Commit 55a2946

Merge pull request #187633 from ajburnle/azuread-accessreviews-multistagereview
[Azure AD] [Access Reviews] multi-stage access reviews (preview)
2 parents 75a1a0b + 8ff576f commit 55a2946

11 files changed: +119 -138 lines changed

articles/active-directory/fundamentals/whats-new-archive.md

Lines changed: 1 addition & 1 deletion
@@ -1838,7 +1838,7 @@ For more information about this feature, see [Disable and delete external identi
18381838
**Service category:** Access Reviews
18391839
**Product capability:** Identity Governance
18401840

1841-
In Azure AD access reviews, administrators creating reviews can now write a custom message to the reviewers. Reviewers will see the message in the email they receive that prompts them to complete the review. To learn more about using this feature, see step 14 of the [Create one or more access reviews](../governance/create-access-review.md#create-one-or-more-access-reviews) section.
1841+
In Azure AD access reviews, administrators creating reviews can now write a custom message to the reviewers. Reviewers will see the message in the email they receive that prompts them to complete the review. To learn more about using this feature, see step 14 of the [Create a single-stage review](../governance/create-access-review.md#create-a-single-stage-access-review) section.
18421842

18431843
---
18441844
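Review bot: The replacement link on line 1841 still sends readers to "step 14", but this same pull request splits the procedure in create-access-review.md under new `### Scope`, `### Next: Reviews`, `### Next: Settings` and `### Next: Review + Create` headings, and every item there is written as `1.`, so the rendered numbering is likely to restart under each heading and a step 14 may no longer exist. Refer to the step by what it does (the custom message to reviewers) rather than by number. The link text "Create a single-stage review" also drops "access" from the target heading "Create a single-stage access review"; make the two match.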

articles/active-directory/governance/complete-access-review.md

Lines changed: 13 additions & 8 deletions
@@ -11,7 +11,7 @@ ms.workload: identity
1111
ms.tgt_pltfrm: na
1212
ms.topic: how-to
1313
ms.subservice: compliance
14-
ms.date: 08/20/2021
14+
ms.date: 02/18/2022
1515
ms.author: ajburnle
1616
ms.reviewer: mwahl
1717
ms.collection: M365-identity-device-management
@@ -42,7 +42,6 @@ You can track the progress of access reviews as they are completed.
4242

4343
1. In the list, click an access review.
4444

45-
4645
On the **Overview** page, you can see the progress of the **Current** instance of the review. If there is not an active instance open at the time, you will see information on the previous instance. No access rights are changed in the directory until the review is completed.
4746

4847
![Review of All company group](./media/complete-access-review/all-company-group.png)
@@ -69,20 +68,28 @@ You can track the progress of access reviews as they are completed.
6968

7069
1. If you're no longer interested in the access review, you can delete it by clicking the **Delete** button.
7170

71+
### View status of multi-stage review (preview)
72+
73+
To see the status and stage of a multi-stage access review:
74+
75+
1. Select the multi-stage review you want to check the status of or see what stage it's in.
76+
77+
1. Click **Results** on the left nav menu under **Current**.
78+
79+
1. Once you are on the results page, under **Status** it will tell you which stage the multi-stage review is in. The next stage of the review won't become active until the duration specified during the access review setup has passed.
80+
81+
1. If a decision has been made, but the review duration for this stage has not expired yet, you can select **Stop current stage** button on the results page. This will trigger the next stage of review.
82+
7283
## Retrieve the results
7384

7485
To view the results for a review, click the **Results** page. To view just a user's access, in the Search box, type the display name or user principal name of a user whose access was reviewed.
7586

7687
![Retrieve results for an access review](./media/complete-access-review/retrieve-results.png)
7788

78-
7989
To view the results of a completed instance of an access review that is recurring, click **Review history**, then select the specific instance from the list of completed access review instances, based on the instance's start and end date. The results of this instance can be obtained from the **Results** page. Recurring access reviews allow you to have a constant picture of access to resources that may need to be updated more often than one-time access reviews.
8090

8191
To retrieve the results of an access review, both in-progress or completed, click the **Download** button. The resulting CSV file can be viewed in Excel or in other programs that open UTF-8 encoded CSV files.
8292

83-
84-
85-
8693
## Apply the changes
8794

8895
If **Auto apply results to resource** was enabled based on your selections in **Upon completion settings**, auto-apply will be executed once a review instance completes, or earlier if you manually stop the review.
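Review bot: Steps 3 and 4 of the new "View status of multi-stage review (preview)" section describe the stage transition in conflicting terms: step 3 says the next stage "won't become active until the duration specified during the access review setup has passed", step 4 says **Stop current stage** triggers it early, and create-access-review.md in this same change says the next stage "doesn't happen until a decision is made in the previous stage". State one rule and put the exception next to it, for example that a stage ends when its duration passes or when it is stopped manually. Because stopping a stage cuts short the window that stage's reviewers were given, step 4 should also say which role can use the button and what happens to reviewees who have no decision yet. Minor: "you can select **Stop current stage** button" is missing "the".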
@@ -105,14 +112,12 @@ Manually or automatically applying results doesn't have an effect on a group tha
105112
> - Reviewing a resource (role, group, application) with nested groups assigned: For users who have membership through a nested group, we will not remove their membership to the nested group and therefore they will retain access to the resource being reviewed.
106113
> - User not found / other errors can also result in an apply result not being supported.
107114
108-
109115
## Actions taken on denied guest users in an access review
110116

111117
On review creation, the creator can choose between two options for denied guest users in an access review.
112118
- Denied guest users can have their access to the resource removed. This is the default.
113119
- The denied guest user can be blocked from signing in for 30 days, then deleted from the tenant. During the 30-day period the guest user is able to be restored access to the tenant by an administrator. After the 30-day period is completed, if the guest user has not had access to the resource granted to them again, they will be removed from the tenant permanently. In addition, using the Azure Active Directory portal, a Global Administrator can explicitly [permanently delete a recently deleted user](../fundamentals/active-directory-users-restore.md) before that time period is reached. Once a user has been permanently deleted, the data about that guest user will be removed from active access reviews. Audit information about deleted users remains in the audit log.
114120

115-
116121
## Next steps
117122

118123
- [Manage access reviews](manage-access-review.md)

articles/active-directory/governance/create-access-review.md

Lines changed: 57 additions & 5 deletions
@@ -10,7 +10,7 @@ ms.workload: identity
1010
ms.tgt_pltfrm: na
1111
ms.topic: how-to
1212
ms.subservice: compliance
13-
ms.date: 08/20/2021
13+
ms.date: 02/18/2022
1414
ms.author: ajburnle
1515
ms.reviewer: mwahl
1616
ms.collection: M365-identity-device-management
@@ -37,8 +37,9 @@ This article describes how to create one or more access reviews for group member
3737

3838
For more information, see [License requirements](access-reviews-overview.md#license-requirements).
3939

40-
## Create one or more access reviews
40+
## Create a single-stage access review
4141

42+
### Scope
4243
1. Sign in to the Azure portal and open the [Identity Governance](https://portal.azure.com/#blade/Microsoft_AAD_ERM/DashboardBlade/) page.
4344

4445
1. On the left menu, select **Access reviews**.
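Review bot: Renaming the H2 on line 40 from "Create one or more access reviews" to "Create a single-stage access review" changes its anchor, so any inbound link to `#create-one-or-more-access-reviews` stops resolving. This pull request updates the one in whats-new-archive.md; search the remaining articles for the old fragment before merging. The @@ context line shows the intro still reads "This article describes how to create one or more access reviews", which is worth rewording now that the article covers single-stage and multi-stage reviews. Also add a blank line between `### Scope` (line 42) and the first list item on line 43, as is done after `### Next: Reviews`.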
@@ -62,8 +63,8 @@ For more information, see [License requirements](access-reviews-overview.md#lice
6263

6364
![Screenshot that shows the interface that appears if you selected applications instead of groups.](./media/create-access-review/select-application-detailed.png)
6465

65-
> [!NOTE]
66-
> Selecting multiple groups or applications results in the creation of multiple access reviews. For example, if you select five groups to review, the result is five separate access reviews.
66+
> [!NOTE]
67+
> Selecting multiple groups or applications results in the creation of multiple access reviews. For example, if you select five groups to review, the result is five separate access reviews.
6768
6869
1. Now you can select a scope for the review. Your options are:
6970

@@ -75,7 +76,11 @@ For more information, see [License requirements](access-reviews-overview.md#lice
7576
7677
1. Select **Next: Reviews**.
7778

78-
1. In the **Specify reviewers** section, in the **Select reviewers** box, select either one or more people to do the access reviews. You can choose from:
79+
### Next: Reviews
80+
81+
1. You can create a single-stage or multi-stage review (preview). For a single stage review continue here. To create a multi-stage access review (preview), follow the steps in [Create a multi-stage access review (preview)](#create-a-multi-stage-access-review-preview)
82+
83+
1. In the **Specify reviewers** section, in the **Select reviewers** box, select either one or more people to make decisions in the access reviews. You can choose from:
7984

8085
- **Group owner(s)**: This option is only available when you do a review on a team or group.
8186
- **Selected user(s) or groups(s)**
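Review bot: The step added on line 81 is a routing note rather than an action, yet it is numbered as the first list item under `### Next: Reviews`; move it to a sentence above the list so the numbered steps remain things the reader does. In the same line, "single stage review" should be hyphenated to match "single-stage" earlier in the sentence and in the H2, and the sentence ending in the `#create-a-multi-stage-access-review-preview` link is missing its closing period.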
@@ -96,6 +101,8 @@ For more information, see [License requirements](access-reviews-overview.md#lice
96101

97102
1. Select **Next: Settings**.
98103

104+
### Next: Settings
105+
99106
1. In the **Upon completion settings** section, you can specify what happens after the review finishes.
100107

101108
![Screenshot that shows Upon completion settings.](./media/create-access-review/upon-completion-settings-new.png)
@@ -141,10 +148,55 @@ For more information, see [License requirements](access-reviews-overview.md#lice
141148

142149
![Screenshot that shows the Review + Create tab.](./media/create-access-review/create-review.png)
143150

151+
### Next: Review + Create
152+
144153
1. Name the access review. Optionally, give the review a description. The name and description are shown to the reviewers.
145154

146155
1. Review the information and select **Create**.
147156

157+
## Create a multi-stage access review (preview)
158+
159+
A multi-stage review allows the administrator to define two or three sets of reviewers to complete a review one after another. In a single-stage review, all reviewers make a decision within the same period and the last reviewer to make a decision "wins". In a multi-stage review, two or three independent sets of reviewers make a decision within their own stage, and the next stage doesn't happen until a decision is made in the previous stage. Multi-stage reviews can be used to reduce the burden on later-stage reviewers, allow for escalation of reviewers, or have independent groups of reviewers agree on decisions.
160+
161+
1. After you have selected the resource and scope of your review, move on to the **Reviews** tab.
162+
163+
1. Click the checkbox next to **(Preview) Multi-stage review**.
164+
165+
1. Under **First stage review**, select the reviewers from the dropdown menu next to **Select reviewers**.
166+
167+
1. If you select **Group owner(s)** or **Managers of Users**, you have the option to add a fallback reviewer. To add a fallback, click **Select fallback reviewers** and add the users you want to be fallback reviewers.
168+
169+
![Screenshot that shows multi-stage review enabled and multi-stage review settings.](./media/create-access-review/create-multi-stage-review.png)
170+
171+
1. Add the duration for the first stage. To add the duration, enter a number in the field next to **Stage duration (in days)**. This is the number of days you wish for the first stage to be open to the first stage reviewers to make decisions.
172+
173+
1. Under **Second stage review**, select the reviewers from the dropdown menu next to **Select reviewers**. These reviewers will be asked to review after the duration of the first stage review ends.
174+
175+
1. Add any fallback reviewers if necessary.
176+
177+
1. Add the duration for the second stage.
178+
179+
1. By default, you will see two stages when you create a multi-stage review. However, you can add up to three stages. If you want to add a third stage, click **+ Add a stage** and complete the required fields.
180+
181+
1. You can decide to allow 2nd and 3rd stage reviewers to the see decisions made in the previous stage(s).If you want to allow them to see the decisions made prior, click the box next to **Show previous stage(s) decisions to later stage reviewers** under **Reveal review results**. Leave the box unchecked to disable this setting if you’d like your reviewers to review independently.
182+
183+
![Screenshot that shows duration and show previous stages setting enabled for multi-stage review.](./media/create-access-review/reveal-multi-stage-results-and-duration.png)
184+
185+
1. The duration of each recurrence will be set to the sum of the duration day(s) you specified in each stage.
186+
187+
1. Specify the **Review recurrence**, the **Start date**, and **End date** for the review. The recurrence type must be at least as long as the total duration of the recurrence (i.e., the max duration for a weekly review recurrence is 7 days).
188+
189+
1. To specify which reviewees will continue from stage to stage, select one or multiple of the following options next to **Specify reviewees to go to next stage** :
190+
![Screenshot that shows specify reviewees setting and options for multi-stage review.](./media/create-access-review/next-stage-reviewees-setting.png)
191+
192+
1. **Approved reviewees** - Only reviewees that were approved move on to the next stage(s).
193+
1. **Denied reviewees** - Only reviewees that were denied move on to the next stage(s).
194+
1. **Not reviewed reviewees** - Only reviewees that haven't been reviewed will move on to the next stage(s).
195+
1. **Reviewees marked as "Don't Know"** - Only reviewees marked as "Don't know" move on to the next stage(s).
196+
1. **All**: everyone moves on to the next stage if you’d like all stages of reviewers to make a decision.
197+
198+
1. Continue on to the **settings tab** and finish the rest of the settings and create the review. Follow the instructions in [Next: Settings](#next-settings).
199+
148200
## Allow group owners to create and manage access reviews of their groups (preview)
149201

150202
The prerequisite role is a Global or User administrator.
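Review bot: The new multi-stage section never says which stage's decision is the one recorded and applied, or what result reviewees end up with when **Specify reviewees to go to next stage** filters them out. The intro on line 159 states that in a single-stage review the last reviewer to decide "wins" but gives no equivalent rule across stages, and an administrator choosing between **Approved reviewees** and **Denied reviewees** needs to know whether a reviewee who does not move on keeps the earlier stage's decision. State that rule after the options list. Each option is worded "Only ..." while the step says "select one or multiple", so the wording should cover combined selections, and since these are choices rather than steps they should be `-` bullets instead of `1.` items. Typos on line 181: "to the see decisions" and a missing space in "stage(s).If".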