MicrosoftDocs
diff --git a/‎articles/key-vault/includes/managed-hsm/billing-warning.md‎
Lines changed: 1 addition & 1 deletion b/‎articles/key-vault/includes/managed-hsm/billing-warning.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/key-vault/managed-hsm/backup-restore.md‎
Lines changed: 31 additions & 31 deletions b/‎articles/key-vault/managed-hsm/backup-restore.md‎
Lines changed: 31 additions & 31 deletions
diff --git a/‎articles/key-vault/managed-hsm/hsm-protected-keys-byok.md‎
Lines changed: 13 additions & 13 deletions b/‎articles/key-vault/managed-hsm/hsm-protected-keys-byok.md‎
Lines changed: 13 additions & 13 deletions
@@ -9,4 +9,4 @@ ms.date: 03/13/2026
 ---
 
 > [!WARNING]
-> Managed HSM instances are considered always-in-use. If you choose to enable purge protection using the `--enable-purge-protection` flag, you are billed for the entirety of the retention period.
+> Managed HSM instances are always in use. If you enable purge protection by using the `--enable-purge-protection` flag, you pay for the entire retention period.
@@ -18,56 +18,56 @@ ms.author: mbaldwin
 > [!NOTE]
 > This feature is only available for the resource type managed HSM.
 
-Managed HSM supports creating a full backup of the entire contents of the HSM including all keys, versions, attributes, tags, and role assignments. The backup is encrypted with cryptographic keys associated with the HSM's security domain.
+Managed HSM supports creating a full backup of the entire contents of the HSM, including all keys, versions, attributes, tags, and role assignments. The backup process encrypts the data by using cryptographic keys associated with the HSM's security domain.
 
 Backup is a data plane operation. The caller initiating the backup operation must have permission to perform dataAction **Microsoft.KeyVault/managedHsm/backup/start/action**.
 
-Only following built-in roles have permission to perform full backup:
+Only the following built-in roles have permission to perform a full backup:
 - Managed HSM Administrator
 - Managed HSM Backup
 
-There are two ways to execute a full backup/restore:
-1. Assigning a User-Assigned Managed Identity (UAMI) to the Managed HSM service. You can back up and restore your MHSM using a user assigned managed identity regardless of whether your storage account has public network access or private network access enabled. If storage account is behind a private endpoint, the UAMI method works with trusted service bypass to allow for backup and restore.
-2. Using storage container SAS token with permissions `crdw`. Backing up and restoring using storage container SAS token requires your storage account to have public network access enabled.
+You can execute a full backup and restore operation in two ways:
+1. Assign a user-assigned managed identity (UAMI) to the Managed HSM service. You can back up and restore your MHSM by using a user-assigned managed identity regardless of whether your storage account has public network access or private network access enabled. If the storage account is behind a private endpoint, the UAMI method works with trusted service bypass to allow for backup and restore.
+1. Use a storage container SAS token with permissions `crdw`. Backing up and restoring by using a storage container SAS token requires your storage account to have public network access enabled.
 
-You must provide the following information to execute a full backup:
+To execute a full backup, provide the following information:
 - HSM name or URL
 - Storage account name
 - Storage account blob storage container
-- User assigned managed identity OR storage container SAS token with permissions `crdw`
+- User-assigned managed identity **OR** storage container SAS token with permissions `crdw`
 
 [!INCLUDE [cloud-shell-try-it.md](~/reusable-content/ce-skilling/azure/includes/cloud-shell-try-it.md)]
 
-#### Prerequisites if backing up and restoring using user assigned managed identity:
+#### Prerequisites for backing up and restoring by using user-assigned managed identity
 
-1. Ensure you have the Azure CLI version 2.56.0 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install the Azure CLI](/cli/azure/install-azure-cli).
-2. Create a user assigned managed identity.
-3. Create a storage account (or use an existing storage account). The storage account cannot have an immutability policy applied to it.
-4. If public network access is disabled on your storage account, enable trusted service bypass on the storage account in the "Networking" tab, under "Exceptions."
-5. Provide 'storage blob data contributor' role access to the user assigned managed identity created in step 2, by going to the "Access Control" tab on the portal and selecting "Add Role Assignment". Then select "managed identity" and select the managed identity created in step 2 -> Review + Assign
-6. Create the Managed HSM and associate the managed identity:
+1. Ensure you have Azure CLI version 2.56.0 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install the Azure CLI](/cli/azure/install-azure-cli).
+1. Create a user-assigned managed identity.
+1. Create a storage account (or use an existing storage account). The storage account can't have an immutability policy applied to it.
+1. If public network access is disabled on your storage account, enable trusted service bypass on the storage account in the **Networking** tab, under **Exceptions**.
+1. Provide **Storage Blob Data Contributor** role access to the user-assigned managed identity created in step 2, by going to the **Access Control** tab on the portal and selecting **Add Role Assignment**. Then select **managed identity** and select the managed identity created in step 2 -> **Review + Assign**
+1. Create the Managed HSM and associate the managed identity:
    ```azurecli-interactive
    az keyvault create --hsm-name ContosoMHSM -l mhsmlocation --retention-days 7 --administrators "initialadmin" --mi-user-assigned "/subscriptions/subid/resourcegroups/mhsmrgname/providers/Microsoft.ManagedIdentity/userAssignedIdentities/userassignedidentitynamefromstep2" 
    ```
- If you have an existing Managed HSM, associate the managed identity by updating the MHSM with the below command. 
+ If you have an existing Managed HSM, associate the managed identity by updating the MHSM with the following command. 
   ```azurecli-interactive
    az keyvault update-hsm --hsm-name ContosoMHSM --mi-user-assigned "/subscriptions/subid/resourcegroups/mhsmrgname/providers/Microsoft.ManagedIdentity/userAssignedIdentities/userassignedidentitynamefromstep2" 
    ```
 
 ## Full backup
 
-Backup is a long running operation but immediately returns a Job ID. You can check the status of backup process using this Job ID. The backup process creates a folder inside the designated container with a following naming pattern **`mhsm-{HSM_NAME}-{YYYY}{MM}{DD}{HH}{mm}{SS}`**, where HSM_NAME is the name of managed HSM being backed up and YYYY, MM, DD, HH, MM, mm, SS are the year, month, date, hour, minutes, and seconds of date/time in UTC when the backup command was received.
+Backup is a long running operation but it immediately returns a job ID. You can check the status of the backup process by using this job ID. The backup process creates a folder inside the designated container with the following naming pattern: **`mhsm-{HSM_NAME}-{YYYY}{MM}{DD}{HH}{mm}{SS}`**. In this pattern, `HSM_NAME` is the name of the managed HSM being backed up, and `YYYY`, `MM`, `DD`, `HH`, `mm`, and `SS` are the year, month, date, hour, minutes, and seconds of the date and time in UTC when the backup command was received.
 
 While the backup is in progress, the HSM might not operate at full throughput as some HSM partitions are busy performing the backup operation.
 
 > [!NOTE]
-> Backups to storage accounts with an immutability policy applied is not supported.
+> Backups to storage accounts with an immutability policy applied aren't supported.
 
-### Backup HSM using user assigned managed identity
+### Backup HSM by using user assigned managed identity
 ```azurecli-interactive
 az keyvault backup start --use-managed-identity true --hsm-name ContosoMHSM --storage-account-name contosostorage --blob-container-name contosostoragecontainer
   ```
-### Backup HSM using SAS token
+### Backup HSM by using SAS token
 
 ```azurecli-interactive
 # time for 500 minutes later for SAS token expiry
@@ -94,27 +94,27 @@ az keyvault backup start --hsm-name ContosoMHSM --storage-account-name contosost
 
 ## Full restore
 
-Full restore allows you to completely restore the contents of the HSM with a previous backup, including all keys, versions, attributes, tags, and role assignments. Everything currently stored in the HSM is wiped out, and it returns to the same state it was in when the source backup was created.
+Full restore restores the contents of the HSM from a previous backup, including all keys, versions, attributes, tags, and role assignments. The process removes everything currently stored in the HSM and returns it to the same state it was in when the source backup was created.
 
 > [!IMPORTANT]
-> Full restore is a destructive and disruptive operation. Therefore it is mandatory to complete a full backup of the HSM you are restoring to at least 30 minutes before a `restore` operation can be performed.
+> Full restore is a destructive and disruptive operation. Therefore, you must complete a full backup of the HSM you're restoring at least 30 minutes before a `restore` operation.
 
-Restore is a data plane operation. The caller starting the restore operation must have permission to perform dataAction **Microsoft.KeyVault/managedHsm/restore/start/action**. The source HSM where the backup was created and the destination HSM where the restore will be performed **must** have the same Security Domain. See more [about Managed HSM Security Domain](security-domain.md).
+Restore is a data plane operation. The caller starting the restore operation must have permission to perform dataAction **Microsoft.KeyVault/managedHsm/restore/start/action**. The source HSM where you created the backup and the destination HSM where you perform the restore **must** have the same Security Domain. See more [about Managed HSM Security Domain](security-domain.md).
 
-There are two ways to execute a full restore. You must provide the following information to execute a full restore:
+You can execute a full restore in two ways. To execute a full restore, provide the following information:
 - HSM name or URL
 - Storage account name
 - Storage account blob container
 - User assigned managed identity OR storage container SAS token with permissions `rl` 
 - Storage container folder name where the source backup is stored
 
-Restore is a long running operation but will immediately return a Job ID. You can check the status of the restore process using this Job ID. When the restore process is in progress, the HSM enters a restore mode and all data plane command (except check restore status) are disabled.
+Restore is a long running operation but it immediately returns a Job ID. You can check the status of the restore process by using this Job ID. When the restore process is in progress, the HSM enters a restore mode and all data plane commands (except check restore status) are disabled.
 
-### Restore HSM using user assigned managed identity
+### Restore HSM by using user assigned managed identity
 ```azurecli-interactive
 az keyvault restore start --hsm-name ContosoMHSM --storage-account-name contosostorage --blob-container-name contosostoragecontainer --backup-folder mhsm-backup-foldername --use-managed-identity true
   ```
-### Restore HSM using SAS token
+### Restore HSM by using SAS token
 
 ```azurecli-interactive
 # time for 500 minutes later for SAS token expiry
@@ -136,18 +136,18 @@ az keyvault restore start --hsm-name ContosoMHSM --storage-account-name contosos
 
 ## Selective key restore
 
-Selective key restore allows you to restore one individual key with all its key versions from a previous backup to an HSM. The key must be purged in order for selective key restore to work. If you are attempting to recover a soft-deleted key, use key recover. Learn more about [key recover](key-management.md).
+Selective key restore restores one key with all its key versions from a previous backup to an HSM. The key must be purged for selective key restore to work. If you're attempting to recover a soft-deleted key, use key recover. Learn more about [key recover](key-management.md).
 
-### Selective key restore using user assigned managed identity
+### Selective key restore by using user assigned managed identity
 ```
 az keyvault restore start --hsm-name ContosoMHSM --storage-account-name contosostorage --blob-container-name contosostoragecontainer --backup-folder mhsm-backup-foldername --use-managed-identity true --key-name rsa-key2
   ```
 
-### Selective key restore using SAS token
+### Selective key restore by using SAS token
 ```
 az keyvault restore start --hsm-name ContosoMHSM --storage-account-name contosostorage --blob-container-name contosostoragecontainer --storage-container-SAS-token $sas --backup-folder mhsm-ContosoMHSM-2020083120161860 --key-name rsa-key2
 ```
 
-## Next Steps
+## Next steps
 - See [Manage a Managed HSM using the Azure CLI](key-management.md).
-- Learn more about [Managed HSM Security Domain](security-domain.md)
+- Learn more about [Managed HSM Security Domain](security-domain.md).
@@ -13,14 +13,14 @@ ms.author: mbaldwin
 
 # Import HSM-protected keys to Managed HSM (BYOK)
 
- Azure Key Vault Managed HSM supports importing keys generated in your on-premises hardware security module (HSM); the keys will never leave the HSM protection boundary. This scenario often is referred to as *bring your own key (BYOK)*. Managed HSM uses the Marvell LiquidSecurity HSM adapters (FIPS 140-3 Level 3 validated) to protect your keys.
+ Azure Key Vault Managed HSM supports importing keys generated in your on-premises hardware security module (HSM). The keys never leave the HSM protection boundary. This scenario is often referred to as *bring your own key (BYOK)*. Managed HSM uses the Marvell LiquidSecurity HSM adapters (FIPS 140-3 Level 3 validated) to protect your keys.
 
 Use the information in this article to help you plan for, generate, and transfer your own HSM-protected keys to use with Managed HSM.
 
 > [!NOTE]
 > This import method is available only for [supported HSMs](#supported-hsms). 
 
-For more information, and for a tutorial to get started using Managed HSM, see [What is Managed HSM?](overview.md).
+For more information, and for a tutorial to get started using Managed HSM, see [What is Managed HSM?](overview.md)
 
 ## Overview
 
@@ -33,7 +33,7 @@ Here's an overview of the process. Specific steps to complete are described late
 * The target key is encrypted with a KEK, which stays encrypted until it's transferred to the Managed HSM. Only the encrypted version of your key leaves the on-premises HSM.
 * A KEK that's generated inside a Managed HSM isn't exportable. HSMs enforce the rule that no clear version of a KEK exists outside a Managed HSM.
 * The KEK must be in the same managed HSM where the target key will be imported.
-* When the BYOK file is uploaded to Managed HSM, a Managed HSM uses the KEK private key to decrypt the target key material and import it as an HSM key. This operation happens entirely inside the HSM. The target key always remains in the HSM protection boundary.
+* When you upload the BYOK file to Managed HSM, a Managed HSM uses the KEK private key to decrypt the target key material and import it as an HSM key. This operation happens entirely inside the HSM. The target key always remains in the HSM protection boundary.
 
 
 ## Prerequisites
@@ -42,18 +42,18 @@ Here's an overview of the process. Specific steps to complete are described late
 
 You also need:
 
-* The Azure CLI version 2.12.0 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install the Azure CLI]( /cli/azure/install-azure-cli).
+* Azure CLI version 2.12.0 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install the Azure CLI](/cli/azure/install-azure-cli).
 * A managed HSM in the [supported HSMs list](#supported-hsms) in your subscription. To provision and activate a managed HSM, see [Quickstart: Provision and activate a managed HSM using Azure CLI](quick-create-cli.md).
 
 [!INCLUDE [cloud-shell-try-it.md](~/reusable-content/ce-skilling/azure/includes/cloud-shell-try-it.md)]
 
-To sign in to Azure using the CLI, type:
+To sign in to Azure by using the CLI, type:
 
 ```azurecli
 az login
 ```
 
-For more information on login options via the CLI, take a look at [sign in with Azure CLI](/cli/azure/authenticate-azure-cli)
+For more information on authentication options through the CLI, see [sign in with Azure CLI](/cli/azure/authenticate-azure-cli).
 
 ## Supported HSMs
 
@@ -87,15 +87,15 @@ For more information on login options via the CLI, take a look at [sign in with
 
 ### Step 1: Generate a KEK
 
-A KEK is an RSA key that's generated in a Managed HSM. The KEK is used to encrypt the key you want to import (the *target* key).
+A KEK is an RSA key that you generate in a Managed HSM. Use the KEK to encrypt the key you want to import (the *target* key).
 
 The KEK must be:
-- An RSA-HSM key (2,048-bit; 3,072-bit; or 4,096-bit)
-- Generated in the same managed HSM where you intend to import the target key
+- An RSA-HSM key (2,048-bit, 3,072-bit, or 4,096-bit)
+- Generated in the same Managed HSM where you intend to import the target key
 - Created with allowed key operations set to `import`
 
 > [!NOTE]
-> The KEK must have 'import' as the only allowed key operation. 'import' is mutually exclusive with all other key operations.
+> The KEK must have `import` as the only allowed key operation. `import` is mutually exclusive with all other key operations.
 
 Use the [az keyvault key create](/cli/azure/keyvault/key#az-keyvault-key-create) command to create a KEK that has key operations set to `import`. Record the key identifier (`kid`) that's returned from the following command. (You'll use the `kid` value in [Step 3](#step-3-generate-and-prepare-your-key-for-transfer).)
 
@@ -114,16 +114,16 @@ az keyvault key download --name KEKforBYOK --hsm-name ContosoMHSM --file KEKforB
 ```
 ---
 
-Transfer the KEKforBYOK.publickey.pem file to your offline computer. You'll need this file in the next step.
+Transfer the `KEKforBYOK.publickey.pem` file to your offline computer. You need this file in the next step.
 
 ### Step 3: Generate and prepare your key for transfer
 
-Refer to your HSM vendor's documentation to download and install the BYOK tool. Follow instructions from your HSM vendor to generate a target key, and then create a key transfer package (a BYOK file). The BYOK tool will use the `kid` from [Step 1](#step-1-generate-a-kek) and the KEKforBYOK.publickey.pem file you downloaded in [Step 2](#step-2-download-the-kek-public-key) to generate an encrypted target key in a BYOK file.
+To download and install the BYOK tool, see your HSM vendor's documentation. Follow the instructions from your HSM vendor to generate a target key, and then create a key transfer package (a BYOK file). The BYOK tool uses the `kid` from [Step 1](#step-1-generate-a-kek) and the `KEKforBYOK.publickey.pem` file you downloaded in [Step 2](#step-2-download-the-kek-public-key) to generate an encrypted target key in a BYOK file.
 
 Transfer the BYOK file to your connected computer.
 
 > [!NOTE] 
-> Importing RSA 1,024-bit keys is not supported. Importing EC-HSM P256K keys is supported.
+> Importing RSA 1,024-bit keys isn't supported. Importing EC-HSM P256K keys is supported.
 >
 > **Known issue**: Importing an RSA 4K target key from Luna HSMs is only supported with firmware 7.4.0 or newer.