Merge pull request #291258 from rolyon/rolyon-rbac-check-access-redesign-v2

[Azure RBAC] Check access redesign v2

Author: AnnaMHuff

articles/role-based-access-control/check-access.md

@@ -6,7 +6,7 @@ author: rolyon
 manager: amycolannino
 ms.service: role-based-access-control
 ms.topic: quickstart
-ms.date: 07/18/2023
+ms.date: 12/12/2024
 ms.author: rolyon
 ms.custom: mode-other
 #Customer intent: As a new user, I want to quickly see access for myself, user, group, or application, to make sure they have the appropriate permissions.
@@ -28,51 +28,73 @@ Follow these steps to open the Azure resource that you want to check access for.
 
 1. Open the Azure resource you want to check access for, such as **Management groups**, **Subscriptions**, **Resource groups**, or a particular resource.
 
-1. Click the specific resource in that scope.
+1. Select the specific resource in that scope.
 
     The following shows an example resource group.
 
-    ![Screenshot of resource group overview.](./media/shared/rg-overview.png)
+    :::image type="content" source="./media/shared/rg-overview.png" alt-text="Screenshot of resource group overview." lightbox="./media/shared/rg-overview.png":::
 
-## Step 2: Check access for a user
+## Step 2: Check your access
 
-Follow these steps to check the access for a single user, group, service principal, or managed identity to the previously selected Azure resource.
+Follow these steps to check your access to the previously selected Azure resource.
+
+If you have a Microsoft Entra ID P2 or Microsoft Entra ID Governance license, [Microsoft Entra Privileged Identity Management (PIM)](/entra/id-governance/privileged-identity-management/pim-configure) functionality is integrated so you should follow the steps on the **PIM** tab.
+
+# [Default](#tab/default)
 
-1. Click **Access control (IAM)**.
+1. Select **Access control (IAM)**.
 
     The following shows an example of the Access control (IAM) page for a resource group.
 
-    ![Screenshot of resource group access control and Check access tab.](./media/shared/rg-access-control.png)
+    :::image type="content" source="./media/shared/rg-access-control.png" alt-text="Screenshot of resource group access control and Check access tab." lightbox="./media/shared/rg-access-control.png":::
 
-1. On the **Check access** tab, click the **Check access** button.
+1. On the **Check access** tab, select the **View my access** button.
 
-1. In the **Check access** pane, click **User, group, or service principal**.
+    An assignments pane appears that lists your access at this scope and inherited to this scope. Assignments at child scopes aren't listed.
 
-1. In the search box, enter a string to search the directory for display names, email addresses, or object identifiers.
+    :::image type="content" source="./media/check-access/rg-check-access-assignments.png" alt-text="Screenshot of role and deny assignments pane." lightbox="./media/check-access/rg-check-access-assignments.png":::
 
-    ![Screenshot of Check access select list.](./media/shared/rg-check-access-select.png)
+# [PIM](#tab/pim)
 
-1. Click the user to open the **assignments** pane.
+1. Select **Access control (IAM)**.
 
-    On this pane, you can see the access for the selected user at this scope and inherited to this scope. Assignments at child scopes aren't listed. You see the following assignments:
+1. On the **Check access** tab, view your role assignments at this scope and inherited to this scope. Assignments at child scopes aren't listed.
 
-    - Role assignments added with Azure RBAC.
-    - Deny assignments added using Azure Blueprints or Azure managed apps.
-    - Classic Service Administrator or Co-Administrator assignments for classic deployments. 
+    The following shows an example of the Access control (IAM) page for a resource group.
 
-    ![Screenshot of role and deny assignments pane for a user.](./media/shared/rg-check-access-assignments-user.png)
 
-## Step 3: Check your access
+    :::image type="content" source="./media/check-access/rg-access-control-pim.png" alt-text="Screenshot of resource group access control and Check access tab for PIM integration." lightbox="./media/check-access/rg-access-control-pim.png":::
 
-Follow these steps to check your access to the previously selected Azure resource.
+    This page lists any [eligible and time-bound role assignments](pim-integration.md). To activate any eligible role assignments, select **Activate role**. For more information, see [Activate eligible Azure role assignments](./role-assignments-eligible-activate.md).
 
-1. Click **Access control (IAM)**.
+---
 
-1. On the **Check access** tab, click the **View my access** button.
+## Step 3: Check access for a user
 
-    An assignments pane appears that lists your access at this scope and inherited to this scope. Assignments at child scopes aren't listed.
+Follow these steps to check the access for a single user, group, service principal, or managed identity to the previously selected Azure resource.
+
+1. Select **Access control (IAM)**.
+
+1. On the **Check access** tab, select the **Check access** button.
+
+    A **Check access** pane appears.
+
+1. Select **User, group, or service principal**.
+
+1. In the search box, enter a string to search the directory for name or email addresses.
+
+    :::image type="content" source="./media/shared/rg-check-access-select.png" alt-text="Screenshot of Check access select list." lightbox="./media/shared/rg-check-access-select.png":::
+
+1. Select the user to open the **assignments** pane.
+
+    On this pane, you can see the access for the selected user at this scope and inherited to this scope. Assignments at child scopes aren't listed. You see the following assignments:
+
+    - Role assignments added with Azure RBAC.
+    - Deny assignments added using Azure Blueprints or Azure managed apps.
+
+    If there are any [eligible or time-bound role assignments](pim-integration.md), you can view these assignments on the **Eligible assignments** tab.
 
-    ![Screenshot of role and deny assignments pane.](./media/check-access/rg-check-access-assignments.png)
+    :::image type="content" source="./media/shared/rg-check-access-assignments-user.png" alt-text="Screenshot of role and deny assignments pane for a user." lightbox="./media/shared/rg-check-access-assignments-user.png":::
 
 ## Next steps
 

articles/role-based-access-control/media/check-access/rg-access-control-pim.png

@@ -4,7 +4,7 @@ description: Learn about the integration of Azure role-based access control (Azu
 author: rolyon
 ms.service: role-based-access-control
 ms.topic: conceptual
-ms.date: 11/11/2024
+ms.date: 12/12/2024
 ms.author: rolyon
 ---
 
@@ -16,7 +16,7 @@ This article describes the integration of Azure role-based access control (Azure
 
 ## PIM functionality
 
-If you have PIM, you can create eligible and time-bound role assignments using the **Access control (IAM)** page in the Azure portal. You can create eligible role assignments for users, but you can't create eligible role assignments for applications, service principals, or managed identities because they can't perform the activation steps. You can create eligible role assignments at management group, subscription, and resource group scope, but not at resource scope.
+If you have PIM, you can create eligible and time-bound role assignments using the **Access control (IAM)** page in the Azure portal. You can create eligible role assignments for users, but you can't create eligible role assignments for applications, service principals, or managed identities because they can't perform the activation steps. On the Access control (IAM) page, you can create eligible role assignments at management group, subscription, and resource group scope, but not at resource scope.
 
 Here's an example of the **Assignment type** tab when you add a role assignment using the **Access control (IAM)** page. This capability is being deployed in stages, so it might not be available yet in your tenant or your interface might look different.
 

articles/role-based-access-control/media/check-access/rg-check-access-assignments.png

@@ -5,7 +5,7 @@ author: rolyon
 manager: amycolannino
 ms.service: role-based-access-control
 ms.topic: how-to
-ms.date: 11/11/2024
+ms.date: 12/12/2024
 ms.author: rolyon
 ---
 
@@ -16,7 +16,7 @@ Eligible Azure role assignments provide just-in-time access to a role for a limi
 ## Prerequisites
 
 - Microsoft Entra ID P2 license or Microsoft Entra ID Governance license
-- [Eligible role assignment](./role-assignments-portal.yml#step-6-select-assignment-type)
+- [Eligible role assignment](pim-integration.md#pim-functionality)
 - `Microsoft.Authorization/roleAssignments/read` permission, such as [Reader](./built-in-roles/general.md#reader)
 
 ## Activate group membership (if needed)
@@ -31,19 +31,17 @@ These steps describe how to activate an eligible role assignment using the Azure
 
 1. Sign in to the [Azure portal](https://portal.azure.com).
 
-1. Click **All services** and then select the scope. For example, you can select **Management groups**, **Subscriptions**, **Resource groups**, or a resource.
+1. Click **All services** and then select the scope. For example, you can select **Management groups**, **Subscriptions**, or **Resource groups**.
+
+    On the Access control (IAM) page, you can activate eligible role assignments at management group, subscription, and resource group scope, but not at resource scope.
 
 1. Click the specific resource.
 
 1. Click **Access control (IAM)**.
 
-1. Click **Activate role**.
-
-    The **assignments** pane appears and lists your eligible role assignments.
-
     :::image type="content" source="./media/role-assignments-eligible-activate/activate-role.png" alt-text="Screenshot of Access control page and Activate role assignments pane." lightbox="./media/role-assignments-eligible-activate/activate-role.png":::
 
-1. Add a check mark next to a role you want to activate and then click **Activate role**.
+1. In the **Action** column, click **Activate** for the role you want to activate.
 
     The **Activate** pane appears with activate settings.
 
@@ -65,7 +63,7 @@ These steps describe how to activate an eligible role assignment using the Azure
 
     When activation is complete, you see a message that the role was successfully activated.
 
-    Once an eligible role assignment has been activated, it will be listed as an active time-bound role assignment on the **Role assignments** tab. For more information, see [List Azure role assignments using the Azure portal](./role-assignments-list-portal.yml#list-role-assignments-at-a-scope).
+    Once an eligible role assignment has been activated, it will be listed as an active time-bound role assignment on the **Check access** and  **Role assignments** tabs. For more information, see [List Azure role assignments using the Azure portal](./role-assignments-list-portal.yml#list-role-assignments-at-a-scope).
 
 ## Next steps
 

articles/role-based-access-control/media/role-assignments-eligible-activate/activate-role.png

@@ -6,7 +6,7 @@ metadata:
   author: rolyon
   ms.author: rolyon
   manager: amycolannino
-  ms.date: 11/11/2024
+  ms.date: 12/12/2024
   ms.service: role-based-access-control
   ms.topic: how-to
   ms.custom:
@@ -154,7 +154,6 @@ procedureSection:
 
         - Role assignments added with Azure RBAC.
         - Deny assignments added using Azure Blueprints or Azure managed apps.
-        - Classic Service Administrator or Co-Administrator assignments for classic deployments. 
 
         ![Screenshot of assignments pane.](./media/shared/rg-check-access-assignments-user.png)