Merge pull request #208133 from amsliu/pag-update

Pag update

Author: LJSpiller

articles/active-directory/governance/TOC.yml

@@ -202,6 +202,10 @@
         href: ../privileged-identity-management/pim-perform-azure-ad-roles-and-resource-roles-review.md?toc=%2fazure%2factive-directory%2fgovernance%2ftoc.json
       - name: Complete an access review
         href: ../privileged-identity-management/pim-complete-azure-ad-roles-and-resource-roles-review.md?toc=%2fazure%2factive-directory%2fgovernance%2ftoc.json
+    - name: Azure AD Privileged Access Groups (Preview)
+      items:
+      - name: Create an access review
+        href: create-access-review-privileged-access-groups.md
   - name: Lifecycle Workflows (Preview)
     items:
       - name: Deployment (Preview)

articles/active-directory/governance/create-access-review-privileged-access-groups.md

@@ -0,0 +1,72 @@
+---
+title: Create an access review of Privileged Access Groups - Azure AD (preview)
+description: Learn how to create an access review of Privileged Access Groups in Azure Active Directory. 
+services: active-directory
+author: amsliu
+manager: amycolannino
+editor: markwahl-msft
+ms.service: active-directory
+ms.workload: identity
+ms.tgt_pltfrm: na
+ms.topic: how-to
+ms.subservice: compliance
+ms.date: 09/14/2022
+ms.author: amsliu
+ms.reviewer: jgangadhar
+ms.collection: M365-identity-device-management
+---
+ 
+# Create an access review of Privileged Access Groups in Azure AD (preview)
+
+This article describes how to create one or more access reviews for Privileged Access Groups, which will include the active members of the group as well as the eligible members. Reviews can be performed on both active members of the group, who are active at the time the review is created, and the eligible members of the group.
+
+## Prerequisites
+
+- Azure AD Premium P2.
+- Only Global administrators and Privileged Role administrators can create reviews on Privileged Access Groups. For more information, see [Use Azure AD groups to manage role assignments](../roles/groups-concept.md).
+
+For more information, see [License requirements](access-reviews-overview.md#license-requirements).
+
+## Create a Privileged Access Group access review
+
+### Scope
+1. Sign in to the Azure portal and open the [Identity Governance](https://portal.azure.com/#blade/Microsoft_AAD_ERM/DashboardBlade/) page.
+
+2. On the left menu, select **Access reviews**.
+
+3. Select **New access review** to create a new access review.
+
+    ![Screenshot that shows the Access reviews pane in Identity Governance.](./media/create-access-review/access-reviews.png)
+
+4. In the **Select what to review** box, select **Teams + Groups**.
+
+    ![Screenshot that shows creating an access review.](./media/create-access-review/select-what-review.png)
+
+5. Select **Teams + Groups** and then select **Select Teams + groups** under **Review Scope**. A list of groups to choose from appears on the right.
+
+     ![Screenshot that shows selecting Teams + Groups.](./media/create-access-review/create-privileged-access-groups-review.png)
+
+> [!NOTE]  
+> When a Privileged Access Group (PAG) is selected, the users under review for the group will include all eligible users and active users in that group. 
+
+6. Now you can select a scope for the review. Your options are:
+    - **Guest users only**: This option limits the access review to only the Azure AD B2B guest users in your directory.
+    - **Everyone**: This option scopes the access review to all user objects associated with the resource.
+
+
+7. If you are conducting group membership review, you can create access reviews for only the inactive users in the group. In the *Users scope* section, check the box next to **Inactive users (on tenant level)**. If you check the box, the scope of the review will focus on inactive users only, those who have not signed in either interactively or non-interactively to the tenant. Then, specify **Days inactive**  with a number of days inactive up to 730 days (two years). Users in the group inactive for the specified number of days will be the only users in the review.
+
+> [!NOTE]
+> Recently created users are not affected when configuring the inactivity time. The Access Review will check if a user has been created in the time frame configured and disregard users who haven’t existed for at least that amount of time. For example, if you set the inactivity time as 90 days and a guest user was created or invited less than 90 days ago, the guest user will not be in scope of the Access Review. This ensures that a user can sign in at least once before being removed.
+
+8. Select **Next: Reviews**.
+
+After you have reached this step, you may follow the instructions outlined under **Next: Reviews** in the [Create an access review of groups or applications](create-access-review.md#next-reviews) article to complete your access review.
+
+> [!NOTE]
+> Review of Privileged Access Groups will only assign active owner(s) as the reviewers. Eligible owners are not included. At least one fallback reviewer is required for a Privileged Access Groups review. If there are no active owner(s) when the review begins, the fallback reviewer(s) will be assigned to the review.
+
+## Next steps
+
+- [Create an access review of groups or applications](create-access-review.md)
+- [Approve activation requests for privileged access group members and owners (preview)](../privileged-identity-management/groups-approval-workflow.md)

articles/active-directory/governance/create-access-review.md

@@ -10,7 +10,7 @@ ms.workload: identity
 ms.tgt_pltfrm: na
 ms.topic: how-to
 ms.subservice: compliance
-ms.date: 08/24/2022
+ms.date: 09/09/2022
 ms.author: amsliu
 ms.reviewer: mwahl
 ms.collection: M365-identity-device-management
@@ -95,6 +95,9 @@ If you are reviewing access to an application, then before creating the review,
 
    If you choose either **Managers of users** or **Group owner(s)**, you can also specify a fallback reviewer. Fallback reviewers are asked to do a review when the user has no manager specified in the directory or if the group doesn't have an owner.
 
+    >[!IMPORTANT]
+    > For Privileged Access Groups (Preview), you must select **Group owner(s)**. It is mandatory to assign at least one fallback reviewer to the review. The review will only assign active owner(s) as the reviewer(s). Eligible owners are not included. If there are no active owners when the review begins, the fallback reviewer(s) will be assigned to the review.
+
       ![Screenshot that shows New access review.](./media/create-access-review/new-access-review.png)
 
 1. In the **Specify recurrence of review** section, specify the following selections:
@@ -297,8 +300,10 @@ After one or more access reviews have started, you might want to modify or updat
 
 ## Next steps
 
+- [Complete an access review of groups or applications](complete-access-review.md)
+- [Create an access review of Privileged Access Groups (preview)](create-access-review-privileged-access-groups.md)
 - [Review access to groups or applications](perform-access-review.md)
 - [Review access for yourself to groups or applications](review-your-access.md)
-- [Complete an access review of groups or applications](complete-access-review.md)
+