Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into release-ignite-sqldb-serverless

Author: v-alje

articles/active-directory/governance/entitlement-management-process.md

@@ -12,7 +12,7 @@ ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: conceptual
 ms.subservice: compliance
-ms.date: 05/30/2019
+ms.date: 10/30/2019
 ms.author: ajburnle
 ms.reviewer: mamkumar
 ms.collection: M365-identity-device-management
@@ -23,13 +23,11 @@ ms.collection: M365-identity-device-management
 ---
 # Request process and email notifications in Azure AD entitlement management
 
-When a user submits a request to an access package, a process is started to deliver that request. Azure AD entitlement management also sends email notifications to approvers and requestors when key events occur during the process.
-
-This article describes the request process, and the email notifications that are sent.
+When a user submits a request to an access package, a process begins to deliver that access request. Azure AD entitlement management sends email notifications to approvers and requestors when key events occur during the process. This article describes the request process and the email notifications that are sent.
 
 ## Request process
 
-A user that needs access to an access package can submit an access request. Depending on the configuration of the policy, the request might require an approval. When a request is approved, a process begins to assign the user access to each resource in the access package. The following diagram shows an overview of the process and the different states.
+A user that needs access to an access package can submit an access request. Depending on the configuration of the policy, the request might require an approval. When a request is approved, a process begins to assign the user access to each resource in the access package. The following diagram shows an overview of the process and the different states:
 
 ![Approval process diagram](./media/entitlement-management-process/request-process.png)
 
@@ -47,42 +45,84 @@ A user that needs access to an access package can submit an access request. Depe
 
 ## Email notifications
 
-If you are an approver, you are sent email notifications when you need to approve an access request and when an access request has been completed. If you are a requestor, you are sent email notifications that indicate the status of your request. The following diagram shows when these email notifications are sent.
+If you are an approver, you are sent email notifications when you need to approve an access request and when an access request has been completed. If you are a requestor, you are sent email notifications that indicate the status of your request.
+
+The following diagrams shows when these email notifications are sent to either the approvers or the requestor. Reference the [email notifications table](entitlement-management-process.md#email-notifications-table) to find the corresponding number to the email notifications displayed in the diagrams.
+
+### Primary approvers and alternate approvers
+The following diagram shows the experience of primary approvers and alternate approvers, and the email notifications they receive during the request process:
+
+![Primary and alternate approvers process flow](./media/entitlement-management-process/primary-approvers-and-alternate-with-escalation-flow.png)
+
+### Requestors
+The following diagram shows the experience of requestors and the email notifications they receive during the request process:
 
-![Entitlement management email process](./media/entitlement-management-process/email-notifications.png)
+![Requestor process flow](./media/entitlement-management-process/requestor-approval-and-expiration-request-flow.png)
 
-The following table provides more detail about each of these email notifications.
+### Email notifications table
+The following table provides more detail about each of these email notifications. To manage these emails, you can use rules. For example, in Outlook, you can create rules to move the emails to a folder if the subject contains words from this table:
 
 | # | Email subject | When sent | Sent to |
 | --- | --- | --- | --- |
-| 1 | Action required: Review access request from *[requestor]* to *[access package]* by *[date]* | When a requestor submits a request for an access package | All approvers |
-| 2 | Action required: Review access request from *[requestor]* to *[access package]* by *[date]* | X days before the approval request timeout | All approvers |
-| 3 | Status notification: *[requestor]*'s access request to *[access package]* has expired | When the approvers do not approve or deny an access request within the request duration | Requestor |
-| 4 | Status notification: *[requestor]* access request to *[access package]* has been completed | When the first approver approves or denies an access request | All approvers |
-| 5 | You have been denied access to *[access package]* | When a requestor has been denied access to the access package | Requestor |
-| 6 | You now have access to *[access package]*  | When a requestor has been granted access to every resource in the access package | Requestor |
-| 7 | Your access to *[access package]* expires in X day(s) | X days before the requestor's access to the access package expires | Requestor |
-| 8 | Your access to *[access package]* has expired | When the requestor's access to an access package expires | Requestor |
+| 1 | Action required: Approve or deny forwarded request by *[date]* | This email will be sent to Stage-1 Alternate approvers (after the request has been escalated) to take action. | Stage-1 Alternate Approver |
+| 2 | Action required: Approve or deny request by *[date]* | This email will be sent to Stage-1 Primary approvers, if escalation is disabled, to take action. | Stage-1 Primary Approver |
+| 3 | Reminder: Approve or deny the request by *[date]* for *[requestor]* | This reminder email will be sent to Stage-1 Primary approvers, if escalation is disabled, to take action, only when they haven’t yet taken action. | Stage-1 Primary Approver |
+| 4 | Approve or deny the request by *[time]* on *[date]* | This email will be sent to Stage-1 Primary approvers (if escalation is enabled) to take action. | Stage-1 Primary Approver |
+| 5 | Action required reminder: Approve or deny the request by *[date]* for *[requestor]* | This reminder email will be sent to Stage-1 Primary approvers, if escalation is enabled, to take action, only when they haven’t yet taken action. | Stage-1 Primary Approver |
+| 6 | Request has expired for *[access_package]* | This email will be sent to Stage-1 primary approvers and/or Stage-1 alternate approvers, of a single-stage or multi-stage request, after the request has expired. | Stage-1 Primary Approver, Stage-1 Alternate Approver |
+| 7 | Request approved for *[requestor]* to *[access_package]* | This email will be sent to the stage-1 primary approvers and/or stage-1 alternate approvers, upon completion of a request. | Stage-1 Primary Approver, Stage-1 Alternate Approver |
+| 8 | Request approved for *[requestor]* to *[access_package]* | This email will be sent to the stage-1 primary approvers and/or stage-1 alternate approvers, of a 2-stage request, only when stage-1 is approved. | Stage-1 Primary Approver, Stage-1 Alternate Approver |
+| 9 | Request denied to *[access_package]* | This email will be sent to the requestor only when his request is denied | Requestor |
+| 10 | Your request has expired for *[access_package]* | This email will be sent to the requestor at the end of Stage-1, of a single-stage or multi-stage request, after the request has expired. | Requestor |
+| 18 | You now have access to *[access_package]* | This email will be sent to the end-users to start using their access. | Requestor |
+| 19 | Extend access for *[access_package]* by *[date]* | This email will be sent to the end-users before their access expires. | Requestor |
+| 20 | Access has ended for *[access_package]* | This email will be sent to the end-users after their access expires. | Requestor |
 
 ### Access request emails
 
-When a requestor submits an access request for an access package that is configured to require approval, all approvers configured in the policy receive an email notification with details of the request. Details include the requestor's name, organization, access start and end date if provided, business justification, when the request was submitted, and when the request will expire. The email includes a link where approvers can approve or deny the access request. Here is a sample email notification that is sent to an approver when a requestor submits an access request.
+When a requestor submits an access request for an access package configured to require approval, all approvers added to the policy will receive an email notification with details of the request. Details include the requestor's name, organization, access start and end date (if provided), business justification, when the request was submitted, and when the request will expire.
+
+The email includes a link approvers can click on to go to Myaccess to approve or deny the access request. Here is a sample email notification that is sent to an approver when a requestor submits an access request:
+
+![Approve request to access package email](./media/entitlement-management-shared/approver-request-email.png)
+
+The primary approvers are also sent an email notification with a reminder to take action and make a decision for the request. Here is a sample email of the notification primary approvers receive to remind them to take action:
+
+![Reminder access request email](./media/entitlement-management-process/approver-access-request-reminder-email.png)
 
-![Review access request email](./media/entitlement-management-shared/email-approve-request.png)
+### Alternate approver request emails
+
+If forwarding to alternate approvers is enabled, per the forwarding policy, if the request is still pending, the request will be forwarded. The alternate approver will receive a notification email to approve or deny the request. Here is a sample email of the notification the alternate approvers receive:
+
+![Alternate approver request email](./media/entitlement-management-process/alternate-approver-email-fwd-request.png)
+
+Both, the primary approvers and the alternate approvers can approve or deny the request.
 
 ### Approved or denied emails
 
-Requestors are notified when their access request is approved and available for access, or when their access request is denied. When an approver receives an access request submitted by a requestor, they can approve or deny the access request. The approver needs to add a business justification for their decision.
+Requestors are notified when their access request is approved and available for access, or when their access request is denied. When an approver receives an access request submitted by a requestor, they can approve or deny the access request. The approver needs to add a business justification for their decision. Here is a sample email sent to primary or alternate approvers after a request is approved:
+
+![Review access request email](./media/entitlement-management-process/approver-request-email-approved.png)
+
+When an access request is approved, and their access is provisioned, an email notification is sent to the requestor that they now have access to the access package. Here is a sample email notification that is sent to a requestor when they are granted access to an access package:
 
-When an access request is approved, entitlement management starts the process of granting the requestor access to each of the resources in the access package. After the requestor has been granted access to every resource in the access package, an email notification is sent to the requestor that their access request was approved and that they now have access to the access package. Here is a sample email notification that is sent to a requestor when they are granted access to an access package.
+![Expired access request email](./media/entitlement-management-process/requestor-email-approved.png)
 
-When an access request is denied, an email notification is sent to the requestor. Here is a sample email notification that is sent to a requestor when their access request is denied.
+When an access request is denied, an email notification is sent to the requestor. Here is a sample email notification that is sent to a requestor when their access request is denied:
+
+![Requestor request denied email](./media/entitlement-management-process/requestor-email-denied.png)
 
 ### Expired access request emails
 
-Requestors are notified when their access request has expired. When a requestor submits an access request, the request has a request duration after which it expires. If there are no approvers who submit an approve/deny decision, the request continues to remain in a pending approval state. When the request reaches its configured expiration duration, the request expires, and can no longer be approved or denied by the approvers. In this case, the request goes into an expired state. An expired request can no longer be approved or denied. An email notification is sent to the requestor that their access request has expired, and that they need to resubmit the access request. Here is a sample email notification that is sent to a requestor when their access request has expired.
+Access requests could expire if no approver has approved or denied the request. 
+
+When the request reaches its configured expiration date and expires, it can no longer be approved or denied by the approvers. Here is a sample email of the notification sent to all of the primary and alternate approvers:
+
+ ![Approvers expired access request email](./media/entitlement-management-process/approver-request-email-expired.png)
+
+ An email notification is also sent to the requestor, notifying them that their access request has expired, and that they need to resubmit the access request. Here is a sample email notification that is sent to a requestor when their access request has expired:
 
-![Expired access request email](./media/entitlement-management-process/email-expired-access-request.png)
+![Requestor expired access request email](./media/entitlement-management-process/requestor-email-request-expired.png)
 
 ## Next steps
 

articles/active-directory/governance/entitlement-management-request-approve.md

@@ -33,7 +33,7 @@ The first step to approve or deny access requests is to find and open the access
 
 1. Look for an email from Microsoft Azure that asks you to approve or deny a request. Here is an example email:
 
-    ![Approve request to access package email](./media/entitlement-management-shared/email-approve-request.png)
+    ![Approve request to access package email](./media/entitlement-management-shared/approver-request-email.png)
 
 1. Click the **Approve or deny request** link to open the access request.