WIP

MicrosoftGuyJFlo · MicrosoftGuyJFlo · commit 0d9c4f098e03 · 2023-01-03T15:54:20.000-05:00
diff --git a/articles/active-directory/conditional-access/plan-conditional-access.md b/articles/active-directory/conditional-access/plan-conditional-access.md
@@ -23,7 +23,7 @@ Planning your Conditional Access deployment is critical to achieving your organi
 
 With this evaluation and enforcement, Conditional Access defines the basis of [Microsoft’s Zero Trust security posture management](https://www.microsoft.com/security/business/zero-trust).
 
-![Conditional Access overview](./media/plan-conditional-access/conditional-access-overview-how-it-works.png)
+![Diagram showing a high level Conditional Access overview](./media/plan-conditional-access/conditional-access-overview-how-it-works.png)
 
 Microsoft provides [security defaults](../fundamentals/concept-fundamentals-security-defaults.md) that ensure a basic level of security enabled in tenants that don't have Azure AD Premium. With Conditional Access, you can create policies that provide the same protection as security defaults, but with granularity. Conditional Access and security defaults aren't meant to be combined as creating Conditional Access policies will prevent you from enabling security defaults.
 
@@ -140,7 +140,7 @@ Access control: Block access <br>
 
 Now when User B attempts to access the **PAYROLL APP** they're blocked.
 
-![Access token issuance diagram](media/plan-conditional-access/CA-policy-token-issuance.png)
+![Diagram showing access token issuance](media/plan-conditional-access/CA-policy-token-issuance.png)
 
 ## Recommendations
 
@@ -181,11 +181,11 @@ If you rely on a single access control such as multifactor authentication or a n
 * Who it applies to
 * When it applies (if applicable)
 
-![Screenshot that shows the naming standards for policies.](media/plan-conditional-access/11.png)
+![Diagram showing the example naming standards for policies.](media/plan-conditional-access/11.png)
 
 **Example**: A policy to require MFA for marketing users accessing the Dynamics CRP app from external networks might be:
 
-![Naming standard](media/plan-conditional-access/naming-example.png)
+![Diagram showing a naming standard](media/plan-conditional-access/naming-example.png)
 
 A descriptive name helps you to keep an overview of your Conditional Access implementation. The Sequence Number is helpful if you need to reference a policy in a conversation. For example, when you talk to an administrator on the phone, you can ask them to open policy CA01 to solve an issue.
 
@@ -263,7 +263,7 @@ If a user has an issue with a Conditional Access policy, collect the following i
 
 If the user received a message with a More details link, they can collect most of this information for you.
 
-![Can’t get to app error message](media/plan-conditional-access/cant-get-to-app.png)
+![Screenshots of an example error message and more details](media/plan-conditional-access/cant-get-to-app.png)
 
 Once you've collected the information, See the following resources:
 
diff --git a/articles/active-directory/identity-protection/how-to-deploy-identity-protection.md b/articles/active-directory/identity-protection/how-to-deploy-identity-protection.md
@@ -1,6 +1,6 @@
 ---
-title: 
-description: 
+title: Plan an Azure AD Identity Protection deployment
+description: Deploy Azure Active Directory Identity Protection
 
 services: active-directory
 ms.service: active-directory
@@ -45,15 +45,15 @@ When technology projects fail, they typically do so due to mismatched expectatio
 
 ### Communication plan
 
-Communication is critical to the success of any new functionality. You should proactively communicate with your users how their experience will change, when it will change, and how to get support if they experience issues.
+Communication is critical to the success of any new functionality. You should proactively communicate with your users how their [experience](concept-identity-protection-user-experience.md) will change, when it will change, and how to get support if they experience issues.
 
 ## Step 1: Review existing reports
 
-It's important to understand your current Identity Protection reports before deploying risk based Conditional Access policies. This is to give you an understanding of your environment, investigate suspicious behavior you may have missed and to dismiss or confirm safe user who you have determined aren't at risk. We recommend allowing users to self-remediate through policies that will be discussed in [Step 3](#step-3-configure-your-policies).
+It's important to understand your current Identity Protection reports before deploying risk based Conditional Access policies. This review is to give you an understanding of your environment, investigate suspicious behavior you may have missed and to dismiss or confirm safe user who you have determined aren't at risk. We recommend allowing users to self-remediate through policies that will be discussed in [Step 3](#step-3-configure-your-policies).
 
 ### Existing risk detections
 
-If your users haven't been remediating risk, then they may have accumulated risk. Users who reset their password on-premises don't remediate risk. Make sure before you dismiss risks, you've determined they aren't really at risk by [investigating risk detections](howto-identity-protection-investigate-risk.md). After investigating you can remediate user risk by following the steps in the article, [Remediate risks and unblock users](howto-identity-protection-remediate-unblock.md). Make bulk changes to user risk by following the samples in the article, [Azure Active Directory Identity Protection and the Microsoft Graph PowerShell](howto-identity-protection-graph-api.md).
+If your users haven't been remediating risk, then they may have accumulated risk. Users who reset their password on-premises don't remediate risk. Make sure before you dismiss risks, you've determined they aren't really at risk by [investigating risk detections](howto-identity-protection-investigate-risk.md). After investigating, you can remediate user risk by following the steps in the article, [Remediate risks and unblock users](howto-identity-protection-remediate-unblock.md). Make bulk changes to user risk by following the samples in the article, [Azure Active Directory Identity Protection and the Microsoft Graph PowerShell](howto-identity-protection-graph-api.md).
 
 ## Step 2: Plan for Conditional Access risk policies
 
@@ -77,11 +77,11 @@ Plan your Azure Active Directory Multi-Factor Authentication deployment with Con
 
 ### Known network locations
 
-It's important to configure named locations in Conditional Access and add your VPN ranges to Defender for Cloud Apps. Sign-ins from named locations, marked as trusted or known, improve the accuracy of Azure AD Identity Protection's risk calculation. These sign-ins lower a user's risk when they authenticate from a location marked as trusted or known. This will reduce false positives for some detections in your environment.
+It's important to configure named locations in Conditional Access and add your VPN ranges to Defender for Cloud Apps. Sign-ins from named locations, marked as trusted or known, improve the accuracy of Azure AD Identity Protection's risk calculation. These sign-ins lower a user's risk when they authenticate from a location marked as trusted or known. This practice will reduce false positives for some detections in your environment.
 
 ### Report only mode 
 
-Report-only mode is a Conditional Access policy state that allows administrators to evaluate the impact of Conditional Access policies before enforcing them in their environment.
+Report-only mode is a Conditional Access policy state that allows administrators to evaluate the effect of Conditional Access policies before enforcing them in their environment.
 
 ## Step 3: Configure your policies
 
@@ -93,13 +93,13 @@ Use the Identity Protection multifactor authentication registration policy to he
 
 Most users have a normal behavior that can be tracked, when they fall outside of this norm it could be risky to allow them to just sign in. You may want to block that user or maybe just ask them to perform multi-factor authentication to prove that they're really who they say they are. You may want to start by scoping these policies to admins only. 
 
-The guidance in the article [Common Conditional Access policy: Sign-in risk-based multifactor authentication](../conditional-access/howto-conditional-access-policy-risk.md) provides guidance to create a sign-in risk policy.
+The article [Common Conditional Access policy: Sign-in risk-based multifactor authentication](../conditional-access/howto-conditional-access-policy-risk.md) provides guidance to create a sign-in risk policy.
 
 ### Conditional Access user risk
 
 Microsoft works with researchers, law enforcement, various security teams at Microsoft, and other trusted sources to find leaked username and password pairs. When these vulnerable users are detected, we recommend requiring users perform multifactor authentication then reset their password.
 
-The guidance in the article [Common Conditional Access policy: User risk-based password change](../conditional-access/howto-conditional-access-policy-risk-user.md) provides guidance to create a user risk policy that requires password change.
+The article [Common Conditional Access policy: User risk-based password change](../conditional-access/howto-conditional-access-policy-risk-user.md) provides guidance to create a user risk policy that requires password change.
 
 ### Migrating from older Identity Protection policies
 
@@ -116,22 +116,22 @@ For more information, see the section [Migrate risk policies from Identity Prote
 
 ### Enable notifications
 
-Enable notifications so you can respond when a user is flagged as at risk so you can start investigating immediately. You can also set up weekly digest emails giving you an overview of risk for that week in your tenant.
+[Enable notifications](howto-identity-protection-configure-notifications.md) so you can respond when a user is flagged as at risk so you can start investigating immediately. You can also set up weekly digest emails giving you an overview of risk for that week.
 
 ### Monitor and investigate
 
-Investigate risk with Identity Protection Alerts (in DRAFT)
-Identity Protection workbook to help monitor and look for patterns in your tenant. Monitor this workbook for trends and also Conditional Access Report Only mode results to see if there are any tweaks that need to be made, for example,  additions to named locations.
+The [Identity Protection workbook](../reports-monitoring/workbook-risk-analysis.md) can help monitor and look for patterns in your tenant. Monitor this workbook for trends and also Conditional Access Report Only mode results to see if there are any changes that need to be made, for example, additions to named locations.
  
-How to investigate anomaly detection with Defender for Cloud App Security Alerts 
-You can also use the Identity Protection APIs to export the risk to your SIEM tool so your security team can monitor and alert on risk events. 
+Microsoft Defender for Cloud Apps provides an investigation framework organizations can use as a starting point. For more information, see the article [How to investigate anomaly detection alerts] (/defender-cloud-apps/investigate-anomaly-alerts).
 
-During this testing time, you might want to simulate some threats Identity Protection protects against so you can see some of these risks.
+You can also use the Identity Protection APIs to [export risk information](howto-export-risk-data.md) to other tools, so your security team can monitor and alert on risk events. 
+
+During testing, you might want to [simulate some threats](howto-identity-protection-simulate-risk.md) to test your investigation processes.
 
 ## Step 5: Enable Conditional Access policies
 
 After you've completed all your analysis, evaluated policies in report only mode, and you have your stakeholders on board it's time to turn on your Conditional Access risk policies.
 
 ## Next steps
 
-
+[What is risk?](concept-identity-protection-risks.md)
diff --git a/articles/active-directory/identity-protection/media/overview-identity-protection/identiy-protection-overview.png b/articles/active-directory/identity-protection/media/overview-identity-protection/identiy-protection-overview.png
diff --git a/articles/active-directory/identity-protection/overview-identity-protection.md b/articles/active-directory/identity-protection/overview-identity-protection.md
@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: identity-protection
 ms.topic: overview
-ms.date: 08/15/2022
+ms.date: 01/03/2023
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -17,12 +17,16 @@ ms.collection: M365-identity-device-management
 ---
 # What is Identity Protection?
 
-Identity Protection uses the learnings Microsoft has acquired from their position in organizations with Azure Active Directory, the consumer space with Microsoft Accounts, and in gaming with Xbox to protect your users. Microsoft analyses trillions of signals per day to identify and protect customers from threats. Identity Protection allows organizations to accomplish three key tasks:
+Identity Protection allows organizations to accomplish three key tasks:
 
 - [Automate the detection and remediation of identity-based risks](howto-identity-protection-configure-risk-policies.md).
 - [Investigate risks](howto-identity-protection-investigate-risk.md) using data in the portal.
 - [Export risk detection data to other tools](howto-export-risk-data.md).
 
+:::image type="content" source="media/overview-identity-protection/identiy-protection-overview.png" alt-text="Diagram showing how Identity Protection conceptually works." lightbox="media/overview-identity-protection/identiy-protection-overview.png":::
+
+Identity Protection uses the learnings Microsoft has acquired from their position in organizations with Azure Active Directory, the consumer space with Microsoft Accounts, and in gaming with Xbox to protect your users. Microsoft analyses trillions of signals per day to identify and protect customers from threats. 
+
 The signals generated by and fed to Identity Protection, can be further fed into tools like Conditional Access to make access decisions, or fed back to a security information and event management (SIEM) tool for further investigation.
 
 ## Why is automation important?
@@ -110,8 +114,4 @@ More information on these rich reports can be found in the article, [How To: Inv
 
 ## Next steps
 
-- [Security overview](concept-identity-protection-security-overview.md)
-
-- [What is risk](concept-identity-protection-risks.md)
-
-- [Policies available to mitigate risks](concept-identity-protection-policies.md)
+- [Plan an Identity Protection deployment](how-to-deploy-identity-protection.md)
