MicrosoftDocs
diff --git a/‎articles/active-directory/develop/workload-identity-federation-create-trust-user-assigned-managed-identity.md
Lines changed: 1 addition & 1 deletion b/‎articles/active-directory/develop/workload-identity-federation-create-trust-user-assigned-managed-identity.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/active-directory/develop/workload-identity-federation-create-trust.md
Lines changed: 5 additions & 5 deletions b/‎articles/active-directory/develop/workload-identity-federation-create-trust.md
Lines changed: 5 additions & 5 deletions
diff --git a/‎articles/active-directory/fundamentals/3-secure-access-plan.md
Lines changed: 46 additions & 41 deletions b/‎articles/active-directory/fundamentals/3-secure-access-plan.md
Lines changed: 46 additions & 41 deletions
@@ -137,7 +137,7 @@ For a workflow triggered by a pull request event, specify an **Entity type** of
 
 Fill in the **Cluster issuer URL**, **Namespace**, **Service account name**, and **Name** fields:
 
-- **Cluster issuer URL** is the [OIDC issuer URL](../../aks/cluster-configuration.md#oidc-issuer) for the managed cluster or the [OIDC Issuer URL](https://azure.github.io/azure-workload-identity/docs/installation/self-managed-clusters/oidc-issuer.html) for a self-managed cluster.
+- **Cluster issuer URL** is the [OIDC issuer URL](../../aks/use-oidc-issuer.md) for the managed cluster or the [OIDC Issuer URL](https://azure.github.io/azure-workload-identity/docs/installation/self-managed-clusters/oidc-issuer.html) for a self-managed cluster.
 - **Service account name** is the name of the Kubernetes service account, which provides an identity for processes that run in a Pod. 
 - **Namespace** is the service account namespace.
 - **Name** is the name of the federated credential, which can't be changed later.
 
@@ -64,7 +64,6 @@ To add a federated identity for GitHub actions, follow these steps:
 
     :::image type="content" source="media/workload-identity-federation-create-trust/add-credential.png" alt-text="Screenshot of the Add a credential window, showing sample values." :::
 
-
 Use the following values from your Azure AD application registration for your GitHub workflow:
 
 - `AZURE_CLIENT_ID` the **Application (client) ID** 
@@ -146,7 +145,7 @@ Select the **Kubernetes accessing Azure resources** scenario from the dropdown m
 
 Fill in the **Cluster issuer URL**, **Namespace**, **Service account name**, and **Name** fields:
 
-- **Cluster issuer URL** is the [OIDC issuer URL](../../aks/cluster-configuration.md#oidc-issuer) for the managed cluster or the [OIDC Issuer URL](https://azure.github.io/azure-workload-identity/docs/installation/self-managed-clusters/oidc-issuer.html) for a self-managed cluster.
+- **Cluster issuer URL** is the [OIDC issuer URL](../../aks/use-oidc-issuer.md) for the managed cluster or the [OIDC Issuer URL](https://azure.github.io/azure-workload-identity/docs/installation/self-managed-clusters/oidc-issuer.html) for a self-managed cluster.
 - **Service account name** is the name of the Kubernetes service account, which provides an identity for processes that run in a Pod. 
 - **Namespace** is the service account namespace.
 - **Name** is the name of the federated credential, which can't be changed later.
@@ -220,7 +219,7 @@ az ad app federated-credential create --id f6475511-fd81-4965-a00e-41e7792b7b9c
 
 ### Kubernetes example
 
-*issuer* is your service account issuer URL (the [OIDC issuer URL](../../aks/cluster-configuration.md#oidc-issuer) for the managed cluster or the [OIDC Issuer URL](https://azure.github.io/azure-workload-identity/docs/installation/self-managed-clusters/oidc-issuer.html) for a self-managed cluster).  
+*issuer* is your service account issuer URL (the [OIDC issuer URL](../../aks/use-oidc-issuer.md) for the managed cluster or the [OIDC Issuer URL](https://azure.github.io/azure-workload-identity/docs/installation/self-managed-clusters/oidc-issuer.html) for a self-managed cluster).  
 
 *subject* is the subject name in the tokens issued to the service account. Kubernetes uses the following format for subject names: `system:serviceaccount:<SERVICE_ACCOUNT_NAMESPACE>:<SERVICE_ACCOUNT_NAME>`.
 
@@ -309,6 +308,7 @@ az ad app federated-credential delete --id f6475511-fd81-4965-a00e-41e7792b7b9c
 ::: zone pivot="identity-wif-apps-methods-powershell"
 
 ## Prerequisites
+
 - To run the example scripts, you have two options:
   - Use [Azure Cloud Shell](../../cloud-shell/overview.md), which you can open by using the **Try It** button in the upper-right corner of code blocks.
   - Run scripts locally with Azure PowerShell, as described in the next section.
@@ -364,7 +364,7 @@ New-AzADAppFederatedCredential -ApplicationObjectId $appObjectId -Audience api:/
 ### Kubernetes example
 
 - *ApplicationObjectId*: the object ID of the app (not the application (client) ID) you previously registered in Azure AD.
-- *Issuer* is your service account issuer URL (the [OIDC issuer URL](../../aks/cluster-configuration.md#oidc-issuer) for the managed cluster or the [OIDC Issuer URL](https://azure.github.io/azure-workload-identity/docs/installation/self-managed-clusters/oidc-issuer.html) for a self-managed cluster).  
+- *Issuer* is your service account issuer URL (the [OIDC issuer URL](../../aks/use-oidc-issuer.md) for the managed cluster or the [OIDC Issuer URL](https://azure.github.io/azure-workload-identity/docs/installation/self-managed-clusters/oidc-issuer.html) for a self-managed cluster).  
 - *Subject* is the subject name in the tokens issued to the service account. Kubernetes uses the following format for subject names: `system:serviceaccount:<SERVICE_ACCOUNT_NAMESPACE>:<SERVICE_ACCOUNT_NAME>`.
 - *Name* is the name of the federated credential, which can't be changed later.
 - *Audience* lists the audiences that can appear in the `aud` claim of the external token.
@@ -464,7 +464,7 @@ And you get the response:
 
 Run the following method to configure a federated identity credential on an app and create a trust relationship with a Kubernetes service account.  Specify the following parameters:
 
-- *issuer* is your service account issuer URL (the [OIDC issuer URL](../../aks/cluster-configuration.md#oidc-issuer) for the managed cluster or the [OIDC Issuer URL](https://azure.github.io/azure-workload-identity/docs/installation/self-managed-clusters/oidc-issuer.html) for a self-managed cluster).  
+- *issuer* is your service account issuer URL (the [OIDC issuer URL](../../aks/use-oidc-issuer.md) for the managed cluster or the [OIDC Issuer URL](https://azure.github.io/azure-workload-identity/docs/installation/self-managed-clusters/oidc-issuer.html) for a self-managed cluster).  
 - *subject* is the subject name in the tokens issued to the service account. Kubernetes uses the following format for subject names: `system:serviceaccount:<SERVICE_ACCOUNT_NAMESPACE>:<SERVICE_ACCOUNT_NAME>`.
 - *name* is the name of the federated credential, which can't be changed later.
 - *audiences* lists the audiences that can appear in the external token.  This field is mandatory.  The recommended value is "api://AzureADTokenExchange".
 
@@ -1,5 +1,5 @@
 ---
-title: Create a security plan for external access to Azure Active Directory 
+title: Create a security plan for external access to resources
 description: Plan the security for external access to your organization's resources.
 services: active-directory
 author: gargi-sinha
@@ -8,64 +8,69 @@ ms.service: active-directory
 ms.workload: identity
 ms.subservice: fundamentals
 ms.topic: conceptual
-ms.date: 12/15/2022
+ms.date: 02/21/2023
 ms.author: gasinh
 ms.reviewer: ajburnle
 ms.custom: "it-pro, seodec18"
 ms.collection: M365-identity-device-management
 ---
 
-# Create a security plan for external access 
+# Create a security plan for external access to resources
 
-Before you create an external-access security plan, ensure the following conditions are met.
+Before you create an external-access security plan, review the following two articles, which add context and information for the security plan.
 
-* [Determine your security posture for external access](1-secure-access-posture.md)
+* [Determine your security posture for external access with Azure AD](1-secure-access-posture.md)
 * [Discover the current state of external collaboration in your organization](2-secure-access-current-state.md)
 
+## Security plan documentation
+
 For your security plan, document the following information:
 
-* Applications and resources to be grouped for access
+* Applications and resources grouped for access
 * Sign-in conditions for external users
-  * Device state, sign-in location, client application requirements, and user risk
-* Policies that determine when to review and remove access
-* User populations to be grouped for a similar experience
+  * Device state, sign-in location, client application requirements, user risk, etc.
+* Policies to determine timing for reviews and access removal 
+* User populations grouped for similar experiences
 
-After you document the information, use Microsoft identity and access management policies, or another identity provider (IdP) to implement the plan.
+To implement the security plan, you can use Microsoft identity and access management policies, or another identity provider (IdP).
 
-## Resources to be grouped for access
+Learn more: [Identity and access management overview](/compliance/assurance/assurance-identity-and-access-management)
 
-To group resources for access: 
+## Use groups for access
 
-* Microsoft Teams groups files, conversation threads, and other resources. Formulate an external access strategy for Microsoft Teams.
-  * See, [Secure external access to Microsoft Teams, SharePoint, and OneDrive for Business](9-secure-access-teams-sharepoint.md)
-* Use entitlement management access packages to create and delegate management of packages of applications, groups, teams, SharePoint sites, etc. 
+See the following links to articles about resource grouping strategies: 
+
+* Microsoft Teams groups files, conversation threads, and other resources
+  * Formulate an external access strategy for Teams
+  * See, [Secure external access to Microsoft Teams, SharePoint, and OneDrive for Business with Azure AD](9-secure-access-teams-sharepoint.md)
+* Use entitlement management access packages to create and delegate package management of applications, groups, teams, SharePoint sites, etc. 
   * [Create a new access package in entitlement management](../governance/entitlement-management-access-package-create.md) 
 * Apply Conditional Access policies to up to 250 applications, with the same access requirements
   *  [What is Conditional Access?](../conditional-access/overview.md) 
-* Use Cross Tenant Access Settings Inbound Access to define access for application groups of external users 
+* Define access for external user application groups
   *  [Overview: Cross-tenant access with Azure AD External Identities](../external-identities/cross-tenant-access-overview.md) 
 
-Document the applications to be grouped. Considerations include:
+Document the grouped applications. Considerations include:
 
-* **Risk profile** - Assess the risk if a bad actor gains access to an application. 
-  * Identify application as high, medium, or low risk. Avoid grouping high-risk with low-risk.
+* **Risk profile** - assess the risk if a bad actor gains access to an application 
+  * Identify application as High, Medium, or Low risk. We recommend you don't group High-risk with Low-risk.
   * Document applications that can't be shared with external users
-* **Compliance frameworks** - Determine compliance frameworks for apps
+* **Compliance frameworks** - determine compliance frameworks for apps
   * Identify access and review requirements
-* **Applications for roles or departments** - Assess applications to be grouped for a role or department access
-* **Collaboration applications** - Identify collaboration applications external users can access, such as Teams and SharePoint
+* **Applications for roles or departments** - assess applications grouped for role, or department, access
+* **Collaboration applications** - identify collaboration applications external users can access, such as Teams or SharePoint
   * For productivity applications, external users might have licenses, or you might provide access
 
-For application and resource group access by external users, document the following information:
+Document the following information for application and resource group access by external users.
 
 * Descriptive group name, for example High_Risk_External_Access_Finance 
 * Applications and resources in the group
-* Application and resource owners and contact information
-* Access is controlled by IT, or delegated to a business owner
+* Application and resource owners and their contact information
+* The IT team controls access, or control is delegated to a business owner
 * Prerequisites for access: background check, training, etc.
 * Compliance requirements to access resources
 * Challenges, for example multi-factor authentication (MFA) for some resources
-* Cadence for reviews, by whom, and where it's documented
+* Cadence for reviews, by whom, and where results are documented
 
 > [!TIP]
 > Use this type of governance plan for internal access.
@@ -82,7 +87,7 @@ Consider the following risk-based policies to trigger MFA.
 
 * **Low** - MFA for some application sets
 * **Medium** - MFA when other risks are present
-* **High** - External users always use MFA
+* **High** - external users always use MFA
 
 Learn more: 
 
@@ -98,14 +103,14 @@ Use the following table to help assess policy to address risk.
 | --- | --- |
 | Device| Require compliant devices |
 | Mobile apps| Require approved apps |
-| Identity protection is high risk| Require user to change password |
+| Identity protection is High risk| Require user to change password |
 | Network location| To access confidential projects, require sign-in from an IP address range |
 
-To use device state as policy input, the device is registered or joined to your tenant. Configure cross-tenant access settings must be configured to trust the device claims from the home tenant. See, [Modify inbound access settings](../external-identities/cross-tenant-access-settings-b2b-collaboration.md#modify-inbound-access-settings).
+To use device state as policy input, register or join the device to your tenant. To trust the device claims from the home tenant, configure cross-tenant access settings. See, [Modify inbound access settings](../external-identities/cross-tenant-access-settings-b2b-collaboration.md#modify-inbound-access-settings).
 
-You can use identity-protection risk policies. However, mitigate issue in the user home tenant. See, [Common Conditional Access policy: Sign-in risk-based multifactor authentication](../conditional-access/howto-conditional-access-policy-risk.md).
+You can use identity-protection risk policies. However, mitigate issues in the user home tenant. See, [Common Conditional Access policy: Sign-in risk-based multifactor authentication](../conditional-access/howto-conditional-access-policy-risk.md).
 
-For network locations, you can restrict access to IP addresses ranges you own. Use this method if external partners access applications while at your location. See, [Conditional Access: Block access by location](../conditional-access/howto-conditional-access-policy-location.md)
+For network locations, you can restrict access to IP addresses ranges that you own. Use this method if external partners access applications while at your location. See, [Conditional Access: Block access by location](../conditional-access/howto-conditional-access-policy-location.md)
 
 ## Document access review policies
 
@@ -115,13 +120,13 @@ Document policies that dictate when to review resource access, and remove accoun
 * Internal business policies and processes
 * User behavior
 
-Your policies will be customized, however consider the following parameters:
+Generally, organizations customize policy, however consider the following parameters:
 
 * **Entitlement management access reviews**:
   * [Change lifecycle settings for an access package in entitlement management](../governance/entitlement-management-access-package-lifecycle-policy.md)
   * [Create an access review of an access package in entitlement management](../governance/entitlement-management-access-reviews-create.md)
   * [Add a connected organization in entitlement management](../governance/entitlement-management-organization.md): group users from a partner and schedule reviews
-* **Microsoft 365 groups**: 
+* **Microsoft 365 groups**
   * [Microsoft 365 group expiration policy](/microsoft-365/solutions/microsoft-365-groups-expiration-policy?view=o365-worldwide&preserve-view=true)
 * **Options**: 
   * If external users don't use access packages or Microsoft 365 groups, determine when accounts become inactive or deleted
@@ -130,20 +135,20 @@ Your policies will be customized, however consider the following parameters:
 
 ## Access control methods
 
-Some features, for example entitlement management, are available with an Azure AD Premium 2 (P2) license. Microsoft 365 E5 and Office 365 E5 licenses include Azure AD P2 licenses. 
-
-Other combinations of Microsoft 365, Office 365, and Azure AD have functionality to manage external users. See, [Microsoft 365 guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance).
+Some features, for example entitlement management, are available with an Azure AD Premium 2 (P2) license. Microsoft 365 E5 and Office 365 E5 licenses include Azure AD P2 licenses. Learn more in the following entitlement management section.
 
 > [!NOTE]
 > Licenses are for one user. Therefore users, administrators, and business owners can have delegated access control. This scenario can occur with Azure AD P2 or Microsoft 365 E5, and you don't have to enable licenses for all users. The first 50,000 external users are free. If you don't enable P2 licenses for other internal users, they can't use entitlement management. 
 
+Other combinations of Microsoft 365, Office 365, and Azure AD have functionality to manage external users. See, [Microsoft 365 guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance).
+
 ## Govern access with Azure AD P2 and Microsoft 365 or Office 365 E5
 
 Azure AD P2 and Microsoft 365 E5 have all the security and governance tools.
 
 ### Provision, sign-in, review access, and deprovision access
 
-Entries in bold are recommended.
+Entries in bold are recommended actions.
 
 | Feature| Provision external users| Enforce sign-in requirements| Review access| Deprovision access |
 | - | - | - | - | - |
@@ -154,7 +159,7 @@ Entries in bold are recommended.
 
 ### Resource access 
 
-Entries in bold are recommended.
+Entries in bold are recommended actions.
 
 |Feature | App and resource access| SharePoint and OneDrive access| Teams access| Email and document security |
 | - |-|-|-|-|
@@ -165,15 +170,15 @@ Entries in bold are recommended.
 
 ### Entitlement management 
 
-Use entitlement management to provision and deprovision access to groups and teams, applications, and SharePoint sites. Define the connected organizations allowed access, self-service requests, and approval workflows. To ensure access ends correctly, define expiration policies and access reviews for packages. 
+Use entitlement management to provision and deprovision access to groups and teams, applications, and SharePoint sites. Define the connected organizations granted access, self-service requests, and approval workflows. To ensure access ends correctly, define expiration policies and access reviews for packages. 
 
 Learn more: [Create a new access package in entitlement management](../governance/entitlement-management-access-package-create.md) 
 
 ## Governance with Azure AD P1, Microsoft 365, Office 365 E3
 
 ### Provision, sign-in, review access, and deprovision access
 
-Items in bold are recommended.
+Items in bold are recommended actions.
 
 |Feature | Provision external users| Enforce sign-in requirements| Review access| Deprovision access |
 | - |-|-|-|-|
@@ -200,4 +205,4 @@ Items in bold are recommended.
 * [Manage external access with entitlement management](6-secure-access-entitlement-managment.md)
 * [Secure access with Conditional Access policies](7-secure-access-conditional-access.md)
 * [Control access with sensitivity labels](8-secure-access-sensitivity-labels.md)
-* [Secure external access to Microsoft Teams, SharePoint, and OneDrive for Business](9-secure-access-teams-sharepoint.md)
+* [Secure external access to Microsoft Teams, SharePoint, and OneDrive for Business](9-secure-access-teams-sharepoint.md)