Merge pull request #111400 from curtand/shaun0414

[Azure AD PIM] raise CSAT for getting started

Author: megvanhuygen

articles/active-directory/privileged-identity-management/pim-configure.md

@@ -10,7 +10,7 @@ ms.service: active-directory
 ms.workload: identity
 ms.subservice: pim
 ms.topic: overview
-ms.date: 11/08/2019
+ms.date: 04/21/2020
 ms.author: curtand
 ms.custom: pim 
 ms.collection: M365-identity-device-management
@@ -44,9 +44,7 @@ Once you set up Privileged Identity Management, you'll see **Tasks**, **Manage**
 
 ## Who can do what?
 
-If you're the first person to use Privileged Identity Management, you are automatically assigned the [Security Administrator](../users-groups-roles/directory-assign-admin-roles.md#security-administrator) and [Privileged Role Administrator](../users-groups-roles/directory-assign-admin-roles.md#privileged-role-administrator) roles in the directory.
-
-For Azure AD roles in Privileged Identity Management, only a user who is in the Privileged Role Administrator role can manage assignments for other administrators. You can [grant access to other administrators to manage Privileged Identity Management](pim-how-to-give-access-to-pim.md). Global Administrators, Security Administrators, Global readers, and Security Readers can also view assignments to Azure AD roles in Privileged Identity Management.
+For Azure AD roles in Privileged Identity Management, only a user who is in the Privileged role administrator or Global administrator role can manage assignments for other administrators. You can [grant access to other administrators to manage Privileged Identity Management](pim-how-to-give-access-to-pim.md). Global Administrators, Security Administrators, Global readers, and Security Readers can also view assignments to Azure AD roles in Privileged Identity Management.
 
 For Azure resource roles in Privileged Identity Management, only a subscription administrator, a resource Owner, or a resource User Access administrator can manage assignments for other administrators. Users who are Privileged Role Administrators, Security Administrators, or Security Readers do not by default have access to view assignments to Azure resource roles in Privileged Identity Management.
 

articles/active-directory/privileged-identity-management/pim-email-notifications.md

@@ -11,7 +11,7 @@ ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: conceptual
 ms.subservice: pim
-ms.date: 01/05/2019
+ms.date: 04/21/2020
 ms.author: curtand
 ms.reviewer: hanki
 ms.custom: pim
@@ -72,6 +72,18 @@ The email includes four tiles:
 
 The **Overview of your top roles** section lists the top five roles in your tenant based on total number of permanent and eligible administrators for each role. The **Take action** link opens the [PIM wizard](pim-security-wizard.md) where you can convert permanent administrators to eligible administrators in batches.
 
+## Email timing for activation approvals
+
+When users activates their role and the role setting requires approval, approvers will receive three emails for each approval:
+
+- Request to approve or deny the user's activation request (sent by the request approval engine)
+- The user's request is approved (sent by the request approval engine)
+- The user's role is activated (sent by Privileged Identity Management)
+
+The first two emails sent by the request approval engine can be delayed. Currently, 90% of emails take three to ten minutes, but for 1% customers it can be much longer, up to fifteen minutes.
+
+If an approval request is approved in the Azure portal before the first email is sent, the first email will no longer be triggered and other approvers won't be notified by email of the approval request. It might appear as if the they didn't get an email but it's the expected behavior.
+
 ## PIM emails for Azure resource roles
 
 Privileged Identity Management sends emails to Owners and User Access Administrators when the following events occur for Azure resource roles:

articles/active-directory/privileged-identity-management/pim-getting-started.md

@@ -11,16 +11,16 @@ ms.service: active-directory
 ms.subservice: pim
 ms.topic: conceptual
 ms.workload: identity
-ms.date: 03/13/2020
+ms.date: 04/21/2020
 ms.author: curtand
 ms.custom: pim  
 ms.collection: M365-identity-device-management
 ---
 # Start using Privileged Identity Management
 
-With Privileged Identity Management (PIM), you can manage, control, and monitor access within your Azure Active Directory (Azure AD) organization. This scope includes access to Azure resources, Azure AD, and other Microsoft online services like Office 365 or Microsoft Intune.
+This article describes how to enable Privileged Identity Management (PIM) and get started using it.
 
-This article describes how to enable and get started using Privileged Identity Management.
+Use Privileged Identity Management (PIM) to manage, control, and monitor access within your Azure Active Directory (Azure AD) organization. With PIM you can provide as-needed and just-in-time access to Azure resources, Azure AD, and other Microsoft online services like Office 365 or Microsoft Intune.
 
 ## Prerequisites
 
@@ -31,29 +31,38 @@ To use Privileged Identity Management, you must have one of the following licens
 
 For more information, see [License requirements to use Privileged Identity Management](subscription-requirements.md).
 
-## Sign up PIM for Azure AD roles
+## Prepare PIM for Azure AD roles
 
-Once you have enabled Privileged Identity Management for your directory, you'll need to sign up Privileged Identity Management to manage Azure AD roles.
+Once you have enabled Privileged Identity Management for your directory, you can prepare Privileged Identity Management to manage Azure AD roles.
 
-1. Open **Azure AD Privileged Identity Management**.
+You should get started with Azure AD roles in the following order:
 
-1. Select **Azure AD roles**.
+1. [Configure role settings](pim-how-to-change-default-settings.md).
+1. [Give eligible assignments](pim-how-to-add-role-to-user.md).
+1. [Allow eligible users to activate their role just-in-time](pim-how-to-activate-role.md).
 
-    ![Sign up Privileged Identity Management for Azure AD roles](./media/pim-getting-started/sign-up-pim-azure-ad-roles.png)
+## Prepare PIM for Azure roles
 
-1. Select **Sign up**.
+Once you have enabled Privileged Identity Management for your directory, you can prepare Privileged Identity Management to manage Azure roles for Azure resource access on a subscription.
 
-1. In the message that appears, click **Yes** to sign up Privileged Identity Management to manage Azure AD roles.
+You should get started with Azure roles in the following order:
+
+1. [Discover Azure resources](pim-resource-roles-discover-resources.md)
+1. [Configure role settings](pim-resource-roles-configure-role-settings.md).
+1. [Give eligible assignments](pim-resource-roles-assign-roles.md).
+1. [Allow eligible users to activate their roles just-in-time](pim-resource-roles-activate-your-roles.md).
+
+I think this is good, can we also add a section for Azure Resource roles. You can add the same three though they will link to the Azure Resource doc. And before these 3 points, Azure Resource will require customers to discover resources
+ 
+
+https://review.docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-discover-resources?branch=pr-en-us-111400
 
-    ![Sign up Privileged Identity Management for Azure AD roles message](./media/pim-getting-started/sign-up-pim-message.png)
 
-    When sign up completes, the Azure AD options will be enabled. You might need to refresh the portal.
 
-    For information about how to discover and select the Azure resources to protect with Privileged Identity Management, see [Discover Azure resources to manage in Privileged Identity Management](pim-resource-roles-discover-resources.md).
 
 ## Navigate to your tasks
 
-Once Privileged Identity Management is set up, you can start your identity management tasks.
+Once Privileged Identity Management is set up, you can learn your way around.
 
 ![Navigation window in Privileged Identity Management showing Tasks and Manage options](./media/pim-getting-started/pim-quickstart-tasks.png)
 
@@ -63,12 +72,12 @@ Once Privileged Identity Management is set up, you can start your identity manag
 | **My requests** | Displays your pending requests to activate eligible role assignments. |
 | **Approve requests** | Displays a list of requests to activate eligible roles by users in your directory that you are designated to approve. |
 | **Review access** | Lists active access reviews you are assigned to complete, whether you're reviewing access for yourself or someone else. |
-| **Azure AD roles** | Displays a dashboard and settings for privileged role administrators to manage Azure AD role assignments. This dashboard is disabled for anyone who isn't a privileged role administrator. These users have access to a special dashboard titled My view. The My view dashboard only displays information about the user accessing the dashboard, not the entire tenant. |
-| **Azure resources** | Displays a dashboard and settings for privileged role administrators to manage Azure resource role assignments. This dashboard is disabled for anyone who isn't a privileged role administrator. These users have access to a special dashboard titled My view. The My view dashboard only displays information about the user accessing the dashboard, not the entire tenant. |
+| **Azure AD roles** | Displays a dashboard and settings for Privileged role administrators to manage Azure AD role assignments. This dashboard is disabled for anyone who isn't a privileged role administrator. These users have access to a special dashboard titled My view. The My view dashboard only displays information about the user accessing the dashboard, not the entire tenant. |
+| **Azure resources** | Displays a dashboard and settings for Privileged role administrators to manage Azure resource role assignments. This dashboard is disabled for anyone who isn't a privileged role administrator. These users have access to a special dashboard titled My view. The My view dashboard only displays information about the user accessing the dashboard, not the entire tenant. |
 
 ## Add a PIM tile to the dashboard
 
-To make it easier to open Privileged Identity Management, add a Privileged Identity Management tile to your Azure portal dashboard.
+To make it easier to open Privileged Identity Management, add a PIM tile to your Azure portal dashboard.
 
 1. Sign in to the [Azure portal](https://portal.azure.com/).
 
@@ -89,4 +98,4 @@ To make it easier to open Privileged Identity Management, add a Privileged Ident
 ## Next steps
 
 - [Assign Azure AD roles in Privileged Identity Management](pim-how-to-add-role-to-user.md)
-- [Discover Azure resources to manage in Privileged Identity Management](pim-resource-roles-discover-resources.md)
+- [Manage Azure resource access in Privileged Identity Management](pim-resource-roles-discover-resources.md)

articles/active-directory/privileged-identity-management/pim-security-wizard.md

@@ -11,7 +11,7 @@ ms.service: active-directory
 ms.topic: conceptual
 ms.workload: identity
 ms.subservice: pim
-ms.date: 11/08/2019
+ms.date: 04/21/2020
 ms.author: curtand
 ms.custom: pim ; H1Hack27Feb2017
 ms.collection: M365-identity-device-management
@@ -21,14 +21,17 @@ ms.collection: M365-identity-device-management
 
 If you're the first person to use Privileged Identity Management (PIM) in your Azure Active Directory (Azure AD)organization, you are presented with a wizard to get started. The wizard helps you understand the security risks of privileged identities and how to use Privileged Identity Management to reduce those risks. You don't need to make any changes to existing role assignments in the wizard, if you prefer to do it later.
 
+> [!Important]
+> The security wizard is temporarily unavailable. Thank you for your patience.
+
 ## Wizard overview
 
 Before your organization starts using Privileged Identity Management, all role assignments are permanent: the users are always in these roles even if they do not presently need their privileges. The first step of the wizard shows you a list of high-privileged roles and how many users are currently in those roles. You can drill in to a particular role to learn more about users if one or more of them are unfamiliar.
 
 The second step of the wizard gives you an opportunity to change administrator's role assignments.  
 
 > [!WARNING]
-> It is important that you have at least one Global administrator, and more than one Privileged role administrator with an organizational account (not a Microsoft account). If there is only one Privileged role administrator, the organization can't manage Privileged Identity Management if that account is deleted.
+> It is important that you have at least one Global administrator, and more than one Privileged role administrator with a work or school account (not a Microsoft account). If there is only one Privileged role administrator, the organization can't manage Privileged Identity Management if that account is deleted.
 > Also, keep role assignments permanent if a user has a Microsoft account (in other words, an account they use to sign in to Microsoft services like Skype and Outlook.com). If you plan to require multi-factor authentication for activation for that role, that user will be locked out.
 
 ## Run the wizard