Merge pull request #228074 from v-edmckillop/patch-121

denrea · web-flow · commit bb63ae584195 · 2023-02-21T15:10:18.000-08:00
Update 3-secure-access-plan.md
diff --git a/articles/active-directory/fundamentals/3-secure-access-plan.md b/articles/active-directory/fundamentals/3-secure-access-plan.md
@@ -1,5 +1,5 @@
 ---
-title: Create a security plan for external access to Azure Active Directory 
+title: Create a security plan for external access to resources
 description: Plan the security for external access to your organization's resources.
 services: active-directory
 author: gargi-sinha
@@ -8,64 +8,69 @@ ms.service: active-directory
 ms.workload: identity
 ms.subservice: fundamentals
 ms.topic: conceptual
-ms.date: 12/15/2022
+ms.date: 02/21/2023
 ms.author: gasinh
 ms.reviewer: ajburnle
 ms.custom: "it-pro, seodec18"
 ms.collection: M365-identity-device-management
 ---
 
-# Create a security plan for external access 
+# Create a security plan for external access to resources
 
-Before you create an external-access security plan, ensure the following conditions are met.
+Before you create an external-access security plan, review the following two articles, which add context and information for the security plan.
 
-* [Determine your security posture for external access](1-secure-access-posture.md)
+* [Determine your security posture for external access with Azure AD](1-secure-access-posture.md)
 * [Discover the current state of external collaboration in your organization](2-secure-access-current-state.md)
 
+## Security plan documentation
+
 For your security plan, document the following information:
 
-* Applications and resources to be grouped for access
+* Applications and resources grouped for access
 * Sign-in conditions for external users
-  * Device state, sign-in location, client application requirements, and user risk
-* Policies that determine when to review and remove access
-* User populations to be grouped for a similar experience
+  * Device state, sign-in location, client application requirements, user risk, etc.
+* Policies to determine timing for reviews and access removal 
+* User populations grouped for similar experiences
 
-After you document the information, use Microsoft identity and access management policies, or another identity provider (IdP) to implement the plan.
+To implement the security plan, you can use Microsoft identity and access management policies, or another identity provider (IdP).
 
-## Resources to be grouped for access
+Learn more: [Identity and access management overview](/compliance/assurance/assurance-identity-and-access-management)
 
-To group resources for access: 
+## Use groups for access
 
-* Microsoft Teams groups files, conversation threads, and other resources. Formulate an external access strategy for Microsoft Teams.
-  * See, [Secure external access to Microsoft Teams, SharePoint, and OneDrive for Business](9-secure-access-teams-sharepoint.md)
-* Use entitlement management access packages to create and delegate management of packages of applications, groups, teams, SharePoint sites, etc. 
+See the following links to articles about resource grouping strategies: 
+
+* Microsoft Teams groups files, conversation threads, and other resources
+  * Formulate an external access strategy for Teams
+  * See, [Secure external access to Microsoft Teams, SharePoint, and OneDrive for Business with Azure AD](9-secure-access-teams-sharepoint.md)
+* Use entitlement management access packages to create and delegate package management of applications, groups, teams, SharePoint sites, etc. 
   * [Create a new access package in entitlement management](../governance/entitlement-management-access-package-create.md) 
 * Apply Conditional Access policies to up to 250 applications, with the same access requirements
   *  [What is Conditional Access?](../conditional-access/overview.md) 
-* Use Cross Tenant Access Settings Inbound Access to define access for application groups of external users 
+* Define access for external user application groups
   *  [Overview: Cross-tenant access with Azure AD External Identities](../external-identities/cross-tenant-access-overview.md) 
 
-Document the applications to be grouped. Considerations include:
+Document the grouped applications. Considerations include:
 
-* **Risk profile** - Assess the risk if a bad actor gains access to an application. 
-  * Identify application as high, medium, or low risk. Avoid grouping high-risk with low-risk.
+* **Risk profile** - assess the risk if a bad actor gains access to an application 
+  * Identify application as High, Medium, or Low risk. We recommend you don't group High-risk with Low-risk.
   * Document applications that can't be shared with external users
-* **Compliance frameworks** - Determine compliance frameworks for apps
+* **Compliance frameworks** - determine compliance frameworks for apps
   * Identify access and review requirements
-* **Applications for roles or departments** - Assess applications to be grouped for a role or department access
-* **Collaboration applications** - Identify collaboration applications external users can access, such as Teams and SharePoint
+* **Applications for roles or departments** - assess applications grouped for role, or department, access
+* **Collaboration applications** - identify collaboration applications external users can access, such as Teams or SharePoint
   * For productivity applications, external users might have licenses, or you might provide access
 
-For application and resource group access by external users, document the following information:
+Document the following information for application and resource group access by external users.
 
 * Descriptive group name, for example High_Risk_External_Access_Finance 
 * Applications and resources in the group
-* Application and resource owners and contact information
-* Access is controlled by IT, or delegated to a business owner
+* Application and resource owners and their contact information
+* The IT team controls access, or control is delegated to a business owner
 * Prerequisites for access: background check, training, etc.
 * Compliance requirements to access resources
 * Challenges, for example multi-factor authentication (MFA) for some resources
-* Cadence for reviews, by whom, and where it's documented
+* Cadence for reviews, by whom, and where results are documented
 
 > [!TIP]
 > Use this type of governance plan for internal access.
@@ -82,7 +87,7 @@ Consider the following risk-based policies to trigger MFA.
 
 * **Low** - MFA for some application sets
 * **Medium** - MFA when other risks are present
-* **High** - External users always use MFA
+* **High** - external users always use MFA
 
 Learn more: 
 
@@ -98,14 +103,14 @@ Use the following table to help assess policy to address risk.
 | --- | --- |
 | Device| Require compliant devices |
 | Mobile apps| Require approved apps |
-| Identity protection is high risk| Require user to change password |
+| Identity protection is High risk| Require user to change password |
 | Network location| To access confidential projects, require sign-in from an IP address range |
 
-To use device state as policy input, the device is registered or joined to your tenant. Configure cross-tenant access settings must be configured to trust the device claims from the home tenant. See, [Modify inbound access settings](../external-identities/cross-tenant-access-settings-b2b-collaboration.md#modify-inbound-access-settings).
+To use device state as policy input, register or join the device to your tenant. To trust the device claims from the home tenant, configure cross-tenant access settings. See, [Modify inbound access settings](../external-identities/cross-tenant-access-settings-b2b-collaboration.md#modify-inbound-access-settings).
 
-You can use identity-protection risk policies. However, mitigate issue in the user home tenant. See, [Common Conditional Access policy: Sign-in risk-based multifactor authentication](../conditional-access/howto-conditional-access-policy-risk.md).
+You can use identity-protection risk policies. However, mitigate issues in the user home tenant. See, [Common Conditional Access policy: Sign-in risk-based multifactor authentication](../conditional-access/howto-conditional-access-policy-risk.md).
 
-For network locations, you can restrict access to IP addresses ranges you own. Use this method if external partners access applications while at your location. See, [Conditional Access: Block access by location](../conditional-access/howto-conditional-access-policy-location.md)
+For network locations, you can restrict access to IP addresses ranges that you own. Use this method if external partners access applications while at your location. See, [Conditional Access: Block access by location](../conditional-access/howto-conditional-access-policy-location.md)
 
 ## Document access review policies
 
@@ -115,13 +120,13 @@ Document policies that dictate when to review resource access, and remove accoun
 * Internal business policies and processes
 * User behavior
 
-Your policies will be customized, however consider the following parameters:
+Generally, organizations customize policy, however consider the following parameters:
 
 * **Entitlement management access reviews**:
   * [Change lifecycle settings for an access package in entitlement management](../governance/entitlement-management-access-package-lifecycle-policy.md)
   * [Create an access review of an access package in entitlement management](../governance/entitlement-management-access-reviews-create.md)
   * [Add a connected organization in entitlement management](../governance/entitlement-management-organization.md): group users from a partner and schedule reviews
-* **Microsoft 365 groups**: 
+* **Microsoft 365 groups**
   * [Microsoft 365 group expiration policy](/microsoft-365/solutions/microsoft-365-groups-expiration-policy?view=o365-worldwide&preserve-view=true)
 * **Options**: 
   * If external users don't use access packages or Microsoft 365 groups, determine when accounts become inactive or deleted
@@ -130,20 +135,20 @@ Your policies will be customized, however consider the following parameters:
 
 ## Access control methods
 
-Some features, for example entitlement management, are available with an Azure AD Premium 2 (P2) license. Microsoft 365 E5 and Office 365 E5 licenses include Azure AD P2 licenses. 
-
-Other combinations of Microsoft 365, Office 365, and Azure AD have functionality to manage external users. See, [Microsoft 365 guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance).
+Some features, for example entitlement management, are available with an Azure AD Premium 2 (P2) license. Microsoft 365 E5 and Office 365 E5 licenses include Azure AD P2 licenses. Learn more in the following entitlement management section.
 
 > [!NOTE]
 > Licenses are for one user. Therefore users, administrators, and business owners can have delegated access control. This scenario can occur with Azure AD P2 or Microsoft 365 E5, and you don't have to enable licenses for all users. The first 50,000 external users are free. If you don't enable P2 licenses for other internal users, they can't use entitlement management. 
 
+Other combinations of Microsoft 365, Office 365, and Azure AD have functionality to manage external users. See, [Microsoft 365 guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance).
+
 ## Govern access with Azure AD P2 and Microsoft 365 or Office 365 E5
 
 Azure AD P2 and Microsoft 365 E5 have all the security and governance tools.
 
 ### Provision, sign-in, review access, and deprovision access
 
-Entries in bold are recommended.
+Entries in bold are recommended actions.
 
 | Feature| Provision external users| Enforce sign-in requirements| Review access| Deprovision access |
 | - | - | - | - | - |
@@ -154,7 +159,7 @@ Entries in bold are recommended.
 
 ### Resource access 
  
-Entries in bold are recommended.
+Entries in bold are recommended actions.
 
 |Feature | App and resource access| SharePoint and OneDrive access| Teams access| Email and document security |
 | - |-|-|-|-|
@@ -165,15 +170,15 @@ Entries in bold are recommended.
 
 ### Entitlement management 
 
-Use entitlement management to provision and deprovision access to groups and teams, applications, and SharePoint sites. Define the connected organizations allowed access, self-service requests, and approval workflows. To ensure access ends correctly, define expiration policies and access reviews for packages. 
+Use entitlement management to provision and deprovision access to groups and teams, applications, and SharePoint sites. Define the connected organizations granted access, self-service requests, and approval workflows. To ensure access ends correctly, define expiration policies and access reviews for packages. 
 
 Learn more: [Create a new access package in entitlement management](../governance/entitlement-management-access-package-create.md) 
 
 ## Governance with Azure AD P1, Microsoft 365, Office 365 E3
 
 ### Provision, sign-in, review access, and deprovision access
 
-Items in bold are recommended.
+Items in bold are recommended actions.
 
 |Feature | Provision external users| Enforce sign-in requirements| Review access| Deprovision access |
 | - |-|-|-|-|
@@ -200,4 +205,4 @@ Items in bold are recommended.
 * [Manage external access with entitlement management](6-secure-access-entitlement-managment.md)
 * [Secure access with Conditional Access policies](7-secure-access-conditional-access.md)
 * [Control access with sensitivity labels](8-secure-access-sensitivity-labels.md)
-* [Secure external access to Microsoft Teams, SharePoint, and OneDrive for Business](9-secure-access-teams-sharepoint.md)
+* [Secure external access to Microsoft Teams, SharePoint, and OneDrive for Business](9-secure-access-teams-sharepoint.md)
