Initial draft of best practices

rolyon · rolyon · commit 6db7c33413d6 · 2020-04-17T18:10:32.000-07:00
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
@@ -33548,7 +33548,12 @@
     },
     {
       "source_path": "articles/active-directory/pim-azure-resource.md",
-      "redirect_url": "/azure/role-based-access-control/pim-azure-resource",
+      "redirect_url": "/azure/role-based-access-control/best-practices",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/role-based-access-control/pim-azure-resource.md",
+      "redirect_url": "/azure/role-based-access-control/best-practices",
       "redirect_document_id": true
     },
     {
diff --git a/articles/role-based-access-control/TOC.yml b/articles/role-based-access-control/TOC.yml
@@ -28,8 +28,8 @@
     href: tutorial-custom-role-cli.md
 - name: Concepts
   items:
-  - name: PIM for Azure resources
-    href: pim-azure-resource.md
+  - name: Best practices
+    href: best-practices.md
   - name: Conditional Access for Azure management
     href: conditional-access-azure-management.md
 - name: How-to guides
diff --git a/articles/role-based-access-control/best-practices.md b/articles/role-based-access-control/best-practices.md
@@ -27,6 +27,20 @@ Using Azure RBAC, you can segregate duties within your team and grant only the a
 
 When planning your access control strategy, it's a best practice to grant users the least privilege to get their work done. The following diagram shows a suggested pattern for using RBAC.
 
-![RBAC and least privilege](./media/overview/rbac-least-privilege.png)
+![RBAC and least privilege](./media/best-practices/rbac-least-privilege.png)
+
+For information about how to add role assignments, see [Add or remove role assignments](role-assignments-portal.md).
+
+## Limit the number of subscription owners
+
+You should have a maximum of 3 subscription owners to reduce the potential for breach by a compromised owner. This recommendation can be monitored in Azure Security Center. For other identity and access recommendations, see [Security recommendations - a reference guide](../security-center/recommendations-reference.md).
+
+## Use Azure AD Privileged Identity Management
+
+To protect privileged accounts from malicious cyber-attacks, you can use Azure Active Directory Privileged Identity Management (PIM) to lower the exposure time of privileges and increase your visibility into their use through reports and alerts. PIM helps protect privileged accounts by providing just-in-time privileged access to Azure AD and Azure resources. Access can be time bound after which privileges are revoked automatically. 
+
+For more information, see [What is Azure AD Privileged Identity Management?](../active-directory/privileged-identity-management/pim-configure.md).
 
 ## Next steps
+
+- [Troubleshoot Azure RBAC](troubleshooting.md)
diff --git a/articles/role-based-access-control/media/best-practices/rbac-least-privilege.png b/articles/role-based-access-control/media/best-practices/rbac-least-privilege.png

Original file line number	Diff line number	Diff line change
`@@ -33548,7 +33548,12 @@`
`33548`	`33548`	`},`
`33549`	`33549`	`{`
`33550`	`33550`	`"source_path": "articles/active-directory/pim-azure-resource.md",`
`33551`		`- "redirect_url": "/azure/role-based-access-control/pim-azure-resource",`
	`33551`	`+ "redirect_url": "/azure/role-based-access-control/best-practices",`
	`33552`	`+ "redirect_document_id": false`
	`33553`	`+ },`
	`33554`	`+ {`
	`33555`	`+ "source_path": "articles/role-based-access-control/pim-azure-resource.md",`
	`33556`	`+ "redirect_url": "/azure/role-based-access-control/best-practices",`
`33552`	`33557`	`"redirect_document_id": true`
`33553`	`33558`	`},`
`33554`	`33559`	`{`