Merge pull request #103267 from curtand/pim0104

[Azure AD PIM] GitHub issue and default tab update

Author: v-albemi

articles/active-directory/privileged-identity-management/azure-ad-pim-approval-workflow.md

@@ -35,103 +35,103 @@ Beginning in November 2019, the Azure AD roles portion of Privileged Identity Ma
 
 Follow the steps in this article to approve or deny requests for Azure AD roles.
 
-# [Previous version](#tab/previous)
+# [New version](#tab/new)
 
 ## View pending requests
 
-As a delegated approver, you'll receive an email notification when an Azure AD role request is pending your approval. You can view these pending requests in Privileged Identity Management.
+As a delegated approver, you'll receive an email notification when an Azure resource role request is pending your approval. You can view these pending requests in Privileged Identity Management.
 
 1. Sign in to the [Azure portal](https://portal.azure.com/).
 
 1. Open **Azure AD Privileged Identity Management**.
 
-1. Click **Azure AD roles**.
-
-1. Click **Approve requests**.
+1. Select **Approve requests**.
 
-    ![Azure AD roles - Approve requests](./media/azure-ad-pim-approval-workflow/approve-requests.png)
+    ![Approve requests - Azure resources page showing request to review](./media/pim-resource-roles-approval-workflow/resources-approve-requests.png)
 
-    You'll see a list of requests pending your approval.
+    In the **Requests for role activations** section, you'll see a list of requests pending your approval.
 
 ## Approve requests
 
-1. Select the requests you want to approve and then click **Approve** to open the Approve selected requests pane.
+1. Find and select the request that you want to approve. An approve or deny page appears.
 
-    ![Approve requests list with Approve option highlighted](./media/azure-ad-pim-approval-workflow/pim-approve-requests-list.png)
+    ![Approve requests - approve or deny pane with details and Justification box](./media/azure-ad-pim-approval-workflow/resources-approve-pane.png)
 
-1. In the **Approve reason** box, type a reason.
+1. In the **Justification** box, enter the business justification.
 
-    ![Approve selected requests pane with a approve reason](./media/azure-ad-pim-approval-workflow/pim-approve-selected-requests.png)
+1. Select **Approve**. You will receive an Azure notification of your approval.
 
-1. Click **Approve**.
+    ![Approve notification showing request was approved](./media/pim-resource-roles-approval-workflow/resources-approve-notification.png)
 
-    The Status symbol will be updated with your approval.
+## Deny requests
 
-    ![Approve selected requests pane after Approve button clicked](./media/azure-ad-pim-approval-workflow/pim-approve-status.png)
+1. Find and select the request that you want to deny. An approve or deny page appears.
 
-## Deny requests
+    ![Approve requests - approve or deny pane with details and Justification box](./media/pim-resource-roles-approval-workflow/resources-approve-pane.png)
 
-1. Select the requests you want to deny and then click **Deny** to open the Deny selected requests pane.
+1. In the **Justification** box, enter the business justification.
 
-    ![Approve requests list with Deny option highlighted](./media/azure-ad-pim-approval-workflow/pim-deny-requests-list.png)
+1. Select **Deny**. A notification appears with your denial.
 
-1. In the **Deny reason** box, type a reason.
+## Workflow notifications
 
-    ![Deny selected requests pane with a deny reason](./media/azure-ad-pim-approval-workflow/pim-deny-selected-requests.png)
+Here's some information about workflow notifications:
 
-1. Click **Deny**.
+- Approvers are notified by email when a request for a role is pending their review. Email notifications include a direct link to the request, where the approver can approve or deny.
+- Requests are resolved by the first approver who approves or denies.
+- When an approver responds to the request, all approvers are notified of the action.
+- Resource administrators are notified when an approved user becomes active in their role.
 
-    The Status symbol will be updated with your denial.
+>[!NOTE]
+>A resource administrator who believes that an approved user should not be active can remove the active role assignment in Privileged Identity Management. Although resource administrators are not notified of pending requests unless they are an approver, they can view and cancel pending requests for all users by viewing pending requests in Privileged Identity Management.
 
-# [New version](#tab/new)
+# [Previous version](#tab/previous)
 
 ## View pending requests
 
-As a delegated approver, you'll receive an email notification when an Azure resource role request is pending your approval. You can view these pending requests in Privileged Identity Management.
+As a delegated approver, you'll receive an email notification when an Azure AD role request is pending your approval. You can view these pending requests in Privileged Identity Management.
 
 1. Sign in to the [Azure portal](https://portal.azure.com/).
 
 1. Open **Azure AD Privileged Identity Management**.
 
-1. Select **Approve requests**.
+1. Click **Azure AD roles**.
 
-    ![Approve requests - Azure resources page showing request to review](./media/pim-resource-roles-approval-workflow/resources-approve-requests.png)
+1. Click **Approve requests**.
 
-    In the **Requests for role activations** section, you'll see a list of requests pending your approval.
+    ![Azure AD roles - Approve requests](./media/azure-ad-pim-approval-workflow/approve-requests.png)
+
+    You'll see a list of requests pending your approval.
 
 ## Approve requests
 
-1. Find and select the request that you want to approve. An approve or deny page appears.
+1. Select the requests you want to approve and then click **Approve** to open the Approve selected requests pane.
 
-    ![Approve requests - approve or deny pane with details and Justification box](./media/azure-ad-pim-approval-workflow/resources-approve-pane.png)
+    ![Approve requests list with Approve option highlighted](./media/azure-ad-pim-approval-workflow/pim-approve-requests-list.png)
 
-1. In the **Justification** box, enter the business justification.
+1. In the **Approve reason** box, type a reason.
 
-1. Select **Approve**. You will receive an Azure notification of your approval.
+    ![Approve selected requests pane with a approve reason](./media/azure-ad-pim-approval-workflow/pim-approve-selected-requests.png)
 
-    ![Approve notification showing request was approved](./media/pim-resource-roles-approval-workflow/resources-approve-notification.png)
+1. Click **Approve**.
 
-## Deny requests
+    The Status symbol will be updated with your approval.
 
-1. Find and select the request that you want to deny. An approve or deny page appears.
+    ![Approve selected requests pane after Approve button clicked](./media/azure-ad-pim-approval-workflow/pim-approve-status.png)
 
-    ![Approve requests - approve or deny pane with details and Justification box](./media/pim-resource-roles-approval-workflow/resources-approve-pane.png)
+## Deny requests
 
-1. In the **Justification** box, enter the business justification.
+1. Select the requests you want to deny and then click **Deny** to open the Deny selected requests pane.
 
-1. Select **Deny**. A notification appears with your denial.
+    ![Approve requests list with Deny option highlighted](./media/azure-ad-pim-approval-workflow/pim-deny-requests-list.png)
 
-## Workflow notifications
+1. In the **Deny reason** box, type a reason.
 
-Here's some information about workflow notifications:
+    ![Deny selected requests pane with a deny reason](./media/azure-ad-pim-approval-workflow/pim-deny-selected-requests.png)
 
-- Approvers are notified by email when a request for a role is pending their review. Email notifications include a direct link to the request, where the approver can approve or deny.
-- Requests are resolved by the first approver who approves or denies.
-- When an approver responds to the request, all approvers are notified of the action.
-- Resource administrators are notified when an approved user becomes active in their role.
+1. Click **Deny**.
 
->[!NOTE]
->A resource administrator who believes that an approved user should not be active can remove the active role assignment in Privileged Identity Management. Although resource administrators are not notified of pending requests unless they are an approver, they can view and cancel pending requests for all users by viewing pending requests in Privileged Identity Management.
+    The Status symbol will be updated with your denial.
 
 ---
 

articles/active-directory/privileged-identity-management/pim-deployment-plan.md

@@ -10,7 +10,7 @@ ms.service: active-directory
 ms.topic: conceptual
 ms.workload: identity
 ms.subservice: pim
-ms.date: 11/08/2019
+ms.date: 02/04/2020
 ms.author: curtand
 ms.custom: 
 ms.collection: M365-identity-device-management
@@ -115,7 +115,7 @@ The following section helps you identify all the stakeholders that are involved
 
 As part of the planning process, you must first consent to and enable Privileged Identity Management by following our [start using Privileged Identity Management](pim-getting-started.md) article. Enabling Privileged Identity Management gives you access to some features that are specifically designed to help with your deployment.
 
-If your objective is to deploy Privileged Identity Management for Azure resources, you should follow our [discover Azure resources to manage in Privileged Identity Management](pim-resource-roles-discover-resources.md) article. Only owners of each resource, resource group, and subscription will be able to discover them inside Privileged Identity Management. If you are a Global Administrator trying to deploy Privileged Identity Management for your Azure resources, you can [elevate access to manage all Azure subscriptions](../../role-based-access-control/elevate-access-global-admin.md?toc=%2fazure%2factive-directory%2fprivileged-identity-management%2ftoc.json) to give yourself access to all Azure resources in the directory for discovery. However, we advise that you get approval from each of your subscription owners before managing their resources with Privileged Identity Management.
+If your objective is to deploy Privileged Identity Management for Azure resources, you should follow our [discover Azure resources to manage in Privileged Identity Management](pim-resource-roles-discover-resources.md) article. Only owners of subscriptions and management groups can discover and onboard these resources onto Privileged Identity Management. After it is onboarded, the PIM functionality is available for owners at all levels including management group, subscription, resource group, and resource. If you are a Global Administrator trying to deploy Privileged Identity Management for your Azure resources, you can [elevate access to manage all Azure subscriptions](../../role-based-access-control/elevate-access-global-admin.md?toc=%2fazure%2factive-directory%2fprivileged-identity-management%2ftoc.json) to give yourself access to all Azure resources in the directory for discovery. However, we advise that you get approval from each of your subscription owners before managing their resources with Privileged Identity Management.
 
 ### Enforce principle of least privilege
 
@@ -193,7 +193,7 @@ If there are any roles with guest users assigned, they are particularly vulnerab
 > [!TIP]
 > :heavy_check_mark: **Microsoft recommends** you manage all roles with guest users using Privileged Identity Management to reduce risk associated with compromised guest user accounts.
 
-Reader roles like the Directory Reader, Message Center Reader, and Security Reader are sometimes believed to be less important compared to other roles as they don’t have write permission. However, we have seen some customers also protect these roles because attackers who have gained access to these accounts may be able to read sensitive data, such as personally identifiable information (PII). You should take this into consideration when deciding whether reader roles in your organization need to be managed using Privileged Identity Management.
+Reader roles like the Directory Reader, Message Center Reader, and Security Reader are sometimes believed to be less important compared to other roles as they don’t have write permission. However, we have seen some customers also protect these roles because attackers who have gained access to these accounts may be able to read sensitive data, such as personal data. You should take this into consideration when deciding whether reader roles in your organization need to be managed using Privileged Identity Management.
 
 #### Azure resource roles