
Commit c8cfd9d

Merge pull request #251368 from barclayn/PIM
Pim
2 parents e821c5e + e668b49 commit c8cfd9d

37 files changed

+192
-232
lines changed

articles/active-directory/privileged-identity-management/azure-pim-resource-rbac.md

Lines changed: 5 additions & 7 deletions
@@ -3,30 +3,28 @@ title: View audit report for Azure resource roles in Privileged Identity Managem
33
description: View activity and audit history for Azure resource roles in Privileged Identity Management (PIM).
44
services: active-directory
55
documentationcenter: ''
6-
author: billmath
6+
author: barclayn
77
manager: amycolannino
88
editor: ''
99

1010
ms.service: active-directory
1111
ms.subservice: pim
1212
ms.topic: how-to
1313
ms.workload: identity
14-
ms.date: 06/24/2022
15-
ms.author: billmath
14+
ms.date: 09/12/2023
15+
ms.author: barclayn
1616
ms.reviewer: shaunliu
1717
ms.collection: M365-identity-device-management
1818
---
1919
# View activity and audit history for Azure resource roles in Privileged Identity Management
2020

21-
With Privileged Identity Management (PIM) in Azure Active Directory (Azure AD), part of Microsoft Entra, you can view activity, activations, and audit history for Azure resources roles within your organization. This includes subscriptions, resource groups, and even virtual machines. Any resource within the Microsoft Entra admin center that leverages the Azure role-based access control functionality can take advantage of the security and lifecycle management capabilities in Privileged Identity Management. If you want to retain audit data for longer than the default retention period, you can use Azure Monitor to route it to an Azure storage account. For more information, see [Archive Azure AD logs to an Azure storage account](../reports-monitoring/quickstart-azure-monitor-route-logs-to-storage-account.md).
21+
Privileged Identity Management (PIM) in Microsoft Entra ID (Azure AD), enables you to view activity, activations, and audit history for Azure resources roles within your organization. This includes subscriptions, resource groups, and even virtual machines. Any resource within the Microsoft Entra admin center that leverages the Azure role-based access control functionality can take advantage of the security and lifecycle management capabilities in Privileged Identity Management. If you want to retain audit data for longer than the default retention period, you can use Azure Monitor to route it to an Azure storage account. For more information, see [Archive Azure AD logs to an Azure storage account](../reports-monitoring/quickstart-azure-monitor-route-logs-to-storage-account.md).
2222

2323
> [!NOTE]
2424
> If your organization has outsourced management functions to a service provider who uses [Azure Lighthouse](../../lighthouse/overview.md), role assignments authorized by that service provider won't be shown here.
2525
2626
## View activity and activations
2727

28-
[!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
29-
3028
To see what actions a specific user took in various resources, you can view the Azure resource activity that's associated with a given activation period.
3129

3230
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Privileged Role Administrator](../roles/permissions-reference.md#privileged-role-administrator).
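Review bot: The rewritten intro at line 21 has a stray comma between "(Azure AD)" and "enables" that separates the subject from its verb, and it carries over the pre-existing "Azure resources roles" typo; suggest "Privileged Identity Management (PIM) in Microsoft Entra ID (Azure AD) enables you to view activity, activations, and audit history for Azure resource roles within your organization." Since the portal-updates include at lines 28-29 is removed without a replacement, confirm that the admin-center sign-in step at line 30 remains the intended entry point for this procedure.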
@@ -88,7 +86,7 @@ Resource audit gives you a view of all role activity for a resource.
8886
[![Resource audit list filtered by Activate audit type](media/azure-pim-resource-rbac/rbac-audit-activity.png "Resource audit list filtered by Activate")](media/azure-pim-resource-rbac/rbac-audit-activity.png)
8987
![Resource audit list that is filtered by Activate audit type](media/azure-pim-resource-rbac/rbac-audit-activity.png)
9088

91-
1. Under **Action**, click **(activity)** for a user to see that user's activity detail in Azure resources.
89+
1. Under **Action**, select **(activity)** for a user to see that user's activity detail in Azure resources.
9290

9391
![User activity details for a particular action](media/azure-pim-resource-rbac/rbac-audit-activity-details.png)
9492

articles/active-directory/privileged-identity-management/concept-pim-for-groups.md

Lines changed: 21 additions & 20 deletions
@@ -3,16 +3,16 @@ title: Privileged Identity Management (PIM) for Groups
33
description: How to manage Azure AD Privileged Identity Management (PIM) for Groups.
44
services: active-directory
55
documentationcenter: ''
6-
author: billmath
6+
author: barclayn
77
manager: amycolannino
88
ms.assetid:
99
ms.service: active-directory
1010
ms.subservice: pim
1111
ms.topic: overview
1212
ms.tgt_pltfrm: na
1313
ms.workload: identity
14-
ms.date: 8/15/2023
15-
ms.author: billmath
14+
ms.date: 9/12/2023
15+
ms.author: barclayn
1616
ms.custom: pim
1717
ms.collection: M365-identity-device-management
1818

@@ -22,56 +22,57 @@ ms.collection: M365-identity-device-management
2222

2323
# Privileged Identity Management (PIM) for Groups
2424

25-
With Azure Active Directory (Azure AD), part of Microsoft Entra, you can provide users just-in-time membership in the group and just-in-time ownership of the group using the Azure AD Privileged Identity Management for Groups feature. These groups can be used to govern access to various scenarios that include Azure AD roles, Azure roles, as well as Azure SQL, Azure Key Vault, Intune, other application roles, and third party applications.
25+
Microsoft Entra ID, formerly known as Azure AD, allows you to grant users just-in-time membership and ownership of groups through Privileged Identity Management (PIM) for Groups. Groups can be used to control access to a variety of scenarios, including Azure AD roles, Azure roles, Azure SQL, Azure Key Vault, Intune, other application roles, and third-party applications.
2626

2727
## What is PIM for Groups?
2828

29-
PIM for Groups is part of Azure AD Privileged Identity Management – alongside with PIM for Azure AD Roles and PIM for Azure Resources, PIM for Groups enables users to activate the ownership or membership of an Azure AD security group or Microsoft 365 group. Groups can be used to govern access to various scenarios that include Azure AD roles, Azure roles, as well as Azure SQL, Azure Key Vault, Intune, other application roles, and third party applications.
29+
PIM for Groups is part of Azure AD Privileged Identity Management – alongside with PIM for Azure AD Roles and PIM for Azure Resources, PIM for Groups enables users to activate the ownership or membership of an Azure AD security group or Microsoft 365 group. Groups can be used to govern access to various scenarios that include Azure AD roles, Azure roles, Azure SQL, Azure Key Vault, Intune, other application roles, and third party applications.
3030

3131
With PIM for Groups you can use policies similar to ones you use in PIM for Azure AD Roles and PIM for Azure Resources: you can require approval for membership or ownership activation, enforce multi-factor authentication (MFA), require justification, limit maximum activation time, and more. Each group in PIM for Groups has two policies: one for activation of membership and another for activation of ownership in the group. Up until January 2023, PIM for Groups feature was called “Privileged Access Groups”.
3232

3333
[!INCLUDE [PIM for Groups note](../includes/pim-for-groups-include.md)]
3434

35-
## What are Azure AD role-assignable groups?
35+
## What are Entra ID role-assignable groups?
3636

37-
With Azure Active Directory (Azure AD), part of Microsoft Entra, you can assign a cloud Azure AD security group or Microsoft 365 group to an Azure AD role. This is possible only with groups that are created as role-assignable.
37+
When working with Entra ID, you can assign an Entra ID security group or Microsoft 365 group to an Entra ID role. This is possible only with groups that are created as role-assignable.
3838

39-
To learn more about Azure AD role-assignable groups, see [Create a role-assignable group in Azure Active Directory](../roles/groups-create-eligible.md).
39+
To learn more about Entra ID role-assignable groups, see [Create a role-assignable group in Azure Active Directory](../roles/groups-create-eligible.md).
4040

4141
Role-assignable groups benefit from extra protections comparing to non-role-assignable groups:
42-
- For role-assignable groups, only the Global Administrator, Privileged Role Administrator, or the group Owner can manage the group. Also, no other users can change the credentials of the users who are (active) members of the group. This feature helps prevent an admin from elevating to a higher privileged role without going through a request and approval procedure.
43-
- For non-role-assignable groups, various Azure AD roles can manage group – that includes Exchange Administrators, Groups Administrators, User Administrators, etc. Also, various roles Azure AD roles can change the credentials of the users who are (active) members of the group – that includes Authentication Administrators, Helpdesk Administrators, User Administrators, etc.
4442

45-
To learn more about Azure AD built-in roles and their permissions, see [Azure AD built-in roles](../roles/permissions-reference.md).
43+
- **Role-assignable groups** - only the Global Administrator, Privileged Role Administrator, or the group Owner can manage the group. Also, no other users can change the credentials of the users who are (active) members of the group. This feature helps prevent an admin from elevating to a higher privileged role without going through a request and approval procedure.
44+
- **Non-role-assignable groups** - various Azure AD roles can manage these groups – that includes Exchange Administrators, Groups Administrators, User Administrators, etc. Also, various roles Azure AD roles can change the credentials of the users who are (active) members of the group – that includes Authentication Administrators, Helpdesk Administrators, User Administrators, etc.
4645

47-
One Azure AD tenant can have up to 500 role-assignable groups. To learn more about Azure AD service limits and restrictions, see [Azure AD service limits and restrictions](../enterprise-users/directory-service-limits-restrictions.md).
46+
To learn more about Entra ID built-in roles and their permissions, see [Azure AD built-in roles](../roles/permissions-reference.md).
4847

4948
Azure AD role-assignable group feature is not part of Azure AD Privileged Identity Management (Azure AD PIM). For more information on licensing, see [Microsoft Entra ID Governance licensing fundamentals](../../active-directory/governance/licensing-fundamentals.md) .
5049

5150

5251
## Relationship between role-assignable groups and PIM for Groups
5352

54-
Groups can be role-assignable or non-role-assignable. The group can be enabled in PIM for Groups or not enabled in PIM for Groups. These are independent properties of the group. Any Azure AD security group and any Microsoft 365 group (except dynamic groups and groups synchronized from on-premises environment) can be enabled in PIM for Groups. The group does not have to be role-assignable group to be enabled in PIM for Groups.
53+
Groups can be role-assignable or non-role-assignable. The group can be enabled in PIM for Groups or not enabled in PIM for Groups. These are independent properties of the group. Any Entra ID security group and any Microsoft 365 group (except dynamic groups and groups synchronized from on-premises environment) can be enabled in PIM for Groups. The group doesn't have to be role-assignable group to be enabled in PIM for Groups.
5554

56-
If you want to assign Azure AD role to a group, it has to be role-assignable. Even if you do not intend to assign Azure AD role to the group but the group provides access to sensitive resources, it is still recommended to consider creating the group as role-assignable. This is because of extra protections role-assignable groups have – see [“What are Azure AD role-assignable groups?”](#what-are-azure-ad-role-assignable-groups) in the section above.
55+
If you want to assign an Entra ID role to a group, it has to be role-assignable. Even if you don't intend to assign an Entra ID role to the group but the group provides access to sensitive resources, it is still recommended to consider creating the group as role-assignable. This is because of extra protections role-assignable groups have – see [“What are Entra ID role-assignable groups?”](#what-are-entra-id-role-assignable-groups) in the section above.
5756

58-
Up until January 2023, it was required that every Privileged Access Group (former name for this PIM for Groups feature) had to be role-assignable group. This restriction is currently removed. Because of that, it is now possible to enable more than 500 groups per tenant in PIM, but only up to 500 groups can be role-assignable.
57+
>[!IMPORTANT]
58+
> Up until January 2023, it was required that every Privileged Access Group (former name for this PIM for Groups feature) had to be role-assignable group. This restriction is currently removed. Because of that, it is now possible to enable more than 500 groups per tenant in PIM, but only up to 500 groups can be role-assignable.
5959
60-
## Making group of users eligible for Azure AD role
60+
## Making group of users eligible for Entra ID role
61+
62+
There are two ways to make a group of users eligible for Entra ID role:
6163

62-
There are two ways to make a group of users eligible for Azure AD role:
6364
1. Make active assignments of users to the group, and then assign the group to a role as eligible for activation.
6465
2. Make active assignment of a role to a group and assign users to be eligible to group membership.
6566

66-
To provide a group of users with just-in-time access to Azure AD directory roles with permissions in SharePoint, Exchange, or Security & Microsoft Purview compliance portal (for example, Exchange Administrator role), be sure to make active assignments of users to the group, and then assign the group to a role as eligible for activation (Option #1 above). If you choose to make active assignment of a group to a role and assign users to be eligible to group membership instead, it may take significant time to have all permissions of the role activated and ready to use.
67+
To provide a group of users with just-in-time access to Azure AD roles with permissions in SharePoint, Exchange, or Security & Microsoft Purview compliance portal (for example, Exchange Administrator role), be sure to make active assignments of users to the group, and then assign the group to a role as eligible for activation (Option #1 above). If you choose to make active assignment of a group to a role and assign users to be eligible to group membership instead, it may take significant time to have all permissions of the role activated and ready to use.
6768

6869
## Privileged Identity Management and group nesting
6970

70-
In Azure AD, role-assignable groups can’t have other groups nested inside them. To learn more, see [Use Azure AD groups to manage role assignments](../roles/groups-concept.md). This is applicable to active membership: one group cannot be an active member of another group that is role-assignable.
71+
In Entra ID, role-assignable groups can’t have other groups nested inside them. To learn more, see [Use Azure AD groups to manage role assignments](../roles/groups-concept.md). This is applicable to active membership: one group can't be an active member of another group that is role-assignable.
7172

7273
One group can be an eligible member of another group, even if one of those groups is role-assignable.
7374

74-
If a user is an active member of Group A, and Group A is an eligible member of Group B, the user can activate their membership in Group B. This activation will be only for the user that requested the activation for, it does not mean that the entire Group A becomes an active member of Group B.
75+
If a user is an active member of Group A, and Group A is an eligible member of Group B, the user can activate their membership in Group B. This activation is only for the user that requested the activation for, it doesn't mean that the entire Group A becomes an active member of Group B.
7576

7677
## Privileged Identity Management and app provisioning (Public Preview)
7778

articles/active-directory/privileged-identity-management/groups-activate-roles.md

Lines changed: 7 additions & 9 deletions
@@ -3,23 +3,23 @@ title: Activate your group membership or ownership in Privileged Identity Manage
33
description: Learn how to activate your group membership or ownership in Privileged Identity Management (PIM).
44
services: active-directory
55
documentationcenter: ''
6-
author: billmath
6+
author: barclayn
77
manager: amycolannino
88
ms.service: active-directory
99
ms.topic: how-to
1010
ms.tgt_pltfrm: na
1111
ms.workload: identity
1212
ms.subservice: pim
13-
ms.date: 6/7/2023
14-
ms.author: billmath
13+
ms.date: 09/12/2023
14+
ms.author: barclayn
1515
ms.reviewer: ilyal
1616
ms.custom: pim
1717
ms.collection: M365-identity-device-management
1818
---
1919

2020
# Activate your group membership or ownership in Privileged Identity Management
2121

22-
In Azure Active Directory (Azure AD), part of Microsoft Entra, you can use Privileged Identity Management (PIM) to have just-in-time membership in the group or just-in-time ownership of the group.
22+
You can use Privileged Identity Management (PIM) In Microsoft Entra ID, previously known as Azure Active Directory (Azure AD), to have just-in-time membership in the group or just-in-time ownership of the group.
2323

2424
This article is for eligible members or owners who want to activate their group membership or ownership in PIM.
2525

@@ -30,8 +30,6 @@ This article is for eligible members or owners who want to activate their group
3030
3131
## Activate a role
3232

33-
[!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
34-
3533
When you need to take on a group membership or ownership, you can request activation by using the **My roles** navigation option in PIM.
3634

3735
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Privileged role administrator](../roles/permissions-reference.md#privileged-role-administrator).
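Review bot: With the portal-updates include gone (lines 33-34), the first visible instruction in this section is line 35, "Sign in ... as at least a Privileged role administrator", which sits oddly against line 24 of the previous hunk stating that this article is for eligible members or owners activating their own membership; confirm whether that administrator role is actually required to activate one's own eligible assignment, or whether the step should describe signing in as the eligible user. The role name is also capitalized "Privileged role administrator" here but "Privileged Role Administrator" at line 30 of azure-pim-resource-rbac.md; use one form.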
@@ -50,7 +48,7 @@ When you need to take on a group membership or ownership, you can request activa
5048

5149
1. If necessary, specify a custom activation start time. The membership or ownership is to be activated only after the selected time.
5250

53-
1. Depending on the group’s setting, justification for activation may be required. If required, provide it in the **Reason** box.
51+
1. Depending on the group’s setting, justification for activation may be required. If needed, provide the justification in the **Reason** box.
5452

5553
:::image type="content" source="media/pim-for-groups/pim-group-7.png" alt-text="Screenshot of where to provide a justification in the Reason box." lightbox="media/pim-for-groups/pim-group-7.png":::
5654

@@ -60,7 +58,7 @@ If the [role requires approval](pim-resource-roles-approval-workflow.md) to acti
6058

6159
## View the status of your requests
6260

63-
You can view the status of your pending requests to activate. It is specifically important when your requests undergo approval of another person.
61+
You can view the status of your pending requests to activate. It is important when your requests undergo approval of another person.
6462

6563
1. Sign in to the [Azure portal](https://portal.azure.com).
6664

@@ -81,7 +79,7 @@ You can view the status of your pending requests to activate. It is specifically
8179

8280
1. For the request that you want to cancel, select **Cancel**.
8381

84-
When you select **Cancel**, the request will be canceled. To activate the role again, you will have to submit a new request for activation.
82+
When you select **Cancel**, the request is canceled. To activate the role again, you have to submit a new request for activation.
8583

8684
## Next steps
8785
