fix for acrolinx

ceperezb · ceperezb · commit b65600ac17a5 · 2026-03-12T02:28:00.000-04:00
diff --git a/learn-pr/wwl-sci/specify-requirements-securing-saas-paas-iaas-services/includes/1-introduction-security-saas-paas-iaas.md b/learn-pr/wwl-sci/specify-requirements-securing-saas-paas-iaas-services/includes/1-introduction-security-saas-paas-iaas.md
@@ -10,12 +10,12 @@ Your organization operates a diverse Azure environment with IoT devices collecti
 
 By the end of this module, you're able to:
 
-- Specify security baselines for SaaS, PaaS, and IaaS services using the Microsoft Cloud Security Benchmark
-- Specify security requirements for IoT workloads including device authentication, network isolation, and threat detection
-- Specify security requirements for web workloads including WAF protection, identity controls, and secure deployment
-- Specify security requirements for containers and container orchestration including AKS cluster security, image security, and pod security standards
-- Evaluate solutions that include Azure AI services security using MCSB v2 AI-specific controls
-- Evaluate security for Microsoft Foundry workloads including identity controls, connection security, network isolation, and model governance
+- Specify security baselines for SaaS, PaaS, and IaaS services
+- Specify security requirements for IoT workloads
+- Specify security requirements for web workloads
+- Specify security requirements for containers and container orchestration
+- Specify security requirements for AI workloads
+- Evaluate security for Microsoft Foundry workloads
 
 ## Prerequisites
 
diff --git a/learn-pr/wwl-sci/specify-requirements-securing-saas-paas-iaas-services/includes/5-specify-security-requirements-containers-container-orchestration.md b/learn-pr/wwl-sci/specify-requirements-securing-saas-paas-iaas-services/includes/5-specify-security-requirements-containers-container-orchestration.md
@@ -4,7 +4,7 @@ Organizations increasingly adopt containers and container orchestration platform
 
 Access control for container orchestration platforms must address both the management plane and the data plane. Security architects should specify requirements for identity integration and role-based access.
 
-For cluster authentication specifications, require integration with Microsoft Entra ID to leverage your organization's existing identity governance. This integration enables:
+For cluster authentication specifications, require integration with Microsoft Entra ID to use your organization's existing identity governance. This integration enables:
 
 - Conditional access policies
 - Multifactor authentication
@@ -20,7 +20,7 @@ Specify requirements for service account management. Default service accounts sh
 
 ## Network security requirements
 
-Container orchestration platforms require network security at multiple layers. Traditional network security groups filter traffic at the infrastructure level, but container platforms need additional controls.
+Container orchestration platforms require network security at multiple layers. Traditional network security groups filter traffic at the infrastructure level, but container platforms need extra controls.
 
 Specify requirements for API server protection. Private clusters restrict API server access to private endpoints within your virtual network, eliminating public internet exposure. For scenarios requiring public access, define authorized IP ranges that can communicate with the API server.
 
@@ -88,7 +88,7 @@ Define requirements for container runtime security contexts:
 
 - Containers must not run as root unless explicitly required and approved.
 - Require read-only root filesystems where possible.
-- Restrict containers from mounting sensitive host paths or acquiring additional capabilities.
+- Restrict containers from mounting sensitive host paths or acquiring extra capabilities.
 - Use Linux security features such as **AppArmor** and **seccomp** to provide granular control over container actions and further limit the attack surface.
 
 ## Secrets management requirements
@@ -102,7 +102,7 @@ When specifying container and orchestration security requirements, prioritize:
 - Microsoft Entra ID integration with Kubernetes RBAC for identity and access control
 - Private clusters with network policies enforcing default-deny communication and egress traffic routed through Azure Firewall
 - Private container registries with vulnerability scanning at all lifecycle stages and minimal base images
-- Defender for Containers for runtime threat detection, binary drift detection, and security posture management integrated with Defender XDR and Sentinel
+- Defender for Containers for runtime threat detection, binary drift detection, and security posture management integrated with Defender XDR and Microsoft Sentinel
 - Azure Key Vault with Secrets Store CSI Driver for centralized secrets management
 - Pod Security Standards enforcing baseline or restricted configurations with AppArmor and seccomp hardening
 
diff --git a/learn-pr/wwl-sci/specify-requirements-securing-saas-paas-iaas-services/includes/6-evaluate-ai-services-security.md b/learn-pr/wwl-sci/specify-requirements-securing-saas-paas-iaas-services/includes/6-evaluate-ai-services-security.md
@@ -20,7 +20,7 @@ Responsibility allocation varies by deployment model. SaaS AI solutions like Mic
 
 When evaluating solutions, assess whether the architecture implements appropriate authentication and authorization mechanisms.
 
-Evaluate whether the solution uses Microsoft Entra ID for authentication rather than API keys. Entra ID enables conditional access policies, multifactor authentication, and centralized identity governance. API keys should be disabled where possible, as they cannot support fine-grained access control or user-level audit trails.
+Evaluate whether the solution uses Microsoft Entra ID for authentication rather than API keys. Microsoft Entra ID enables conditional access policies, multifactor authentication, and centralized identity governance. API keys should be disabled where possible, as they can't support fine-grained access control or user-level audit trails.
 
 Assess role-based access control configurations for least privilege. The **Cognitive Services OpenAI User** role provides inference-only access, while **Cognitive Services OpenAI Contributor** enables model deployment and management. Evaluate whether the proposed role assignments align with the principle of least privilege for each identity type.
 
@@ -36,7 +36,7 @@ Assess whether the solution uses private endpoints to eliminate public internet
 
 For AI platforms that provide managed virtual networks, evaluate whether the chosen isolation mode aligns with organizational security requirements and data classification. Platform-specific network isolation configurations, such as those for Microsoft Foundry, are covered in the next unit.
 
-Review network security group rules to verify traffic is restricted to necessary communications. Assess whether Azure Firewall provides additional filtering for internet-bound traffic.
+Review network security group rules to verify traffic are restricted to necessary communications. Assess whether Azure Firewall provides additional filtering for internet-bound traffic.
 
 ## Evaluate content safety controls
 
@@ -66,7 +66,7 @@ Beyond content filtering, AI applications require security controls specific to
 
 ### Model governance evaluation (MCSB AI-1)
 
-Assess whether the solution implements formal model approval processes enforced through Azure Policy. The built-in policy **Cognitive Services Deployments should only use approved Registry Models** restricts which models can be deployed by matching model asset IDs. Additionally, evaluate whether local API key authentication is disabled via policy, requiring Entra ID authentication. Evaluate model provenance tracking to ensure organizations can identify the source and modification history of deployed models. Unverified models may contain backdoors, poisoned training data, or supply chain compromises.
+Assess whether the solution implements formal model approval processes enforced through Azure Policy. The built-in policy **Cognitive Services Deployments should only use approved Registry Models** restricts which models can be deployed by matching model asset IDs. Additionally, evaluate whether local API key authentication is disabled via policy, requiring Microsoft Entra ID authentication. Evaluate model provenance tracking to ensure organizations can identify the source and modification history of deployed models. Unverified models may contain backdoors, poisoned training data, or supply chain compromises.
 
 ### Agent function privileges (MCSB AI-4)
 
@@ -135,7 +135,7 @@ Additionally evaluate traditional security controls:
 
 | Area | Key evaluation points |
 | ---- | --------------------- |
-| **Identity** | Microsoft Entra ID authentication, managed identities, Entra Agent ID, least privilege RBAC |
+| **Identity** | Microsoft Entra ID authentication, managed identities, Microsoft Entra Agent ID, least privilege RBAC |
 | **Network** | Private endpoints, managed virtual network isolation, NSG configurations |
 | **Data protection** | Customer-managed keys, Purview Data Security Posture Management, sensitivity labels, data residency compliance, diagnostic logging |
 | **Availability** | Quota monitoring, API Management gateway, DDoS protection |
diff --git a/learn-pr/wwl-sci/specify-requirements-securing-saas-paas-iaas-services/includes/6a-evaluate-foundry-platform-security.md b/learn-pr/wwl-sci/specify-requirements-securing-saas-paas-iaas-services/includes/6a-evaluate-foundry-platform-security.md
@@ -15,7 +15,7 @@ Foundry divides operations into control plane (resource management) and data pla
 
 ### Authentication method evaluation
 
-Foundry supports two authentication methods: Microsoft Entra ID and API keys. Evaluate whether the solution uses Entra ID for production workloads, which enables conditional access, managed identities, and granular RBAC. API keys remain available for rapid prototyping but lack per-user traceability and should be disabled via Azure Policy for production environments.
+Foundry supports two authentication methods: Microsoft Entra ID and API keys. Evaluate whether the solution uses Microsoft Entra ID for production workloads, which enables conditional access, managed identities, and granular RBAC. API keys remain available for rapid prototyping but lack per-user traceability and should be disabled via Azure Policy for production environments.
 
 ### RBAC assignment evaluation
 
@@ -43,16 +43,16 @@ Foundry connections define how the resource and projects authenticate to depende
 
 Evaluate whether connections use Microsoft Entra ID authentication rather than API keys. Foundry connections support the following authentication methods, with availability varying by connector type:
 
-- **Managed identity** (system or user-assigned) — preferred for keyless credential management
+- **Managed identity** (system or user-assigned)—preferred for keyless credential management
 - **Service principal** (client ID/secret or certificate)
-- **API key** — for services that don't support Entra ID
-- **SAS token** — for specific storage scenarios
+- **API key**—for services that don't support Microsoft Entra ID
+- **SAS token**—for specific storage scenarios
 
 ### Key Vault integration
 
 For connections that require secrets (API keys, connection strings), verify that a dedicated Azure Key Vault is configured through a Key Vault connection at the Foundry resource level. This dedicated vault should:
 
-- Store only Foundry-managed secrets — not be shared with other workload components
+- Store only Foundry-managed secrets—not be shared with other workload components
 - Have access restricted to the Foundry resource managed identity
 - Use Azure Monitor and activity logs for auditing create, update, and delete events on secrets
 
@@ -118,7 +118,7 @@ Foundry follows a shared responsibility model for vulnerability management. Micr
 Evaluate whether Azure Policy is configured to control model deployments at the Foundry resource level:
 
 - **Cognitive Services Deployments should only use approved Registry Models**: Restricts which models can deploy by matching model asset IDs. Prevents unauthorized or untested models from reaching production.
-- **Configure Azure AI Services resources to disable local key access**: Forces Entra ID authentication by disabling API key access at the resource level.
+- **Configure Azure AI Services resources to disable local key access**: Forces Microsoft Entra ID authentication by disabling API key access at the resource level.
 
 ### Model catalog evaluation
 
@@ -134,7 +134,7 @@ Verify that diagnostic settings are enabled for the Foundry resource, routing th
 - **RequestResponse**: API requests and model responses for compliance
 - **AllMetrics**: Usage metrics including token consumption and compute utilization
 
-Azure Monitor provides segmented metrics by scope — resource-level metrics for management operations and project-level metrics for agent activity and evaluation performance.
+Azure Monitor provides segmented metrics by scope—resource-level metrics for management operations and project-level metrics for agent activity and evaluation performance.
 
 ### Security monitoring integration
 
@@ -147,9 +147,9 @@ When evaluating Microsoft Foundry platform security, verify the solution address
 | Area | Key evaluation points |
 | ---- | --------------------- |
 | **Architecture** | Resource/project separation, project isolation boundaries, workload segmentation |
-| **Identity** | Entra ID authentication, API keys disabled, Foundry RBAC roles (Azure AI User, Project Manager, Account Owner, Owner), managed identities |
-| **Connections** | Entra ID preferred, dedicated Key Vault, project-scoped connections, lifecycle management |
-| **Network** | Public access disabled, private endpoints, managed VNet isolation mode, connected resource isolation |
+| **Identity** | Microsoft Entra ID authentication, API keys disabled, Foundry RBAC roles (Azure AI User, Project Manager, Account Owner, Owner), managed identities |
+| **Connections** | Microsoft Entra ID preferred, dedicated Key Vault, project-scoped connections, lifecycle management |
+| **Network** | Public access disabled, private endpoints, managed virtual network isolation mode, connected resource isolation |
 | **Data protection** | Customer-managed keys, project data isolation, vulnerability management |
 | **Model governance** | Azure Policy for approved models, disable local auth, model provenance tracking |
 | **Monitoring** | Diagnostic settings, Defender for Cloud, Azure Activity Log |
diff --git a/learn-pr/wwl-sci/specify-requirements-securing-saas-paas-iaas-services/includes/8-summary.md b/learn-pr/wwl-sci/specify-requirements-securing-saas-paas-iaas-services/includes/8-summary.md
@@ -2,12 +2,12 @@ In this module, you learned how security architects specify security requirement
 
 You learned how to:
 
-- Specify security baselines for SaaS, PaaS, and IaaS services using the shared responsibility model.
-- Specify security requirements for IoT workloads including device identity, network segmentation, and monitoring.
-- Specify security requirements for web workloads covering authentication, network protection, and application security.
-- Specify security requirements for containers and container orchestration including cluster security, image integrity, and runtime protection.
-- Evaluate security controls for AI services using MCSB v2 AI-specific controls and the AI shared responsibility model.
-- Evaluate security for Microsoft Foundry workloads including resource/project architecture, identity controls, connection security, network isolation, and model governance.
+- Specify security baselines for SaaS, PaaS, and IaaS services
+- Specify security requirements for IoT workloads
+- Specify security requirements for web workloads
+- Specify security requirements for containers and container orchestration
+- Specify security requirements for AI workloads
+- Evaluate security for Microsoft Foundry workloads
 
 ## Learn more
 
