Merge pull request #208880 from markwahl-msft/mwahl-em-auto-role

prmerger-automator[bot] · web-flow · commit 82153f77b72e · 2022-08-23T20:32:12.000Z
identity governance: add before you begin to auto-assignment article
diff --git a/articles/active-directory/governance/entitlement-management-access-package-auto-assignment-policy.md b/articles/active-directory/governance/entitlement-management-access-package-auto-assignment-policy.md
@@ -28,6 +28,10 @@ During this preview, you can have at most one automatic assignment policy in an
 
 This article describes how to create an access package automatic assignment policy for an existing access package.
 
+## Before you begin
+
+You'll need to have attributes populated on the users who will be in scope for being assigned access.  The attributes you can use in the rules criteria of an access package assignment policy are those attributes listed in [supported properties](../enterprise-users/groups-dynamic-membership.md#supported-properties), along with [extension attributes and custom extension properties](../enterprise-users/groups-dynamic-membership.md#extension-properties-and-custom-extension-properties).  These attributes can be brought into Azure AD from [Graph](/graph/api/resources/user?view=graph-rest-beta), an HR system such as [SuccessFactors](../app-provisioning/sap-successfactors-integration-reference.md), [Azure AD Connect cloud sync](../cloud-sync/how-to-attribute-mapping.md) or [Azure AD Connect sync](../hybrid/how-to-connect-sync-feature-directory-extensions.md).
+
 ## Create an automatic assignment policy (Preview)
 
 To create a policy for an access package, you need to start from the access package's policy tab. Follow these steps to create a new policy for an access package.
@@ -45,7 +49,7 @@ To create a policy for an access package, you need to start from the access pack
 1. Provide a dynamic membership rule, using the [membership rule builder](../enterprise-users/groups-dynamic-membership.md) or by clicking **Edit** on the rule syntax text box.
 
    > [!NOTE]
-   > The rule builder might not be able to display some rules constructed in the text box. For more information, see [rule builder in the Azure portal](/enterprise-users/groups-create-rule.md#rule-builder-in-the-azure-portal).
+   > The rule builder might not be able to display some rules constructed in the text box, and validating a rule currently requires the you to be in the Global administrator role. For more information, see [rule builder in the Azure portal](/enterprise-users/groups-create-rule.md#rule-builder-in-the-azure-portal).
 
     ![Screenshot of an access package automatic assignment policy rule configuration.](./media/entitlement-management-access-package-auto-assignment-policy/auto-assignment-rule-configuration.png)
 
