Apply suggestions from code review

Acro edits.

Author: v-stsavell

articles/active-directory/standards/fedramp-access-controls.md

@@ -43,7 +43,7 @@ Each row in the following table provides prescriptive guidance to help you devel
 | **AC-2(2)**<br>The information system automatically [*FedRAMP Selection: disables*] temporary and emergency accounts after [*FedRAMP Assignment: 24 hours from last use*].<p><p>**AC-02(3)**<br>The information system automatically disables inactive accounts after [*FedRAMP Assignment: thirty-five (35) days for user accounts*].<p><p>**AC-2 (3) Additional FedRAMP Requirements and Guidance:**<br>**Requirement:** The service provider defines the time period for non-user accounts (e.g., accounts associated with devices).  The time periods are approved and accepted by the JAB/AO.  Where user management is a function of the service, reports of activity of consumer users shall be made available. | **Employ automated mechanisms to support automatically removing or disabling temporary and emergency accounts after 24 hours from last use and all customer-controlled accounts after 35 days of inactivity.**<p>Implement account management automation with Microsoft Graph and Azure AD PowerShell. Use Microsoft Graph to monitor sign-in activity and Azure AD PowerShell to take action on accounts within the required time frame. <p>Determine inactivity<br><li>[Manage inactive user accounts in Azure AD](../reports-monitoring/howto-manage-inactive-user-accounts.md)<br><li>[Manage stale devices in Azure AD](../devices/manage-stale-devices.md)<p>Remove or disable accounts<br><li>[Working with users in Microsoft Graph](/graph/api/resources/users)<br><li>[Get a user](/graph/api/user-get?tabs=http)<br><li>[Update user](/graph/api/user-update?tabs=http)<br><li>[Delete a user](/graph/api/user-delete?tabs=http)<p>Work with devices in Microsoft Graph<br><li>[Get device](/graph/api/device-get?tabs=http)<br><li>[Update device](/graph/api/device-update?tabs=http)<br><li>[Delete device](/graph/api/device-delete?tabs=http)<p>Use [Azure AD PowerShell](/powershell/module/azuread/)<br><li>[Get-AzureADUser](/powershell/module/azuread/get-azureaduser)<br><li>[Set-AzureADUser](/powershell/module/azuread/set-azureaduser)<br><li>[Get-AzureADDevice](/powershell/module/azuread/get-azureaddevice)<br><li>[Set-AzureADDevice](/powershell/module/azuread/set-azureaddevice) |
 | **AC-2(4)**<br>The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [*FedRAMP Assignment: organization and/or service provider system owner*]. | **Implement an automated audit and notification system for the lifecycle of managing customer-controlled accounts.**<p>All account lifecycle operations, such as account creation, modification, enabling, disabling, and removal actions, are audited within the Azure audit logs. You can stream the logs directly into Microsoft Sentinel or Event Hubs to help with notification.<p>Audit<br><li>[Audit activity reports in the Azure Active Directory portal](../reports-monitoring/concept-audit-logs.md)<br><li>[Microsoft Sentinel: Connect data from Azure Active Directory](../../sentinel/connect-azure-active-directory.md)<P>Notification<br><li>[What is Microsoft Sentinel?](../../sentinel/overview.md)<br><li>[Tutorial: Stream Azure Active Directory logs to an Azure event hub](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) |
 | **AC-2(5)**<br>The organization requires that users log out when [*FedRAMP Assignment: inactivity is anticipated to exceed fifteen (15) minutes*].<p><p>**AC-2 (5) Additional FedRAMP Requirements and Guidance:**<br>**Guidance:** Should use a shorter timeframe than AC-12 | **Implement device log-out after a 15-minute period of inactivity.**<p>Implement device lock by using a conditional access policy that restricts access to compliant devices. Configure policy settings on the device to enforce device lock at the OS level with mobile device management (MDM) solutions such as Intune. Endpoint Manager or group policy objects can also be considered in hybrid deployments. For unmanaged devices, configure the Sign-In Frequency setting to force users to reauthenticate.<P>Conditional access<br><li>[Require device to be marked as compliant](../conditional-access/require-managed-devices.md)<br><li>[User sign-in frequency](../conditional-access/howto-conditional-access-session-lifetime.md)<p>MDM policy<br><li>Configure devices for maximum minutes of inactivity until the screen locks and requires a password to unlock ([Android](/mem/intune/configuration/device-restrictions-android), [iOS](/mem/intune/configuration/device-restrictions-ios), [Windows 10](/mem/intune/configuration/device-restrictions-windows-10)). |
-| **AC-2(7)**<p><p>**The organization:**<br>**(a.)** Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles;<br>**(b)** Monitors privileged role assignments; and<br>**(c)** Takes [*FedRAMP Assignment: disables//revokes access within an organization-specified timeframe*] when privileged role assignments are no longer appropriate. | **Administer and monitor privileged role assignments by following a role-based access scheme for customer-controlled accounts. Disable or revoke privilege access for accounts when no longer appropriate.**<p>Implement Azure AD Privileged Identity Management with access reviews for privileged roles in Azure AD to monitor role assignments and remove role assignments when no longer appropriate. You can stream audit logs directly into Microsoft Sentinel or Event Hubs to help with monitoring.<p>Administer<br><li>[What is Azure AD Privileged Identity Management?](../privileged-identity-management/pim-configure.md)<br><li>[Activation maximum duration](../privileged-identity-management/pim-how-to-change-default-settings.md?tabs=new)<p>Monitor<br><li>[Create an access review of Azure AD roles in Privileged Identity Management](../privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review.md)<br><li>[View audit history for Azure AD roles in Privileged Identity Management](../privileged-identity-management/pim-how-to-use-audit-log.md?tabs=new)<br><li>[Audit activity reports in the Azure Active Directory portal](../reports-monitoring/concept-audit-logs.md)<br><li>[What is Microsoft Sentinel?](../../sentinel/overview.md)<br><li>[Connect data from Azure Active Directory](../../sentinel/connect-azure-active-directory.md)<br><li>[Tutorial: Stream Azure Active Directory logs to an Azure event hub](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) |
+| **AC-2(7)**<p><p>**The organization:**<br>**(a.)** Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles;<br>**(b)** Monitors privileged role assignments; and<br>**(c)** Takes [*FedRAMP Assignment: disables/revokes access within an organization-specified timeframe*] when privileged role assignments are no longer appropriate. | **Administer and monitor privileged role assignments by following a role-based access scheme for customer-controlled accounts. Disable or revoke privilege access for accounts when no longer appropriate.**<p>Implement Azure AD Privileged Identity Management with access reviews for privileged roles in Azure AD to monitor role assignments and remove role assignments when no longer appropriate. You can stream audit logs directly into Microsoft Sentinel or Event Hubs to help with monitoring.<p>Administer<br><li>[What is Azure AD Privileged Identity Management?](../privileged-identity-management/pim-configure.md)<br><li>[Activation maximum duration](../privileged-identity-management/pim-how-to-change-default-settings.md?tabs=new)<p>Monitor<br><li>[Create an access review of Azure AD roles in Privileged Identity Management](../privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review.md)<br><li>[View audit history for Azure AD roles in Privileged Identity Management](../privileged-identity-management/pim-how-to-use-audit-log.md?tabs=new)<br><li>[Audit activity reports in the Azure Active Directory portal](../reports-monitoring/concept-audit-logs.md)<br><li>[What is Microsoft Sentinel?](../../sentinel/overview.md)<br><li>[Connect data from Azure Active Directory](../../sentinel/connect-azure-active-directory.md)<br><li>[Tutorial: Stream Azure Active Directory logs to an Azure event hub](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) |
 | **AC-2(11)**<br>The information system enforces [*Assignment: organization-defined circumstances and/or usage conditions*] for [*Assignment: organization-defined information system accounts*]. | **Enforce usage of customer-controlled accounts to meet customer-defined conditions or circumstances.**<p>Create conditional access policies to enforce access control decisions across users and devices.<p>Conditional access<br><li>[Create a conditional access policy](../authentication/tutorial-enable-azure-mfa.md?bc=%2fazure%2factive-directory%2fconditional-access%2fbreadcrumb%2ftoc.json&toc=%2fazure%2factive-directory%2fconditional-access%2ftoc.json)<br><li>[What is conditional access?](../conditional-access/overview.md) |
 | **AC-2(12)**<p><p>**The organization:**<br>**(a)** Monitors information system accounts for [*Assignment: organization-defined atypical use*]; and<br>**(b)** Reports atypical usage of information system accounts to [*FedRAMP Assignment: at a minimum, the ISSO and/or similar role within the organization*].<p><p>**AC-2 (12) (a) and AC-2 (12) (b) Additional FedRAMP Requirements and Guidance:**<br> Required for privileged accounts. | **Monitor and report customer-controlled accounts with privileged access for atypical usage.**<p>For help with monitoring of atypical usage, you can stream Identity Protection logs, which show risky users, risky sign-ins, and risk detections, and audit logs, which help with correlation with privilege assignment, directly into a SIEM solution such as Microsoft Sentinel. You can also use Event Hubs to integrate logs with third-party SIEM solutions.<p>Identity protection<br><li>[What is Azure AD Identity Protection?](../identity-protection/overview-identity-protection.md)<br><li>[Investigate risk](../identity-protection/howto-identity-protection-investigate-risk.md)<br><li>[Azure Active Directory Identity Protection notifications](../identity-protection/howto-identity-protection-configure-notifications.md)<p>Monitor accounts<br><li>[What is Microsoft Sentinel?](../../sentinel/overview.md)<br><li>[Audit activity reports in the Azure Active Directory portal](../reports-monitoring/concept-audit-logs.md)<br><li>[Connect Azure Active Directory data to Microsoft Sentinel](../../sentinel/connect-azure-active-directory.md) <br><li>[Tutorial: Stream logs to an Azure event hub](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) |
 | **AC-2(13)**<br>The organization disables accounts of users posing a significant risk within [*FedRAMP Assignment: one (1) hour*] of discovery of the risk.|**Disable customer-controlled accounts of users that pose a significant risk within one hour.**<p>In Azure AD Identity Protection, configure and enable a user risk policy with the threshold set to High. Create conditional access policies to block access for risky users and risky sign-ins. Configure risk policies to allow users to self-remediate and unblock subsequent sign-in attempts.<p>Identity protection<br><li>[What is Azure AD Identity Protection?](../identity-protection/overview-identity-protection.md)<p>Conditional access<br><li>[What is conditional access?](../conditional-access/overview.md)<br><li>[Create a conditional access policy](../authentication/tutorial-enable-azure-mfa.md?bc=%2fazure%2factive-directory%2fconditional-access%2fbreadcrumb%2ftoc.json&toc=%2fazure%2factive-directory%2fconditional-access%2ftoc.json)<br><li>[Conditional access: User risk-based conditional access](../conditional-access/howto-conditional-access-policy-risk-user.md)<br><li>[Conditional access: Sign-in risk-based conditional access](../conditional-access/howto-conditional-access-policy-risk-user.md)<br><li>[Self-remediation with risk policy](../identity-protection/howto-identity-protection-remediate-unblock.md) |