Acrolinx

Author: curtand

articles/active-directory/privileged-identity-management/pim-how-to-change-default-settings.md

@@ -1,5 +1,5 @@
 ---
-title: Configure Azure AD role settings in PIM - Azure Active Directory | Microsoft Docs
+title: Configure Azure AD role settings in Privileged Identity Management - Azure Active Directory | Microsoft Docs
 description: Learn how to configure Azure AD role settings in Azure AD Privileged Identity Management (PIM).
 services: active-directory
 documentationcenter: ''
@@ -46,7 +46,7 @@ Use the **Activations** slider to set the maximum time, in hours, that a role st
 
 ## Notifications
 
-Use the **Notifications** switch to specify whether administrators will receive email notifications when roles are activated. This can be useful for detecting unauthorized or illegitimate activations.
+Use the **Notifications** switch to specify whether administrators will receive email notifications when roles are activated. This notification can be useful for detecting unauthorized or illegitimate activations.
 
 When set to **Enable**, notifications are sent to:
 
@@ -62,51 +62,48 @@ Use the **Incident/Request ticket** switch to require eligible administrators to
 
 ## Multi-Factor Authentication
 
-Use the **Multi-Factor Authentication** switch to specify whether to require users to verify their identity with MFA before they can activate their roles. They only have to verify this once per session, not every time they activate a role. There are two tips to keep in mind when you enable MFA:
+Use the **Multi-Factor Authentication** switch to specify whether to require users to verify their identity with MFA before they can activate their roles. They only have to verify their identity once per session, not every time they activate a role. There are two tips to keep in mind when you enable MFA:
 
-- Users who have Microsoft accounts for their email addresses (typically @outlook.com, but not always) cannot register for Azure MFA. If you want to assign roles to users with Microsoft accounts, you should either make them permanent admins or disable MFA for that role.
-- You cannot disable MFA for highly privileged roles for Azure AD and Office365. This is a safety feature because these roles should be carefully protected:  
+- Users who have Microsoft accounts for their email addresses (typically @outlook.com, but not always) cannot register for Azure Multi-Factor Authentication. If you want to assign roles to users with Microsoft accounts, you should either make them permanent admins or disable multi-factor authentication for that role.
+- You cannot disable Azure Multi-Factor Authentication for highly privileged roles for Azure AD and Office 365. This safety feature helps protect the following roles:  
 
-  - Azure Information Protection Administrator
-  - Billing Administrator
-  - Cloud Application Administrator
-  - Compliance Administrator
-  - Conditional Access Administrator
-  - CRM Service Administrator
-  - Customer LockBox Access Approver
-  - Directory Writers
-  - Exchange Administrator
-  - Global Administrator
-  - Intune Service Administrator
-  - Power BI Service Administrator
-  - Privileged Role Administrator
-  - Security Administrator
-  - SharePoint Service Administrator
-  - Skype for Business Administrator
-  - User Administrator
-
-For more information, see [Multi-factor authentication (MFA) and Privileged Identity Management](pim-how-to-require-mfa.md).
+  - Azure Information Protection administrator
+  - Billing administrator
+  - Cloud application administrator
+  - Compliance administrator
+  - Conditional access administrator
+  - Dynamics 365 administrator
+  - Customer LockBox access approver
+  - Directory writers
+  - Exchange administrator
+  - Global administrator
+  - Intune administrator
+  - Power BI administrator
+  - Privileged role administrator
+  - Security administrator
+  - SharePoint administrator
+  - Skype for Business administrator
+  - User administrator
+
+For more information, see [Multi-factor authentication and Privileged Identity Management](pim-how-to-require-mfa.md).
 
 ## Require approval
 
-If you want to require approval to activate a role, follow these steps.
+If you want to delegate the required approval to activate a role, follow these steps.
 
 1. Set the **Require approval** switch to **Enabled**. The pane expands with options to select approvers.
 
     ![Azure AD roles - Settings - Require approval](./media/pim-how-to-change-default-settings/pim-directory-roles-settings-require-approval.png)
 
-    If you don't specify any approvers, the Privileged Role Administrator become the default approver and would then be required to approve all activation requests for this role.
+    If you don't specify any approvers, the Privileged role administrator becomes the default approver and is then required to approve all activation requests for this role.
 
 1. To specify approvers, click **Select approvers**.
 
     ![Azure AD roles - Settings - Require approval](./media/pim-how-to-change-default-settings/pim-directory-roles-settings-require-approval-select-approvers.png)
 
-1. Select one or more approvers and then click **Select**. You can select users or groups. At least 2 approvers is recommended. Self-approval is not allowed.
-
-    Your selections will appear in the list of selected approvers.
-
-1. Once you have specified your all your role settings, select **Save** to save your changes.
+1. Select one or more approvers in addition to the Privileged role administrator and then click **Select**. You can select users or groups. We recommend at least two approvers is. Even if you add yourself as an approver, you can't self-approve a role activation. Your selections will appear in the list of selected approvers.
 
+1. After you have specified your all your role settings, select **Save** to save your changes.
 
 <!--PLACEHOLDER: Need an explanation of what the temporary Global Administrator setting is for.-->