Android devices. If a broker app is not installed on the device when the user attempts to authenticate, the user gets redirected to the app store to install the broker app.
138+
In order to apply this grant control, Conditional Access requires that the device is registered in Azure Active Directory, which requires the use of a broker app. The broker app can be either the Microsoft Authenticator for iOS, or the Microsoft Company portal for Android devices. If a broker app isn’t installed on the device when the user attempts to authenticate, the user gets redirected to the app store to install the broker app.
139139

140140
Applications are required to have the **Intune SDK** with **Policy Assurance** implemented and meet certain other requirements to support this setting. Developers implementing applications with the Intune SDK can find more information in the SDK documentation on these requirements.
141141
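Review bot: while line 130+ is being edited to capitalize "Conditional Access", "on premises Power BI Report Server" should become "on-premises Power BI Report Server"; as a compound modifier it takes the hyphen, which is also the form used throughout the rest of the Azure AD docs set.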

@@ -167,24 +167,24 @@ The following client apps have been confirmed to support this setting:
167167
- Apps for app protection policy support the Intune mobile application management feature with policy protection.
168168
- The **Require app protection policy** requirements:
169169
- Only supports the iOS and Android for device platform condition.
170-
- A broker app is required to register the device. On iOS, the broker app is Microsoft Authenticator and on Android, it is Intune Company Portal app.
170+
- A broker app is required to register the device. On iOS, the broker app is Microsoft Authenticator and on Android, it’s Intune Company Portal app.
171171

172172
See the article, [How to: Require app protection policy and an approved client app for cloud app access with Conditional Access](app-protection-based-conditional-access.md) for configuration examples.
173173

174174
### Require password change
175175

176176
When user risk is detected, using the user risk policy conditions, administrators can choose to have the user securely change the password using Azure AD self-service password reset. If user risk is detected, users can perform a self-service password reset to self-remediate, this process will close the user risk event to prevent unnecessary noise for administrators.
177177

178-
When a user is prompted to change their password, they will first be required to complete multi-factor authentication. You’ll want to make sure all of your users have registered for multi-factor authentication, so they are prepared in case risk is detected for their account.
178+
When a user is prompted to change their password, they’ll first be required to complete multi-factor authentication. You’ll want to make sure all of your users have registered for multi-factor authentication, so they’re prepared in case risk is detected for their account.
179179

180180
> [!WARNING]
181181
> Users must have previously registered for self-service password reset before triggering the user risk policy.
182182
183183
Restrictions when you configure a policy using the password change control.
184184

185185
1. The policy must be assigned to ‘all cloud apps’. This requirement prevents an attacker from using a different app to change the user’s password and reset account risk, by signing into a different app.
186-
1. Require password change cannot be used with other controls, like requiring a compliant device.
187-
1. The password change control can only be used with the user and group assignment condition, cloud app assignment condition (which must be set to all) and user risk conditions.
186+
1. Require password change can’t be used with other controls, like requiring a compliant device.
187+
1. The password change control can only be used with the user and group assignment condition, cloud app assignment condition (which must be set to all), and user risk conditions.
188188

189189
### Terms of use
190190
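Review bot: line 170+ drops the article: "on Android, it's Intune Company Portal app" should read "it's the Intune Company Portal app". The iOS half of the same sentence ("the broker app is Microsoft Authenticator") would likewise read better as "is the Microsoft Authenticator app", matching how the broker apps are named in the approved-client-app remark at 128.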
