Added Part 3

AlizaBernstein · AlizaBernstein · commit a5e7ccbd4636 · 2024-03-12T14:58:30.000+02:00
diff --git a/articles/defender-for-cloud/management-groups-roles.md b/articles/defender-for-cloud/management-groups-roles.md
@@ -1,8 +1,8 @@
 ---
 title: Organize subscriptions into management groups and assign roles to users
-description: Learn how to organize your Azure subscriptions into management groups in Microsoft Defender for Cloud and assign roles to users in your organization
+description: Learn how to organize your Azure subscriptions into management groups in Microsoft Defender for Cloud and assign roles to users in your organization.
 ms.topic: how-to
-ms.date: 01/24/2023
+ms.date: 03/12/2024
 ms.custom: subject-rbac-steps
 ---
 
@@ -22,7 +22,7 @@ Each Microsoft Entra tenant is given a single top-level management group called
 
 The root management group is created automatically when you do any of the following actions:
 
-- In the [Azure portal](https://portal.azure.com), select **Management Groups** .
+- In the [Azure portal](https://portal.azure.com), select **Management Groups**.
 - Create a management group with an API call.
 - Create a management group with PowerShell. For PowerShell instructions, see [Create management groups for resource and organization management](../governance/management-groups/create-management-group-portal.md).
 
@@ -38,7 +38,7 @@ For a detailed overview of management groups, see the [Organize your resources w
 
 1. To create a management group, select **Create**, enter the relevant details, and select **Submit**.
 
-    :::image type="content" source="media/management-groups-roles/add-management-group.png" alt-text="Adding a management group to Azure.":::
+    :::image type="content" source="media/management-groups-roles/add-management-group.png" alt-text="Adding a management group to Azure." lightbox="media/management-groups-roles/add-management-group.png":::
 
     - The **Management Group ID** is the directory unique identifier that is used to submit commands on this management group. This identifier isn't editable after creation as it is used throughout the Azure system to identify this group.
 
@@ -58,10 +58,10 @@ You can add subscriptions to the management group that you created.
 
 1. From the subscriptions page, select **Add**, then select your subscriptions and select **Save**. Repeat until you've added all the subscriptions in the scope.
 
-    :::image type="content" source="./media/management-groups-roles/management-group-add-subscriptions.png" alt-text="Adding a subscription to a management group.":::
+    :::image type="content" source="./media/management-groups-roles/management-group-add-subscriptions.png" alt-text="Adding a subscription to a management group." lightbox="media/management-groups-roles/management-group-add-subscriptions.png":::
 
    > [!IMPORTANT]
-   > Management groups can contain both subscriptions and child management  groups. When you assign a user an Azure role to the parent management group, the access is inherited by the child management group's subscriptions. Policies set at the parent management group are also inherited by the children.
+   > Management groups can contain both subscriptions and child management groups. When you assign a user an Azure role to the parent management group, the access is inherited by the child management group's subscriptions. Policies set at the parent management group are also inherited by the children.
 
 ## Assign Azure roles to other users
 
@@ -75,11 +75,11 @@ You can add subscriptions to the management group that you created.
 
 1. Select **Access control (IAM)**, open the **Role assignments** tab and select **Add** > **Add role assignment**.
 
-    :::image type="content" source="./media/management-groups-roles/add-user.png" alt-text="Adding a user to a management group.":::
+    :::image type="content" source="./media/management-groups-roles/add-user.png" alt-text="Adding a user to a management group."  lightbox="media/management-groups-roles/add-user.png":::
 
 1. From the **Add role assignment** page, select the relevant role.
 
-    :::image type="content" source="./media/management-groups-roles/add-role-assignment-page.png" alt-text="Add role assignment page.":::
+    :::image type="content" source="./media/management-groups-roles/add-role-assignment-page.png" alt-text="Add role assignment page." lightbox="media/management-groups-roles/add-role-assignment-page.png":::
 
 1. From the **Members** tab, select **+ Select members** and assign the role to the relevant members.
 
@@ -115,7 +115,7 @@ You can add subscriptions to the management group that you created.
 
 ## Remove elevated access
 
-Once the Azure roles have been assigned to the users, the tenant administrator should remove itself from the user access administrator role.
+Once the Azure roles are assigned to the users, the tenant administrator should remove itself from the user access administrator role.
 
 1. Sign in to the [Azure portal](https://portal.azure.com).
 
diff --git a/articles/defender-for-cloud/quickstart-onboard-devops.md b/articles/defender-for-cloud/quickstart-onboard-devops.md
@@ -1,20 +1,20 @@
 ---
 title: Connect your Azure DevOps organizations
 description: Learn how to connect your Azure DevOps environment to Defender for Cloud.
-ms.date: 01/24/2023
+ms.date: 03/12/2024
 ms.topic: quickstart
 ms.custom: ignite-2023
 ---
 
 # Quickstart: Connect your Azure DevOps Environment to Microsoft Defender for Cloud
 
-In this quickstart, you will connect your Azure DevOps organizations on the **Environment settings** page in Microsoft Defender for Cloud. This page provides a simple onboarding experience to autodiscover your Azure DevOps repositories.
+This quickstart shows you how to connect your Azure DevOps organizations on the **Environment settings** page in Microsoft Defender for Cloud. This page provides a simple onboarding experience to autodiscover your Azure DevOps repositories.
 
 By connecting your Azure DevOps organizations to Defender for Cloud, you extend the security capabilities of Defender for Cloud to your Azure DevOps resources. These features include:
 
 - **Foundational Cloud Security Posture Management (CSPM) features**: You can assess your Azure DevOps security posture through Azure DevOps-specific security recommendations. You can also learn about all the [recommendations for DevOps](recommendations-reference.md) resources.
 
-- **Defender CSPM features**: Defender CSPM customers receive code to cloud contextualized attack paths, risk assessments, and insights to identify the most critical weaknesses that attackers can use to breach their environment. Connecting your Azure DevOps repositories allows you to contextualize DevOps security findings with your cloud workloads and identify the origin and developer for timely remediation. For more information, learn how to [identify and analyze risks across your environment](concept-attack-path.md)
+- **Defender CSPM features**: Defender CSPM customers receive code to cloud contextualized attack paths, risk assessments, and insights to identify the most critical weaknesses that attackers can use to breach their environment. Connecting your Azure DevOps repositories allows you to contextualize DevOps security findings with your cloud workloads and identify the origin and developer for timely remediation. For more information, learn how to [identify and analyze risks across your environment](concept-attack-path.md).
 
 API calls that Defender for Cloud performs count against the [Azure DevOps global consumption limit](/azure/devops/integrate/concepts/rate-limits). For more information, see the [common questions about DevOps security in Defender for Cloud](faq-defender-for-devops.yml).
 
@@ -30,7 +30,7 @@ To complete this quickstart, you need:
 |--|--|
 | Release state: | General Availability. |
 | Pricing: | For pricing, see the Defender for Cloud [pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/?v=17.23h#pricing). |
-| Required permissions: | **Account Administrator** with permissions to sign in to the Azure portal. <br> **Contributor** to create a connector on the Azure subscription. <br> **Project Collection Administrator** on the Azure DevOps Organization. <br> **Basic or Basic + Test Plans Access Level** on the Azure DevOps Organization. <br> _Please ensure you have BOTH Project Collection Administrator permissions and Basic Access Level for all Azure DevOps organizations you wish to onboard. Stakeholder Access Level is not sufficient._ <br> **Third-party application access via OAuth**, which must be set to `On` on the Azure DevOps Organization. [Learn more about OAuth and how to enable it in your organizations](/azure/devops/organizations/accounts/change-application-access-policies).|
+| Required permissions: | **Account Administrator** with permissions to sign in to the Azure portal. <br> **Contributor** to create a connector on the Azure subscription. <br> **Project Collection Administrator** on the Azure DevOps Organization. <br> **Basic or Basic + Test Plans Access Level** on the Azure DevOps Organization. <br> _Make sure you have BOTH Project Collection Administrator permissions and Basic Access Level for all Azure DevOps organizations you wish to onboard. Stakeholder Access Level is not sufficient._ <br> **Third-party application access via OAuth**, which must be set to `On` on the Azure DevOps Organization. [Learn more about OAuth and how to enable it in your organizations](/azure/devops/organizations/accounts/change-application-access-policies).|
 | Regions and availability: | Refer to the [support and prerequisites](devops-support.md) section for region support and feature availability.  |
 | Clouds: | :::image type="icon" source="media/quickstart-onboard-github/check-yes.png" border="false"::: Commercial <br> :::image type="icon" source="media/quickstart-onboard-github/x-no.png" border="false"::: National (Azure Government, Microsoft Azure operated by 21Vianet) |
 
@@ -40,7 +40,7 @@ To complete this quickstart, you need:
 ## Connect your Azure DevOps organization
 
 > [!NOTE]
-> After connecting Azure DevOps to Defender for Cloud, the Microsoft Defender for DevOps Container Mapping extension will be automatically shared and installed on all connected Azure DevOps organizations. This extension allows Defender for Cloud to extract metadata from pipelines, such as a container's digest ID and name. This metadata is used to connect DevOps entities with their related cloud resources. [Learn more about container mapping.](container-image-mapping.md)
+> After connecting Azure DevOps to Defender for Cloud, the Microsoft Defender for DevOps Container Mapping extension will be automatically shared and installed on all connected Azure DevOps organizations. This extension allows Defender for Cloud to extract metadata from pipelines, such as a container's digest ID and name. This metadata is used to connect DevOps entities with their related cloud resources. [Learn more about container mapping](container-image-mapping.md).
 
 To connect your Azure DevOps organization to Defender for Cloud by using a native connector:
 
@@ -64,28 +64,28 @@ To connect your Azure DevOps organization to Defender for Cloud by using a nativ
 
 1. Select **Next: Configure access**.
 
-1. Select **Authorize**. Ensure you are authorizing the correct Azure Tenant using the drop-down menu in [Azure DevOps](https://aex.dev.azure.com/me?mkt) and by verifying you are in the correct Azure Tenant in Defender for Cloud.
+1. Select **Authorize**. Ensure you're authorizing the correct Azure Tenant using the drop-down menu in [Azure DevOps](https://aex.dev.azure.com/me?mkt) and by verifying you're in the correct Azure Tenant in Defender for Cloud.
 
 1. In the popup dialog, read the list of permission requests, and then select **Accept**.
 
-    :::image type="content" source="media/quickstart-onboard-ado/accept.png" alt-text="Screenshot that shows the button for accepting permissions.":::
+    :::image type="content" source="media/quickstart-onboard-ado/accept.png" alt-text="Screenshot that shows the button for accepting permissions."  lightbox="media/quickstart-onboard-ado/accept.png":::
 
 1. For Organizations, select one of the following options:
 
-    - Select **all existing organizations** to auto-discover all projects and repositories in organizations you are currently a Project Collection Administrator in.
-    - Select **all existing and future organizations** to auto-discover all projects and repositories in all current and future organizations you are a Project Collection Administrator in.
+    - Select **all existing organizations** to auto-discover all projects and repositories in organizations you're currently a Project Collection Administrator in.
+    - Select **all existing and future organizations** to auto-discover all projects and repositories in all current and future organizations you're a Project Collection Administrator in.
 
     > [!NOTE]
     > **Third-party application access via OAuth** must be set to `On` on for each Azure DevOps Organization. [Learn more about OAuth and how to enable it in your organizations](/azure/devops/organizations/accounts/change-application-access-policies).
 
-    Since Azure DevOps repositories are onboarded at no additional cost, autodiscover is applied across the organization to ensure Defender for Cloud can comprehensively assess the security posture and respond to security threats across your entire DevOps ecosystem. Organizations can later be manually added and removed through **Microsoft Defender for Cloud** > **Environment settings**.
+    Since Azure DevOps repositories are onboarded at no extra cost, autodiscover is applied across the organization to ensure Defender for Cloud can comprehensively assess the security posture and respond to security threats across your entire DevOps ecosystem. Organizations can later be manually added and removed through **Microsoft Defender for Cloud** > **Environment settings**.
 
 1. Select **Next: Review and generate**.
 
 1. Review the information, and then select **Create**.
 
 > [!NOTE]
-> To ensure proper functionality of advanced DevOps posture capabilities in Defender for Cloud, only one instance of an Azure DevOps organization can be onboarded to the Azure Tenant you are creating a connector in.
+> To ensure proper functionality of advanced DevOps posture capabilities in Defender for Cloud, only one instance of an Azure DevOps organization can be onboarded to the Azure Tenant you're creating a connector in.
 
 The **DevOps security** blade shows your onboarded repositories grouped by Organization. The **Recommendations** blade shows all security assessments related to Azure DevOps repositories.
 
