MicrosoftDocs
diff --git a/‎articles/active-directory/governance/entitlement-management-access-package-approval-policy.md
Lines changed: 13 additions & 14 deletions b/‎articles/active-directory/governance/entitlement-management-access-package-approval-policy.md
Lines changed: 13 additions & 14 deletions
diff --git a/‎articles/active-directory/governance/entitlement-management-process.md
Lines changed: 11 additions & 15 deletions b/‎articles/active-directory/governance/entitlement-management-process.md
Lines changed: 11 additions & 15 deletions
diff --git a/‎articles/active-directory/manage-apps/assign-user-or-group-access-portal.md
Lines changed: 3 additions & 0 deletions b/‎articles/active-directory/manage-apps/assign-user-or-group-access-portal.md
Lines changed: 3 additions & 0 deletions
diff --git a/‎articles/app-service/configure-language-python.md
Lines changed: 2 additions & 2 deletions b/‎articles/app-service/configure-language-python.md
Lines changed: 2 additions & 2 deletions
@@ -12,7 +12,7 @@ ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: how-to
 ms.subservice: compliance
-ms.date: 09/16/2020
+ms.date: 05/16/2021
 ms.author: ajburnle
 ms.reviewer: 
 ms.collection: M365-identity-device-management
@@ -32,10 +32,9 @@ This article describes how to change the approval and requestor information sett
 In the Approval section, you specify whether an approval is required when users request this access package. The approval settings work in the following way:
 
 - Only one of the selected approvers or fallback approvers needs to approve a request for single-stage approval. 
-- Only one of the selected approvers from each stage needs to approve a request for 2-stage approval.
-- The approver can be a Manager, Internal sponsor, or External sponsor depending on who the policy is governing access.
-- Approval from every selected approver isn't required for single or 2-stage approval.
-- The approval decision is based on whichever approver reviews the request first.
+- Only one of the selected approvers from each stage needs to approve a request for multi-stage approval for the request to progress to the next stage.
+- If one of the selected approved in a stage denies a request before another approver in that stage approves it, or if no one approves, the request terminates and the user does not receive access.
+- The approver can be a specified user or member of a group, the requestor's Manager, Internal sponsor, or External sponsor depending on who the policy is governing access.
 
 For a demonstration of how to add approvers to a request policy, watch the following video:
 
@@ -66,7 +65,7 @@ Follow these steps to specify the approval settings for requests for the access
 
 1. To require users to provide a justification to request the access package, set the **Require requestor justification** toggle to **Yes**.
 
-1. Now determine if requests will require single or 2-stage approval. Set the **How many stages** toggle to **1** for single stage approval or set the toggle to **2** for 2-stage approval.
+1. Now determine if requests will require single or multi-stage approval. Set the **How many stages** to the number of stages of approval needed.
 
     ![Access package - Requests - Approval settings](./media/entitlement-management-access-package-approval-policy/approval.png)
 
@@ -99,9 +98,9 @@ Use the following steps to add approvers after selecting how many stages you req
 
     The justification is visible to other approvers and the requestor.
 
-### 2-stage approval
+### Multi-stage approval
 
-If you selected a 2-stage approval, you'll need to add a second approver.
+If you selected a multi-stage approval, you'll need to add an approver for each additional stage.
 
 1. Add the **Second Approver**: 
 
@@ -119,16 +118,16 @@ If you selected a 2-stage approval, you'll need to add a second approver.
 
 ### Alternate approvers
 
-You can specify alternate approvers, similar to specifying the first and second approvers who can approve requests. Having alternate approvers will help ensure that the requests are approved or denied before they expire (timeout). You can list alternate approvers the first approver and second approver for 2-stage approval. 
+You can specify alternate approvers, similar to specifying the primary approvers who can approve requests on each stage. Having alternate approvers will help ensure that the requests are approved or denied before they expire (timeout). You can list alternate approvers alongside the primary approver on each stage.
 
-By specifying alternate approvers, in the event that the first or second approvers were unable to approve or deny the request, the pending request gets forwarded to the alternate approvers, per the forwarding schedule you specified during policy setup. They receive an email to approve or deny the pending request.
+By specifying alternate approvers on a stage, in the event that the primary approvers were unable to approve or deny the request, the pending request gets forwarded to the alternate approvers, per the forwarding schedule you specified during policy setup. They receive an email to approve or deny the pending request.
 
-After the request is forwarded to the alternate approvers, the first or second approvers can still approve or deny the request. Alternate approvers use the same My Access site to approve or deny the pending request.
+After the request is forwarded to the alternate approvers, the primary approvers can still approve or deny the request. Alternate approvers use the same My Access site to approve or deny the pending request.
 
-We can list people or groups of people to be approvers and alternate approvers. Please ensure that you list different sets of people to be the first, second, and alternate approvers.
-For example, if you listed Alice and Bob as the First Approver(s), list Carol and Dave as the alternate approvers. Use the following steps to add alternate approvers to an access package:
+You can list people or groups of people to be approvers and alternate approvers. Please ensure that you list different sets of people to be the first, second, and alternate approvers.
+For example, if you listed Alice and Bob as the first stage approver(s), list Carol and Dave as the alternate approvers. Use the following steps to add alternate approvers to an access package:
 
-1. Under the First Approver, Second Approver, or both, click **Show advanced request settings**.
+1. Under the approver on a stage, click **Show advanced request settings**.
 
     :::image type="content" source="media/entitlement-management-access-package-approval-policy/alternate-approvers-click-advanced-request.png" alt-text="Access package - Policy - Show advanced request settings":::
 
 
@@ -12,7 +12,7 @@ ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: conceptual
 ms.subservice: compliance
-ms.date: 12/23/2020
+ms.date: 5/17/2021
 ms.author: ajburnle
 ms.reviewer: mamkumar
 ms.collection: M365-identity-device-management
@@ -59,13 +59,13 @@ The following diagram shows the experience of requestors and the email notificat
 
 ![Requestor process flow](./media/entitlement-management-process/requestor-approval-request-flow.png)
 
-### 2-stage approval
+### Multi-stage approval
 The following diagram shows the experience of stage-1 and stage-2 approvers and the email notifications they receive during the request process:
 
 ![2-stage approval process flow](./media/entitlement-management-process/2stage-approval-with-request-timeout-flow.png)
 
 ### Email notifications table
-The following table provides more detail about each of these email notifications. To manage these emails, you can use rules. For example, in Outlook, you can create rules to move the emails to a folder if the subject contains words from this table:
+The following table provides more detail about each of these email notifications. To manage these emails, you can use rules. For example, in Outlook, you can create rules to move the emails to a folder if the subject contains words from this table.  Note that the words will be based on the default language settings of the tenant where the user is requesting access.
 
 | # | Email subject | When sent | Sent to |
 | --- | --- | --- | --- |
@@ -76,9 +76,9 @@ The following table provides more detail about each of these email notifications
 | 5 | Action required reminder: Approve or deny the request by *[date]* for *[requestor]* | This reminder email will be sent to the first approver, if escalation is enabled. The email asks them to take action if they haven't. | First approver |
 | 6 | Request has expired for *[access_package]* | This email will be sent to the first approver and stage-1 alternate approvers after the request has expired. | First approver, stage-1 alternate approvers |
 | 7 | Request approved for *[requestor]* to *[access_package]* | This email will be sent to the first approver and stage-1 alternate approvers upon request completion. | First approver, stage-1 alternate approvers |
-| 8 | Request approved for *[requestor]* to *[access_package]* | This email will be sent to the first approver and stage-1 alternate approvers of a 2-stage request when the stage-1 request is approved. | First approver, stage-1 alternate approvers |
+| 8 | Request approved for *[requestor]* to *[access_package]* | This email will be sent to the first approver and stage-1 alternate approvers of a multi-stage request when the stage-1 request is approved. | First approver, stage-1 alternate approvers |
 | 9 | Request denied to *[access_package]* | This email will be sent to the requestor when their request is denied | Requestor |
-| 10 | Your request has expired for *[access_package]* | This email will be sent to the requestor at the end of a single or 2-stage request. The email notifies the requestor that the request expired. | Requestor |
+| 10 | Your request has expired for *[access_package]* | This email will be sent to the requestor at the end of a single or multi-stage request. The email notifies the requestor that the request expired. | Requestor |
 | 11 | Action required: Approve or deny request by *[date]* | This email will be sent to the second approver, if escalation is disabled, to take action. | Second approver |
 | 12 | Action required reminder: Approve or deny the request by *[date]* | This reminder email will be sent to the second approver, if escalation is disabled. The notification asks them to take action if they haven't yet. | Second approver |
 | 13 | Action required: Approve or deny the request by *[date]* for *[requestor]* | This email will be sent to second approver, if escalation is enabled, to take action. | Second approver |
@@ -94,7 +94,7 @@ The following table provides more detail about each of these email notifications
 
 When a requestor submits an access request for an access package configured to require approval, all approvers added to the policy will receive an email notification with details of the request. The details in the email include: requestor's name organization, and business justification; and the requested access start and end date (if provided). The details will also include when the request was submitted and when the request will expire.
 
-The email includes a link approvers can click on to go to My Access to approve or deny the access request. Here is a sample email notification that is sent to the first approver or second approver (if 2-stage approval is enabled) to complete an access request:
+The email includes a link approvers can click on to go to My Access to approve or deny the access request. Here is a sample email notification that is sent to an approver to complete an access request:
 
 ![Approve request to access package email](./media/entitlement-management-shared/approver-request-email.png)
 
@@ -125,25 +125,21 @@ When an access request is denied, an email notification is sent to the requestor
 
 ![Requestor request denied email](./media/entitlement-management-process/requestor-email-denied.png)
 
-### 2-stage approval access request emails
+### Multi-stage approval access request emails
 
-If 2-stage approval is enabled, at least two approvers must approve the request, one from each stage, before the requestor can receive access.
+If multi-stage approval is enabled, at least one approvers from each stage must approve the request, before the requestor can receive access.
 
-During stage-1, the first approver will receive the access request email and make a decision. If they approve the request, all first approvers and alternate approvers in stage-1 (if escalation is enabled) will receive notification that stage-1 is complete. Here is a sample email of the notification that is sent when stage-1 is complete:
-
-![2-stage access request email](./media/entitlement-management-process/approver-request-email-2stage.png)
+During stage-1, the first approver will receive the access request email and make a decision.
 
 After the first or alternate approvers approve the request in stage-1, stage-2 begins. During stage-2, the second approver will receive the access request notification email. After the second approver or alternate approvers in stage-2 (if escalation is enabled) decide to approve or deny the request, notification emails are sent to the first and second approvers, and all alternate approvers in stage-1 and stage-2, as well as the requestor.
 
 ### Expired access request emails
 
 Access requests could expire if no approver has approved or denied the request. 
 
-When the request reaches its configured expiration date and expires, it can no longer be approved or denied by the approvers. Here is a sample email of the notification sent to all of the first, second (if 2-stage approval is enabled), and alternate approvers:
-
-![Approvers expired access request email](./media/entitlement-management-process/approver-request-email-expired.png)
+When the request reaches its configured expiration date and expires, it can no longer be approved or denied by the approvers.
 
-An email notification is also sent to the requestor, notifying them that their access request has expired, and that they need to resubmit the access request. The following diagram shows the experience of the requestor and the email notifications they receive when they request to extend access:
+An email notification is sent to the requestor, notifying them that their access request has expired, and that they need to resubmit the access request. The following diagram shows the experience of the requestor and the email notifications they receive when they request to extend access:
 
 ![Requestor extend access process flow](./media/entitlement-management-process/requestor-expiration-request-flow.png) 
 
 
@@ -39,6 +39,9 @@ When assignment is *not required*, either because you've set this option to **No
 
 This setting doesn't affect whether or not an application appears on My Apps. Applications appear on users' My Apps access panels once you've assigned a user or group to the application. For background, see [Managing access to apps](what-is-access-management.md).
 
+> [!NOTE]
+> When an application requires assignment, user consent for that application is not allowed. This is true even if users consent for that app would have otherwise been allowed. Be sure to [grant tenant-wide admin consent](../manage-apps/grant-admin-consent.md) to apps that require assignment. 
+
 To require user assignment for an application:
 1. Sign in to the [Azure portal](https://portal.azure.com) with an administrator account or as an owner of the application.
 2. Select **Azure Active Directory**. In the left navigation menu, select **Enterprise applications**.
 
@@ -11,7 +11,7 @@ ms.custom: mvc, seodec18, devx-track-python, devx-track-azurecli
 
 This article describes how [Azure App Service](overview.md) runs Python apps, how you can migrate existing apps to Azure, and how you can customize the behavior of App Service when needed. Python apps must be deployed with all the required [pip](https://pypi.org/project/pip/) modules.
 
-The App Service deployment engine automatically activates a virtual environment and runs `pip install -r requirements.txt` for you when you deploy a [Git repository](deploy-local-git.md), or a [zip package](deploy-zip.md).
+The App Service deployment engine automatically activates a virtual environment and runs `pip install -r requirements.txt` for you when you deploy a [Git repository](deploy-local-git.md), or a [zip package](deploy-zip.md) if `SCM_DO_BUILD_DURING_DEPLOYMENT` is set to `1`.
 
 This guide provides key concepts and instructions for Python developers who use a built-in Linux container in App Service. If you've never used Azure App Service, first follow the [Python quickstart](quickstart-python.md) and [Python with PostgreSQL tutorial](tutorial-python-postgresql-app.md).
 
@@ -60,7 +60,7 @@ You can run an unsupported version of Python by building your own container imag
 
 ## Customize build automation
 
-App Service's build system, called Oryx, performs the following steps when you deploy your app using Git or zip packages:
+App Service's build system, called Oryx, performs the following steps when you deploy your app if the app setting `SCM_DO_BUILD_DURING_DEPLOYMENT` is set to `1`:
 
 1. Run a custom pre-build script if specified by the `PRE_BUILD_COMMAND` setting. (The script can itself run other Python and Node.js scripts, pip and npm commands, and Node-based tools like yarn, for example, `yarn install` and `yarn build`.)