v1 changes pushed with diagram placeholders

Tristan Desktop · Tristan Desktop · commit 60843a499bdc · 2022-08-29T14:15:18.000+10:00
diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/media/onboard-enable-tenant/dashboard.png b/articles/active-directory/cloud-infrastructure-entitlement-management/media/onboard-enable-tenant/dashboard.png
diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/onboard-aws.md b/articles/active-directory/cloud-infrastructure-entitlement-management/onboard-aws.md
@@ -18,6 +18,20 @@ This article describes how to onboard an Amazon Web Services (AWS) account on Pe
 > [!NOTE]
 > A *global administrator* or *super admin* (an admin for all authorization system types) can perform the tasks in this article after the global administrator has initially completed the steps provided in [Enable Permissions Management on your Azure Active Directory tenant](onboard-enable-tenant.md).
 
+## Explanation
+
+There are several moving parts across AWS and Azure which are required to be configured before onboarding.
+
+1. An AAD OIDC App
+1. An AWS OIDC account
+1. An (optional) AWS Master account
+1. An (optional) AWS Central logging account
+1. An AWS OIDC role
+1. An AWS Cross Account role assumed by OIDC role
+ 
+
+<!-- diagram from gargi -->
+
 ## Onboard an AWS account
 
 1. If the **Data Collectors** dashboard isn't displayed when Permissions Management launches:
diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/onboard-azure.md b/articles/active-directory/cloud-infrastructure-entitlement-management/onboard-azure.md
@@ -18,6 +18,14 @@ This article describes how to onboard a Microsoft Azure subscription or subscrip
 > [!NOTE]
 > A *global administrator* or *super admin* (an admin for all authorization system types) can perform the tasks in this article after the global administrator has initially completed the steps provided in [Enable Permissions Management on your Azure Active Directory tenant](onboard-enable-tenant.md).
 
+## Explanation
+
+Given Permissions Management is hosted on Azure and you are onboarding your Azure subscriptions to be monitored and managed, setup is simple with few moving parts to configure. Below is what is required to configure onboarding:
+
+1. When your tenant is onboarded, an application is created in the tenant.
+1. This app requires 'reader' permissions on the subscriptions
+1. For controller functionality, the app requires 'User Access Administrator' to create and implement right-size roles
+
 ## Prerequisites
 
 To add Permissions Management to your Azure AD tenant:
diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/onboard-enable-tenant.md b/articles/active-directory/cloud-infrastructure-entitlement-management/onboard-enable-tenant.md
@@ -18,6 +18,8 @@ This article describes how to enable Permissions Management in your organization
 > [!NOTE]
 > To complete this task, you must have *global administrator* permissions as a user in that tenant. You can't enable Permissions Management as a user from other tenant who has signed in via B2B or via Azure Lighthouse.
 
+:::image type="content" source="media/onboard-enable-tenant/dashboard.png" alt-text="A preview of what the permissions management dashboard looks like." lightbox="media/onboard-enable-tenant/dashboard.png":::
+
 ## Prerequisites
 
 To enable Permissions Management in your organization:
diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/onboard-gcp.md b/articles/active-directory/cloud-infrastructure-entitlement-management/onboard-gcp.md
@@ -18,6 +18,20 @@ This article describes how to onboard a Google Cloud Platform (GCP) project on P
 > [!NOTE]
 > A *global administrator* or *super admin* (an admin for all authorization system types) can perform the tasks in this article after the global administrator has initially completed the steps provided in [Enable Permissions Management on your Azure Active Directory tenant](onboard-enable-tenant.md).
 
+## Explanation
+
+For GCP, permissions management is scoped to a *GCP project*. A GCP project is a logical collection of your resources in GCP, somewhat analogous to a subscription in Azure, albeit with further configurations you can perform e.g. application registrations.
+
+<!-- Diagram from Gargi-->
+
+There are several moving parts across GCP and Azure which are required to be configured before onboarding.
+
+1. An AAD OIDC App
+1. An Workload Identity in GCP
+1. OAuth2 confidential client grant utilized
+1. A GCP service account with permissions to collect
+
+
 ## Onboard a GCP project
 
 1. If the **Data Collectors** dashboard isn't displayed when Permissions Management launches:
@@ -108,7 +122,7 @@ This option detects all projects that are accessible by the Cloud Infrastructure
 
     The **Welcome to Permissions Management GCP onboarding** screen appears, displaying steps you must complete to onboard your GCP project.
 
-### 5. Paste the environment vars from the Permissions Management portal.
+### 5. Paste the environmental variables from the Permissions Management portal.
 
 1. Return to Permissions Management and select **Copy export variables**.
 1. In the GCP Onboarding shell editor, paste the variables you copied, and then press **Enter**.
