Merge pull request #49689 from Orin-Thomas/orthomas-27Mar25-A

Minor updates to unit text

Author: PMEds28

learn-pr/advocates/intro-ai-agent-service-security-controls/includes/1-understand-azure-ai-agent-service.md

@@ -4,8 +4,8 @@ An AI Agent acts as a "smart" microservice that can be used to answer questions
 
 Because Azure AI Agent Service is a service fully managed by Microsoft, you can focus on building workflows and the agents that power them without needing to worry about scaling, security, or management of the underlying infrastructure for individual agents.
 
-As Azure AI Agent Service is a service managed by Microsoft and you don't need to worry about the underlying security of its moving parts, you should still apply standard security principals when you use the AI agent service. These principles include:
+As Azure AI Agent Service is a service managed by Microsoft and you don't need to worry about the underlying security of its moving parts, you should still apply standard security principles when you use the AI agent service. These principles include:
 
-- Restrict access to the service using role based access control. Ensure that only appropriate security principals can interact with the AI agent service.
+- Restrict access to the service using role based access control. Ensure that only appropriate security principals can interact with the AI agent service and institute the principle of least privilege.
 - Restrict the access of the AI Agent service. The AI Agent service is interacting with sensitive resources, such as organizational data. Ensure that the scope of this access is limited and that the AI Agent service and its tools only have necessary visibility of resources such as data stores.
 - Restrict network access to the AI Agent service and the network access of the AI agent service. Limit which network hosts can interact with the AI Agent service and control which network hosts the AI Agent service and it's associated tools are able to reach.

learn-pr/advocates/intro-ai-agent-service-security-controls/includes/4-agent-service-network-access.md

@@ -11,6 +11,6 @@ You have the following options when configuring network access:
 
 ![Screenshot of Azure AI Hub networking configuraiton in Azure portal.](../media/networking-configuration.png)
 
-To access your non-Azure resources located in a different virtual network or located entirely on-premises from your Azure AI Foundry's managed virtual network, you need to configure and deploy an Application Gateway. Through this Application Gateway, you can configure full end to end access to your resources. Once you configure the Application Gateway, you can create a private endpoint from the Azure AI Foundry hub's managed virtual network to the Application Gateway. With the private endpoint, the full end to end path is secured and not routed through the Internet.
+To access your non-Azure resources located in a different virtual network or located entirely on-premises from your Azure AI Foundry's managed virtual network, you need to configure and deploy an Application Gateway. Through this Application Gateway, you can configure full end to end access to your resources. Once you configure the Application Gateway, you can create a private endpoint from the Azure AI Foundry hub's managed virtual network to the Application Gateway. An Azure Private Endpoint enables private access to specific resources, such as Azure Foundry Hubs and their projects, without exposing them to the public internet, ensuring data remains isolated and secure.
 
 ![Architecture diagram of Application Gateway connection from Azure AI Foundary to external resources.](../media/ai-foundry-app-gateway.png)