Merge pull request #252243 from markwahl-msft/mwahl-em-lcw-tasks

EM: mention LCW tasks in EM assignments, overview and scenarios

Author: prmerger-automator[bot]

articles/active-directory/governance/entitlement-management-access-package-assignments.md

@@ -200,6 +200,28 @@ $policy = $accesspackage.AssignmentPolicies[0]
 $req = New-MgBetaEntitlementManagementAccessPackageAssignmentRequest -AccessPackageId $accesspackage.Id -AssignmentPolicyId $policy.Id -TargetEmail "[email protected]"
 ```
 
+## Configure access assignment as part of a lifecycle workflow
+
+In the Microsoft Entra Lifecycle Workflows feature, you can add a [Request user access package assignment](lifecycle-workflow-tasks.md#request-user-access-package-assignment) task to an onboarding workflow. The task can specify an access package which users should have. When the workflow runs for a user, then an access package assignment request will be created automatically.
+
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a global administrator.
+
+1. Browse to **Identity governance** > **Lifecycle workflows** > **Workflows**.
+
+1. Select an employee onboarding or move workflow.
+
+1. Select **Tasks** and select **Add task**.
+
+1. Select **Request user access package assignment** and select **Add**.
+
+1. Select the newly added task.
+
+1. Select **Select Access package**, and choose the access package that new or moving users should be assigned to.
+
+1. Select **Select Policy**, and choose the access package assignment policy in that access package.
+
+1. Select **Save**.
+
 ## Remove an assignment
 
 You can remove an assignment that a user or an administrator had previously requested.
@@ -245,6 +267,26 @@ if ($assignment -ne $null) {
 }
 ```
 
+## Configure assignment removal as part of a lifecycle workflow
+
+In the Microsoft Entra Lifecycle Workflows feature, you can add a [Remove access package assignment for user](lifecycle-workflow-tasks.md#remove-access-package-assignment-for-user) task to an offboarding workflow. That task can specify an access package the user might be assigned to. When the workflow runs for a user, then their access package assignment will be removed automatically.
+
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a global administrator.
+
+1. Browse to **Identity governance** > **Lifecycle workflows** > **Workflows**.
+
+1. Select an employee offboarding workflow.
+
+1. Select **Tasks** and select **Add task**.
+
+1. Select **Remove access package assignment for user** and select **Add**.
+
+1. Select the newly added task.
+
+1. Select **Select Access packages**, and choose one or more access packages that users being offboarded should be removed from.
+
+1. Select **Save**.
+
 ## Next steps
 
 - [Change request and settings for an access package](entitlement-management-access-package-request-policy.md)

articles/active-directory/governance/entitlement-management-overview.md

@@ -94,7 +94,7 @@ You can have policies for users to request access. In these kinds of policies, a
 - The approval process and the users that can approve or deny access
 - The duration of a user's access assignment, once approved, before the assignment expires
 
-You can also have policies for users to be assigned access, either by an administrator or [automatically](entitlement-management-access-package-auto-assignment-policy.md).
+You can also have policies for users to be assigned access, either [by an administrator](entitlement-management-access-package-assignments.md#directly-assign-a-user), [automatically based on rules](entitlement-management-access-package-auto-assignment-policy.md), or through lifecycle workflows.
 
 The following diagram shows an example of the different elements in entitlement management. It shows one catalog with two example access packages.
 

articles/active-directory/governance/entitlement-management-scenarios.md

@@ -47,12 +47,20 @@ There are several ways that you can configure entitlement management for your or
 
 ## Govern access for users in your organization
 
-### Administrator: Assign employees access automatically (preview)
+### Administrator: Assign employees access automatically
 
 1. [Create a new access package](entitlement-management-access-package-create.md#start-the-creation-process)
 1. [Add groups, Teams, applications, or SharePoint sites to access package](entitlement-management-access-package-create.md#select-resource-roles)
 1. [Add an automatic assignment policy](entitlement-management-access-package-auto-assignment-policy.md)
 
+### Administrator: Assign employees access from lifecycle workflows
+
+1. [Create a new access package](entitlement-management-access-package-create.md#start-the-creation-process)
+1. [Add groups, Teams, applications, or SharePoint sites to access package](entitlement-management-access-package-create.md#select-resource-roles)
+1. [Add a direct assignment policy](entitlement-management-access-package-request-policy.md#none-administrator-direct-assignments-only)
+1. Add a task to [Request user access package assignment](lifecycle-workflow-tasks.md#request-user-access-package-assignment) to a workflow when a user joins
+1. Add a task to [Remove access package assignment for user](lifecycle-workflow-tasks.md#remove-access-package-assignment-for-user) to a workflow when a user leaves
+
 ### Access package manager: Allow employees in your organization to request access to resources
 
 1. [Create a new access package](entitlement-management-access-package-create.md#start-the-creation-process)
@@ -111,7 +119,7 @@ There are several ways that you can configure entitlement management for your or
 
 ## Day-to-day management
 
-### Administrator: View the connected organziations that are proposed and configured
+### Administrator: View the connected organizations that are proposed and configured
 
 1. [View the list of connected organizations](entitlement-management-organization.md)