Merge pull request #223167 from v-edmckillop/patch-65

19BMG00 · web-flow · commit 4b6baffe94e5 · 2023-01-09T10:00:58.000-08:00
Update active-directory-deployment-plans.md
diff --git a/articles/active-directory/fundamentals/active-directory-deployment-plans.md b/articles/active-directory/fundamentals/active-directory-deployment-plans.md
@@ -1,97 +1,130 @@
 ---
-title: Deployment plans - Azure Active Directory | Microsoft Docs
-description: Guidance about how to deploy many Azure Active Directory capabilities.
+title: Azure Active Directory deployment plans
+description: Guidance on Azure Active Directory deployment, such as authentication, devices, hybrid scenarios, governance, and more.
 services: active-directory
 author: gargisinha
 manager: martinco
-
 ms.service: active-directory
 ms.subservice: fundamentals
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 09/13/2022
+ms.date: 01/06/2023
 ms.author: gasinh
 ms.custom: "it-pro, seodec18"
 ms.collection: M365-identity-device-management
 ---
 
 # Azure Active Directory deployment plans
-Looking for complete guidance on deploying Azure Active Directory (Azure AD) capabilities? Azure AD deployment plans walk you through the business value, planning considerations, and operational procedures needed to successfully deploy common Azure AD capabilities.
-
-From any of the plan pages, use your browser's Print to PDF capability to create an up-to-date offline version of the documentation.
-
-
-## Deploy authentication
-
-| Capability | Description|
-| -| -|
-| [Azure AD multifactor authentication](../authentication/howto-mfa-getstarted.md)| Azure AD Multi-Factor Authentication (MFA) is Microsoft's two-step verification solution. Using admin-approved authentication methods, Azure AD MFA helps safeguard access to your data and applications while meeting the demand for a simple sign-in process. Watch this video on [How to configure and enforce multi-factor authentication in your tenant](https://www.youtube.com/watch?v=qNndxl7gqVM)|
-| [Conditional Access](../conditional-access/plan-conditional-access.md)| With Conditional Access, you can implement automated access control decisions for who can access your cloud apps, based on conditions. |
-| [Self-service password reset](../authentication/howto-sspr-deployment.md)| Self-service password reset helps your users reset their passwords without administrator intervention, when and where they need to. |
-| [Passwordless](../authentication/howto-authentication-passwordless-deployment.md) | Implement passwordless authentication using the Microsoft Authenticator app or FIDO2 Security keys in your organization |
-
-## Deploy application and device management
-
-| Capability | Description|
-| -| - |
-| [Single sign-on](../manage-apps/plan-sso-deployment.md)| Single sign-on helps your users' access the apps and resources they need to do business while signing in only once. After they've signed in, they can go from Microsoft Office to SalesForce to Box to internal applications without being required to enter credentials a second time. |
-| [My Apps](../manage-apps/my-apps-deployment-plan.md)| Offer your users a simple hub to discover and access all their applications. Enable them to be more productive with self-service capabilities, like requesting access to apps and groups, or managing access to resources on behalf of others. |
-| [Devices](../devices/plan-device-deployment.md) | This article helps you evaluate the methods to integrate your device with Azure AD, choose the implementation plan, and provides key links to supported device management tools. |
-
-
-## Deploy hybrid scenarios  
 
-| Capability | Description|
-| -| -|
-| [AD FS to cloud user authentication](../hybrid/migrate-from-federation-to-cloud-authentication.md)| Learn to migrate your user authentication from federation to cloud authentication with either pass through authentication or password hash sync.
-| [Azure AD Application Proxy](../app-proxy/application-proxy-deployment-plan.md) |Employees today want to be productive at any place, at any time, and from any device. They need to access SaaS apps in the cloud and corporate apps on-premises. Azure AD Application proxy enables this robust access without costly and complex virtual private networks (VPNs) or demilitarized zones (DMZs). |
-| [Seamless SSO](../hybrid/how-to-connect-sso-quick-start.md)| Azure Active Directory Seamless Single Sign-On (Azure AD Seamless SSO) automatically signs users in when they are on their corporate devices connected to your corporate network. With this feature, users won't need to type in their passwords to sign in to Azure AD and usually won't need to enter their usernames. This feature provides authorized users with easy access to your cloud-based applications without needing any extra on-premises components. |
+Use the following guidance to help deploy Azure Active Directory (Azure AD). Learn about business value, planning considerations, and operational procedures. You can use a browser Print to PDF function to create offline documentation.
 
-## Deploy user provisioning
+## Your stakeholders
 
-| Capability | Description|
-| -| -|
-| [User provisioning](../app-provisioning/plan-auto-user-provisioning.md)| Azure AD helps you automate the creation, maintenance, and removal of user identities in cloud (SaaS) applications, such as Dropbox, Salesforce, ServiceNow, and more. |
-| [Cloud HR user provisioning](../app-provisioning/plan-cloud-hr-provision.md)| Cloud HR user provisioning to Active Directory creates a foundation for ongoing identity governance and enhances the quality of business processes that rely on authoritative identity data. Using this feature with your cloud HR product, such as Workday or Successfactors, you can seamlessly manage the identity lifecycle of employees and contingent workers by configuring rules that map Joiner-Mover-Leaver processes (such as New Hire, Terminate, Transfer) to IT provisioning actions (such as Create, Enable, Disable) |
-| [Azure AD B2B collaboration](../fundamentals/secure-external-access-resources.md)| Azure AD enables you to collaborate with any external user, allowing them to securely gain access to SaaS and Line-of-Business (LoB) applications. |
+When beginning your deployment plans, include your key stakeholders. Identify and document stakeholders, roles, responsibilities. Titles and roles can differ from one organization to another, however the ownership areas are similar.
 
-## Deploy governance and reporting
-
-| Capability | Description|
-| -| -|
-| [Privileged Identity Management](../privileged-identity-management/pim-deployment-plan.md)| Azure AD Privileged Identity Management (PIM) helps you manage privileged administrative roles across Azure AD, Azure resources, and other Microsoft Online Services. PIM provides solutions like just-in-time access, request approval workflows, and fully integrated access reviews so you can identify, uncover, and prevent malicious activities of privileged roles in real time. |
-| [Reporting and Monitoring](../reports-monitoring/plan-monitoring-and-reporting.md)| The design of your Azure AD reporting and monitoring solution depends on your legal, security, and operational requirements as well as your existing environment and processes. This article presents the various design options and guides you to the right deployment strategy. |
-| [Access Reviews](../governance/deploy-access-reviews.md) | Access Reviews are an important part of your governance strategy, enabling you to know and manage who has access, and to what they have access. This article helps you plan and deploy access reviews to achieve your desired security and collaboration postures. |
-| [Identity governance for applications](../governance/identity-governance-applications-prepare.md) | As part of your organization's controls to meet your compliance and risk management objectives for managing access for critical applications, you can use Azure AD features to set up and enforce appropriate access.|
-
-## Include the right stakeholders
-
-When beginning your deployment planning for a new capability, it's important to include key stakeholders across your organization. We recommend that you identify and document the person or people who fulfill each of the following roles, and work with them to determine their involvement in the project.  
-
-Roles might include the following 
-
-|Role |Description |
+|Role |Responsibility |
 |-|-|
-|End-user|A representative group of users for which the capability will be implemented. Often previews the changes in a pilot program.
-|IT Support Manager|IT support organization representative who can provide input on the supportability of this change from a helpdesk perspective.  
-|Identity Architect or Azure Global Administrator|Identity management team representative in charge of defining how this change is aligned with the core identity management infrastructure in your organization.|
-|Application Business Owner |The overall business owner of the affected application(s), which may include managing access.  May also provide input on the user experience and usefulness of this change from an end user's perspective.
-|Security Owner|A representative from the security team that can sign out that the plan will meet the security requirements of your organization.|
-|Compliance Manager|The person within your organization responsible for ensuring compliance with  corporate, industry, or governmental requirements.|
-
-**Levels of involvement might include:**
+|Sponsor|An enterprise senior leader with authority to approve and/or assign budget and resources. The sponsor is the connection between managers and the executive team.|
+|End user|The people for whom the service is implemented. Users can participate in a pilot program.|
+|IT Support Manager|Provides input on the supportability of proposed changes |
+|Identity architect or Azure Global Administrator|Defines how the change aligns with identity management infrastructure|
+|Application business owner |Owns the affected application(s), which might include access management. Provides input on the user experience.
+|Security owner|Confirms the change plan meets security requirements|
+|Compliance manager|Ensures compliance with corporate, industry, or governmental requirements|
+
+### RACI
+
+RACI is an acronym derived from four key responsibilities: 
+
+* **Responsible** 
+* **Accountable**
+* **Consulted**
+* **Informed**
+
+Use these terms to clarify and define roles and responsibilities in your project, and for other cross-functional or departmental projects and processes.
+
+## Authentication
+
+Use the following list to plan for authentication deployment. 
+
+* **Azure AD multi-factor authentication (MFA)** - Using admin-approved authentication methods, Azure AD MFA helps safeguard access to your data and applications while meeting the demand for a simple sign-in process: 
+  * See the video, [How to configure and enforce multi-factor authentication in your tenant](https://www.youtube.com/watch?v=qNndxl7gqVM)
+  * See, [Plan an Azure Active Directory Multi-Factor Authentication deployment](../authentication/howto-mfa-getstarted.md) 
+* **Conditional Access** - Implement automated access-control decisions for users to access cloud apps, based on conditions: 
+  * See, [What is Conditional Access?](/azure/active-directory/conditional-access/overview)
+  * See, [Plan a Conditional Access deployment](../conditional-access/plan-conditional-access.md)
+* **Azure AD self-service password reset (SSPR)** - Help users reset a password without administrator intervention:
+  * See, [Passwordless authentication options for Azure AD](/articles/active-directory/authentication/concept-authentication-passwordless.md)
+  * See, [Plan an Azure Active Directory self-service password reset deployment](../authentication/howto-sspr-deployment.md) 
+* **Passordless authentication** - Implement passwordless authentication using the Microsoft Authenticator app or FIDO2 Security keys:
+  * See, [Enable passwordless sign-in with Microsoft Authenticator](/azure/active-directory/authentication/howto-authentication-passwordless-phone)
+  * See, [Plan a passwordless authentication deployment in Azure Active Directory](../authentication/howto-authentication-passwordless-deployment.md)
+
+## Applications and devices
+
+Use the following list to help deploy applications and devices.
+
+* **Single sign-on (SSO)** - Enable user access to apps and resources while signing in once, without being required to enter credentials again: 
+  * See, [What is SSO in Azure AD?](/articles/active-directory/manage-apps/what-is-single-sign-on.md)
+  * See, [Plan a SSO deployment](../manage-apps/plan-sso-deployment.md)
+* **My Apps portal** - A web-based portal to discover and access applications. Enable user productivity with self-service, for instance requesting access to groups, or managing access to resources on behalf of others. 
+  * See, [My Apps portal overview](/azure/active-directory/manage-apps/myapps-overview)
+* **Devices** - Evaluate device integration methods with Azure AD, choose the implementation plan, and more.
+  * See, [Plan your Azure Active Directory device deployment](../devices/plan-device-deployment.md)  
+
+## Hybrid scenarios  
+
+The following list describes features and services for productivity gains in hybrid scenarios.
+
+* **Active Directory Federation Services (AD FS)** - Migrate user authentication from federation to cloud with pass-through authentication or password hash sync:
+  *  See, [What is federation with Azure AD?](/articles/active-directory/hybrid/whatis-fed.md)
+  *  See, [Migrate from federation to cloud authentication](../hybrid/migrate-from-federation-to-cloud-authentication.md)
+* **Azure AD Application Proxy** - Enable employees to be productive at any place or time, and from a device. Learn about software as a service (SaaS) apps in the cloud and corporate apps on-premises. Azure AD Application Proxy enables access without virtual private networks (VPNs) or demilitarized zones (DMZs):
+  * See, [Remote access to on-premises applications through Azure AD Application Proxy](/articles/active-directory/app-proxy/application-proxy.md)
+  * See, [Plan an Azure AD Application Proxy deployment](../app-proxy/application-proxy-deployment-plan.md)
+* **Seamless single sign-on (Seamless SSO)** - Use Seamless SSO for user sign-in, on corporate devices connected to a corporate network. Users don't need to enter passwords to sign in to Azure AD, and usually don't need to enter usernames. Authorized users access cloud-based apps without extra on-premises components:
+  * See, [Azure Active Directory SSO: Quickstart](../hybrid/how-to-connect-sso-quick-start.md) 
+  * See, [Azure Active Directory Seamless SSO: Technical deep dive](/articles/active-directory/hybrid/how-to-connect-sso-how-it-works.md)
+
+## Users
+
+* **User identities** - Learn about automation to create, maintain, and remove user identities in cloud apps, such as Dropbox, Salesforce, ServiceNow, and more. 
+  * See, [Plan an automatic user provisioning deployment in Azure Active Directory](../app-provisioning/plan-auto-user-provisioning.md)
+* **Identity governance** - Create identity governance and enhance business processes that rely on identity data. With HR products, such as Workday or Successfactors, manage employee and contingent-staff identity lifecycle with rules. These rules map Joiner-Mover-Leaver processes, such as New Hire, Terminate, Transfer, to IT actions such as Create, Enable, Disable.
+  * See, [Plan cloud HR application to Azure Active Directory user provisioning](../app-provisioning/plan-cloud-hr-provision.md) 
+* **Azure AD B2B collaboration** - Improve external-user collaboration with secure access to applications: 
+  * See, [B2B collaboration overview](/azure/active-directory/external-identities/what-is-b2b)
+  * See, [Plan an Azure Active Directory B2B collaboration deployment](../fundamentals/secure-external-access-resources.md)
+
+## Governance and reporting
+
+Use the following list to learn about governance and reporting. Items in the list refer to Microsoft Entra. 
+
+Learn more: [Secure access for a connected world—meet Microsoft Entra](https://www.microsoft.com/en-us/security/blog/?p=114039)
+
+* **Privileged identity management (PIM)** - Manage privileged administrative roles across Azure AD, Azure resources, and other Microsoft Online Services. Use it for just-in-time access, request approval workflows, and fully integrated access reviews to help prevent malicious activities: 
+  * See, [Start using Privileged Identity Management](/azure/active-directory/privileged-identity-management/pim-getting-started)
+  * See, [Plan a Privileged Identity Management deployment](../privileged-identity-management/pim-deployment-plan.md) 
+* **Reporting and monitoring** - Your Azure AD reporting and monitoring solution design has dependencies and constraints: legal, security, operations, environment, and processes. 
+  * See, [Azure Active Directory reporting and monitoring deployment dependencies](../reports-monitoring/plan-monitoring-and-reporting.md)
+* **Access reviews** - Understand and manage access to resources:
+  * See, [What are access reviews?](/articles/active-directory/governance/access-reviews-overview.md)
+  * See, [Plan a Microsoft Entra access reviews deployment](../governance/deploy-access-reviews.md)  
+* **Identity governance** - Meet your compliance and risk management objectives for access to critical applications. Learn how to enforce accurate access.
+  * See, [Govern access for applications in your environment](../governance/identity-governance-applications-prepare.md)
+  
+Learn more: [Azure governance documentation](/azure/governance/)
 
-- **R**esponsible for implementing project plan and outcome 
+## Best practices for a pilot
 
-- **A**pproval of project plan and outcome 
+Use pilots to test with a small group, before making a change for larger groups, or everyone. Ensure each use case in your organization is tested.
 
-- **C**ontributor to project plan and outcome 
+### Pilot: Phase 1
 
-- **I**nformed of project plan and outcome
+In your first phase, target IT, usability, and other users who can test and provide feedback. Use this feedback to gain insights on potential issues for support staff, and to develop communications and instructions you send to all users.
 
-## Best practices for a pilot
-A pilot allows you to test with a small group before turning on a capability for everyone. Ensure that as part of your testing, each use case within your organization is thoroughly tested. It's best to target a specific group of pilot users before rolling this deployment out to your organization as a whole.
+### Pilot: Phase 2
 
-In your first wave, target IT, usability, and other appropriate users who can test and provide feedback. Use this feedback to further develop the communications and instructions you send to your users, and to give insights into the types of issues your support staff may see. 
+Widen the pilot to larger groups of users by using dynamic membership, or by manually adding users to the targeted group(s).
 
-Widening the rollout to larger groups of users should be carried out by increasing the scope of the group(s) targeted. This can be done through [dynamic group membership](../enterprise-users/groups-dynamic-membership.md), or by manually adding users to the targeted group(s).
+Learn more: [Dynamic membership rules for groups in Azure Active Directory](../enterprise-users/groups-dynamic-membership.md)]
