Commit 85b59b9

committed
Final
1 parent acebd51 commit 85b59b9

4 files changed

+23
-13
lines changed

articles/active-directory/privileged-identity-management/pim-configure.md

Lines changed: 23 additions & 13 deletions
@@ -83,48 +83,58 @@ To better understand Privileged Identity Management and its documentation, you s
8383
| just-in-time (JIT) access | | A model in which users receive temporary permissions to perform privileged tasks, which prevents malicious or unauthorized users from gaining access after the permissions have expired. Access is granted only when users need it. |
8484
| principle of least privilege access | | A recommended security practice in which every user is provided with only the minimum privileges needed to accomplish the tasks they're authorized to perform. This practice minimizes the number of Global Administrators and instead uses specific administrator roles for certain scenarios. |
8585

86+
## Role assignment overview
8687

87-
## Role assignment workflow
88+
The PIM role assignments give you a secure way to grant access to resources in your organization. This section describes the assignment process. It includes assign roles to members, activate assignments, approve or deny requests, extend and renew assignments.
8889

89-
The PIM role assignments give you a secure way to grant access to resources in your organization. This section describes the assignment workflow. The workflow includes assign roles to members, activate assignments, approve or deny requests, extend and renew assignments.
90+
PIM keeps you informed by sending you and other participants [email notifications](pim-email-notifications.md). These emails might also include links to relevant tasks, such activating, approve or deny a request.
9091

91-
PIM keeps you informed by sending you and other participants [email notifications](pim-email-notifications.md). These emails might also include links to relevant tasks, such activating, approve or deny a request.
92+
The following screenshot shows an email message sent by PIM. The email informs Patti that Alex updated a role assignment for Emily.
93+
94+
![Screenshot shows an email message sent by Privileged Identity Management.](./media/pim-configure/pim-email.png)
9295

9396
### Assign
9497

95-
The assignment flow starts by assign roles. To grant access to a resource, you assign roles to users, groups, service principals, or managed identities. When you assign a role, you select:
98+
The assignment process starts by assign roles to members. To grant access to a resource, the administrator assigns roles to users, groups, service principals, or managed identities. The assignment includes the following data:
9699

97-
- The members or owners you want to assign the role.
100+
- The members or owners to assign the role.
98101
- The scope of the assignment. The scope limits the assigned role to a particular set of resources.
99102
- The type of the assignment
100-
- **Eligible** assignments require the member of the role to perform an action to use the role. Actions might include self-service activation, or requesting approval from designated approvers.
103+
- **Eligible** assignments require the member of the role to perform an action to use the role. Actions might include activation, or requesting approval from designated approvers.
101104
- **Active** assignments don't require the member to perform any action to use the role. Members assigned as active have the privileges assigned to the role.
102105
- The duration of the assignment, using start and end dates or permanent. For eligible assignments, the members can activate or requesting approval during the start and end dates. For active assignments, the members can use the assign role during this period of time.
103106

107+
The following screenshot shows how administrator assigns a role to members.
108+
109+
![Screenshot of Privileged Identity Management role assignment.](./media/pim-configure/role-assignment.png)
110+
111+
104112
For more information, check out the following articles: [Assign Azure AD roles](pim-how-to-add-role-to-user.md), [Assign Azure resource roles](pim-resource-roles-assign-roles.md), and [Assign eligibility for a privileged access group](groups-assign-member-owner.md)
105113

106114
### Activate
107115

108116
If users have been made eligible for a role, then they must activate the role assignment before using the role. To activate the role, users select specific activation duration within the maximum (configured by administrators), and the reason for the activation request.
109117

110-
If the role requires [approval](pim-resource-roles-approval-workflow.md) to activate, a notification will appear in the upper right corner of the user's browser informing them the request is pending approval. If an approval isn't required, the member can start using the role immediately.
118+
The following screenshot shows how members activate their role to a limited time.
119+
120+
![Screenshot of Privileged Identity Management role activation.](./media/pim-configure/role-activation.png)
121+
122+
If the role requires [approval](pim-resource-roles-approval-workflow.md) to activate, a notification will appear in the upper right corner of the user's browser informing them the request is pending approval. If an approval isn't required, the member can start using the role.
111123

112124
For more information, check out the following articles: [Activate Azure AD roles](pim-how-to-activate-role.md), [Activate my Azure resource roles](pim-resource-roles-activate-your-roles.md), and [Activate my privileged access group roles](groups-activate-roles.md)
113125

114126
### Approve or deny
115127

116-
As a delegated approver, you'll receive an email notification when an Azure AD role request is pending your approval. You can view, approve or deny these pending requests in PIM. After the request has been approved, the member can start using the role. For example, if a user or a group was assigned with Contribution role to a resource group, they'll be able to manage that particular resource group.
117-
118-
We recommend selecting two or more approvers for each role to reduce workload for the privileged role administrator. Delegated approvers have 24 hours to approve requests. If a request isn't approved within 24 hours, then the eligible user must resubmit a new request. The 24 hour approval time window isn't configurable.
128+
Delegated approvers receive email notifications when a role request is pending their approval. Approvers can view, approve or deny these pending requests in PIM. After the request has been approved, the member can start using the role. For example, if a user or a group was assigned with Contribution role to a resource group, they'll be able to manage that particular resource group.
119129

120130
For more information, check out the following articles: [Approve or deny requests for Azure AD roles](azure-ad-pim-approval-workflow.md), [Approve or deny requests for Azure resource roles](pim-resource-roles-approval-workflow.md), and [Approve activation requests for privileged access group](groups-approval-workflow.md)
121131

122132
### Extend and renew assignments
123133

124-
After you set up your time-bound owner or member assignments, the first question you might ask is what happens if an assignment expires? In this new version, we provide two options for this scenario:
134+
After administrators set up time-bound owner or member assignments, the first question you might ask is what happens if an assignment expires? In this new version, we provide two options for this scenario:
125135

126-
- Extend – When a role assignment nears expiration, the user can use Privileged Identity Management to request an extension for the role assignment
127-
- Renew – When a role assignment has already expired, the user can use Privileged Identity Management to request a renewal for the role assignment
136+
- **Extend** – When a role assignment nears expiration, the user can use Privileged Identity Management to request an extension for the role assignment
137+
- **Renew** – When a role assignment has already expired, the user can use Privileged Identity Management to request a renewal for the role assignment
128138

129139
Both user-initiated actions require an approval from a Global Administrator or Privileged Role Administrator. Admins don't need to be in the business of managing assignment expirations. You can just wait for the extension or renewal requests to arrive for simple approval or denial.
130140
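Review bot: the replacement of old lines 116-118 with new line 128 silently drops two pieces of security guidance with no replacement anywhere in the hunk: the recommendation to designate two or more approvers per role, and the statement that delegated approvers have 24 hours (a window that is not configurable) before the eligible user must resubmit the request. If that guidance is still accurate, keep it in the "Approve or deny" section, for example as a second paragraph after the new line 128; if it was removed because it is no longer true, the commit message "Final" should say so. Two smaller points: renaming the heading from "## Role assignment workflow" to "## Role assignment overview" (old line 87, new line 86) changes the generated anchor, so any link to `#role-assignment-workflow` from other articles will break unless a redirect or anchor is kept; and several of the added lines carry grammar errors that the old text did not, such as "It includes assign roles to members" (new line 88; "assigning roles"), "such activating, approve or deny a request" (new line 90; "such as activating, approving, or denying a request"), "starts by assign roles to members" (new line 98), "how administrator assigns" (new line 107; "how an administrator assigns"), and "activate their role to a limited time" (new line 118; "for a limited time").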
