Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into docUpdates

Author: djpmsft

articles/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa.md

@@ -37,16 +37,16 @@ Organizations can choose to include or exclude roles as they see fit.
 
 Conditional Access policies are powerful tools, we recommend excluding the following accounts from your policy:
 
-* **Emergency access** or **break-glass** accounts to prevent tenant-wide account lockout. In the unlikely scenario all administrators are locked out of your tenant, your emergency-access administrative account can be used to log into the tenant take steps to recover access.
+* **Emergency access** or **break-glass** accounts to prevent tenant-wide account lockout. In the unlikely scenario all administrators are locked out of your tenant, your emergency-access administrative account can be used to log into the tenant take steps to recover access.
    * More information can be found in the article, [Manage emergency access accounts in Azure AD](../users-groups-roles/directory-emergency-access.md).
 * **Service accounts** and **service principles**, such as the Azure AD Connect Sync Account. Service accounts are non-interactive accounts that are not tied to any particular user. They are normally used by back-end services and allow programmatic access to applications. Service accounts should be excluded since MFA can’t be completed programmatically.
-   * If your organization has these accounts in use in scripts or code, consider replacing them with [managed identities](../managed-identities-azure-resources/overview.md). As a temporary workaround, you can exclude these specific accounts from the baseline policy.
+   * If your organization has these accounts in use in scripts or code, consider replacing them with [managed identities](../managed-identities-azure-resources/overview.md). As a temporary workaround, you can exclude these specific accounts from the baseline policy.
 
 ## Create a Conditional Access policy
 
 The following steps will help create a Conditional Access policy to require those assigned administrative roles to perform multi-factor authentication.
 
-1. Sign in to the **Azure portal** as a global administrator, security administrator, or Conditional Access administrator.
+1. Sign in to the **Azure portal** as a global administrator, security administrator, or Conditional Access administrator.
 1. Browse to **Azure Active Directory** > **Conditional Access**.
 1. Select **New policy**.
 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.

articles/active-directory/conditional-access/howto-conditional-access-policy-azure-management.md

@@ -29,16 +29,16 @@ These tools can provide highly privileged access to resources, that can alter su
 
 Conditional Access policies are powerful tools, we recommend excluding the following accounts from your policy:
 
-* **Emergency access** or **break-glass** accounts to prevent tenant-wide account lockout. In the unlikely scenario all administrators are locked out of your tenant, your emergency-access administrative account can be used to log into the tenant take steps to recover access.
+* **Emergency access** or **break-glass** accounts to prevent tenant-wide account lockout. In the unlikely scenario all administrators are locked out of your tenant, your emergency-access administrative account can be used to log into the tenant take steps to recover access.
    * More information can be found in the article, [Manage emergency access accounts in Azure AD](../users-groups-roles/directory-emergency-access.md).
 * **Service accounts** and **service principles**, such as the Azure AD Connect Sync Account. Service accounts are non-interactive accounts that are not tied to any particular user. They are normally used by back-end services and allow programmatic access to applications. Service accounts should be excluded since MFA can’t be completed programmatically.
-   * If your organization has these accounts in use in scripts or code, consider replacing them with [managed identities](../managed-identities-azure-resources/overview.md). As a temporary workaround, you can exclude these specific accounts from the baseline policy.
+   * If your organization has these accounts in use in scripts or code, consider replacing them with [managed identities](../managed-identities-azure-resources/overview.md). As a temporary workaround, you can exclude these specific accounts from the baseline policy.
 
 ## Create a Conditional Access policy
 
 The following steps will help create a Conditional Access policy to require those assigned administrative roles to perform multi-factor authentication.
 
-1. Sign in to the **Azure portal** as a global administrator, security administrator, or Conditional Access administrator.
+1. Sign in to the **Azure portal** as a global administrator, security administrator, or Conditional Access administrator.
 1. Browse to **Azure Active Directory** > **Conditional Access**.
 1. Select **New policy**.
 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.

articles/active-directory/conditional-access/howto-conditional-access-policy-block-legacy.md

@@ -23,7 +23,7 @@ Due to the increased risk associated with legacy authentication protocols, Micro
 
 The following steps will help create a Conditional Access policy to block legacy authentication requests.
 
-1. Sign in to the **Azure portal** as a global administrator, security administrator, or Conditional Access administrator.
+1. Sign in to the **Azure portal** as a global administrator, security administrator, or Conditional Access administrator.
 1. Browse to **Azure Active Directory** > **Conditional Access**.
 1. Select **New policy**.
 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.

articles/active-directory/conditional-access/howto-conditional-access-policy-compliant-device.md

@@ -30,7 +30,7 @@ This policy compliance information is forwarded to Azure AD where Conditional Ac
 
 The following steps will help create a Conditional Access policy to require devices accessing resources be marked as compliant with your organization's Intune compliance policies.
 
-1. Sign in to the **Azure portal** as a global administrator, security administrator, or Conditional Access administrator.
+1. Sign in to the **Azure portal** as a global administrator, security administrator, or Conditional Access administrator.
 1. Browse to **Azure Active Directory** > **Conditional Access**.
 1. Select **New policy**.
 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.

articles/active-directory/conditional-access/howto-conditional-access-policy-location.md

@@ -21,7 +21,7 @@ With the location condition in Conditional Access, you can control access to you
 
 ## Define locations
 
-1. Sign in to the **Azure portal** as a global administrator, security administrator, or Conditional Access administrator.
+1. Sign in to the **Azure portal** as a global administrator, security administrator, or Conditional Access administrator.
 1. Browse to **Azure Active Directory** > **Conditional Access**.
 1. Choose **New location**.
 1. Give your location a name.
@@ -35,7 +35,7 @@ More information about the location condition in Conditional Access can be found
 
 ## Create a Conditional Access policy
 
-1. Sign in to the **Azure portal** as a global administrator, security administrator, or Conditional Access administrator.
+1. Sign in to the **Azure portal** as a global administrator, security administrator, or Conditional Access administrator.
 1. Browse to **Azure Active Directory** > **Conditional Access**.
 1. Select **New policy**.
 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.

articles/active-directory/develop/quickstart-v2-python-webapp.md

@@ -34,7 +34,7 @@ When you've completed the guide, your application will accept sign-ins of person
 To run this sample, you will need:
 
 - [Python 2.7+](https://www.python.org/downloads/release/python-2713) or [Python 3+](https://www.python.org/downloads/release/python-364/)
-- [Flask](http://flask.pocoo.org/), [Flask-Session](https://pythonhosted.org/Flask-Session/), [requests](https://2.python-requests.org/en/master/)
+- [Flask](http://flask.pocoo.org/), [Flask-Session](https://pythonhosted.org/Flask-Session/), [requests](https://requests.kennethreitz.org//en/master/)
 - [MSAL Python](https://github.com/AzureAD/microsoft-authentication-library-for-python) 
 - An Azure Active Directory (Azure AD) tenant. For more information on how to get an Azure AD tenant, see [how to get an Azure AD tenant.](https://docs.microsoft.com/azure/active-directory/develop/quickstart-create-new-tenant)
 

articles/active-directory/governance/TOC.yml

@@ -19,6 +19,8 @@
   items:
   - name: Entitlement management
     items:
+    - name: Delegation and roles
+      href: entitlement-management-delegate.md
     - name: Request process and emails
       href: entitlement-management-process.md
   - name: Access reviews
@@ -36,17 +38,21 @@
     items:
     - name: Common scenarios
       href: entitlement-management-scenarios.md
-    - name: Administrators and department managers
+    - name: Administrators
       items:
-      - name: Delegate tasks
-        href: entitlement-management-delegate.md
-      - name: Create a catalog of resources
-        href: entitlement-management-catalog-create.md
+      - name: Delegate to catalog creators
+        href: entitlement-management-delegate-catalog.md
       - name: View reports and logs
         href: entitlement-management-reports.md
       - name: Troubleshoot
         href: entitlement-management-troubleshoot.md
-    - name: Project managers
+    - name: Catalog owners
+      items:
+      - name: Create a catalog of resources
+        href: entitlement-management-catalog-create.md
+      - name: Delegate to access package managers
+        href: entitlement-management-delegate-managers.md
+    - name: Access package managers
       items:
       - name: Create a new access package
         href: entitlement-management-access-package-create.md

articles/active-directory/governance/entitlement-management-access-package-create.md

@@ -42,7 +42,7 @@ The following diagram shows the high-level process to create a new access packag
 
 ## Start new access package
 
-**Prerequisite role:** Global administrator, User administrator or Catalog owner
+**Prerequisite role:** Global administrator, User administrator, or Catalog owner
 
 1. Sign in to the [Azure portal](https://portal.azure.com).
 
@@ -124,5 +124,3 @@ On the **Review + create** tab, you can review your settings and check for any v
 ## Next steps
 
 - [Edit and manage an existing access package](entitlement-management-access-package-edit.md)
-- [Add a catalog owner or an access package manager](entitlement-management-delegate.md#add-a-catalog-owner-or-an-access-package-manager)
-- [Create and manage a catalog](entitlement-management-catalog-create.md)

articles/active-directory/governance/entitlement-management-access-package-edit.md

@@ -307,7 +307,7 @@ Most users in your directory can sign in to the My Access portal and automatical
 
 It is important that you copy the entire My Access portal link when sending it to an internal business partner. This ensures that the partner will get access to your directory's portal to make their request. 
 
-The link will start with "myaccess", include a directory hint, and end with an access package id. Make sure the link includes all of the following:
+The link will start with "myaccess", include a directory hint, and end with an access package ID. Make sure the link includes all of the following:
 
  `https://myaccess.microsoft.com/@<directory_hint>#/access-packages/<access_package_id>`
 
@@ -365,5 +365,4 @@ In entitlement management, Azure AD will process bulk changes for assignment and
 
 ## Next steps
 
-- [Add a catalog owner or an access package manager](entitlement-management-delegate.md#add-a-catalog-owner-or-an-access-package-manager)
 - [Request process and email notifications](entitlement-management-process.md)

articles/active-directory/governance/entitlement-management-catalog-create.md

@@ -1,5 +1,5 @@
 ---
-title: Create and manage a catalog in Azure AD entitlement management (Preview) - Azure Active Directory
+title: Create and manage a catalog of resources in Azure AD entitlement management (Preview) - Azure Active Directory
 description: Learn how to create a new container of resources and access packages in Azure Active Directory entitlement management (Preview).
 services: active-directory
 documentationCenter: ''
@@ -12,7 +12,7 @@ ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: conceptual
 ms.subservice: compliance
-ms.date: 07/23/2019
+ms.date: 10/07/2019
 ms.author: ajburnle
 ms.reviewer: hanki
 ms.collection: M365-identity-device-management
@@ -21,7 +21,7 @@ ms.collection: M365-identity-device-management
 #Customer intent: As an administrator, I want detailed information about the options available when creating and manage catalog so that I most effectively use catalogs in my organization.
 
 ---
-# Create and manage a catalog in Azure AD entitlement management (Preview)
+# Create and manage a catalog of resources in Azure AD entitlement management (Preview)
 
 > [!IMPORTANT]
 > Azure Active Directory (Azure AD) entitlement management is currently in public preview.
@@ -32,11 +32,9 @@ ms.collection: M365-identity-device-management
 
 A catalog is a container of resources and access packages. You create a catalog when you want to group related resources and access packages. Whoever creates the catalog becomes the first catalog owner. A catalog owner can add additional catalog owners.
 
-**Prerequisite role:** Global administrator, User administrator or Catalog creator
+**Prerequisite role:** Global administrator, User administrator, or Catalog creator
 
-1. Sign in to the [Azure portal](https://portal.azure.com).
-
-1. Click **Azure Active Directory** and then click **Identity Governance**.
+1. In the Azure portal, click **Azure Active Directory** and then click **Identity Governance**.
 
 1. In the left menu, click **Catalogs**.
 
@@ -70,12 +68,14 @@ To include resources in an access package, the resources must exist in a catalog
 
 1. Click **Add resources**.
 
-1. Click a resource type: **Groups**, **Applications**, or **SharePoint sites**.
+1. Click a resource type: **Groups and Teams**, **Applications**, or **SharePoint sites**.
 
     If you don't see a resource that you want to add or you are unable to add a resource, make sure you have the required Azure AD directory role and entitlement management role. You might need to have someone with the required roles add the resource to your catalog. For more information, see [Required roles to add resources to a catalog](entitlement-management-delegate.md#required-roles-to-add-resources-to-a-catalog).
 
 1. Select one or more resources of the type that you would like to add to the catalog.
 
+    ![Add resources to a catalog](./media/entitlement-management-catalog-create/catalog-add-resources.png)
+
 1. When finished, click **Add**.
 
     These resources can now be included in access packages within the catalog.
@@ -96,11 +96,31 @@ You can remove resources from a catalog. A resource can only be removed from a c
 
 1. Click **Remove** (or click the ellipsis (**...**) and then click **Remove resource**).
 
+## Add additional catalog owners
+
+The user that created a catalog becomes the first catalog owner. To delegate management of a catalog, you add users to the catalog owner role. This helps share the catalog management responsibilities. 
+
+Follow these steps to assign a user to the catalog owner role:
+
+**Prerequisite role:** Global administrator, User administrator, or Catalog owner
+
+1. In the Azure portal, click **Azure Active Directory** and then click **Identity Governance**.
+
+1. In the left menu, click **Catalogs** and then open the catalog you want to add administrators to.
+
+1. In the left menu, click **Roles and administrators**.
+
+    ![Catalogs roles and administrators](./media/entitlement-management-shared/catalog-roles-administrators.png)
+
+1. Click **Add owners** to select the members for these roles.
+
+1. Click **Select** to add these members.
+
 ## Edit a catalog
 
 You can edit the name and description for a catalog. Users see this information in an access package's details.
 
-**Prerequisite role:** Global administrator, User administrator or Catalog owner
+**Prerequisite role:** Global administrator, User administrator, or Catalog owner
 
 1. In the Azure portal, click **Azure Active Directory** and then click **Identity Governance**.
 
@@ -116,7 +136,7 @@ You can edit the name and description for a catalog. Users see this information
 
 You can delete a catalog, but only if it does not have any access packages.
 
-**Prerequisite role:** Global administrator, User administrator or Catalog owner
+**Prerequisite role:** Global administrator, User administrator, or Catalog owner
 
 1. In the Azure portal, click **Azure Active Directory** and then click **Identity Governance**.
 
@@ -128,5 +148,4 @@ You can delete a catalog, but only if it does not have any access packages.
 
 ## Next steps
 
-- [Add a catalog creator](entitlement-management-delegate.md#add-a-catalog-creator)
-- [Create and manage an access package](entitlement-management-access-package-create.md)
+- [Delegate access governance to access package managers](entitlement-management-delegate-managers.md)