Merge pull request #91207 from msaburnley/aj-elm-accessreviews

[Azure AD] [ELM] access reviews of assignments

Author: megvanhuygen

articles/active-directory/governance/TOC.yml

@@ -84,6 +84,14 @@
         href: entitlement-management-request-access.md
   - name: Access reviews
     items:
+    - name: Access packages
+      items:
+        - name: Create an access review
+          href: entitlement-management-access-reviews-create.md
+        - name: Review access
+          href: entitlement-management-access-reviews-review-access.md 
+        - name: Review access for yourself 
+          href: entitlement-management-access-reviews-self-review.md 
     - name: Groups and apps
       items:
       - name: Create an access review

articles/active-directory/governance/entitlement-management-access-package-create.md

@@ -62,7 +62,7 @@ Here are the high-level steps to create a new access package.
 1. In the left menu, click **Access packages**.
 
 1. Click **New access package**.
-
+   
     ![Entitlement management in the Azure portal](./media/entitlement-management-shared/access-packages-list.png)
 
 ## Basics

articles/active-directory/governance/entitlement-management-access-reviews-create.md

@@ -0,0 +1,96 @@
+---
+title: Create an access review of an access package in Azure AD entitlement management
+description: Learn how to create an access review policy for entitlement management access packages in Azure Active Directory access reviews (Preview).
+services: active-directory
+documentationCenter: ''
+author: msaburnley
+manager: daveba
+editor: 
+ms.service: active-directory
+ms.workload: identity
+ms.tgt_pltfrm: na
+ms.devlang: na
+ms.topic: conceptual
+ms.subservice: compliance
+ms.date: 11/01/2019
+ms.author: ajburnle
+ms.reviewer: 
+ms.collection: M365-identity-device-management
+
+
+#Customer intent: As an administrator, I want to create an access review policy for my access packages so I can review the active assignments of my users to ensure everyone has the appropriate access.
+
+---
+# Create an access review of an access package in Azure AD entitlement management
+
+To reduce the risk of stale access, you should enable periodic reviews of users who have active assignments to an access package in Azure AD entitlement management. You can enable reviews when you create a new access package or edit an existing access package. This article describes how to enable access reviews of access packages.
+
+## Prerequisites
+
+To enable reviews of access packages, you must meet the prerequisites for creating an access package:
+- Azure AD Premium P2
+- Global administrator, User administrator, Catalog owner, or Access package manager
+
+For more information, see [License requirements](entitlement-management-overview.md#license-requirements).
+
+
+## Create an access review of an access package
+
+You can enable access reviews when [creating a new access package](entitlement-management-access-package-create.md) or [editing an existing access package](entitlement-management-access-package-lifecycle-policy.md) policy. Follow these steps to enable access reviews of an access package:
+
+1. Open the **Lifecycle** tab for an access package and scroll down to **Access Reviews**.
+
+1. Move the **Require access reviews** toggle to **Yes**.
+
+    ![Add the access review](./media/entitlement-management-access-reviews/access-reviews-pane.png)
+
+1. Specify the date the reviews will start next to **Starting on**.
+
+1. Next, set the **Review frequency** to **Annually**, **Bi-annually**, **Quarterly** or **Monthly**.
+This setting determines how often access reviews will occur.
+
+1. Set the **Duration** to define how many days each review of the recurring series will be open for input from reviewers. For example, you might schedule an annual review that starts on January 1st and is open for review for 30 days so that reviewers have until the end of the month to respond.
+
+1. Next to **Reviewers**, select **Self-review** if you want users to perform their own access review or select **Specific reviewer(s)** if you want to designate a reviewer.
+
+    ![Select Add reviewers](./media/entitlement-management-access-reviews/access-reviews-add-reviewer.png)
+
+1. If you selected **Specific reviewer(s)**, specify which users will do the access review:
+    1. Select **Add reviewers**.
+    1. In the **Select reviewers** pane, search for and select the user(s) you want to be a reviewer.
+    1. When you've selected your reviewer(s), click the **Select** button.
+
+    ![Specify the reviewers](./media/entitlement-management-access-reviews/access-reviews-select-reviewer.png)
+
+1. Click **Review + Create** if you are creating a new access package or **Update** if you are editing an access package, at the bottom of the page.
+
+## View the status of the access review
+
+After the start date, an access review will be listed in the **Access reviews** section. Follow these steps to view the status of an access review:
+
+1. In **Identity Governance**, click **Access packages** then select the access package with the access review status you'd like to check.   
+
+1. Once you are on the access package overview, click **Access reviews** on the left menu.
+    
+    ![Select access reviews](./media/entitlement-management-access-reviews/access-review-status-access-package-overview.png)
+
+1. A list will appear that contains all of the policies that have access reviews associated with them. Click the review to see its report.
+
+    ![List of access reviews](./media/entitlement-management-access-reviews/access-review-status-select-access-reviews.png)
+   
+1. When you view the report, it shows the number of users reviewed and the actions taken by the reviewer on them.
+
+    ![View review status](./media/entitlement-management-access-reviews/access-review-status.png)
+ 
+
+## Access reviews email notifications
+You can designate reviewers, or users can review their access themselves. By default, Azure AD will send an email to reviewers or self-reviewers shortly after the review starts.
+
+The email will include instructions on how to review access to access packages. If the review is for users to review their access, show them the instructions on how to perform a self-review of their access packages.
+  
+If you've assigned guest users as reviewers, and they haven't accepted their Azure AD guest invitation, they won't receive emails from Azure AD access reviews. They must first accept the invite and create an account with Azure AD before they can receive the emails. 
+
+## Next steps
+
+- [Review access of access packages](entitlement-management-access-reviews-review-access.md)
+- [Self-review of access packages](entitlement-management-access-reviews-self-review.md)

articles/active-directory/governance/entitlement-management-access-reviews-review-access.md

@@ -0,0 +1,104 @@
+---
+title: Review access of an access package in Azure AD entitlement management
+description: Learn how to complete an access review of entitlement management access packages in Azure Active Directory access reviews (Preview).
+services: active-directory
+documentationCenter: ''
+author: msaburnley
+manager: daveba
+editor: 
+ms.service: active-directory
+ms.workload: identity
+ms.tgt_pltfrm: na
+ms.devlang: na
+ms.topic: conceptual
+ms.subservice: compliance
+ms.date: 11/01/2019
+ms.author: ajburnle
+ms.reviewer: 
+ms.collection: M365-identity-device-management
+
+
+#Customer intent: As an administrator, I want to review the active assignments of my users to ensure everyone has the appropriate access.
+
+---
+# Review access of an access package in Azure AD entitlement management
+
+Azure AD entitlement management simplifies how enterprises manage access to groups, applications, and SharePoint sites. This article describes how to perform access reviews for other users that are assigned to an access package as a designated reviewer.
+
+## Prerequisites
+
+To review users' active access package assignments, you must meet the prerequisites to do an access review:
+- Azure AD Premium P2
+- Global administrator
+- Designated User administrator, Catalog owner, or Access package manager
+
+For more information, see [License requirements](entitlement-management-overview.md#license-requirements).
+
+
+## Open the access review
+
+Use the following steps to find and open the access review:
+
+1. You may receive an email from Microsoft that asks you to review access. Locate the email to open the access review. Here is an example email to review access:
+    
+    ![Access review reviewer email](./media/entitlement-management-access-reviews-review-access/review-access-reviewer-email.png)
+
+1. Click the **Review user access** link to open the access review. 
+
+1. If you don’t have the email, you can find your pending access reviews by navigating directly to https://myaccess.microsoft.com.
+
+1. Click **Access reviews** on the left navigation bar to see a list of pending access reviews assigned to you.
+    
+    ![Select access reviews on My Access](./media/entitlement-management-access-reviews-review-access/review-access-myaccess-select-access-review.png)
+
+1. Click the review that you’d like to begin.
+    
+    ![Select the access review](./media/entitlement-management-access-reviews-review-access/review-access-select-access-review.png)
+
+## Perform the access review
+
+Once you open the access review, you will see the names of users for which you need to review. There are two ways that you can approve or deny access:
+- You can manually approve or deny access for one or more users
+- You can accept the system recommendations
+
+### Manually approve or deny access for one or more users
+1. Review the list of users and determine which users need to continue to have access.
+
+    ![List of users to review](./media/entitlement-management-access-reviews-review-access/review-access-list-of-users.png)
+
+1. To approve or deny access, select the radio button to the left of the user’s name.
+
+1. Select **Approve** or **Deny** in the bar above the user names.
+
+    ![Select the user](./media/entitlement-management-access-reviews-review-access/review-access-select-users.png)
+
+1. If you aren't sure, you can click the **Don’t know** button.
+
+    If you make this selection, the user maintains access, and this selection goes in the audit logs. The log shows any other reviewers that you still completed the review.
+
+1. You may be required to provide a reason for your decision. Type in a reason and click **Submit**.
+
+    ![Approve or deny access](./media/entitlement-management-access-reviews-review-access/review-access-decision-approve.png)
+
+1. You can change your decision at any time before the end of the review. To do so, select the user from the list and change the decision. For example, you can approve access for a user you previously denied.
+
+If there are multiple reviewers, the last submitted response is recorded. Consider an example where an administrator designates two reviewers – Alice and Bob. Alice opens the review first and approves access. Before the review ends, Bob opens the review and denies access. In this case, the last deny access decision gets recorded.
+
+>[!NOTE]
+>If a user is denied access, they aren't removed from the access package immediately. The user will be removed from the access package when the review ends, or an administrator ends the review.
+
+### Approve or deny access using the system-generated recommendations
+
+To review access for multiple users more quickly, you can use the system-generated recommendations, accepting the recommendations with a single click. The recommendations are generated based on the user's sign-in activity.
+
+1.	In the bar at the top of the page, click **Accept recommendations**.
+    
+    ![Select Accept recommendations](./media/entitlement-management-access-reviews-review-access/review-access-use-recommendations.png)
+    
+    You'll see a summary of the recommended actions.
+
+1.	Click **Submit** to accept the recommendations.
+
+## Next steps
+
+- [Self-review of access packages](entitlement-management-access-reviews-self-review.md)

articles/active-directory/governance/entitlement-management-access-reviews-self-review.md

@@ -0,0 +1,63 @@
+---
+title: Self-review of an access package in Azure AD entitlement management
+description: Learn how to review user access of entitlement management access packages in Azure Active Directory access reviews (Preview).
+services: active-directory
+documentationCenter: ''
+author: msaburnley
+manager: daveba
+editor: 
+ms.service: active-directory
+ms.workload: identity
+ms.tgt_pltfrm: na
+ms.devlang: na
+ms.topic: conceptual
+ms.subservice: compliance
+ms.date: 11/01/2019
+ms.author: ajburnle
+ms.reviewer: 
+ms.collection: M365-identity-device-management
+
+
+#Customer intent: As a user, I want to complete an access review of my active assignments myself.
+
+---
+# Self-review of an access package in Azure AD entitlement management
+
+Azure AD entitlement management simplifies how enterprises manage access to groups, applications, and SharePoint sites. This article describes how a user does a self-review of their assigned access package(s).
+
+## Open the access review
+
+To do an access review, you must first open the access review. Use the following procedure to find and open the access review:
+
+1. You may receive an email from Microsoft that asks you to review access. Locate the email to open the access review. Here is an example of an email requesting a review of access: 
+    
+    ![Access review self-reviewer email](./media/entitlement-management-access-reviews-review-access/self-review-reviewer-email.png)
+
+1. Click the **Review access** link.
+
+1. You can also go directly to https://myaccess.microsoft.com to find your pending access reviews if you don't receive an email.
+
+1. Click **Access reviews** on the left navigation bar to see a list of pending access reviews assigned to you.
+
+
+1.	Click the review that you’d like to begin.
+
+## Perform the access review
+
+Once you open the access review, you can see your access. Use the following procedure to do the access review:
+
+1.	Decide whether you still need access to the access package. For example, the project you're working on isn't complete, so you still need access to continue working on the project.
+
+1.	Click **Yes** to keep your access or click **No** to remove your access.
+    >[!NOTE]
+    >If you stated that you no longer need access, you aren't removed from the access package immediately. You will be removed from the access package when the review ends or if an administrator stops the review.
+
+1.	If you clicked **Yes**, you may need to include a justification statement in the **Reason** box.
+
+1.	Click **Submit**.
+
+You can return to the review if you change your mind and decide to change your response before the end of the review.
+
+## Next steps
+
+- [Review access to access packages](entitlement-management-access-reviews-review-access.md)