[Microsoft Entra ID] ID Protection Standardization

Author: MicrosoftGuyJFlo

articles/active-directory/identity-protection/concept-workload-identity-risk.md

@@ -15,7 +15,6 @@ ms.reviewer: etbasser
 
 ms.collection: M365-identity-device-management
 ---
-
 # Securing workload identities
 
 Azure AD Identity Protection has historically protected users in detecting, investigating, and remediating identity-based risks. We're now extending these capabilities to workload identities to protect applications and service principals.
@@ -40,10 +39,10 @@ To make use of workload identity risk, including the new **Risky workload identi
 
 - Workload Identities Premium licensing: You can view and acquire licenses on the [Workload Identities blade](https://portal.azure.com/#view/Microsoft_Azure_ManagedServiceIdentity/WorkloadIdentitiesBlade) in the Azure portal.
 - One of the following administrator roles assigned
-   - Global Administrator
    - Security Administrator
    - Security Operator
    - Security Reader Users assigned the Conditional Access administrator role can create policies that use risk as a condition.
+   - Global Administrator
 
 ## Workload identity risk detections
 
@@ -63,7 +62,7 @@ We detect risk on workload identities across sign-in behavior and offline indica
 
 Organizations can find workload identities that have been flagged for risk in one of two locations:
 
-1. Sign in to the [Azure portal](https://portal.azure.com).
+1. Sign in to the [Azure portal](https://portal.azure.com) as at least a [Security Reader](../roles/permissions-reference.md#security-reader).
 1. Browse to **Azure Active Directory** > **Security** > **Risky workload identities**.
 1. Or browse to **Azure Active Directory** > **Security** > **Risk detections**.
    1. Select the **Workload identity detections** tab.'
@@ -89,7 +88,7 @@ For improved security and resilience of your workload identities, Continuous Acc
 
 ## Investigate risky workload identities
 
-Identity Protection provides organizations with two reports they can use to investigate workload identity risk. These reports are the risky workload identities, and risk detections for workload identities. All reports allow for downloading of events in .CSV format for further analysis outside of the Azure portal. 
+Identity Protection provides organizations with two reports they can use to investigate workload identity risk. These reports are the risky workload identities, and risk detections for workload identities. All reports allow for downloading of events in .CSV format for further analysis. 
 
 Some of the key questions to answer during your investigation include:
 
@@ -102,7 +101,7 @@ The [Azure Active Directory security operations guide for Applications](../archi
 
 Once you determine if the workload identity was compromised, dismiss the account’s risk, or confirm the account as compromised in the Risky workload identities report. You can also select “Disable service principal” if you want to block the account from further sign-ins.
 
-:::image type="content" source="media/concept-workload-identity-risk/confirm-compromise-or-dismiss-risk.png" alt-text="Confirm workload identity compromise or dismiss the risk in the Azure portal." lightbox="media/concept-workload-identity-risk/confirm-compromise-or-dismiss-risk.png":::
+:::image type="content" source="media/concept-workload-identity-risk/confirm-compromise-or-dismiss-risk.png" alt-text="Confirm workload identity compromise or dismiss the risk." lightbox="media/concept-workload-identity-risk/confirm-compromise-or-dismiss-risk.png":::
 
 ## Remediate risky workload identities
 

articles/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy.md

@@ -34,7 +34,7 @@ For more information on Azure AD multifactor authentication, see [What is Azure
 
 [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
 
-1. Sign in to the [Azure portal](https://portal.azure.com).
+1. Sign in to the [Azure portal](https://portal.azure.com) as at least a [Security Administrator](../roles/permissions-reference.md#security-administrator)
 1. Browse to **Azure Active Directory** > **Security** > **Identity Protection** > **MFA registration policy**.
    1. Under **Assignments** > **Users**
       1. Under **Include**, select **All users** or **Select individuals and groups** if limiting your rollout.

articles/active-directory/identity-protection/howto-identity-protection-configure-risk-policies.md

@@ -64,7 +64,7 @@ Before organizations enable remediation policies, they may want to [investigate]
 
 ### User risk policy in Conditional Access
 
-1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.
+1. Sign in to the [Azure portal](https://portal.azure.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).
 1. Browse to **Azure Active Directory** > **Security** > **Conditional Access**.
 1. Select **New policy**.
 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
@@ -90,7 +90,7 @@ After confirming your settings using [report-only mode](../conditional-access/ho
 
 ### Sign-in risk policy in Conditional Access
 
-1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.
+1. Sign in to the [Azure portal](https://portal.azure.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).
 1. Browse to **Azure Active Directory** > **Security** > **Conditional Access**.
 1. Select **New policy**.
 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.

articles/active-directory/identity-protection/howto-identity-protection-remediate-unblock.md

@@ -66,7 +66,7 @@ Administrators are given two options when resetting a password for their users:
 
 If after investigation and confirming that the user account isn't at risk of being compromised, then you can choose to dismiss the risky user.
 
-To **Dismiss user risk**, search for and select **Azure AD Risky users** in the Azure portal or the Entra portal, select the affected user, and select **Dismiss user(s) risk**.
+To **Dismiss user risk**, search for and select **Azure AD Risky users** in the Azure portal or the Microsoft Entra admin center, select the affected user, and select **Dismiss user(s) risk**.
 
 When you select **Dismiss user risk**, the user is no longer at risk, and all the risky sign-ins of this user and corresponding risk detections are dismissed as well. 
 

articles/active-directory/identity-protection/howto-identity-protection-simulate-risk.md

@@ -75,10 +75,10 @@ Simulating the atypical travel condition is difficult because the algorithm uses
 **To simulate an atypical travel risk detection, perform the following steps**:
 
 1. Using your standard browser, navigate to [https://myapps.microsoft.com](https://myapps.microsoft.com).  
-2. Enter the credentials of the account you want to generate an atypical travel risk detection for.
-3. Change your user agent. You can change user agent in Microsoft Edge from Developer Tools (F12).
-4. Change your IP address. You can change your IP address by using a VPN, a Tor add-on, or creating a new virtual machine in Azure in a different data center.
-5. Sign-in to [https://myapps.microsoft.com](https://myapps.microsoft.com) using the same credentials as before and within a few minutes after the previous sign-in.
+1. Enter the credentials of the account you want to generate an atypical travel risk detection for.
+1. Change your user agent. You can change user agent in Microsoft Edge from Developer Tools (F12).
+1. Change your IP address. You can change your IP address by using a VPN, a Tor add-on, or creating a new virtual machine in Azure in a different data center.
+1. Sign-in to [https://myapps.microsoft.com](https://myapps.microsoft.com) using the same credentials as before and within a few minutes after the previous sign-in.
 
 The sign-in shows up in the Identity Protection dashboard within 2-4 hours.
 
@@ -88,25 +88,26 @@ The sign-in shows up in the Identity Protection dashboard within 2-4 hours.
 
 This risk detection indicates that the application's valid credentials have been leaked. This leak can occur when someone checks in the credentials in a public code artifact on GitHub. Therefore, to simulate this detection, you need a GitHub account and can [sign up a GitHub account](https://docs.github.com/get-started/signing-up-for-github) if you don't have one already.
 
-**To simulate Leaked Credentials in GitHub for Workload Identities, perform the following steps**:
-1. Sign in to the [Azure portal](https://portal.azure.com).
-2. Browse to **Azure Active Directory** > **App registrations**.
-3. Select **New registration** to register a new application or reuse an existing stale application.
-4. Select **Certificates & Secrets** > **New client Secret** , add a description of your client secret and set an expiration for the secret or specify a custom lifetime and select **Add**. Record the secret's value for later use for your GitHub Commit.
+### Simulate Leaked Credentials in GitHub for Workload Identities
+
+1. Sign in to the [Azure portal](https://portal.azure.com) as at least a [Security Administrator](../roles/permissions-reference.md#security-administrator).
+1. Browse to **Azure Active Directory** > **App registrations**.
+1. Select **New registration** to register a new application or reuse an existing stale application.
+1. Select **Certificates & Secrets** > **New client Secret** , add a description of your client secret and set an expiration for the secret or specify a custom lifetime and select **Add**. Record the secret's value for later use for your GitHub Commit.
 
    > [!Note]
    > **You can not retrieve the secret again after you leave this page**.
    
-5. Get the TenantID and Application(Client)ID in the **Overview** page.
-6. Ensure you disable the application via **Azure Active Directory** > **Enterprise Application** > **Properties** > Set **Enabled for users to sign-in** to **No**.
-7. Create a **public** GitHub Repository, add the following config and commit the change as a file with the .txt extension.
+1. Get the TenantID and Application(Client)ID in the **Overview** page.
+1. Ensure you disable the application via **Azure Active Directory** > **Enterprise Application** > **Properties** > Set **Enabled for users to sign-in** to **No**.
+1. Create a **public** GitHub Repository, add the following config and commit the change as a file with the .txt extension.
    ```GitHub file
      "AadClientId": "XXXX-2dd4-4645-98c2-960cf76a4357",
      "AadSecret": "p3n7Q~XXXX",
      "AadTenantDomain": "XXXX.onmicrosoft.com",
      "AadTenantId": "99d4947b-XXX-XXXX-9ace-abceab54bcd4",
    ```
-7. In about 8 hours, you'll be able to view a leaked credential detection under **Azure Active Directory** > **Security** > **Risk Detection** > **Workload identity detections** where the additional info will contain the URL of your GitHub commit.
+1. In about 8 hours, you'll be able to view a leaked credential detection under **Azure Active Directory** > **Security** > **Risk Detection** > **Workload identity detections** where the additional info will contain the URL of your GitHub commit.
 
 ## Testing risk policies
 
@@ -116,7 +117,7 @@ This section provides you with steps for testing the user and the sign-in risk p
 
 To test a user risk security policy, perform the following steps:
 
-1. Sign in to the [Azure portal](https://portal.azure.com).
+1. Sign in to the [Azure portal](https://portal.azure.com) as at least a [Security Administrator](../roles/permissions-reference.md#security-administrator).
 1. Browse to **Azure Active Directory** > **Security** > **Identity Protection** > **Overview**.
 1. Select **Configure user risk policy**.
    1. Under **Assignments**
@@ -136,7 +137,7 @@ To test a user risk security policy, perform the following steps:
 
 To test a sign-in risk policy, perform the following steps:
 
-1. Sign in to the [Azure portal](https://portal.azure.com).
+1. Sign in to the [Azure portal](https://portal.azure.com) as at least a [Security Administrator](../roles/permissions-reference.md#security-administrator).
 1. Browse to **Azure Active Directory** > **Security** > **Identity Protection** > **Overview**.
 1. Select **Configure sign-in risk policy**.
    1. Under **Assignments**