Merge pull request #206367 from yoelhor/patch-288

liljack17 · web-flow · commit 427c7a0b8ec2 · 2022-07-29T07:26:21.000-07:00
[Azure AD PIM] Adding the missing steps
diff --git a/articles/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts.md b/articles/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts.md
@@ -11,34 +11,34 @@ ms.service: active-directory
 ms.topic: how-to
 ms.workload: identity
 ms.subservice: pim
-ms.date: 06/24/2022
+ms.date: 07/29/2022
 ms.author: amsliu
 ms.reviewer: shaunliu
 ms.custom: pim
 ms.collection: M365-identity-device-management
 ---
 # Configure security alerts for Azure AD roles in Privileged Identity Management
 
-Privileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity in your organization in Azure Active Directory (Azure AD), part of Microsoft Entra. When an alert is triggered, it shows up on the Privileged Identity Management dashboard. Select the alert to see a report that lists the users or roles that triggered the alert.
+Privileged Identity Management (PIM) generates alerts when there's suspicious or unsafe activity in your organization in Azure Active Directory (Azure AD), part of Microsoft Entra. When an alert is triggered, it shows up on the Privileged Identity Management dashboard. Select the alert to see a report that lists the users or roles that triggered the alert.
 
-![Screenshot that shows the "Alerts" page with a list of alerts and their severity.](./media/pim-how-to-configure-security-alerts/view-alerts.png)
+![Screenshot that shows the alerts page with a list of alerts and their severity.](./media/pim-how-to-configure-security-alerts/view-alerts.png)
 
 ## Security alerts
 
 This section lists all the security alerts for Azure AD roles, along with how to fix and how to prevent. Severity has the following meaning:
 
 - **High**: Requires immediate action because of a policy violation.
-- **Medium**: Does not require immediate action but signals a potential policy violation.
-- **Low**: Does not require immediate action but suggests a preferable policy change.
+- **Medium**: Doesn't require immediate action but signals a potential policy violation.
+- **Low**: Doesn't require immediate action but suggests a preferable policy change.
 
 ### Administrators aren't using their privileged roles
 
 Severity: **Low**
 
 | | Description |
 | --- | --- |
-| **Why do I get this alert?** | Users that have been assigned privileged roles they don't need increases the chance of an attack. It is also easier for attackers to remain unnoticed in accounts that are not actively being used. |
-| **How to fix?** | Review the users in the list and remove them from privileged roles that they do not need. |
+| **Why do I get this alert?** | Users that have been assigned privileged roles they don't need increases the chance of an attack. It's also easier for attackers to remain unnoticed in accounts that aren't actively being used. |
+| **How to fix?** | Review the users in the list and remove them from privileged roles that they don't need. |
 | **Prevention** | Assign privileged roles only to users who have a business justification. </br>Schedule regular [access reviews](./pim-create-azure-ad-roles-and-resource-roles-review.md) to verify that users still need their access. |
 | **In-portal mitigation action** | Removes the account from their privileged role. |
 | **Trigger** | Triggered if a user goes over a specified number of days without activating a role. |
@@ -61,7 +61,7 @@ Severity: **Low**
 
 | | Description |
 | --- | --- |
-| **Why do I get this alert?** | The current Azure AD organization does not have Azure AD Premium P2. |
+| **Why do I get this alert?** | The current Azure AD organization doesn't have Azure AD Premium P2. |
 | **How to fix?** | Review information about [Azure AD editions](../fundamentals/active-directory-whatis.md). Upgrade to Azure AD Premium P2. |
 
 ### Potential stale accounts in a privileged role
@@ -71,19 +71,19 @@ Severity: **Medium**
 
 | | Description |
 | --- | --- |
-| **Why do I get this alert?** | This alert is no longer triggered based on the last password change date of for an account. This alert is for accounts in a privileged role that haven't signed in during the past *n* days, where *n* is a number of days that is configurable between 1-365 days . These accounts might be service or shared accounts that aren't being maintained and are vulnerable to attackers. |
+| **Why do I get this alert?** | This alert is no longer triggered based on the last password change date of for an account. This alert is for accounts in a privileged role that haven't signed in during the past *n* days, where *n* is a number of days that is configurable between 1-365 days. These accounts might be service or shared accounts that aren't being maintained and are vulnerable to attackers. |
 | **How to fix?** | Review the accounts in the list. If they no longer need access, remove them from their privileged roles. |
-| **Prevention** | Ensure that accounts that are shared are rotating strong passwords when there is a change in the users that know the password. </br>Regularly review accounts with privileged roles using [access reviews](./pim-create-azure-ad-roles-and-resource-roles-review.md) and remove role assignments that are no longer needed. |
+| **Prevention** | Ensure that accounts that are shared are rotating strong passwords when there's a change in the users that know the password. </br>Regularly review accounts with privileged roles using [access reviews](./pim-create-azure-ad-roles-and-resource-roles-review.md) and remove role assignments that are no longer needed. |
 | **In-portal mitigation action** | Removes the account from their privileged role. |
-| **Best practices** | Shared, service, and emergency access accounts that authenticate using a password and are assigned to highly privileged administrative roles such as Global administrator or Security administrator should have their passwords rotated for the following cases:<ul><li>After a security incident involving misuse or compromise of administrative access rights</li><li>After any user's privileges are changed so that they are no longer an administrator (for example, after an employee who was an administrator leaves IT or leaves the organization)</li><li>At regular intervals (for example, quarterly or yearly), even if there was no known breach or change to IT staffing</li></ul>Since multiple people have access to these accounts' credentials, the credentials should be rotated to ensure that people that have left their roles can no longer access the accounts. [Learn more about securing accounts](../roles/security-planning.md) |
+| **Best practices** | Shared, service, and emergency access accounts that authenticate using a password and are assigned to highly privileged administrative roles such as Global administrator or Security administrator should have their passwords rotated for the following cases:<ul><li>After a security incident involving misuse or compromise of administrative access rights</li><li>After any user's privileges are changed so that they're no longer an administrator (for example, after an employee who was an administrator leaves IT or leaves the organization)</li><li>At regular intervals (for example, quarterly or yearly), even if there was no known breach or change to IT staffing</li></ul>Since multiple people have access to these accounts' credentials, the credentials should be rotated to ensure that people that have left their roles can no longer access the accounts. [Learn more about securing accounts](../roles/security-planning.md) |
 
 ### Roles are being assigned outside of Privileged Identity Management
 
 Severity: **High**
 
 | | Description |
 | --- | --- |
-| **Why do I get this alert?** | Privileged role assignments made outside of Privileged Identity Management are not properly monitored and may indicate an active attack. |
+| **Why do I get this alert?** | Privileged role assignments made outside of Privileged Identity Management aren't properly monitored and may indicate an active attack. |
 | **How to fix?** | Review the users in the list and remove them from privileged roles assigned outside of Privileged Identity Management. You can also enable or disable both the alert and its accompanying email notification in the alert settings. |
 | **Prevention** | Investigate where users are being assigned privileged roles outside of Privileged Identity Management and prohibit future assignments from there. |
 | **In-portal mitigation action** | Removes the user from their privileged role. |
@@ -95,10 +95,10 @@ Severity: **Low**
 | | Description |
 | --- | --- |
 | **Why do I get this alert?** | Global administrator is the highest privileged role. If a Global Administrator is compromised, the attacker gains access to all of their permissions, which puts your whole system at risk. |
-| **How to fix?** | Review the users in the list and remove any that do not absolutely need the Global administrator role. </br>Assign lower privileged roles to these users instead. |
+| **How to fix?** | Review the users in the list and remove any that don't absolutely need the Global administrator role. </br>Assign lower privileged roles to these users instead. |
 | **Prevention** | Assign users the least privileged role they need. |
 | **In-portal mitigation action** | Removes the account from their privileged role. |
-| **Trigger** | Triggered if two different criteria are met, and you can configure both of them. First, you need to reach a certain threshold of Global administrator role assignments. Second, a certain percentage of your total role assignments must be Global administrators. If you only meet one of these measurements, the alert does not appear. |
+| **Trigger** | Triggered if two different criteria are met, and you can configure both of them. First, you need to reach a certain threshold of Global administrator role assignments. Second, a certain percentage of your total role assignments must be Global administrators. If you only meet one of these measurements, the alert doesn't appear. |
 | **Minimum number of Global Administrators** | This setting specifies the number of Global Administrator role assignments, from 2 to 100, that you consider to be too few for your Azure AD organization. |
 | **Percentage of Global Administrators** | This setting specifies the minimum percentage of administrators who are Global administrators, from 0% to 100%, below which you do not want your Azure AD organization to dip. |
 
@@ -118,13 +118,21 @@ Severity: **Low**
 
 ## Customize security alert settings
 
-On the **Alerts** page, select **Setting**.
+Follow these steps to configure security alerts for Azure AD roles in Privileged Identity Management:
 
-![Alerts page with Settings highlighted](media/pim-how-to-configure-security-alerts/alert-settings.png)
+1. Sign in to the [Azure portal](https://portal.azure.com/).
 
-Customize settings on the different alerts to work with your environment and security goals.
+1. Open **Azure AD Privileged Identity Management**. For information about how to add the Privileged Identity Management tile to your dashboard, see [Start using Privileged Identity Management](pim-getting-started.md).
 
-![Setting page for an alert to enable and configure settings](media/pim-how-to-configure-security-alerts/security-alert-settings.png)
+1. From the left menu, select **Azure AD Roles**.
+
+1. From the left menu, select **Alerts**, and then select **Setting**.
+
+    ![Screenshots of alerts page with the settings highlighted.](media/pim-how-to-configure-security-alerts/alert-settings.png)
+
+1. Customize settings on the different alerts to work with your environment and security goals.
+
+    ![Screenshots of the alert setting page.](media/pim-how-to-configure-security-alerts/security-alert-settings.png)
 
 ## Next steps
 
diff --git a/articles/active-directory/privileged-identity-management/pim-resource-roles-configure-alerts.md b/articles/active-directory/privileged-identity-management/pim-resource-roles-configure-alerts.md
@@ -10,7 +10,7 @@ ms.topic: how-to
 ms.tgt_pltfrm: na
 ms.workload: identity
 ms.subservice: pim
-ms.date: 06/24/2022
+ms.date: 07/29/2022
 ms.author: amsliu
 ms.reviewer: shaunliu
 ms.custom: pim
@@ -19,43 +19,53 @@ ms.collection: M365-identity-device-management
 
 # Configure security alerts for Azure roles in Privileged Identity Management
 
-Privileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity in your organization in Azure Active Directory (Azure AD), part of Microsoft Entra. When an alert is triggered, it shows up on the Alerts page.
+Privileged Identity Management (PIM) generates alerts when there's suspicious or unsafe activity in your organization in Azure Active Directory (Azure AD), part of Microsoft Entra. When an alert is triggered, it shows up on the Alerts page.
 
-![Azure resources - Alerts page listing alert, risk level, and count](media/pim-resource-roles-configure-alerts/rbac-alerts-page.png)
+![Screenshot of the alerts page listing alert, risk level, and count.](media/pim-resource-roles-configure-alerts/rbac-alerts-page.png)
 
 ## Review alerts
 
 Select an alert to see a report that lists the users or roles that triggered the alert, along with remediation guidance.
 
-![Alert report showing last scan time, description, mitigation steps, type, severity, security impact, and how to prevent next time](media/pim-resource-roles-configure-alerts/rbac-alert-info.png)
+![Screenshot of the alert report showing last scan time, description, mitigation steps, type, severity, security impact, and how to prevent next time.](media/pim-resource-roles-configure-alerts/rbac-alert-info.png)
 
 ## Alerts
 
 Alert | Severity | Trigger | Recommendation
 --- | --- | --- | ---
 **Too many owners assigned to a resource** | Medium | Too many users have the owner role. | Review the users in the list and reassign some to less privileged roles.
-**Too many permanent owners assigned to a resource** | Medium | Too many users are permanently assigned to a role. | Review the users in the list and re-assign some to require activation for role use.
+**Too many permanent owners assigned to a resource** | Medium | Too many users are permanently assigned to a role. | Review the users in the list and reassign some to require activation for role use.
 **Duplicate role created** | Medium | Multiple roles have the same criteria. | Use only one of these roles.
-**Roles are being assigned outside of Privileged Identity Management (Preview)** | High | A role is managed directly through the Azure IAM resource blade or the Azure Resource Manager API | Review the users in the list and remove them from privileged roles assigned outside of Privilege Identity Management. 
+**Roles are being assigned outside of Privileged Identity Management (Preview)** | High | A role is managed directly through the Azure IAM resource, or the Azure Resource Manager API. | Review the users in the list and remove them from privileged roles assigned outside of Privilege Identity Management. 
 
 > [!NOTE]
 > During the public preview of the **Roles are being assigned outside of Privileged Identity Management (Preview)** alert, Microsoft supports only permissions that are assigned at the subscription level. 
 
 ### Severity
 
 - **High**: Requires immediate action because of a policy violation. 
-- **Medium**: Does not require immediate action but signals a potential policy violation.
-- **Low**: Does not require immediate action but suggests a preferred policy change.
+- **Medium**: Doesn't require immediate action but signals a potential policy violation.
+- **Low**: Doesn't require immediate action but suggests a preferred policy change.
 
 ## Configure security alert settings
 
-From the Alerts page, go to **Settings**.
+Follow these steps to configure security alerts for Azure roles in Privileged Identity Management:
 
-![Alerts page with Settings highlighted](media/pim-resource-roles-configure-alerts/rbac-navigate-settings.png)
+1. Sign in to the [Azure portal](https://portal.azure.com/).
 
-Customize settings on the different alerts to work with your environment and security goals.
+1. Open **Azure AD Privileged Identity Management**. For information about how to add the Privileged Identity Management tile to your dashboard, see [Start using Privileged Identity Management](pim-getting-started.md).
 
-![Setting page for an alert to enable and configure settings](media/pim-resource-roles-configure-alerts/rbac-alert-settings.png)
+1. From the left menu, select **Azure resources**.
+
+1. From the list of resources, select your Azure subscription. 
+
+1. On the **Alerts** page, select **Settings**.
+
+    ![Screenshot of the alerts page with settings highlighted.](media/pim-resource-roles-configure-alerts/rbac-navigate-settings.png)
+
+1. Customize settings on the different alerts to work with your environment and security goals.
+
+    ![Screenshot of the alert setting.](media/pim-resource-roles-configure-alerts/rbac-alert-settings.png)
 
 ## Next steps
 
diff --git a/articles/active-directory/privileged-identity-management/pim-security-wizard.md b/articles/active-directory/privileged-identity-management/pim-security-wizard.md
@@ -11,7 +11,7 @@ ms.service: active-directory
 ms.topic: how-to
 ms.workload: identity
 ms.subservice: pim
-ms.date: 06/27/2022
+ms.date: 07/29/2022
 ms.author: amsliu
 ms.reviewer: shaunliu
 ms.custom: pim ; H1Hack27Feb2017
@@ -36,7 +36,7 @@ Also, keep role assignments permanent if a user has a Microsoft account (in othe
 
 1. Open **Azure AD Privileged Identity Management**.
 
-1. Select **Azure AD roles** and then select **Discovery and insights (Preview)**. Opening the page begins the discovery process to find relevant role assignments.
+1. From the left menu, select **Azure AD roles** and then select **Discovery and insights (Preview)**. Opening the page begins the discovery process to find relevant role assignments.
 
     ![Azure AD roles - Discovery and insights page showing the 3 options](./media/pim-security-wizard/new-preview-link.png)
 
