Typically, IT delegates access approval decisions to business decision makers. Furthermore, IT can involve the users themselves. For example, users that access confidential customer data in a company's marketing application in Europe need to know the company's policies. Guest users may be unaware of the handling requirements for data in an organization to which they have been invited.
+
Typically, IT delegates access approval decisions to business decision makers. Furthermore, IT can involve the users themselves. For example, users that access confidential customer data in a company's marketing application in Europe need to know the company's policies. Guest users may be unaware of the handling requirements for data in an organization to which they've been invited.
Organizations can automate the access lifecycle process through technologies such as [dynamic groups](../enterprise-users/groups-dynamic-membership.md), coupled with user provisioning to [SaaS apps](../saas-apps/tutorial-list.md) or [apps integrated with SCIM](../app-provisioning/use-scim-to-provision-users-and-groups.md). Organizations can also control which [guest users have access to on-premises applications](../external-identities/hybrid-cloud-to-on-premises.md). These access rights can then be regularly reviewed using recurring [Azure AD access reviews](access-reviews-overview.md). [Azure AD entitlement management](entitlement-management-overview.md) also enables you to define how users request access across packages of group and team memberships, application roles, and SharePoint Online roles. For more information, see the [simplifying identity governance tasks with automation](#simplifying-identity-governance-tasks-with-automation) section below to select the appropriate Azure AD features for your access lifecycle automation scenarios.
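Review bot: the contraction change on line 53 ("they've been") is fine, but the same sentence still reads "users that access confidential customer data"; since this pass is already touching the wording here, "users who access" is the correct relative pronoun for people. Nothing else in this hunk needs to change.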
@@ -93,7 +93,7 @@ There are also tutorials for [managing access to resources in entitlement manage
If you have any feedback about Identity Governance features, click **Got feedback?** in the Azure portal to submit your feedback. The team regularly reviews your feedback.
-
While there is no perfect solution or recommendation for every customer, the following configuration guides also provide the baseline policies Microsoft recommends you follow to ensure a more secure and productive workforce.
+
While there's no perfect solution or recommendation for every customer, the following configuration guides also provide the baseline policies Microsoft recommends you follow to ensure a more secure and productive workforce.
-[Prerequisites for configuring Azure AD for identity governance](identity-governance-applications-prepare.md)
-[Plan an access reviews deployment to manage resource access lifecycle](deploy-access-reviews.md)
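Review bot: line 96 gets "there's", but the unchanged line 94 just above it still says "click **Got feedback?** in the Azure portal"; "select" is the input-neutral verb (mouse, touch, keyboard), and since this commit is a style pass it would be consistent to fix it in the same change, e.g. "select **Got feedback?**". On the reworded line 96 itself, "baseline policies Microsoft recommends you follow to ensure a more secure and productive workforce" overstates what a baseline can deliver; "to help secure" or "toward a more secure" is more accurate.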
@@ -111,22 +111,22 @@ Once you've started using these identity governance features, you can easily aut
| Adding and removing a user's group memberships, application roles, and SharePoint site roles, on a specific date |[Configure lifecycle settings for an access package in entitlement management](entitlement-management-access-package-lifecycle-policy.md)|
| Running custom workflows when a user requests or receives access, or access is removed |[Trigger Logic Apps in entitlement management](entitlement-management-logic-apps-integration.md) (preview) |
-
| Regularly reviewing memberships of guests in Microsoft groups and Teams, and removing guest memberships that are denied |[Create an access review](create-access-review.md)|
+
| Regularly having memberships of guests in Microsoft groups and Teams reviewed, and removing guest memberships that are denied |[Create an access review](create-access-review.md)|
| Removing guest accounts that were denied by a reviewer |[Review and remove external users who no longer have resource access](access-reviews-external-users.md)|
| Removing guest accounts that have no access package assignments |[Manage the lifecycle of external users](entitlement-management-external-users.md#manage-the-lifecycle-of-external-users)|
| Provisioning users into on-premises and cloud applications that have their own directories or databases |[Configure automatic user provisioning](../app-provisioning/user-provisioning.md) with user assignments or [scoping filters](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md)|
| Other scheduled tasks |[Automate identity governance tasks with Azure Automation](identity-governance-automation.md) and Microsoft Graph via the [Microsoft.Graph.Identity.Governance](https://www.powershellgallery.com/packages/Microsoft.Graph.Identity.Governance/) PowerShell module|
## Appendix - least privileged roles for managing in Identity Governance features
-
It's a best practice to use the least privileged role to perform administrative tasks in Identity Governance. We recommend that you use Azure AD PIM to activate a role as needed to perform these tasks. The following are the least privileged directory roles to configure Identity Governance features:
+
It's a best practice to use the least privileged role to perform administrative tasks in Identity Governance. We recommend that you use Azure AD PIM to activate a role as needed to perform these tasks. The following are the least privileged [directory roles](../roles/permissions-reference.md) to configure Identity Governance features:
| Access reviews | User administrator (with the exception of access reviews of Azure or Azure AD roles, which requires Privileged role administrator) |
-
|Privileged Identity Management | Privileged role administrator|
-
| Terms of use | Security administrator or Conditional access administrator|
+
| Access reviews | User Administrator (with the exception of access reviews of Azure or Azure AD roles, which require Privileged Role Administrator) |
+
|Privileged Identity Management | Privileged Role Administrator|
+
| Terms of use | Security Administrator or Conditional Access Administrator|
>[!NOTE]
>The least privileged role for Entitlement management has changed from the User Administrator role to the Identity Governance Administrator role.
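Review bot: the reworded table row on new line 114, "Regularly having memberships of guests in Microsoft groups and Teams reviewed, and removing guest memberships that are denied", replaces an active phrase with a passive one and is harder to read than the original "Regularly reviewing memberships of guests ..."; if the intent is to signal that someone other than IT performs the review, say so directly, e.g. "Regularly having resource owners review guest memberships in Microsoft groups and Teams, and removing memberships that are denied". In the same row, "Microsoft groups" reads as if "365" is missing (Microsoft 365 groups); worth confirming against the linked article. The role-name capitalization on lines 127 through 129 (User Administrator, Privileged Role Administrator, Security Administrator, Conditional Access Administrator) matches the new link to the directory roles reference on line 122, and "which require" now agrees with its plural subject, so those changes look correct. The note on line 132 says Entitlement management now requires Identity Governance Administrator, but the Entitlement management row itself is outside this hunk's visible lines, so please double-check that the table row was updated to match the note.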