Merge remote-tracking branch 'refs/remotes/MicrosoftDocs/master' into nitinme-retire-services

Author: nitinme

articles/active-directory/privileged-identity-management/azure-ad-custom-roles-activate.md

@@ -27,7 +27,9 @@ ms.collection: M365-identity-device-management
 Privileged Identity Management in Azure Active Directory (Azure AD) now supports just-in-time and time-bound assignment to custom roles created for Application Management in the Identity and Access Management administrative experience. For more information about creating custom roles to delegate application management in Azure AD, see [Custom administrator roles in Azure Active Directory (preview)](../users-groups-roles/roles-custom-overview.md).
 
 > [!NOTE]
-> Azure AD custom roles are not integrated with the built-in directory roles during preview. Once the capability is generally available, role management will take place in the built-in roles experience.
+> Azure AD custom roles are not integrated with the built-in directory roles during preview. Once the capability is generally available, role management will take place in the built-in roles experience. If you see the following banner, these roles should be managed [in the built-in roles experience](pim-how-to-activate-role.md) and this article does not apply:
+>
+> [![](media/pim-how-to-add-role-to-user/pim-new-version.png "Select Azure AD > Privileged Identity Management")](media/pim-how-to-add-role-to-user/pim-new-version.png#lightbox)
 
 ## Activate a role
 

articles/active-directory/privileged-identity-management/azure-ad-custom-roles-assign.md

@@ -31,7 +31,9 @@ This article tells you how to use Privileged Identity Management (PIM) to create
 - For information about how to grant another administrator access to manage Privileged Identity Management, see [Grant access to other administrators to manage Privileged Identity Management](pim-how-to-give-access-to-pim.md).
 
 > [!NOTE]
-> Azure AD custom roles are not integrated with the built-in directory roles during preview. Once the capability is generally available, role management will take place in the built-in roles experience.
+> Azure AD custom roles are not integrated with the built-in directory roles during preview. Once the capability is generally available, role management will take place in the built-in roles experience. If you see the following banner, these roles should be managed [in the built-in roles experience](pim-how-to-activate-role.md) and this article does not apply:
+>
+> [![](media/pim-how-to-add-role-to-user/pim-new-version.png "Select Azure AD > Privileged Identity Management")](media/pim-how-to-add-role-to-user/pim-new-version.png#lightbox)
 
 ## Assign a role
 

articles/active-directory/privileged-identity-management/azure-ad-custom-roles-configure.md

@@ -26,6 +26,11 @@ ms.collection: M365-identity-device-management
 
 A privileged role administrator can change the role settings that apply to a user when they activate their assignment to a custom role and for other application administrators that are assigning custom roles.
 
+> [!NOTE]
+> Azure AD custom roles are not integrated with the built-in directory roles during preview. Once the capability is generally available, role management will take place in the built-in roles experience. If you see the following banner, these roles should be managed [in the built-in roles experience](pim-how-to-activate-role.md) and this article does not apply:
+>
+> [![](media/pim-how-to-add-role-to-user/pim-new-version.png "Select Azure AD > Privileged Identity Management")](media/pim-how-to-add-role-to-user/pim-new-version.png#lightbox)
+
 ## Open role settings
 
 Follow these steps to open the settings for an Azure AD role.
@@ -94,7 +99,7 @@ If you want to require approval to activate a role, follow these steps.
 
 ## Next steps
 
-- [Activate an Azure AD custom role](azure-ad-custom-roles-assign.md)
+- [Activate an Azure AD custom role](azure-ad-custom-roles-activate.md)
 - [Assign an Azure AD custom role](azure-ad-custom-roles-assign.md)
 - [Remove or update an Azure AD custom role assignment](azure-ad-custom-roles-update-remove.md)
 - [Role definitions in Azure AD](../users-groups-roles/directory-assign-admin-roles.md)

articles/active-directory/privileged-identity-management/azure-ad-custom-roles-update-remove.md

@@ -30,7 +30,9 @@ This article tells you how to use Privileged Identity Management (PIM) to update
 - If you haven't used Privileged Identity Management yet, get more information at [Start using Privileged Identity Management](pim-getting-started.md).
 
 > [!NOTE]
-> Azure AD custom roles are not integrated with the built-in directory roles during preview. Once the capability is generally available, role management role management will take place in the built-in roles experience.
+> Azure AD custom roles are not integrated with the built-in directory roles during preview. Once the capability is generally available, role management will take place in the built-in roles experience. If you see the following banner, these roles should be managed [in the built-in roles experience](pim-how-to-add-role-to-user.md) and this article does not apply:
+>
+> [![](media/pim-how-to-add-role-to-user/pim-new-version.png "Select Azure AD > Privileged Identity Management")](media/pim-how-to-add-role-to-user/pim-new-version.png#lightbox)
 
 ## Update or remove an assignment
 

articles/active-directory/privileged-identity-management/azure-ad-pim-approval-workflow.md

@@ -14,7 +14,7 @@ ms.topic: article
 ms.tgt_pltfrm: na
 ms.workload: identity
 ms.subservice: pim
-ms.date: 11/12/2019
+ms.date: 02/07/2020
 ms.author: curtand
 ms.custom: pim
 ms.collection: M365-identity-device-management
@@ -26,28 +26,28 @@ With Azure Active Directory (Azure AD) Privileged Identity Management (PIM), you
 
 ## Determine your version of PIM
 
-Beginning in November 2019, the Azure AD roles portion of Privileged Identity Management is being updated to a new version that matches the experiences for Azure resource roles. This creates additional features as well as [changes to the existing API](azure-ad-roles-features.md#api-changes). While the new version is being rolled out, which procedures that you follow in this article depend on version of Privileged Identity Management you currently have. Follow the steps in this section to determine which version of Privileged Identity Management you have. After you know your version of Privileged Identity Management, you can select the procedures in this article that match that version.
+Beginning in November 2019, the Azure AD roles portion of Privileged Identity Management is being updated to a new version that matches the experiences for Azure roles. This creates additional features as well as [changes to the existing API](azure-ad-roles-features.md#api-changes). While the new version is being rolled out, which procedures that you follow in this article depend on version of Privileged Identity Management you currently have. Follow the steps in this section to determine which version of Privileged Identity Management you have. After you know your version of Privileged Identity Management, you can select the procedures in this article that match that version.
 
 1. Sign in to the [Azure portal](https://portal.azure.com/) with a user who is in the [Privileged role administrator](../users-groups-roles/directory-assign-admin-roles.md#privileged-role-administrator) role.
 1. Open **Azure AD Privileged Identity Management**. If you have a banner on the top of the overview page, follow the instructions in the **New version** tab of this article. Otherwise, follow the instructions in the **Previous version** tab.
 
-    ![Azure AD roles new version](./media/pim-how-to-add-role-to-user/pim-new-version.png)
+    [![](media/pim-how-to-add-role-to-user/pim-new-version.png "Select Azure AD > Privileged Identity Management")](media/pim-how-to-add-role-to-user/pim-new-version.png#lightbox)
 
 Follow the steps in this article to approve or deny requests for Azure AD roles.
 
 # [New version](#tab/new)
 
 ## View pending requests
 
-As a delegated approver, you'll receive an email notification when an Azure resource role request is pending your approval. You can view these pending requests in Privileged Identity Management.
+As a delegated approver, you'll receive an email notification when an Azure AD role request is pending your approval. You can view these pending requests in Privileged Identity Management.
 
 1. Sign in to the [Azure portal](https://portal.azure.com/).
 
 1. Open **Azure AD Privileged Identity Management**.
 
 1. Select **Approve requests**.
 
-    ![Approve requests - Azure resources page showing request to review](./media/pim-resource-roles-approval-workflow/resources-approve-requests.png)
+    ![Approve requests - page showing request to review Azure AD roles](./media/azure-ad-pim-approval-workflow/resources-approve-pane.png)
 
     In the **Requests for role activations** section, you'll see a list of requests pending your approval.
 
@@ -61,7 +61,7 @@ As a delegated approver, you'll receive an email notification when an Azure reso
 
 1. Select **Approve**. You will receive an Azure notification of your approval.
 
-    ![Approve notification showing request was approved](./media/pim-resource-roles-approval-workflow/resources-approve-notification.png)
+    ![Approve notification showing request was approved](./media/pim-resource-roles-approval-workflow/resources-approve-pane.png))
 
 ## Deny requests
 
@@ -80,10 +80,10 @@ Here's some information about workflow notifications:
 - Approvers are notified by email when a request for a role is pending their review. Email notifications include a direct link to the request, where the approver can approve or deny.
 - Requests are resolved by the first approver who approves or denies.
 - When an approver responds to the request, all approvers are notified of the action.
-- Resource administrators are notified when an approved user becomes active in their role.
+- Global admins and Privileged role admins are notified when an approved user becomes active in their role.
 
 >[!NOTE]
->A resource administrator who believes that an approved user should not be active can remove the active role assignment in Privileged Identity Management. Although resource administrators are not notified of pending requests unless they are an approver, they can view and cancel pending requests for all users by viewing pending requests in Privileged Identity Management.
+>A Global admin or Privileged role admin who believes that an approved user should not be active can remove the active role assignment in Privileged Identity Management. Although administrators are not notified of pending requests unless they are an approver, they can view and cancel any pending requests for all users by viewing pending requests in Privileged Identity Management.
 
 # [Previous version](#tab/previous)
 
@@ -129,7 +129,7 @@ As a delegated approver, you'll receive an email notification when an Azure AD r
 
     ![Deny selected requests pane with a deny reason](./media/azure-ad-pim-approval-workflow/pim-deny-selected-requests.png)
 
-1. Click **Deny**.
+1. Select **Deny**.
 
     The Status symbol will be updated with your denial.
 

articles/active-directory/privileged-identity-management/azure-ad-roles-features.md

@@ -28,6 +28,7 @@ The management experience for Azure AD roles in Privileged Identity Management h
 
 With the update being currently rolled out, we are merging the two into a single management experience, and in it you get the same functionality for Azure AD roles as for Azure resource roles. This article informs you of the updated features and any requirements.
 
+
 ## Time-bound assignments
 
 Previously in Privileged Identity Management for Azure AD roles, you were familiar with role assignments with two possible states – *eligible* and *permanent*. Now you can set a start and end time for each type of assignment. This addition gives you four possible states in which you can place an assignment: