
Commit df96a26

Merge pull request #78479 from markwahl-msft/markwahl-elmdoc-201905
713519 714883 add troubleshooting feedback for entitlement management
2 parents 6193010 + 71c43e7 commit df96a26

File tree

4 files changed

+29
-14
lines changed


articles/active-directory/governance/entitlement-management-overview.md

Lines changed: 9 additions & 6 deletions
Original file line number | Diff line number | Diff line change
@@ -12,7 +12,7 @@ ms.tgt_pltfrm: na
1212
ms.devlang: na
1313
ms.topic: conceptual
1414
ms.subservice: compliance
15-
ms.date: 04/27/2019
15+
ms.date: 05/30/2019
1616
ms.author: rolyon
1717
ms.reviewer: mwahl
1818
ms.collection: M365-identity-device-management
@@ -68,11 +68,14 @@ Here are the types of resources you can manage access to with entitlement manage
6868

6969
- Azure AD security groups
7070
- Office 365 groups
71-
- Azure AD enterprise applications
72-
- SaaS applications
73-
- Custom-integrated applications
74-
- SharePoint Online site collections
75-
- SharePoint Online sites
71+
- Azure AD enterprise applications, including SaaS application and custom-integrated applications that support federation or provisioning
72+
- SharePoint Online site collections and sites
73+
74+
You can also control access to other resources that rely upon Azure AD security groups or Office 365 groups. For example:
75+
76+
- You can give users licenses for Microsoft Office 365 by using an Azure AD security group in an access package and configuring [group-based licensing](../users-groups-roles/licensing-groups-assign.md) for that group
77+
- You can give users access to manage Azure resources by using an Azure AD security group in an access package and creating an [Azure role assignment](../../role-based-access-control/role-assignments-portal.md) for that group
78+
7679

7780
## Prerequisites
7881

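Review bot: "including SaaS application and custom-integrated applications" should read "SaaS applications" (plural) to match "custom-integrated applications" in the same bullet. The two new example bullets under "You can also control access to other resources" also end without a period while the surrounding prose sentences have one; consider ending each bullet with a period. Folding the SaaS and custom-integrated items into the enterprise applications bullet with the "that support federation or provisioning" qualifier is a useful precision, since that qualifier is what actually determines whether an application can be a resource.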
articles/active-directory/governance/entitlement-management-process.md

Lines changed: 4 additions & 4 deletions
@@ -12,7 +12,7 @@ ms.tgt_pltfrm: na
1212
ms.devlang: na
1313
ms.topic: conceptual
1414
ms.subservice: compliance
15-
ms.date: 04/26/2019
15+
ms.date: 05/30/2019
1616
ms.author: rolyon
1717
ms.reviewer: mamkumar
1818
ms.collection: M365-identity-device-management
@@ -42,7 +42,7 @@ A user that needs access to an access package can submit an access request. Depe
4242
| --- | --- |
4343
| Submitted | User submits a request. |
4444
| Pending approval | If the policy for an access package requires approval, a request moves to pending approval. |
45-
| Expired | If no approvers review a request within the approval request timeout, the request expires. To try again, the user will have to resubmit their request. |
45+
| Expired | If no approvers approve a request within the approval request timeout, the request expires. To try again, the user will have to resubmit their request. |
4646
| Denied | Approver denies a request. |
4747
| Approved | Approver approves a request. |
4848
| Delivering | User has **not** been assigned access to all the resources in the access package. If this is an external user, the user has not yet accessed the resource directory and accepted the permissions prompt. |
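Review bot: replacing "review" with "approve" in the Expired row blurs the distinction from the Denied row: a request that an approver denies is also "not approved", yet it moves to Denied, not Expired. Suggest "If no approver approves or denies the request within the approval request timeout, the request expires." so that Expired is clearly the no-decision case.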
@@ -69,15 +69,15 @@ The following table provides more detail about each of these email notifications
6969
| 7 | Your access to *[access package]* expires in X day(s) | X days before the requestor's access to the access package expires | Requestor |
7070
| 8 | Your access to *[access package]* has expired | When the requestor's access to an access package expires | Requestor |
7171

72-
### Review access request emails
72+
### Access request emails
7373

7474
When a requestor submits an access request for an access package that is configured to require approval, all approvers configured in the policy receive an email notification with details of the request. Details include the requestor's name, organization, access start and end date if provided, business justification, when the request was submitted, and when the request will expire. The email includes a link where approvers can approve or deny the access request. Here is a sample email notification that is sent to an approver when a requestor submits an access request.
7575

7676
![Review access request email](./media/entitlement-management-shared/email-approve-request.png)
7777

7878
### Approved or denied emails
7979

80-
Requestors are notified when their access request is approved and available for access, or when their access request is denied. When an approver reviews an access request submitted by a requestor, they can approve or deny the access request. The approver needs to add a business justification for their decision.
80+
Requestors are notified when their access request is approved and available for access, or when their access request is denied. When an approver receives an access request submitted by a requestor, they can approve or deny the access request. The approver needs to add a business justification for their decision.
8181

8282
When an access request is approved, entitlement management starts the process of granting the requestor access to each of the resources in the access package. After the requestor has been granted access to every resource in the access package, an email notification is sent to the requestor that their access request was approved and that they now have access to the access package. Here is a sample email notification that is sent to a requestor when they are granted access to an access package.
8383

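Review bot: the heading is renamed from "Review access request emails" to "Access request emails", but the image alt text a few lines below still reads `![Review access request email](./media/entitlement-management-shared/email-approve-request.png)`; update the alt text to match the new heading so the section reads consistently. The "reviews" to "receives" change in the Approved or denied paragraph is fine and matches the renamed section.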
articles/active-directory/governance/entitlement-management-scenarios.md

Lines changed: 1 addition & 1 deletion
@@ -48,7 +48,7 @@ There are several ways that you can configure entitlement management for your or
4848
> | **2.** [Add resource roles to access package](entitlement-management-access-package-edit.md#add-resource-roles)<ul><li>Groups</li><li>Applications</li><li>SharePoint sites</li></ul> | ![Add resource roles](./media/entitlement-management-scenarios/resource-roles.png) |
4949
> | **3.** [Add a policy](entitlement-management-access-package-edit.md#policy-for-users-in-your-directory)<ul><li>For users in your directory</li><li>Require approval</li><li>Expiration settings</li></ul> | ![Add policy](./media/entitlement-management-scenarios/policy.png) |
5050
51-
### I want to allow users from my business partners (including users not yet in my directory) to request access to groups, applications, or SharePoint sites
51+
### I want to allow users from my business partners directory (including users not yet in my directory) to request access to groups, applications, or SharePoint sites
5252

5353
> [!div class="mx-tableFixed"]
5454
> | Steps | Example |

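Review bot: "users from my business partners directory" needs a possessive or plural form: "users from my business partners' directories" (or "from a business partner's directory"). Because this heading generates the section's anchor, check whether any other article links to the old heading fragment before merging, since renaming it changes the anchor.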
articles/active-directory/governance/entitlement-management-troubleshoot.md

Lines changed: 15 additions & 3 deletions
@@ -12,9 +12,9 @@ ms.tgt_pltfrm: na
1212
ms.devlang: na
1313
ms.topic: conceptual
1414
ms.subservice: compliance
15-
ms.date: 04/25/2019
15+
ms.date: 05/30/2019
1616
ms.author: rolyon
17-
ms.reviewer: mwahl
17+
ms.reviewer: markwahl-msft
1818
ms.collection: M365-identity-device-management
1919

2020

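Review bot: `ms.reviewer` is changed here from `mwahl` to `markwahl-msft`, but the same PR leaves `ms.reviewer: mwahl` in entitlement-management-overview.md; use one value for the same reviewer across the set (the other articles use the alias form, for example `mamkumar` in entitlement-management-process.md).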
@@ -37,15 +37,27 @@ This article describes some items you should check to help you troubleshoot Azur
3737

3838
## Checklist for adding a resource
3939

40+
* For an application to be a resource in an access package, it must have at least one resource role that can be assigned. The roles are defined by the application itself and are managed in Azure AD. Note that the Azure portal may also show service principals for services that cannot be selected as applications. In particular, **Exchange Online** and **SharePoint Online** are services, not applications that have resource roles in the directory, so they cannot be included in an access package. Instead, use group-based licensing to establish an appropriate license for a user who needs access to those services.
41+
42+
* For a group to be a resource in an access package, it must be able to be modifiable in Azure AD. Groups that originate in an on-premises Active Directory cannot be assigned as resources because their owner or member attributes cannot be changed in Azure AD.
43+
44+
* SharePoint Online document libraries and individual documents cannot be added as resources. Instead, create an Azure AD security group, include that group and a site role in the access package, and in SharePoint Online use that group to control access to the document library or document.
45+
4046
* If there are users that have already been assigned to a resource that you want to manage with an access package, be sure that the users are assigned to the access package with an appropriate policy. For example, you might want to include a group in an access package that already has users in the group. If those users in the group require continued access, they must have an appropriate policy for the access packages so that they don't lose their access to the group. You can assign the access package by either asking the users to request the access package containing that resource, or by directly assigning them to the access package. For more information, see [Edit and manage an existing access package](entitlement-management-access-package-edit.md).
4147

48+
## Checklist for providing external users access
49+
50+
* If there is a B2B [allow list](../b2b/allow-deny-list.md), then users whose directories are not allowed will not be able to request access.
51+
52+
* Ensure that there are no [Conditional Access policies](../conditional-access/require-managed-devices.md) that would prevent external users from requesting access or being able to use the applications in the access packages.
53+
4254
## Checklist for request issues
4355

4456
* When a user wants to request access to an access package, be sure that they are using the **My Access portal link** for the access package. For more information, see [Copy My Access portal link](entitlement-management-access-package-edit.md#copy-my-access-portal-link).
4557

4658
* When a user signs in to the My Access portal to request an access package, be sure they authenticate using their organizational account. The organizational account can be either an account in the resource directory, or in a directory that is included in one of the policies of the access package. If the user's account is not an organizational account, or the directory is not included in the policy, then the user will not see the access package. For more information, see [Request access to an access package](entitlement-management-request-access.md).
4759

48-
* If a user is blocked from signing in to the resource directory, they will not be able to request access in the My Access portal. Before the user can request access, you must remove the sign-in block from the user's profile. To remove the sign-in block, in the Azure portal, click **Azure Active Directory**, click **Users**, click the user, and then click **Profile**. Edit the **Settings** section and change **Block sign in** to **No**. For more information, see [Add or update a user's profile information using Azure Active Directory](../fundamentals/active-directory-users-profile-azure-portal.md)
60+
* If a user is blocked from signing in to the resource directory, they will not be able to request access in the My Access portal. Before the user can request access, you must remove the sign-in block from the user's profile. To remove the sign-in block, in the Azure portal, click **Azure Active Directory**, click **Users**, click the user, and then click **Profile**. Edit the **Settings** section and change **Block sign in** to **No**. For more information, see [Add or update a user's profile information using Azure Active Directory](../fundamentals/active-directory-users-profile-azure-portal.md). You can also check if the user was blocked due to an [Identity Protection policy](../identity-protection/howto-unblock-user.md).
4961

5062
* In the My Access portal, if a user is both a requestor and an approver, they will not see their request for an access package on the **Approvals** page. This behavior is intentional - a user cannot approve their own request. Ensure that the access package they are requesting has additional approvers configured on the policy. For more information, see [Edit an existing policy](entitlement-management-access-package-edit.md#edit-an-existing-policy).
5163

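Review bot: "it must be able to be modifiable in Azure AD" is redundant; write "it must be modifiable in Azure AD". In the new "Checklist for providing external users access", the Conditional Access bullet makes a general statement about policies that block external users but links specifically to require-managed-devices.md; either name the managed-device requirement as the common example in the sentence or link to a general Conditional Access article. The first new bullet in "Checklist for adding a resource" is also long; moving the Exchange Online and SharePoint Online note into its own bullet would make the checklist easier to scan, and the group-based licensing advice it gives matches the new example in entitlement-management-overview.md.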