update

msmbaldwin · msmbaldwin · commit bd0908b9ac82 · 2026-01-20T06:51:44.000-08:00
diff --git a/articles/cloud-hsm/authentication.md b/articles/cloud-hsm/authentication.md
@@ -15,7 +15,7 @@ Authentication is a crucial aspect of securely accessing and operating within Az
 
 ## Cloud HSM CLI authentication
 
-You can authenticate by using CLI tools like `azcloudhsm_util` in either interactive mode or single-command mode. In interactive mode, use the `login` command. For single-command mode, include `singlecmd` and parameters for `loginHSM`. We advise you to securely store your HSM credentials when your application isn't using them.
+You can authenticate by using CLI tools like `azcloudhsm_util` in either interactive mode or single-command mode. In interactive mode, use the `loginHSM` command. For single-command mode, include `singlecmd` and parameters for `loginHSM`. We advise you to securely store your HSM credentials when your application isn't using them.
 
 ### Interactive mode
 
diff --git a/articles/key-vault/keys/how-to-configure-key-rotation.md b/articles/key-vault/keys/how-to-configure-key-rotation.md
@@ -14,65 +14,68 @@ ms.author: mbaldwin
 
 # Configure cryptographic key auto-rotation in Azure Key Vault
 
-## Overview
-Automated cryptographic key rotation in [Key Vault](../general/overview.md) allows users to configure Key Vault to automatically generate a new key version at a specified frequency. To configure rotation you can use key rotation policy, which can be defined on each individual key. 
+By automating cryptographic key rotation in [Key Vault](../general/overview.md), you can set up Key Vault to automatically create a new key version at a chosen frequency. To set up rotation, use the key rotation policy, which you can define for each individual key. 
 
-Our recommendation is to rotate encryption keys at least every two years to meet cryptographic best practices.
+To follow cryptographic best practices, rotate encryption keys at least every two years.
 
-For more information about how objects in Key Vault are versioned, see [Key Vault objects, identifiers, and versioning](../general/about-keys-secrets-certificates.md#objects-identifiers-and-versioning). For a comprehensive understanding of autorotation concepts across different asset types in Azure Key Vault, see [Understanding autorotation in Azure Key Vault](../general/autorotation.md).
+For more information about how Key Vault versions objects, see [Key Vault objects, identifiers, and versioning](../general/about-keys-secrets-certificates.md#objects-identifiers-and-versioning). For a comprehensive understanding of autorotation concepts across different asset types in Azure Key Vault, see [Understanding autorotation in Azure Key Vault](../general/autorotation.md).
 
 ## Integration with Azure services
-This feature enables end-to-end zero-touch rotation for encryption at rest for Azure services with customer-managed key (CMK) stored in Azure Key Vault. Please refer to specific Azure service documentation to see if the service covers end-to-end rotation. 
+
+This feature enables end-to-end zero-touch rotation for encryption at rest for Azure services with customer-managed key (CMK) stored in Azure Key Vault. Check the specific Azure service documentation to see if the service supports end-to-end rotation. 
+
+> [!NOTE]
+> When you rotate customer-managed keys that Azure services use, the time it takes for each service to detect and apply the new key version varies (from one hour to 24 hours or more). Consult the specific Azure service documentation for guidance on when you can safely disable the old key version after rotation.
 
 For more information about data encryption in Azure, see:
 - [Azure Encryption at Rest](/azure/security/fundamentals/encryption-atrest#azure-encryption-at-rest-components)
 - [Azure services data encryption support table](/azure/security/fundamentals/encryption-models#supporting-services)
 
 ## Pricing
 
-There's an additional cost per scheduled key rotation. For more information, see [Azure Key Vault pricing page](https://azure.microsoft.com/pricing/details/key-vault/)
+There's an extra cost for each scheduled key rotation. For more information, see the [Azure Key Vault pricing page](https://azure.microsoft.com/pricing/details/key-vault/).
 
 ## Permissions required
 
-Key Vault key rotation feature requires key management permissions. You can assign a "Key Vault Crypto Officer" role to manage rotation policy and on-demand rotation.
+The Key Vault key rotation feature requires key management permissions. Assign the **Key Vault Crypto Officer** role to manage the rotation policy and on-demand rotation.
 
-For more information on how to use Azure RBAC for Key Vault and assign Azure roles, see [Use an Azure RBAC to control access to keys, certificates and secrets](../general/rbac-guide.md)
+For more information on how to use Azure RBAC for Key Vault and assign Azure roles, see [Use an Azure RBAC to control access to keys, certificates and secrets](../general/rbac-guide.md).
 
 > [!NOTE]
-> If you use an access policies permission model, it is required to set 'Rotate', 'Set Rotation Policy', and 'Get Rotation Policy' key permissions to manage rotation policy on keys. 
+> If you use the access policies permission model, set the 'Rotate', 'Set Rotation Policy', and 'Get Rotation Policy' key permissions to manage the rotation policy on keys. 
 
 ## Key rotation policy
 
-The key rotation policy allows users to configure rotation and Event Grid notifications near expiry notification.
+The key rotation policy allows you to configure rotation and Event Grid notifications for near expiry notification.
 
 Key rotation policy settings:
 
--   Expiry time: key expiration interval. It's used to set expiration date on newly rotated key. It doesn't affect a current key.
--   Enabled/disabled: flag to enable or disable rotation for the key
+-   Expiry time: key expiration interval. It sets the expiration date on the newly rotated key. It doesn't affect the current key.
+-   Enabled/disabled: flag to enable or disable rotation for the key.
 -   Rotation types:
-    -   Automatically renew at a given time after creation (default)
+    -   Automatically renew at a given time after creation (default).
     -   Automatically renew at a given time before expiry. It requires 'Expiry Time' set on rotation policy and 'Expiration Date' set on the key.
--   Rotation time: key rotation interval, the minimum value is seven days from creation and seven days from expiration time
+-   Rotation time: key rotation interval. The minimum value is seven days from creation and seven days from expiration time.
 -   Notification time: key near expiry event interval for Event Grid notification. It requires 'Expiry Time' set on rotation policy and 'Expiration Date' set on the key. 
 
 > [!IMPORTANT]
-> Key rotation generates a new key version of an existing key with new key material. Target services should use versionless key uri to automatically refresh to latest version of the key. Ensure that your data encryption solution stores versioned key uri with data to point to the same key material for decrypt/unwrap as was used for encrypt/wrap operations to avoid disruption to your services. All Azure services are currently following that pattern for data encryption.
+> Key rotation generates a new key version of an existing key with new key material. Target services should use versionless key URI to automatically refresh to the latest version of the key. Ensure that your data encryption solution stores versioned key URI with data to point to the same key material for decrypt/unwrap as was used for encrypt/wrap operations to avoid disruption to your services. All Azure services currently follow that pattern for data encryption.
 
 :::image type="content" source="../media/keys/key-rotation/key-rotation-1.png" alt-text="Rotation policy configuration":::
 
 ## Configure key rotation policy
 
-Configure key rotation policy during key creation.
+Configure the key rotation policy during key creation.
 
 :::image type="content" source="../media/keys/key-rotation/key-rotation-2.png" alt-text="Configure rotation during key creation":::
 
-Configure rotation policy on existing keys.
+Configure the rotation policy on existing keys.
 
 :::image type="content" source="../media/keys/key-rotation/key-rotation-3.png" alt-text="Configure rotation on existing key":::
 
 ### Azure CLI
 
-Save  key rotation policy to a file. Key rotation policy example:
+Save the key rotation policy to a file. Here's an example of a key rotation policy:
 
 ```json
 {
@@ -109,51 +112,53 @@ az keyvault key rotation-policy update --vault-name <vault-name> --name <key-nam
 
 ### Azure PowerShell
 
-Set rotation policy using Azure Powershell [Set-AzKeyVaultKeyRotationPolicy](/powershell/module/az.keyvault/set-azkeyvaultkeyrotationpolicy) cmdlet. 
+Set the rotation policy by using the Azure PowerShell [Set-AzKeyVaultKeyRotationPolicy](/powershell/module/az.keyvault/set-azkeyvaultkeyrotationpolicy) cmdlet. 
 
 ```powershell
 Set-AzKeyVaultKeyRotationPolicy -VaultName <vault-name> -KeyName <key-name> -ExpiresIn (New-TimeSpan -Days 720) -KeyRotationLifetimeAction @{Action="Rotate";TimeAfterCreate= (New-TimeSpan -Days 540)}
 ```
+
 ## Rotation on demand
 
-Key rotation can be invoked manually.
+You can manually invoke key rotation.
 
 ### Portal
-Click 'Rotate Now' to invoke rotation.
+
+Select **Rotate Now** to start the rotation process.
 
 :::image type="content" source="../media/keys/key-rotation/key-rotation-4.png" alt-text="Rotation on-demand":::
 
 ### Azure CLI
 
-Use Azure CLI [az keyvault key rotate](/cli/azure/keyvault/key#az-keyvault-key-rotate) command to rotate key.
+Use the Azure CLI [az keyvault key rotate](/cli/azure/keyvault/key#az-keyvault-key-rotate) command to rotate a key.
 
 ```azurecli
 az keyvault key rotate --vault-name <vault-name> --name <key-name>
 ```
 
 ### Azure PowerShell
 
-Use Azure PowerShell [Invoke-AzKeyVaultKeyRotation](/powershell/module/az.keyvault/invoke-azkeyvaultkeyrotation) cmdlet.
+Use the Azure PowerShell [Invoke-AzKeyVaultKeyRotation](/powershell/module/az.keyvault/invoke-azkeyvaultkeyrotation) cmdlet to rotate a key.
 
 ```powershell
 Invoke-AzKeyVaultKeyRotation -VaultName <vault-name> -Name <key-name>
 ```
 
 ## Configure key near expiry notification
 
-Configuration of expiry notification for Event Grid key near expiry event. In case when automated rotation cannot be used, like when a key is imported from local HSM, you can configure near expiry notification as a reminder for manual rotation or as a trigger to custom automated rotation through integration with Event Grid. You can configure notification with days, months and years before expiry to trigger near expiry event. 
+You can configure an expiry notification for the Event Grid key near expiry event. If automated rotation can't be used, like when a key is imported from local HSM, you can configure near expiry notification as a reminder for manual rotation or as a trigger to custom automated rotation through integration with Event Grid. You can set the notification to trigger the near expiry event days, months, or years before the key expires. 
 
 :::image type="content" source="../media/keys/key-rotation/key-rotation-5.png" alt-text="Configure Notification":::
 
 For more information about Event Grid notifications in Key Vault, see
-[Azure Key Vault as Event Grid source](/azure/event-grid/event-schema-key-vault?tabs=event-grid-event-schema)
+[Azure Key Vault as Event Grid source](/azure/event-grid/event-schema-key-vault?tabs=event-grid-event-schema).
 
-## Configure key rotation with ARM template
+## Configure key rotation by using ARM template
 
-Key rotation policy can also be configured using ARM templates.
+You can configure the key rotation policy by using ARM templates.
 
 > [!NOTE]
-> It requires 'Key Vault Contributor' role on Key Vault configured with Azure RBAC to deploy key through control plane.
+> To deploy a key through the control plane, you need the **Key Vault Contributor** role on the Key Vault configured with Azure RBAC.
 
 ```json
 {
@@ -238,25 +243,25 @@ Key rotation policy can also be configured using ARM templates.
 
 ## Configure key rotation policy governance
 
-Using the Azure Policy service, you can govern the key lifecycle and ensure that all keys are configured to rotate within a specified number of days.
+By using the Azure Policy service, you can govern the key lifecycle and ensure that all keys are configured to rotate within a specified number of days.
 
 ### Create and assign policy definition
 
-1. Navigate to Policy resource
+1. Go to the Policy resource.
 1. Select **Assignments** under **Authoring** on the left side of the Azure Policy page.
 1. Select **Assign policy** at the top of the page. This button opens to the Policy assignment page.
 1. Enter the following information:
-    - Define the scope of the policy by choosing the subscription and resource group over which the policy will be enforced. Select by clicking the three-dot button at on **Scope** field.
+    - Define the scope of the policy by choosing the subscription and resource group over which the policy is enforced. Select by clicking the three-dot button at on **Scope** field.
     - Select the name of the policy definition: "[Keys should have a rotation policy ensuring that their rotation is scheduled within the specified number of days after creation.
 ](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd8cf8476-a2ec-4916-896e-992351803c44)"
     - Go to the **Parameters** tab at the top of the page.
         - Set **The maximum days to rotate** parameter to desired number of days for example, 730.
         - Define the desired effect of the policy (Audit, or Disabled). 
-1. Fill out any additional fields. Navigate the tabs clicking on **Previous** and **Next** buttons at the bottom of the page.
-1. Select **Review + create**
-1. Select **Create**
+1. Fill out any additional fields. Navigate the tabs by clicking on **Previous** and **Next** buttons at the bottom of the page.
+1. Select **Review + create**.
+1. Select **Create**.
 
-Once the built-in policy is assigned, it can take up to 24 hours to complete the scan. After the scan is completed, you can see compliance results like below.
+After you assign the built-in policy, it can take up to 24 hours to complete the scan. When the scan finishes, you can see compliance results like the following.
 
 :::image type="content" source="../media/keys/key-rotation/key-rotation-policy.png" alt-text="Screenshot of key rotation policy compliance." lightbox="../media/keys/key-rotation/key-rotation-policy.png":::
 
