Merge pull request #107511 from JnHs/jh-al-backupreports

add backup reports info

Author: PRMerger19

articles/lighthouse/concepts/cross-tenant-management-experience.md

@@ -1,7 +1,7 @@
 ---
 title: Cross-tenant management experiences
 description: Azure delegated resource management enables a cross-tenant management experience.
-ms.date: 03/05/2020
+ms.date: 03/12/2020
 ms.topic: conceptual
 ---
 
@@ -24,7 +24,7 @@ Azure delegated resource management allows greater flexibility to manage resourc
 
 ![Three customer tenants showing service provider responsibilities](../media/azure-delegated-resource-management-customer-tenants.jpg)
 
-Using Azure delegated resource management, authorized users can sign in to the service provider’s tenant to access these resources, as shown here:
+Using Azure delegated resource management, authorized users can sign in to the service provider's tenant to access these resources, as shown here:
 
 ![Customer resources managed through one service provider tenant](../media/azure-delegated-resource-management-service-provider-tenant.jpg)
 
@@ -58,6 +58,7 @@ Most tasks and services can be performed on delegated resources across managed t
 
 - Back up and restore customer data in customer tenants
 - Use the [Backup Explorer](../../backup/monitor-azure-backup-with-backup-explorer.md) to help view operational information of backup items (including Azure resources not yet configured for backup) and monitoring information (jobs and alerts) for delegated subscriptions. The Backup Explorer is currently available only for Azure VM data.
+- Use [Backup Reports](../../backup/configure-reports.md) across delegated subscriptions to track historical trends, analyze backup storage consumption, and audit backups and restores.
 
 [Azure Kubernetes Service (AKS)](../../aks/index.yml):
 
@@ -85,15 +86,15 @@ Most tasks and services can be performed on delegated resources across managed t
 [Azure Security Center](../../security-center/index.yml):
 
 - Cross-tenant visibility
-  - Monitor compliance to security policies and ensure security coverage across all tenants’ resources
+  - Monitor compliance to security policies and ensure security coverage across all tenants' resources
   - Continuous regulatory compliance monitoring across multiple customers in a single view
   - Monitor, triage, and prioritize actionable security recommendations with secure score calculation
 - Cross-tenant security posture management
   - Manage security policies
   - Take action on resources that are out of compliance with actionable security recommendations
   - Collect and store security-related data
 - Cross-tenant threat detection and protection
-  - Detect threats across tenants’ resources
+  - Detect threats across tenants' resources
   - Apply advanced threat protection controls such as just-in-time (JIT) VM access
   - Harden network security group configuration with Adaptive Network Hardening
   - Ensure servers are running only the applications and processes they should be with adaptive application controls
@@ -131,10 +132,10 @@ Support requests:
 ## Current limitations
 With all scenarios, please be aware of the following current limitations:
 
-- Requests handled by Azure Resource Manager can be performed using Azure delegated resource management. The operation URIs for these requests start with `https://management.azure.com`. However, requests that are handled by an instance of a resource type (such as KeyVault secrets access or storage data access) aren’t supported with Azure delegated resource management. The operation URIs for these requests typically start with an address that is unique to your instance, such as `https://myaccount.blob.core.windows.net` or `https://mykeyvault.vault.azure.net/`. The latter also are typically data operations rather than management operations. 
+- Requests handled by Azure Resource Manager can be performed using Azure delegated resource management. The operation URIs for these requests start with `https://management.azure.com`. However, requests that are handled by an instance of a resource type (such as KeyVault secrets access or storage data access) aren't supported with Azure delegated resource management. The operation URIs for these requests typically start with an address that is unique to your instance, such as `https://myaccount.blob.core.windows.net` or `https://mykeyvault.vault.azure.net/`. The latter also are typically data operations rather than management operations. 
 - Role assignments must use role-based access control (RBAC) [built-in roles](../../role-based-access-control/built-in-roles.md). All built-in roles are currently supported with Azure delegated resource management except for Owner or any built-in roles with [DataActions](../../role-based-access-control/role-definitions.md#dataactions) permission. The User Access Administrator role is supported only for limited use in [assigning roles to managed identities](../how-to/deploy-policy-remediation.md#create-a-user-who-can-assign-roles-to-a-managed-identity-in-the-customer-tenant).  Custom roles and [classic subscription administrator roles](../../role-based-access-control/classic-administrators.md) are not supported.
-- While you can onboard subscriptions that use Azure Databricks, users in the managing tenant can’t launch Azure Databricks workspaces on a delegated subscription at this time.
-- While you can onboard subscriptions and resource groups for Azure delegated resource management which have resource locks, those locks will not prevent actions from being performed by users in the managing tenant. [Deny assignments](../../role-based-access-control/deny-assignments.md) that protect system-managed resources, such as those created by Azure managed applications or Azure Blueprints (system-assigned deny assignments), do prevent users in the managing tenant from acting on those resources; however, at this time users in the customer tenant can’t create their own deny assignments (user-assigned deny assignments).
+- While you can onboard subscriptions that use Azure Databricks, users in the managing tenant can't launch Azure Databricks workspaces on a delegated subscription at this time.
+- While you can onboard subscriptions and resource groups for Azure delegated resource management which have resource locks, those locks will not prevent actions from being performed by users in the managing tenant. [Deny assignments](../../role-based-access-control/deny-assignments.md) that protect system-managed resources, such as those created by Azure managed applications or Azure Blueprints (system-assigned deny assignments), do prevent users in the managing tenant from acting on those resources; however, at this time users in the customer tenant can't create their own deny assignments (user-assigned deny assignments).
 
 ## Next steps