Merge pull request #246354 from billmath/pim3

updating

Author: prmerger-automator[bot]

articles/active-directory/privileged-identity-management/concept-pim-for-groups.md

@@ -11,7 +11,7 @@ ms.subservice: pim
 ms.topic: overview
 ms.tgt_pltfrm: na
 ms.workload: identity
-ms.date: 6/7/2023
+ms.date: 8/15/2023
 ms.author: billmath
 ms.custom: pim 
 ms.collection: M365-identity-device-management
@@ -72,6 +72,19 @@ One group can be an eligible member of another group, even if one of those group
 
 If a user is an active member of Group A, and Group A is an eligible member of Group B, the user can activate their membership in Group B. This activation will be only for the user that requested the activation for, it does not mean that the entire Group A becomes an active member of Group B.
 
+## Privileged Identity Management and app provisioning (Public Preview)
+
+If the group is configured for [app provisioning](../app-provisioning/index.yml), activation of group membership will trigger provisioning of group membership (and user account itself if it wasn’t provisioned previously) to the application using SCIM protocol. 
+
+In Public Preview we have a functionality that triggers provisioning right after group membership is activated in PIM.
+Provisioning configuration depends on the application. Generally, we recommend having at least two groups assigned to the application. Depending on the number of roles in your application, you may choose to define additional “privileged groups.”:
+
+
+|Group|Purpose|Members|Group membership|Role assigned in the application|
+|-----|-----|-----|-----|-----|
+|All users group|Ensure that all users that need access to the application are constantly provisioned to the application.|All users that need to access application.|Active|None, or low-privileged role|
+|Privileged group|Provide just-in-time access to privileged role in the application.|Users that need to have just-in-time access to privileged role in the application.|Eligible|Privileged role|
+
 ## Next steps
 
 - [Bring groups into Privileged Identity Management](groups-discover-groups.md)