Merge pull request #249050 from billmath/pim3

updating

Author: v-shils

articles/active-directory/privileged-identity-management/media/azure-ad-pim-approval-workflow/approve-1.png

@@ -21,6 +21,8 @@ ms.collection: M365-identity-device-management
 
 With Privileged Identity Management (PIM) in Azure Active Directory (Azure AD), part of Microsoft Entra, you can configure roles to require approval for activation, and choose one or multiple users or groups as delegated approvers. Delegated approvers have 24 hours to approve requests. If a request is not approved within 24 hours, then the eligible user must re-submit a new request. The 24 hour approval time window is not configurable.
 
+
+
 ## View pending requests
 
 [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
@@ -96,18 +98,15 @@ GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignmentSche
 >[!NOTE]
 >Approvers are not able to approve their own role activation requests.
 
-1. Find and select the request that you want to approve. An approve or deny page appears.
-
-    ![Screenshot that shows the "Approve requests - Azure AD roles" page.](./media/azure-ad-pim-approval-workflow/resources-approve-pane.png)
-
-1. In the **Justification** box, enter the business justification.
-
-1. Select **Approve**. You will receive an Azure notification of your approval.
-
-    ![Approve notification showing request was approved](./media/pim-resource-roles-approval-workflow/resources-approve-pane.png)
+ 1. Find and select the request that you want to approve. An approve or deny page appears.
+ 2. In the **Justification** box, enter the business justification.
+ 3. Select **Submit**. You will receive an Azure notification of your approval.
 
 ## Approve pending requests using Microsoft Graph API
 
+>[!NOTE]
+> Approval for **extend and renew** requests is currently not supported by the Microsoft Graph API
+
 ### Get IDs for the steps that require approval
 
 For a specific activation request, this command gets all the approval steps that need approval. Multi-step approvals are not currently supported.
@@ -148,8 +147,8 @@ GET https://graph.microsoft.com/beta/roleManagement/directory/roleAssignmentAppr
 PATCH 
 https://graph.microsoft.com/beta/roleManagement/directory/roleAssignmentApprovals/<request-ID-GUID>/steps/<approval-step-ID-GUID> 
 { 
-    "reviewResult": "Approve", 
-    "justification": "abcdefg" 
+    "reviewResult": "Approve", // or "Deny"
+    "justification": "Trusted User" 
 } 
  ````
 
@@ -159,13 +158,9 @@ Successful PATCH calls generate an empty response.
 
 ## Deny requests
 
-1. Find and select the request that you want to deny. An approve or deny page appears.
-
-    ![Approve requests - approve or deny pane with details and Justification box](./media/pim-resource-roles-approval-workflow/resources-approve-pane.png)
-
-1. In the **Justification** box, enter the business justification.
-
-1. Select **Deny**. A notification appears with your denial.
+ 1. Find and select the request that you want to approve. An approve or deny page appears.
+ 2. In the **Justification** box, enter the business justification.
+ 3. Select **Deny**. A notification appears with your denial.
 
 ## Workflow notifications
 

articles/active-directory/privileged-identity-management/media/azure-ad-pim-approval-workflow/approve-2.png

@@ -23,12 +23,14 @@ With Privileged Identity Management (PIM) in Azure Active Directory (Azure AD),
 
 Follow the steps in this article to approve or deny requests for Azure resource roles.
 
+
 ## View pending requests
 
 [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
 
 As a delegated approver, you'll receive an email notification when an Azure resource role request is pending your approval. You can view these pending requests in Privileged Identity Management.
 
+
 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Privileged role administrator](../roles/permissions-reference.md#privileged-role-administrator).
 
 1. Browse to **Identity governance** > **Privileged Identity Management** > **Approve requests**.
@@ -37,27 +39,54 @@ As a delegated approver, you'll receive an email notification when an Azure reso
 
     In the **Requests for role activations** section, you'll see a list of requests pending your approval.
 
+
 ## Approve requests
 
-1. Find and select the request that you want to approve. An approve or deny page appears.
+ 1. Find and select the request that you want to approve. An approve or deny page appears.     
+ 2. In the **Justification** box, enter the business justification.
+ 3. Select **Approve**. You will receive an Azure notification of your approval.
 
-    ![Approve requests - approve or deny pane with details and Justification box](./media/pim-resource-roles-approval-workflow/resources-approve-pane.png)
 
-1. In the **Justification** box, enter the business justification.
+## Approve pending requests using Microsoft ARM API
 
-1. Select **Approve**. You will receive an Azure notification of your approval.
+>[!NOTE]
+> Approval for **extend and renew** requests is currently not supported by the Microsoft ARM API
 
-    ![Approve notification showing request was approved](./media/pim-resource-roles-approval-workflow/resources-approve-notification.png)
+### Get IDs for the steps that require approval
 
-## Deny requests
+To get the details of any stage of a role assignment approval, you can use [Role Assignment Approval Step - Get By ID](/rest/api/authorization/role-assignment-approval-step/get-by-id?tabs=HTTP) REST API.
+
+#### HTTP request
+
+````HTTP
+GET https://management.azure.com/providers/Microsoft.Authorization/roleAssignmentApprovals/{approvalId}/stages/{stageId}?api-version=2021-01-01-preview
+````
 
-1. Find and select the request that you want to deny. An approve or deny page appears.
 
-    ![Approve requests - approve or deny pane with details and Justification box](./media/pim-resource-roles-approval-workflow/resources-approve-pane.png)
+### Approve the activation request step
 
-1. In the **Justification** box, enter the business justification.
+#### HTTP request
+
+````HTTP
+PATCH 
+PATCH https://management.azure.com/providers/Microsoft.Authorization/roleAssignmentApprovals/{approvalId}/stages/{stageId}?api-version=2021-01-01-preview 
+{ 
+    "reviewResult": "Approve", // or "Deny"
+    "justification": "Trusted User" 
+} 
+ ````
+
+#### HTTP response
+
+Successful PATCH calls generate an empty response.
+
+For more information, see [Use Role Assignment Approvals to approve PIM role activation requests with REST API](/rest/api/authorization/privileged-approval-sample)
+
+## Deny requests
 
-1. Select **Deny**. A notification appears with your denial.
+ 1. Find and select the request that you want to approve. An approve or deny page appears.     
+ 2. In the **Justification** box, enter the business justification.
+ 3. Select **Deny**. A notification appears with your denial.
 
 ## Workflow notifications