Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into ip-metadata

Author: halkazwini

.openpublishing.redirection.active-directory.json

@@ -11095,6 +11095,11 @@
       "source_path_from_root": "/articles/active-directory/cloud-infrastructure-entitlement-management/product-data-inventory.md",
       "redirect_url": "/azure/active-directory/cloud-infrastructure-entitlement-management/product-data-billable-resources",
       "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/active-directory/governance/create-access-review-privileged-access-groups.md",
+      "redirect_url": "/azure/active-directory/governance/create-access-review-pim-for-groups",
+      "redirect_document_id": false
     }
   ]
 }

articles/active-directory/governance/TOC.yml

@@ -208,10 +208,10 @@
         href: ../privileged-identity-management/pim-perform-azure-ad-roles-and-resource-roles-review.md?toc=%2fazure%2factive-directory%2fgovernance%2ftoc.json
       - name: Complete an access review
         href: ../privileged-identity-management/pim-complete-azure-ad-roles-and-resource-roles-review.md?toc=%2fazure%2factive-directory%2fgovernance%2ftoc.json
-    - name: Azure AD Privileged Access Groups (Preview)
+    - name: Azure AD PIM for Groups (Preview)
       items:
       - name: Create an access review
-        href: create-access-review-privileged-access-groups.md
+        href: create-access-review-pim-for-groups.md
   - name: Lifecycle Workflows (Preview)
     items:
       - name: Deployment

articles/active-directory/governance/create-access-review-privileged-access-groups.md renamed to articles/active-directory/governance/create-access-review-pim-for-groups.md

@@ -1,6 +1,6 @@
 ---
-title: Create an access review of Privileged Access Groups - Azure AD (preview)
-description: Learn how to create an access review of Privileged Access Groups in Azure Active Directory. 
+title: Create an access review of PIM for Groups - Azure AD (preview)
+description: Learn how to create an access review of PIM for Groups in Azure Active Directory. 
 services: active-directory
 author: amsliu
 manager: amycolannino
@@ -16,18 +16,18 @@ ms.reviewer: jgangadhar
 ms.collection: M365-identity-device-management
 ---
 
-# Create an access review of Privileged Access Groups in Azure AD (preview)
+# Create an access review of PIM for Groups in Azure AD (preview)
 
-This article describes how to create one or more access reviews for Privileged Access Groups, which will include the active members of the group as well as the eligible members. Reviews can be performed on both active members of the group, who are active at the time the review is created, and the eligible members of the group.
+This article describes how to create one or more access reviews for PIM for Groups, which will include the active members of the group as well as the eligible members. Reviews can be performed on both active members of the group, who are active at the time the review is created, and the eligible members of the group.
 
 ## Prerequisites
 
 - Azure AD Premium P2.
-- Only Global administrators and Privileged Role administrators can create reviews on Privileged Access Groups. For more information, see [Use Azure AD groups to manage role assignments](../roles/groups-concept.md).
+- Only Global administrators and Privileged Role administrators can create reviews on PIM for Groups. For more information, see [Use Azure AD groups to manage role assignments](../roles/groups-concept.md).
 
 For more information, see [License requirements](access-reviews-overview.md#license-requirements).
 
-## Create a Privileged Access Group access review
+## Create a PIM for Groups access review
 
 ### Scope
 1. Sign in to the Azure portal and open the [Identity Governance](https://portal.azure.com/#blade/Microsoft_AAD_ERM/DashboardBlade/) page.
@@ -44,10 +44,10 @@ For more information, see [License requirements](access-reviews-overview.md#lice
 
 5. Select **Teams + Groups** and then select **Select Teams + groups** under **Review Scope**. A list of groups to choose from appears on the right.
 
-     ![Screenshot that shows selecting Teams + Groups.](./media/create-access-review/create-privileged-access-groups-review.png)
+     ![Screenshot that shows selecting Teams + Groups.](./media/create-access-review/create-pim-review.png)
 
 > [!NOTE]  
-> When a Privileged Access Group (PAG) is selected, the users under review for the group will include all eligible users and active users in that group. 
+> When a PIM for Groups is selected, the users under review for the group will include all eligible users and active users in that group. 
 
 6. Now you can select a scope for the review. Your options are:
     - **Guest users only**: This option limits the access review to only the Azure AD B2B guest users in your directory.
@@ -64,9 +64,9 @@ For more information, see [License requirements](access-reviews-overview.md#lice
 After you have reached this step, you may follow the instructions outlined under **Next: Reviews** in the [Create an access review of groups or applications](create-access-review.md#next-reviews) article to complete your access review.
 
 > [!NOTE]
-> Review of Privileged Access Groups will only assign active owner(s) as the reviewers. Eligible owners are not included. At least one fallback reviewer is required for a Privileged Access Groups review. If there are no active owner(s) when the review begins, the fallback reviewer(s) will be assigned to the review.
+> Review of PIM for Groups will only assign active owner(s) as the reviewers. Eligible owners are not included. At least one fallback reviewer is required for a PIM for Groups review. If there are no active owner(s) when the review begins, the fallback reviewer(s) will be assigned to the review.
 
 ## Next steps
 
 - [Create an access review of groups or applications](create-access-review.md)
-- [Approve activation requests for privileged access group members and owners (preview)](../privileged-identity-management/groups-approval-workflow.md)
+- [Approve activation requests for PIM for Groups members and owners (preview)](../privileged-identity-management/groups-approval-workflow.md)

articles/active-directory/governance/create-access-review.md

@@ -96,7 +96,7 @@ If you are reviewing access to an application, then before creating the review,
    If you choose either **Managers of users** or **Group owner(s)**, you can also specify a fallback reviewer. Fallback reviewers are asked to do a review when the user has no manager specified in the directory or if the group doesn't have an owner.
 
     >[!IMPORTANT]
-    > For Privileged Access Groups (Preview), you must select **Group owner(s)**. It is mandatory to assign at least one fallback reviewer to the review. The review will only assign active owner(s) as the reviewer(s). Eligible owners are not included. If there are no active owners when the review begins, the fallback reviewer(s) will be assigned to the review.
+    > For PIM for Groups (Preview), you must select **Group owner(s)**. It is mandatory to assign at least one fallback reviewer to the review. The review will only assign active owner(s) as the reviewer(s). Eligible owners are not included. If there are no active owners when the review begins, the fallback reviewer(s) will be assigned to the review.
 
       ![Screenshot that shows New access review.](./media/create-access-review/new-access-review.png)
 
@@ -302,7 +302,7 @@ After one or more access reviews have started, you might want to modify or updat
 ## Next steps
 
 - [Complete an access review of groups or applications](complete-access-review.md)
-- [Create an access review of Privileged Access Groups (preview)](create-access-review-privileged-access-groups.md)
+- [Create an access review of PIM for Groups (preview)](create-access-review-pim-for-groups.md)
 - [Review access to groups or applications](perform-access-review.md)
 - [Review access for yourself to groups or applications](review-your-access.md)
 

articles/active-directory/governance/lifecycle-workflow-tasks.md

@@ -175,7 +175,7 @@ For Microsoft Graph the parameters for the **Generate Temporary Access Pass and
 
 ### Add user to groups
 
-Allows users to be added to Microsoft 365 and cloud-only security groups. Mail-enabled, distribution, dynamic and privileged access groups are not supported. To control access to on-premises applications and resources, you need to enable group writeback. For more information, see [Azure AD Connect group writeback](../hybrid/how-to-connect-group-writeback-v2.md). 
+Allows users to be added to Microsoft 365 and cloud-only security groups. Mail-enabled, distribution, dynamic and PIM for Groups are not supported. To control access to on-premises applications and resources, you need to enable group writeback. For more information, see [Azure AD Connect group writeback](../hybrid/how-to-connect-group-writeback-v2.md). 
 
 You're able to customize the task name and description for this task.
 :::image type="content" source="media/lifecycle-workflow-task/add-group-task.png" alt-text="Screenshot of Workflows task: Add user to group task.":::
@@ -353,7 +353,7 @@ For Microsoft Graph the parameters for the **Disable user account** task are as
 
 ### Remove user from selected groups
 
-Allows users to be removed from Microsoft 365 and cloud-only security groups. Mail-enabled, distribution, dynamic and privileged access groups are not supported. To control access to on-premises applications and resources, you need to enable group writeback. For more information, see [Azure AD Connect group writeback](../hybrid/how-to-connect-group-writeback-v2.md). 
+Allows users to be removed from Microsoft 365 and cloud-only security groups. Mail-enabled, distribution, dynamic and PIM for Groups are not supported. To control access to on-premises applications and resources, you need to enable group writeback. For more information, see [Azure AD Connect group writeback](../hybrid/how-to-connect-group-writeback-v2.md). 
 
 You're able to customize the task name and description for this task in the Azure portal.
 :::image type="content" source="media/lifecycle-workflow-task/remove-group-task.png" alt-text="Screenshot of Workflows task: Remove user from select groups.":::
@@ -392,7 +392,7 @@ For Microsoft Graph the parameters for the **Remove user from selected groups**
 
 ### Remove users from all groups
 
-Allows users to be removed from every Microsoft 365 and cloud-only security group they're a member of. Mail-enabled, distribution, dynamic and privileged access groups are not supported. To control access to on-premises applications and resources, you need to enable group writeback. For more information, see [Azure AD Connect group writeback](../hybrid/how-to-connect-group-writeback-v2.md).
+Allows users to be removed from every Microsoft 365 and cloud-only security group they're a member of. Mail-enabled, distribution, dynamic and PIM for Groups are not supported. To control access to on-premises applications and resources, you need to enable group writeback. For more information, see [Azure AD Connect group writeback](../hybrid/how-to-connect-group-writeback-v2.md).
 
 
 You're able to customize the task name and description for this task in the Azure portal.

articles/active-directory/governance/media/create-access-review/create-pim-review.png

@@ -0,0 +1,15 @@
+---
+title: include file
+description: include file
+author: amsliu
+manager: amycolannino
+ms.service: active-directory
+ms.workload: identity
+ms.topic: include
+ms.date: 01/31/2023
+ms.author: amsliu
+ms.custom: include file
+---
+
+>[!Note]
+> For groups used for elevating into Azure AD roles, we recommend that you require an approval process for eligible member assignments. Assignments that can be activated without approval can leave you vulnerable to a security risk from less-privileged administrators. For example, the Helpdesk Administrator has permission to reset an eligible user's passwords.

articles/active-directory/governance/media/create-access-review/create-privileged-access-groups-review.png

@@ -30,8 +30,7 @@ PIM for Groups is part of Azure AD Privileged Identity Management – alongside
 
 With PIM for Groups you can use policies similar to ones you use in PIM for Azure AD Roles and PIM for Azure Resources: you can require approval for membership or ownership activation, enforce multi-factor authentication (MFA), require justification, limit maximum activation time, and more. Each group in PIM for Groups has two policies: one for activation of membership and another for activation of ownership in the group. Up until January 2023, PIM for Groups feature was called “Privileged Access Groups”.
 
->[!Note]
-> For groups used for elevating into Azure AD roles, we recommend that you require an approval process for eligible member assignments. Assignments that can be activated without approval can leave you vulnerable to a security risk from less-privileged administrators. For example, the Helpdesk Administrator has permission to reset an eligible user's passwords.
+[!INCLUDE [PIM for Groups note](../includes/pim-for-groups-include.md)]
 
 ## What are Azure AD role-assignable groups?
 

articles/active-directory/includes/pim-for-groups-include.md

@@ -27,7 +27,7 @@ When a membership or ownership is assigned, the assignment:
 - Can't be removed within five minutes of it being assigned
 
 >[!NOTE]
->Every user who is eligible for membership in or ownership of a privileged access group must have an Azure AD Premium P2 license. For more information, see [License requirements to use Privileged Identity Management](subscription-requirements.md).
+>Every user who is eligible for membership in or ownership of a PIM for Groups must have an Azure AD Premium P2 license. For more information, see [License requirements to use Privileged Identity Management](subscription-requirements.md).
 
 ## Assign an owner or member of a group
 
@@ -63,7 +63,7 @@ Follow these steps to make a user eligible member or owner of a group. You will
     > For groups used for elevating into Azure AD roles, Microsoft recommends that you require an approval process for eligible member assignments. Assignments that can be activated without approval can leave you vulnerable to a security risk from another administrator with permission to reset an eligible user's passwords.
     - Active assignments don't require the member to perform any activations to use the role. Members or owners assigned as active have the privileges assigned to the role at all times.
 
-1.	If the assignment should be permanent (permanently eligible or permanently assigned), select the **Permanently** checkbox. Depending on the group's settings, the check box might not appear or might not be editable. For more information, check out the [Configure privileged access group settings (preview) in Privileged Identity Management](groups-role-settings.md#assignment-duration) article.
+1.	If the assignment should be permanent (permanently eligible or permanently assigned), select the **Permanently** checkbox. Depending on the group's settings, the check box might not appear or might not be editable. For more information, check out the [Configure PIM for Groups settings (preview) in Privileged Identity Management](groups-role-settings.md#assignment-duration) article.
 
     :::image type="content" source="media/pim-for-groups/pim-group-5.png" alt-text="Screenshot of where to configure the setting for add assignments." lightbox="media/pim-for-groups/pim-group-5.png":::