Update 7-secure-access-conditional-access.md

v-edmckillop · web-flow · commit 99773e046060 · 2023-02-22T13:04:35.000-08:00
diff --git a/articles/active-directory/fundamentals/7-secure-access-conditional-access.md b/articles/active-directory/fundamentals/7-secure-access-conditional-access.md
@@ -14,78 +14,100 @@ ms.reviewer: ajburnle
 ms.custom: "it-pro, seodec18"
 ms.collection: M365-identity-device-management
 ---
+
 # Manage external access to resources with Conditional Access policies 
 
-[Conditional Access](../conditional-access/overview.md) is the tool Azure AD uses to bring together signals, enforce policies, and determine whether a user should be allowed access to resources. For detailed information on how to create and use Conditional Access policies (Conditional Access policies), see [Plan a Conditional Access deployment](../conditional-access/plan-conditional-access.md). 
+Conditional Access interprets signals, enforces policies, and determines if a user is granted access to resources. In this article, learn about applying Conditional Access policies to external users. The article assumes you might not have access to entitlement management, which can be used with Conditional Access. 
+
+Learn more: 
+
+* [What is Conditional Access?](../conditional-access/overview.md)
+* [Plan a Conditional Access deployment](../conditional-access/plan-conditional-access.md)
+* [What is entitlement management?](../governance/entitlement-management-overview.md)
 
-![Diagram of Conditional Access signals and decisions](media/secure-external-access//7-conditional-access-signals.png)
+The following diagram illustrates signals to Conditional Access that trigger access processes. 
 
-This article discusses applying Conditional Access policies to external users and assumes you don’t have access to [Entitlement Management](../governance/entitlement-management-overview.md) functionality. Conditional Access policies can be and are used alongside Entitlement Management.
+   ![Diagram of Conditional Access signals and decisions.](media/secure-external-access//7-conditional-access-signals.png)
 
-Earlier in this document set, you [created a security plan](3-secure-access-plan.md) that outlined:
+## Align a security plan with Conditional Access polices
 
-* Applications and resources have the same security requirements and can be grouped for access.
-* Sign-in requirements for external users.
+In the third article, in the set of ten articles, there is guidance on creating a security plan. Use that plan to help create Conditional Access policies for external access. Part of the security plan includes:
 
-You’ll use that plan to create your Conditional Access policies for external access. 
+* Grouped applications and resources for simplified access
+* Sign-in requirements for external users
 
 > [!IMPORTANT]
-> Create several internal and external user test accounts so that you can test the policies you create before applying them.
+> Create internal and external user test accounts to test policies before applying them.
+
+See article three, [Create a security plan for external access to resources](3-secure-access-plan.md)
 
 ## Conditional Access policies for external access
 
-The following are best practices related to governing external access with Conditional Access policies.
+The following sections are best practices for governing external access with Conditional Access policies.
+
+### Entitlement management or groups
+
+If you can’t use connected organizations in entitlement management, create an Azure AD security group, or Microsoft 365 Group for partner organizations. Assign users from that partner to the group. You can use the groups in Conditional Access policies.
+
+Learn more: 
+
+* [What is entitlement management?](../governance/entitlement-management-overview.md)
+* [Manage Azure Active Directory groups and group membership](how-to-manage-groups.md)
+* [Overview of Microsoft 365 Groups for administrators](/microsoft-365/admin/create-groups/office-365-groups?view=o365-worldwide&preserve-view=true)
+
+
+### Conditional Access policy creation
 
-* If you can’t use connected organizations in Entitlement Management, create an Azure AD security group or Microsoft 365 group for each partner organization you work with. Assign all users from that partner to the group. You may then use those groups in Conditional Access policies.
+Create as few Conditional Access policies as possible. For applications that have the same access needs, add them all to the same policy.  
 
-* Create as few Conditional Access policies as possible. For applications that have the same access needs, add them all to the same policy.  
+Conditional Access policies can apply to a maximum of 250 applications. If more than 250 Apps have the same access needs, create duplicate policies. Policy A will apply to apps 1-250, policy B will apply to apps 251-500, etc.
 
-   > [!NOTE]
-   > Conditional Access policies can apply to a maximum of 250 applications. If more than 250 Apps have the same access needs, create duplicate policies. Policy A will apply to apps 1-250, policy B will apply to apps 251-500, etc.
+### Naming convention
 
-* Clearly name policies specific to external access with a naming convention. One naming convention is *ExternalAccess_actiontaken_AppGroup*. For example a policy for external access that blocks access to finance apps, called ExternalAccess_Block_FinanceApps.
+Use a naming convention that clarifies policy purpose. External access examples are:
 
-## Block all external users from resources
+* ExternalAccess_actiontaken_AppGroup
+* ExternalAccess_Block_FinanceApps
 
-You can block external users from accessing specific sets of resources with Conditional Access policies. Once you’ve determined the set of resources to which you want to block access, create a policy.
+## Block external users from resources
 
-To create a policy that blocks access for external users to a set of applications:
+You can block external users from accessing resources with Conditional Access policies. 
 
-1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.
-1. Browse to **Azure Active Directory** > **Security** > **Conditional Access**.
-1. Select **New policy**.
-1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies, for example ExternalAccess_Block_FinanceApps.
-1. Under **Assignments**, select **Users or workload identities**.
-   1. Under **Include**, select **All guests and external users**. 
-   1. Under **Exclude**, select **Users and groups** and choose your organization's [emergency access or break-glass accounts](../roles/security-emergency-access.md). 
-   1. Select **Done**.
-1. Under **Cloud apps or actions** > **Include**, select **All cloud apps**.
-   1. Under **Exclude**, select any applications that shouldn’t be blocked.
-1. Under **Access controls** > **Grant**, select **Block access**, and choose **Select**.
-1. Confirm your settings and set **Enable policy** to **Report-only**.
-1. Select **Create** to create to enable your policy.
+Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.
+Browse to **Azure Active Directory** > **Security** > **Conditional Access**.
+Select **New policy**.
+Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies, for example ExternalAccess_Block_FinanceApps.
+Under **Assignments**, select **Users or workload identities**.
+Under **Include**, select **All guests and external users**. 
+Under **Exclude**, select **Users and groups** and choose your organization's [emergency access or break-glass accounts](../roles/security-emergency-access.md). 
+Select **Done**.
+Under **Cloud apps or actions** > **Include**, select **All cloud apps**.
+Under **Exclude**, select any applications that shouldn’t be blocked.
+Under **Access controls** > **Grant**, select **Block access**, and choose **Select**.
+Confirm your settings and set **Enable policy** to **Report-only**.
+Select **Create** to create to enable your policy.
 
 After confirming your settings using [report-only mode](../conditional-access/howto-conditional-access-insights-reporting.md), an administrator can move the **Enable policy** toggle from **Report-only** to **On**.
 
 ### Block external access to all except specific external users
 
 There may be times you want to block external users except a specific group. For example, you may want to block all external users except those working for the finance team from the finance applications. To do this [Create a security group](active-directory-groups-create-azure-portal.md) to contain the external users who should access the finance applications:
 
-1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.
-1. Browse to **Azure Active Directory** > **Security** > **Conditional Access**.
-1. Select **New policy**.
-1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies, for example ExternalAccess_Block_AllButFinance.
-1. Under **Assignments**, select **Users or workload identities**.
-   1. Under **Include**, select **All guests and external users**. 
-   1. Under **Exclude**, select **Users and groups**, 
-      1. Choose your organization's [emergency access or break-glass accounts](../roles/security-emergency-access.md). 
-      1. Choose the security group of external users you want to exclude from being blocked from specific applications.
-   1. Select **Done**.
-1. Under **Cloud apps or actions** > **Include**, select **All cloud apps**.
-   1. Under **Exclude**, select the finance applications that shouldn’t be blocked.
-1. Under **Access controls** > **Grant**, select **Block access**, and choose **Select**.
-1. Confirm your settings and set **Enable policy** to **Report-only**.
-1. Select **Create** to create to enable your policy.
+Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.
+Browse to **Azure Active Directory** > **Security** > **Conditional Access**.
+Select **New policy**.
+Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies, for example ExternalAccess_Block_AllButFinance.
+Under **Assignments**, select **Users or workload identities**.
+Under **Include**, select **All guests and external users**. 
+Under **Exclude**, select **Users and groups**, 
+Choose your organization's [emergency access or break-glass accounts](../roles/security-emergency-access.md). 
+Choose the security group of external users you want to exclude from being blocked from specific applications.
+Select **Done**.
+Under **Cloud apps or actions** > **Include**, select **All cloud apps**.
+Under **Exclude**, select the finance applications that shouldn’t be blocked.
+Under **Access controls** > **Grant**, select **Block access**, and choose **Select**.
+Confirm your settings and set **Enable policy** to **Report-only**.
+Select **Create** to create to enable your policy.
 
 After confirming your settings using [report-only mode](../conditional-access/howto-conditional-access-insights-reporting.md), an administrator can move the **Enable policy** toggle from **Report-only** to **On**.
 
