Update 6-secure-access-entitlement-managment.md

Author: v-edmckillop

articles/active-directory/fundamentals/6-secure-access-entitlement-managment.md

@@ -1,6 +1,6 @@
 ---
-title: Manage external access with Azure Active Directory Entitlement Management 
-description: How to use Azure Active Directory Entitlement Management as a part of your overall external access security plan.
+title: Manage external access with Azure Active Directory entitlement management 
+description: How to use Azure AD Entitlement Management as a part of your overall external access security plan.
 services: active-directory
 author: janicericketts
 manager: martinco
@@ -15,156 +15,165 @@ ms.custom: "it-pro, seodec18"
 ms.collection: M365-identity-device-management
 ---
 
-# Manage external access with Entitlement Management 
+# Manage external access with Azure Active Directory entitlement management 
 
+Use the entitlement management feature to manage identity and access lifecycle. You can automate access request workflows, access assignments, reviews, and expiration. Delegated non-admins use entitlement management to create access packages that external users, from other organizations, can request access to. One and multi-stage approval workflows are configurable to evaluate requests, and provision users for time-limited access with recurring reviews. Use entitlement management for policy-based provisioning and deprovisioning of external accounts.
 
-[Entitlement management](../governance/entitlement-management-overview.md) is an identity governance capability that enables organizations to manage identity and access lifecycle at scale by automating access request workflows, access assignments, reviews, and expiration. Entitlement management allows delegated non-admins to create [access packages](../governance/entitlement-management-overview.md) that external users from other organizations can request access to. One and multi-stage approval workflows can be configured to evaluate requests, and [provision](../governance/what-is-provisioning.md) users for time-limited access with recurring reviews. Entitlement management enables policy-based provisioning and deprovisioning of external accounts.
+Learn more:
 
-## Key concepts for enabling Entitlement Management
+* [What is entitlement management?](../governance/entitlement-management-overview.md)
+* [What are acess packages and what resources can I manage with them?](../governance/entitlement-management-overview.md#what-are-access-packages-and-what-resources-can-i-manage-with-them)
+* [What is provisioning?](../governance/what-is-provisioning.md)
 
-The following key concepts are important to understand for entitlement management.
-
-### Access Packages
+## Enable entitlement management
 
-An [access package](../governance/entitlement-management-overview.md) is the foundation of entitlement management. Access packages are groupings of policy-governed resources a user needs to collaborate on a project or do other tasks. For example, an access package might include:
-
-* access to specific SharePoint sites.
+The following key concepts are important to understand for entitlement management.
 
-* enterprise applications including your custom in-house and SaaS apps like Salesforce.
+### Access packages
 
-* Microsoft Teams.
+An access package is the foundation of entitlement management: groupings of policy-governed resources for users to collaborate on a project or do other tasks. For example, an access package might include:
 
-* Microsoft 365 Groups. 
+* Access to SharePoint sites
+* Enterprise applications, including your custom in-house and SaaS apps, like Salesforce
+* Microsoft Teams
+* Microsoft 365 Groups 
 
 ### Catalogs
 
-Access packages reside in [catalogs](../governance/entitlement-management-catalog-create.md). You create a catalog when you want to group related resources and access packages and delegate the ability to manage them. First you add resources to a catalog, and then you can add those resources to access packages. For example, you might want to create a “Finance” catalog, and [delegate its management](../governance/entitlement-management-delegate.md) to a member of the finance team. That person can then [add resources](../governance/entitlement-management-catalog-create.md), create access packages, and manage access approval to those packages.
+Access packages reside in catalogs. When you want to group related resources and access packages and delegate their management, you create a catalog. First, you add resources to a catalog, and then you can add resources to access packages. For example, you can create a finance catalog, and delegate its management to a member of the finance team. That person can add resources, create access packages, and manage access approval.
 
-The following diagram shows a typical governance lifecycle for an external user gaining access to an access package that has an expiration.
+Learn more:
 
-![A diagram of the external user governance cycle.](media/secure-external-access/6-governance-lifecycle.png)
+* [Create and manage a catalog of resources in entitlement management](../governance/entitlement-management-catalog-create.md)
+* [Delegation and roles in entitlement management](../governance/entitlement-management-delegate.md)
+* [Add resources to a catalog](../governance/entitlement-management-catalog-create.md#add-resources-to-a-catalog)
 
-### Self-service external access
+The following diagram shows a typical governance lifecycle of an external user gaining access to an access package, with an expiration.
 
-You can surface access packages through the [Azure AD My Access Portal](../governance/entitlement-management-request-access.md) to enable external users to request access. Policies determine who can request an access package. You specify who is allowed to request the access package:
+   ![A diagram of the external user governance cycle.](media/secure-external-access/6-governance-lifecycle.png)
 
-* Specific [connected organizations](../governance/entitlement-management-organization.md)
+### Self-service external access
 
-* All configured connected organizations
+You can make access packages available, through the Azure AD My Access portal, to enable external users to request access. Policies determine who can request an access package. See, [Request access to an access package in entitlement management](../governance/entitlement-management-request-access.md).
 
-* All users from any organization
+You specify who is allowed to request the access package:
 
-* Member or guest users already in your tenant
+* Connected organizations
+  * See, [Add a connected organization in entitlement management](../governance/entitlement-management-organization.md)
+* Configured connected organizations
+* Users from organizations
+* Member or guest users in your tenant
 
 ### Approvals   
-‎Access packages can include mandatory approval for access. **Always implement approval processes for external users**. Approvals can be a single or multi-stage approval. Approvals are determined by policies. If both internal and external users need to access the same package, you'll likely set up different access policies for different categories of connected organizations, and for internal users.
 
-### Expiration  
-‎Access packages can include an expiration date. Expiration can be set to a specific day or give the user a specific number of days for access. When the access package expires, and the user has no other access, the B2B guest user object representing the user can be deleted or blocked from signing in. We recommend that you enforce expiration on access packages for external users. Not all access packages have expirations. For those that don't, ensure that you perform access reviews.
-
-### Access reviews
-
-Access packages can require periodic [access reviews](../governance/manage-guest-access-with-access-reviews.md), which require the package owner or a designee to attest to the continued need for users’ access. 
-
-Before you set up your review, determine the following.
-
-* Who
-
-   * What are the criteria for continued access?
-
-   * Who are the specified reviewers?
-
-* How often should scheduled reviews occur?
-
-   * Built in options include monthly, quarterly, bi-annually or annually. 
-
-   * We recommend quarterly or more frequently for packages that support external access. 
-
- 
+Access packages can include mandatory approval for access. Approvals can be single or multi-stage and are determined by policies. If internal and external users need to access the same package, you can set up access policies for categories of connected organizations, and for internal users.
 
 > [!IMPORTANT]
-> Access reviews of access packages only review access granted through Entitlement Management. You must therefore set up other processes to review any access provided to external users outside of Entitlement Management.
+> Implement approval processes for external users.
 
-For more information about access reviews, see [Planning an Azure AD Access Reviews deployment](../governance/deploy-access-reviews.md).
+### Expiration  
 
-## Using automation in Entitlement Management
+Access packages can include an expiration date: a day you set, or a number of days for access. When the access package expires, and access ends, the B2B guest user object representing the user can be deleted or blocked from signing in. We recommend you enforce expiration on access packages for external users. Not all access packages have expirations.
 
-You can perform [Entitlement Management functions by using Microsoft Graph](/graph/tutorial-access-package-api), including
+> [!IMPORTANT]
+> For packages without expiration, perform regular access reviews.
 
-* [Manage access packages](/graph/api/resources/accesspackage)
+### Access reviews
 
-* [Manage access reviews](/graph/api/resources/accessreviewsv2-overview)
+Access packages can require periodic access reviews, which require the package owner or a designee to attest to the continued need for users’ access. See, [Manage guest access with access reviews](../governance/manage-guest-access-with-access-reviews.md).
 
-* [Manage connected organizations](/graph/api/resources/connectedorganization)
+Before you set up your review, determine the following criteria:
 
-* [Manage Entitlement Management settings](/graph/api/resources/entitlementmanagementsettings)
+* Who
+   * Criteria for continued access
+   * Reviewers
+* How often
+   * Built-in options are monthly, quarterly, bi-annually, or annually 
+   * We recommend quarterly, or more frequent, reviews for packages that support external access
 
-## Recommendations 
+> [!IMPORTANT]
+> Access package reviews examine access granted through entitlement management. Set up other processes to review access to external users, outside entitlement management.
 
-We recommend the practices to govern external access with Entitlement Management.
+Learn more: [Plan a Microsoft Entra access reviews deployment](../governance/deploy-access-reviews.md).
 
-**For projects with one or more business partners, [Create and use access packages](../governance/entitlement-management-access-package-create.md) to onboard and provision those partner’s users access to resources**. 
+## Using entitlement management automation
 
-* If you already have B2B users in your directory, you can also directly assign them to the appropriate access packages.
+* [Working with the Azure AD entitlement management API](/graph/api/resources/entitlementmanagement-overview?view=graph-rest-1.0)
+* [accessPackage resource type](/graph/api/resources/accesspackage?view=graph-rest-1.0)
+* [Azure AD access reviewss](/graph/api/resources/accessreviewsv2-overview?view=graph-rest-1.0)
+* [connectedOrganization resource type](/graph/api/resources/connectedorganization?view=graph-rest-1.0)
+* [entitlementManagementSettings resource type](/graph/api/resources/entitlementmanagementsettings?view=graph-rest-1.0)
 
-* You can assign access in the [Azure portal](../governance/entitlement-management-access-package-assignments.md), or via [Microsoft Graph](/graph/api/resources/accesspackageassignmentrequest).
+## External access governance recommendations 
 
-**Use your Identity Governance settings to remove users from your directory when their access packages expire**.
+### Best practices
 
-![Screenshot of configuring manage the lifecycle of external users.](media/secure-external-access/6-manage-external-lifecycle.png)
+We recommend the following practices to govern external access with entitlement management.
 
-These settings only apply to users who were onboarded through Entitlement Management.
+* For projects with one or more business partners, create and use access packages to onboard and provide access to resources. 
+  * [Create a new access package in entitlement management](../governance/entitlement-management-access-package-create.md)
+* If you have B2B users in your directory, you can assign them to access packages.
+* You can assign access in the Azure portal or with Microsoft Graph
+  * [View, add, and remove assignments for an access package in entitlement management](../governance/entitlement-management-access-package-assignments.md)
+  * [Create a new access package in entitlement management](../governance/entitlement-management-access-package-create)
 
-**[Delegate management of catalogs and access packages](../governance/entitlement-management-delegate.md) to business owners, who have more information on who should access**.
+### Identity Governance - Settings 
 
-![Screenshot of configuring a catalog.](media/secure-external-access/6-catalog-management.png)
+Use **Identity Governance - Settings** to remove users from your directory when their access packages expire. The following settings apply to users onboarded with entitlement management.
 
-**‎[Enforce expiration of access packages](../governance/entitlement-management-access-package-lifecycle-policy.md) to which external users have access.**
+   ![Screenshot of settings and entries for Manage the lifecycle of external users.](media/secure-external-access/6-manage-external-lifecycle.png)
 
+### Delegate catalog and package management
 
-![Screenshot of configuring access package expiration.](media/secure-external-access/6-access-package-expiration.png)
+You can delegate catalog and package managment to business owners, who have more information on who should access. See, [Delegation and roles in entitlement managements](../governance/entitlement-management-delegate.md)
 
-* If you know the end date of a project-based access package, use the On Date to set the specific date. 
+   ![Screenshot of options and entries under Roles and administrators.](media/secure-external-access/6-catalog-management.png)
 
-* Otherwise we recommend the expiration be no longer 365 days, unless it is known to be a multi-year engagement.
+### Enforce access package expiration
 
-* Allow users to extend access.
+You can to which external users have access. See, [Change lifecycle settings for an access package in entitlement management](../governance/entitlement-management-access-package-lifecycle-policy.md).
 
-* Require approval to grant the extension.
+   ![Screenshot of options and entries for Expiration.](media/secure-external-access/6-access-package-expiration.png)
 
-**[Enforce access reviews of packages](../governance/manage-guest-access-with-access-reviews.md) to avoid inappropriate access for guests.**
+* For the end date of a project-based access package, use **On date** to set the date. 
+  * Otherwise we recommend expiration to be no longer 365 days, unless it's a multi-year project
+* Allow users to extend access
+  * Require approval to grant the extension
 
-![Screenshot of creating a new access package.](media/secure-external-access/6-new-access-package.png)
+### Enforce guest-access package reviews
 
-* Enforce reviews quarterly.
+You can enforce reviews of guest-access packages to avoid inappropriate access for guests. See, [Manage guest access with access reviews](../governance/manage-guest-access-with-access-reviews.md).
 
-* For compliance-sensitive projects, set the reviewers to be specific reviewers, rather than self-review for external users. The users who are access package managers are a good place to start for reviewers. 
+   ![Screenshot of options and entries under New access package.](media/secure-external-access/6-new-access-package.png)
 
-* For less sensitive projects, having the users self-review will reduce the burden on the organization to remove access from users who are no longer with their home organization.
+* Enforce quartlery reviews
+* For compliance-related projects, set the reviewers to be reviewers, rather than self-review for external users. 
+  * You can use access package managers as reviewers
+* For less sensitive projects, users self-reviewing reduces the burden to remove access from users no longer with the organization.
 
-For more information, see [Govern access for external users in Azure AD Entitlement Management](../governance/entitlement-management-external-users.md) 
+Learn more: [Govern access for external users in entitlement management](../governance/entitlement-management-external-users.md) 
 
 ### Next steps
 
-See the following articles on securing external access to resources. We recommend you take the actions in the listed order.
+See the following articles to learn more about securing external access to resources. We recommend you follow the listed order.
 
 1. [Determine your security posture for external access](1-secure-access-posture.md)
 
-2. [Discover your current state](2-secure-access-current-state.md)
+2. [Discover the current state of external collaboration in your organization](2-secure-access-current-state.md)
 
-3. [Create a governance plan](3-secure-access-plan.md)
+3. [Create a security plan for external access](3-secure-access-plan.md)
 
-4. [Use groups for security](4-secure-access-groups.md)
+4. [Securing external access with groups](4-secure-access-groups.md)
 
-5. [Transition to Azure AD B2B](5-secure-access-b2b.md)
+5. [Transition to governed collaboration with Azure AD B2B collaboration](5-secure-access-b2b.md)
 
-6. [Secure access with Entitlement Management](6-secure-access-entitlement-managment.md) (You are here.)
+6. [Manage external access with Azure AD entitlement management](6-secure-access-entitlement-managment.md) (You are here)
 
-7. [Secure access with Conditional Access policies](7-secure-access-conditional-access.md)
+7. [Manage external access with Conditional Access policies](7-secure-access-conditional-access.md)
 
-8. [Secure access with Sensitivity labels](8-secure-access-sensitivity-labels.md)
+8. [Control access with sensitivity labels](8-secure-access-sensitivity-labels.md)
 
-9. [Secure access to Microsoft Teams, OneDrive, and SharePoint](9-secure-access-teams-sharepoint.md)
+9. [Secure external access to Microsoft Teams, SharePoint, and OneDrive for Business](9-secure-access-teams-sharepoint.md)