MicrosoftDocs
diff --git a/‎articles/active-directory-b2c/predicates.md
Lines changed: 7 additions & 3 deletions b/‎articles/active-directory-b2c/predicates.md
Lines changed: 7 additions & 3 deletions
diff --git a/‎articles/active-directory/governance/entitlement-management-overview.md
Lines changed: 65 additions & 57 deletions b/‎articles/active-directory/governance/entitlement-management-overview.md
Lines changed: 65 additions & 57 deletions
diff --git a/‎articles/active-directory/governance/identity-governance-overview.md
Lines changed: 23 additions & 21 deletions b/‎articles/active-directory/governance/identity-governance-overview.md
Lines changed: 23 additions & 21 deletions
diff --git a/‎articles/active-directory/managed-identities-azure-resources/overview.md
Lines changed: 7 additions & 5 deletions b/‎articles/active-directory/managed-identities-azure-resources/overview.md
Lines changed: 7 additions & 5 deletions
diff --git a/‎articles/active-directory/privileged-identity-management/pim-how-to-require-mfa.md
Lines changed: 1 addition & 1 deletion b/‎articles/active-directory/privileged-identity-management/pim-how-to-require-mfa.md
Lines changed: 1 addition & 1 deletion
@@ -8,7 +8,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: reference
-ms.date: 09/10/2018
+ms.date: 10/28/2019
 ms.author: marsma
 ms.subservice: B2C
 ---
@@ -27,6 +27,8 @@ The following diagram shows the relationship between the elements:
 
 The **Predicate** element defines a basic validation to check the value of a claim type and returns `true` or `false`. The validation is done by using a specified **Method** element and a set of **Parameter** elements relevant to the method. For example, a predicate can check whether the length of a string claim value is within the range of minimum and maximum parameters specified, or whether a string claim value contains a character set. The **UserHelpText** element provides an error message for users if the check fails. The value of **UserHelpText** element can be localized using [language customization](localization.md).
 
+The **Predicates** element must appear directly following the **ClaimsSchema** element within the [BuildingBlocks](buildingblocks.md) element.
+
 The **Predicates** element contains the following element:
 
 | Element | Occurrences | Description |
@@ -108,6 +110,8 @@ The following example shows a `IsDateRange` method with the parameters `Minimum`
 
 While the predicates define the validation to check against a claim type, the **PredicateValidations** group a set of predicates to form a user input validation that can be applied to a claim type. Each **PredicateValidation** element contains a set of **PredicateGroup** elements that contain a set of **PredicateReference** elements that points to a **Predicate**. To pass the validation, the value of the claim should pass all of the tests of any predicate under all of the **PredicateGroup** with their set of **PredicateReference** elements.
 
+The **PredicateValidations** element must appear directly following the **Predicates** element within the [BuildingBlocks](buildingblocks.md) element.
+
 ```XML
 <PredicateValidations>
   <PredicateValidation Id="">
@@ -190,7 +194,7 @@ With **Predicates** and **PredicateValidationsInput** you can control the comple
 - **Lowercase** using the `IncludesCharacters` method, validates that the password contains a lowercase letter.
 - **Uppercase** using the `IncludesCharacters` method, validates that the password contains an uppercase letter.
 - **Number** using the `IncludesCharacters` method, validates that the password contains a digit.
-- **Symbol** using the `IncludesCharacters` method, validates that the password contains one of following symbols `@#$%^&*\-_+=[]{}|\:',?/~"();!`
+- **Symbol** using the `IncludesCharacters` method, validates that the password contains one of several symbol characters.
 - **PIN** using the `MatchesRegex` method, validates that the password contains numbers only.
 - **AllowedAADCharacters** using the `MatchesRegex` method, validates that the password only invalid character was provided.
 - **DisallowedWhitespace** using the `MatchesRegex` method, validates that the password doesn't begin or end with a whitespace character.
@@ -229,7 +233,7 @@ With **Predicates** and **PredicateValidationsInput** you can control the comple
   <Predicate Id="Symbol" Method="IncludesCharacters">
     <UserHelpText>a symbol</UserHelpText>
     <Parameters>
-      <Parameter Id="CharacterSet">@#$%^&amp;*\-_+=[]{}|\:',?/`~"();!</Parameter>
+      <Parameter Id="CharacterSet">@#$%^&amp;*\-_+=[]{}|\\:',.?/`~"();!</Parameter>
     </Parameters>
   </Predicate>
 
 
@@ -12,21 +12,21 @@ ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: conceptual
 ms.subservice: compliance
-ms.date: 08/28/2019
+ms.date: 10/24/2019
 ms.author: ajburnle
 ms.reviewer: markwahl-msft
 ms.collection: M365-identity-device-management
 ---
 
 # What is Azure AD Identity Governance?
 
-Azure Active Directory (Azure AD) Identity Governance allows you to balance your organization's need for security and employee productivity with the right processes and visibility. It provides you with capabilities to ensure that the right users have the right access to the right resources, and it allows you to protect, monitor, and audit access to critical assets -- while ensuring employee productivity.  
+Azure Active Directory (Azure AD) Identity Governance allows you to balance your organization's need for security and employee productivity with the right processes and visibility. It provides you with capabilities to ensure that the right people have the right access to the right resources. These and related Azure AD and Enterprise Mobility + Security features allows you to mitigate access risk by protecting, monitoring, and auditing access to critical assets -- while ensuring employee and business partner productivity.  
 
-Identity Governance give organizations the ability to do the following tasks across employees, business partners and vendors, and services and applications:
+Identity Governance give organizations the ability to do the following tasks across employees, business partners and vendors, and across services and applications both on-premises and in clouds:
 
 - Govern the identity lifecycle
 - Govern access lifecycle
-- Secure administration
+- Secure privileged access for administration
 
 Specifically, it is intended to help organizations address these four key questions:
 
@@ -41,9 +41,9 @@ Identity Governance helps organizations achieve a balance between *productivity*
 
 ![Identity lifecycle](./media/identity-governance-overview/identity-lifecycle.png)
 
-For many organizations, identity lifecycle for employees is tied to the representation of that user in an HCM (human capital management) system.  Azure AD Premium automatically maintains user identities for people represented in Workday in both Active Directory and Azure Active Directory, as described in the [Workday inbound provisioning (preview) tutorial](../saas-apps/workday-inbound-tutorial.md).  Azure AD Premium also includes [Microsoft Identity Manager](/microsoft-identity-manager/), which can import records from on-premises HCM systems such as SAP, Oracle eBusiness, and Oracle PeopleSoft.
+For many organizations, identity lifecycle for employees is tied to the representation of that user in an HCM (human capital management) system.  Azure AD Premium automatically maintains user identities for people represented in Workday in both Active Directory and Azure Active Directory, as described in the [Workday inbound provisioning tutorial](../saas-apps/workday-inbound-tutorial.md).  Azure AD Premium also includes [Microsoft Identity Manager](/microsoft-identity-manager/), which can import records from on-premises HCM systems such as SAP, Oracle eBusiness, and Oracle PeopleSoft.
 
-Increasingly, scenarios require collaboration with people outside your organization. [Azure AD B2B](/azure/active-directory/b2b/) collaboration enables you to securely share your organization's applications and services with guest users and external partners from any organization, while maintaining control over your own corporate data.
+Increasingly, scenarios require collaboration with people outside your organization. [Azure AD B2B](/azure/active-directory/b2b/) collaboration enables you to securely share your organization's applications and services with guest users and external partners from any organization, while maintaining control over your own corporate data.  [Azure AD entitlement management](entitlement-management-overview.md) enables you to select which organization's users are allowed to request access and be added as B2B guests to your organization's directory, and ensures that these guests are removed when they no longer need access.
 
 ## Access lifecycle
 
@@ -53,7 +53,7 @@ Organizations need a process to manage access beyond what was initially provisio
 
 Typically, IT delegates access approval decisions to business decision makers.  Furthermore, IT can involve the users themselves.  For example, users that access confidential customer data in a company's marketing application in Europe need to know the company's policies. Guest users may be unaware of the handling requirements for data in an organization to which they have been invited.
 
-Organizations can automate the access lifecycle process through technologies such as [dynamic groups](../users-groups-roles/groups-dynamic-membership.md), coupled with user provisioning to [SaaS apps](../saas-apps/tutorial-list.md) or [apps integrated with SCIM](../manage-apps/use-scim-to-provision-users-and-groups.md).  Organizations can also control which [guest users have access to on-premises applications](../b2b/hybrid-cloud-to-on-premises.md).  These access rights can then be regularly reviewed using recurring [Azure AD access reviews](access-reviews-overview.md).
+Organizations can automate the access lifecycle process through technologies such as [dynamic groups](../users-groups-roles/groups-dynamic-membership.md), coupled with user provisioning to [SaaS apps](../saas-apps/tutorial-list.md) or [apps integrated with SCIM](../manage-apps/use-scim-to-provision-users-and-groups.md).  Organizations can also control which [guest users have access to on-premises applications](../b2b/hybrid-cloud-to-on-premises.md).  These access rights can then be regularly reviewed using recurring [Azure AD access reviews](access-reviews-overview.md).   [Azure AD entitlement management](entitlement-management-overview.md) also enables you to define how users request access across packages of group and team memberships, application roles, and SharePoint Online roles.
 
 When a user attempts to access applications, Azure AD enforces [Conditional Access](/azure/active-directory/conditional-access/) policies. For example, Conditional Access policies can include displaying a [terms of use](../conditional-access/terms-of-use.md) and [ensuring the user has agreed to those terms](../conditional-access/require-tou.md) prior to being able to access an application.
 
@@ -63,36 +63,38 @@ Historically, privileged access has been described by other vendors as a separat
 
 ![Privileged access lifecycle](./media/identity-governance-overview/privileged-access-lifecycle.png)
 
-Azure AD Privileged Identity Management (PIM) provides additional controls tailored to securing access rights for resources, across Azure AD, Azure, and other Microsoft Online Services.  The just-in-time access, and role change alerting capabilities provided by Azure AD PIM, in addition to multi-factor authentication and Conditional Access, provide a comprehensive set of governance controls to help secure your company's resources (directory, Office 365, and Azure resource roles). As with other forms of access, organizations can use access reviews to configure recurring access recertification for all users in administrator roles.
+[Azure AD Privileged Identity Management (PIM)](../privileged-identity-management/pim-configure.md) provides additional controls tailored to securing access rights for resources, across Azure AD, Azure, and other Microsoft Online Services.  The just-in-time access, and role change alerting capabilities provided by Azure AD PIM, in addition to multi-factor authentication and Conditional Access, provide a comprehensive set of governance controls to help secure your company's resources (directory, Office 365, and Azure resource roles). As with other forms of access, organizations can use access reviews to configure recurring access recertification for all users in administrator roles.
 
-## Least privileged roles
+## Getting started
 
-It's a best practice to use the least privileged role to perform administrative tasks in Identity Governance. We recommend that you use Azure AD PIM to activate a role as needed to perform these tasks. The following are the least privileged directory roles to configure Identity Governance features: 
+Check out the Getting started tab of **Identity Governance** in the Azure portal to start using entitlement management, access reviews, Privileged Identity Management, and Terms of use.
 
-| Feature | Least privileged role |
-| ------- | --------------------- |
-| Entitlement management | User administrator (with the exception of adding SharePoint Online sites to catalogs, which requires Global administrator) |
-| Terms of use | Security administrator or Conditional access administrator |
-| Access reviews | User administrator (with the exception of access reviews of Azure or Azure AD roles, which requires Privileged role administrator) |
-|Privileged Identity Management | Privileged role administrator |
+![Identity Governance getting started](./media/identity-governance-overview/getting-started.png)
 
 
-## Getting started
+If you have any feedback about Identity Governance features, click **Got feedback?** in the Azure portal to submit your feedback. The team regularly reviews your feedback.
 
-While there is no perfect solution or recommendation for every customer, the following configurations provide a guide to what baseline policies Microsoft recommends you follow to ensure a more secure and productive workforce.
+While there is no perfect solution or recommendation for every customer, the following configuration guides also provide the baseline policies Microsoft recommends you follow to ensure a more secure and productive workforce.
 
 - [Identity and device access configurations](/microsoft-365/enterprise/microsoft-365-policies-configurations)
 - [Securing privileged access](../users-groups-roles/directory-admin-roles-secure.md)
 
-You can also check out the Getting started tab of **Identity Governance** in the Azure portal to start using entitlement management, access reviews, Privileged Identity Management, and Terms of use.
+## Appendix - least privileged roles for managing in Identity Governance features
 
-![Identity Governance getting started](./media/identity-governance-overview/getting-started.png)
+It's a best practice to use the least privileged role to perform administrative tasks in Identity Governance. We recommend that you use Azure AD PIM to activate a role as needed to perform these tasks. The following are the least privileged directory roles to configure Identity Governance features:
 
-If you have any feedback about Identity Governance features, click **Got feedback?** in the Azure portal to submit your feedback. The team regularly reviews your feedback.
+| Feature | Least privileged role |
+| ------- | --------------------- |
+| Entitlement management | User administrator (with the exception of adding SharePoint Online sites to catalogs, which requires Global administrator) |
+| Access reviews | User administrator (with the exception of access reviews of Azure or Azure AD roles, which requires Privileged role administrator) |
+|Privileged Identity Management | Privileged role administrator |
+| Terms of use | Security administrator or Conditional access administrator |
 
 ## Next steps
 
 - [What is Azure AD entitlement management? (Preview)](entitlement-management-overview.md)
 - [What are Azure AD access reviews?](access-reviews-overview.md)
 - [What is Azure AD Privileged Identity Management?](../privileged-identity-management/pim-configure.md)
 - [What can I do with Terms of use?](active-directory-tou.md)
+
+
@@ -119,23 +119,25 @@ Learn how to use a managed identity with a Windows VM:
 
 Learn how to use a managed identity with a Linux VM:
 
+* [Access Azure Container Registry](../../container-registry/container-registry-authentication-managed-identity.md)
 * [Access Azure Data Lake Store](tutorial-linux-vm-access-datalake.md)
 * [Access Azure Resource Manager](tutorial-linux-vm-access-arm.md)
 * [Access Azure Storage by using an access key](tutorial-linux-vm-access-storage.md)
 * [Access Azure Storage by using shared access signatures](tutorial-linux-vm-access-storage-sas.md)
 * [Access a non-Azure AD resource with Azure Key Vault](tutorial-linux-vm-access-nonaad.md)
-* [Access Azure Container Registry](../../container-registry/container-registry-authentication-managed-identity.md)
 
 Learn how to use a managed identity with other Azure services:
 
 * [Azure App Service](/azure/app-service/overview-managed-identity)
-* [Azure Functions](/azure/app-service/overview-managed-identity)
-* [Azure Logic Apps](/azure/logic-apps/create-managed-service-identity)
-* [Azure Service Bus](../../service-bus-messaging/service-bus-managed-service-identity.md)
-* [Azure Event Hubs](../../event-hubs/event-hubs-managed-service-identity.md)
 * [Azure API Management](../../api-management/api-management-howto-use-managed-service-identity.md)
 * [Azure Container Instances](../../container-instances/container-instances-managed-identity.md)
 * [Azure Container Registry Tasks](../../container-registry/container-registry-tasks-authentication-managed-identity.md)
+* [Azure Event Hubs](../../event-hubs/event-hubs-managed-service-identity.md)
+* [Azure Functions](/azure/app-service/overview-managed-identity)
+* [Azure Kubernetes Service](/azure/aks/use-managed-identity)
+* [Azure Logic Apps](/azure/logic-apps/create-managed-service-identity)
+* [Azure Service Bus](../../service-bus-messaging/service-bus-managed-service-identity.md)
+
 
 ## What Azure services support the feature?<a name="which-azure-services-support-managed-identity"></a>
 
 
@@ -20,7 +20,7 @@ ms.collection: M365-identity-device-management
 
 We recommend that you require multi-factor authentication (MFA) for all your administrators. This reduces the risk of an attack due to a compromised password.
 
-You can require that users complete a multi=factor authentication challenge when they sign in. You can also require that users complete a multi=factor authentication challenge when they activate a role in Azure Active Directory (Azure AD) Privileged Identity Management (PIM). This way, if the user didn't complete a multi=factor authentication challenge when they signed in, they will be prompted to do so by Privileged Identity Management.
+You can require that users complete a multi-factor authentication challenge when they sign in. You can also require that users complete a multi-factor authentication challenge when they activate a role in Azure Active Directory (Azure AD) Privileged Identity Management (PIM). This way, if the user didn't complete a multi-factor authentication challenge when they signed in, they will be prompted to do so by Privileged Identity Management.
 
 > [!IMPORTANT]
 > Right now, Azure Multi-Factor Authentication only works with work or school accounts, not Microsoft personal accounts (usually a personal account that's used to sign in to Microsoft services such as Skype, Xbox, or Outlook.com). Because of this, anyone using a personal account can't be an eligible administrator because they can't use multi-factor authentication to activate their roles. If these users need to continue managing workloads using a Microsoft account, elevate them to permanent administrators for now.