MicrosoftDocs
diff --git a/‎articles/active-directory/privileged-identity-management/pim-how-to-add-role-to-user.md
Lines changed: 15 additions & 14 deletions b/‎articles/active-directory/privileged-identity-management/pim-how-to-add-role-to-user.md
Lines changed: 15 additions & 14 deletions
diff --git a/‎articles/active-directory/privileged-identity-management/pim-how-to-change-default-settings.md
Lines changed: 38 additions & 41 deletions b/‎articles/active-directory/privileged-identity-management/pim-how-to-change-default-settings.md
Lines changed: 38 additions & 41 deletions
diff --git a/‎articles/active-directory/privileged-identity-management/pim-how-to-complete-review.md
Lines changed: 20 additions & 13 deletions b/‎articles/active-directory/privileged-identity-management/pim-how-to-complete-review.md
Lines changed: 20 additions & 13 deletions
@@ -10,7 +10,7 @@ ms.service: active-directory
 ms.topic: conceptual
 ms.workload: identity
 ms.subservice: pim
-ms.date: 04/09/2019
+ms.date: 10/22/2019
 ms.author: curtand
 ms.collection: M365-identity-device-management
 ---
@@ -33,25 +33,25 @@ Follow these steps to make a user eligible for an Azure AD admin role.
 
     If you haven't started Privileged Identity Management in the Azure portal yet, go to [Start using Privileged Identity Management](pim-getting-started.md).
 
-1. Click **Azure AD roles**.
+1. Select **Azure AD roles**.
 
-1. Click **Roles** or **Members**.
+1. Select **Roles** or **Members**.
 
     ![Azure AD roles with Roles and Members menu options highlighted](./media/pim-how-to-add-role-to-user/pim-directory-roles.png)
 
-1. Click **Add member** to open Add managed members.
+1. Select **Add member** to open Add managed members.
 
-1. Click **Select a role**, click a role you want to manage, and then click **Select**.
+1. Select **Select a role**, select a role you want to manage, and then select **Select**.
 
     ![Select a role pane listing Azure AD roles](./media/pim-how-to-add-role-to-user/pim-select-a-role.png)
 
-1. Click **Select members**, select the users you want to assign to the role, and then click **Select**.
+1. Select **Select members**, select the users you want to assign to the role, and then select **Select**.
 
     ![Select members pane where you can select a user](./media/pim-how-to-add-role-to-user/pim-select-members.png)
 
-1. In Add managed members, click **OK** to add the user to the role.
+1. In Add managed members, select **OK** to add the user to the role.
 
-1. In the list of roles, click the role you just assigned to see the list of members.
+1. In the list of roles, select the role you just assigned to see the list of members.
 
      When the role is assigned, the user you selected will appear in the members list as **Eligible** for the role.
 
@@ -67,15 +67,15 @@ By default, new users are only Eligible for an Azure AD admin role. Follow these
 
 1. Open **Azure AD Privileged Identity Management**.
 
-1. Click **Azure AD roles**.
+1. Select **Azure AD roles**.
 
-1. Click **Members**.
+1. Select **Members**.
 
     ![Azure AD roles - Members list showing role and activation state](./media/pim-how-to-add-role-to-user/pim-directory-role-list-members.png)
 
-1. Click an **Eligible** role that you want to make permanent.
+1. Select an **Eligible** role that you want to make permanent.
 
-1. Click **More** and then click **Make perm**.
+1. Select **More** and then select **Make perm**.
 
     ![Pane listing a user that is eligible for a role with the More menu options open](./media/pim-how-to-add-role-to-user/pim-make-perm.png)
 
@@ -111,7 +111,9 @@ Follow these steps to remove a specific user from an Azure AD admin role.
 
 ## Authorization error when assigning roles
 
-If you recently enabled Privileged Identity Management for an Azure subscription and you get an authorization error when you try to make a user eligible for an Azure AD admin role, it might be because the MS-PIM service principal does not yet have the appropriate permissions. To assign roles, the MS-PIM service principal must be assigned the [User Access Administrator role](../../role-based-access-control/built-in-roles.md#user-access-administrator) in Azure role-based access control for Azure resource access (as opposed to Azure AD administration roles). Instead of waiting until MS-PIM is assigned the User Access Administrator role, you can assign it manually.
+Scenario: As an active owner or user access administrator for an Azure resource, you are able to see your resource inside Privileged Identity Management but can't perform any actions such as making an eligible assignment or viewing a list of role assignments from the resource overview page. Any of these actions results in an authorization error.
+
+To assign roles, the MS-PIM service principal must be assigned the [User Access Administrator role](../../role-based-access-control/built-in-roles.md#user-access-administrator) in Azure role-based access control for Azure resource access (as opposed to Azure AD administration roles). Instead of waiting until MS-PIM is assigned the User Access Administrator role, you can assign it manually.
 
 The following steps assign the User Access Administrator role to the MS-PIM service principal for a subscription.
 
@@ -143,7 +145,6 @@ The following steps assign the User Access Administrator role to the MS-PIM serv
 
    ![Access control (IAM) blade showing User Access Administrator role assignment for MS-PIM](./media/pim-how-to-add-role-to-user/ms-pim-user-access-administrator.png)
 
-
 ## Next steps
 
 - [Configure Azure AD admin role settings in Privileged Identity Management](pim-how-to-change-default-settings.md)
 
@@ -1,5 +1,5 @@
 ---
-title: Configure Azure AD role settings in PIM - Azure Active Directory | Microsoft Docs
+title: Configure Azure AD role settings in Privileged Identity Management - Azure Active Directory | Microsoft Docs
 description: Learn how to configure Azure AD role settings in Azure AD Privileged Identity Management (PIM).
 services: active-directory
 documentationcenter: ''
@@ -11,14 +11,14 @@ ms.service: active-directory
 ms.topic: conceptual
 ms.workload: identity
 ms.subservice: pim
-ms.date: 05/31/2019
+ms.date: 10/22/2019
 ms.author: curtand
 ms.custom: pim
 ms.collection: M365-identity-device-management
 ---
-# Configure Azure AD role settings in PIM
+# Configure Azure AD role settings in Privileged Identity Management
 
-A privileged role administrator can customize Azure Active Directory (Azure AD) Privileged Identity Management (PIM) in their organization, including changing the experience for a user who is activating an eligible role assignment.
+A Privileged role administrator can customize Privileged Identity Management (PIM) in their Azure Active Directory (Azure AD) organization, including changing the experience for a user who is activating an eligible role assignment.
 
 ## Open role settings
 
@@ -46,71 +46,68 @@ Use the **Activations** slider to set the maximum time, in hours, that a role st
 
 ## Notifications
 
-Use the **Notifications** switch to specify whether administrators will receive email notifications when roles are activated. This can be useful for detecting unauthorized or illegitimate activations.
+Use the **Notifications** switch to specify whether administrators will receive email notifications when roles are activated. This notification can be useful for detecting unauthorized or illegitimate activations.
 
 When set to **Enable**, notifications are sent to:
 
-- Privileged Role Administrator
-- Security Administrator
-- Global Administrator
+- Privileged role administrator
+- Security administrator
+- Global administrator
 
-For more information, see [Email notifications in PIM](pim-email-notifications.md).
+For more information, see [Email notifications in Privileged Identity Management](pim-email-notifications.md).
 
 ## Incident/Request ticket
 
-Use the **Incident/Request ticket** switch to specify whether to require eligible administrators to include a ticket number when they activate their role. This can be useful when you perform role access audits.
+Use the **Incident/Request ticket** switch to require eligible administrators to include a ticket number when they activate their role. This practice can make role access audits more effective.
 
 ## Multi-Factor Authentication
 
-Use the **Multi-Factor Authentication** switch to specify whether to require users to verify their identity with MFA before they can activate their roles. They only have to verify this once per session, not every time they activate a role. There are two tips to keep in mind when you enable MFA:
+Use the **Multi-Factor Authentication** switch to specify whether to require users to verify their identity with MFA before they can activate their roles. They only have to verify their identity once per session, not every time they activate a role. There are two tips to keep in mind when you enable MFA:
 
-* Users who have Microsoft accounts for their email addresses (typically @outlook.com, but not always) cannot register for Azure MFA. If you want to assign roles to users with Microsoft accounts, you should either make them permanent admins or disable MFA for that role.
-* You cannot disable MFA for highly privileged roles for Azure AD and Office365. This is a safety feature because these roles should be carefully protected:  
+- Users who have Microsoft accounts for their email addresses (typically @outlook.com, but not always) cannot register for Azure Multi-Factor Authentication. If you want to assign roles to users with Microsoft accounts, you should either make them permanent admins or disable multi-factor authentication for that role.
+- You cannot disable Azure Multi-Factor Authentication for highly privileged roles for Azure AD and Office 365. This safety feature helps protect the following roles:  
 
-  * Azure Information Protection Administrator
-  * Billing Administrator
-  * Cloud Application Administrator
-  * Compliance Administrator
-  * Conditional Access Administrator
-  * CRM Service Administrator
-  * Customer LockBox Access Approver
-  * Directory Writers
-  * Exchange Administrator
-  * Global Administrator
-  * Intune Service Administrator
-  * Power BI Service Administrator
-  * Privileged Role Administrator
-  * Security Administrator
-  * SharePoint Service Administrator
-  * Skype for Business Administrator
-  * User Administrator
-
-For more information, see [Multi-factor authentication (MFA) and PIM](pim-how-to-require-mfa.md).
+  - Azure Information Protection administrator
+  - Billing administrator
+  - Cloud application administrator
+  - Compliance administrator
+  - Conditional access administrator
+  - Dynamics 365 administrator
+  - Customer LockBox access approver
+  - Directory writers
+  - Exchange administrator
+  - Global administrator
+  - Intune administrator
+  - Power BI administrator
+  - Privileged role administrator
+  - Security administrator
+  - SharePoint administrator
+  - Skype for Business administrator
+  - User administrator
+
+For more information, see [Multi-factor authentication and Privileged Identity Management](pim-how-to-require-mfa.md).
 
 ## Require approval
 
-If you want to require approval to activate a role, follow these steps.
+If you want to delegate the required approval to activate a role, follow these steps.
 
 1. Set the **Require approval** switch to **Enabled**. The pane expands with options to select approvers.
 
     ![Azure AD roles - Settings - Require approval](./media/pim-how-to-change-default-settings/pim-directory-roles-settings-require-approval.png)
 
-    If you **DO NOT** specify any approvers, the Privileged Role Administrators become the default approvers. Privileged Role Administrators would be required to approve **ALL** activation requests for this role.
+    If you don't specify any approvers, the Privileged role administrator becomes the default approver and is then required to approve all activation requests for this role.
 
 1. To specify approvers, click **Select approvers**.
 
     ![Azure AD roles - Settings - Require approval](./media/pim-how-to-change-default-settings/pim-directory-roles-settings-require-approval-select-approvers.png)
 
-1. Select one or more approvers and then click **Select**. You can select users or groups. At least 2 approvers is recommended. Self-approval is not allowed.
-
-    Your selections will appear in the list of selected approvers.
-
-1. Once you have specified your all your role settings, click **Save** to save your changes.
+1. Select one or more approvers in addition to the Privileged role administrator and then click **Select**. You can select users or groups. We recommend at least two approvers is. Even if you add yourself as an approver, you can't self-approve a role activation. Your selections will appear in the list of selected approvers.
 
+1. After you have specified your all your role settings, select **Save** to save your changes.
 
 <!--PLACEHOLDER: Need an explanation of what the temporary Global Administrator setting is for.-->
 
 ## Next steps
 
-- [Assign Azure AD roles in PIM](pim-how-to-add-role-to-user.md)
-- [Configure security alerts for Azure AD roles in PIM](pim-how-to-configure-security-alerts.md)
+- [Assign Azure AD roles in Privileged Identity Management](pim-how-to-add-role-to-user.md)
+- [Configure security alerts for Azure AD roles in Privileged Identity Management](pim-how-to-configure-security-alerts.md)
@@ -11,44 +11,51 @@ ms.service: active-directory
 ms.topic: conceptual
 ms.workload: identity
 ms.subservice: pim
-ms.date: 06/06/2017
+ms.date: 10/22/2019
 ms.author: curtand
 ms.custom: pim
 ms.collection: M365-identity-device-management
 ---
-# Complete an access review of Azure AD roles in PIM
-Privileged role administrators can review privileged access once an [access review has been started](pim-how-to-start-security-review.md). Azure Active Directory (Azure AD) Privileged Identity Management (PIM) will automatically send an email prompting users to review their access. If a user did not get an email, you can send them the instructions in [how to perform an access review](pim-how-to-perform-security-review.md).
+# Complete an access review of Azure AD roles in Privileged Identity Management
+
+Privileged role administrators can review privileged access once an [access review has been started](pim-how-to-start-security-review.md).  Privileged Identity Management (PIM) will automatically send an email to users in your Azure Active Directory (Azure AD) organization prompting them to review their access. If a user did not get an email, you can send them the instructions in [how to perform an access review](pim-how-to-perform-security-review.md).
 
 After the access review period is over, or all the users have finished their self-review, follow the steps in this article to manage the review and see the results.
 
 ## Manage access reviews
-1. Go to the [Azure portal](https://portal.azure.com/) and select the **Azure AD Privileged Identity Management** application on your dashboard.
-2. Select the **Access reviews** section of the dashboard.
-3. Select the access review that you want to manage.
 
-On the access review's detail blade, there are a number options for managing that review.
+1. Go to the [Azure portal](https://portal.azure.com/) and select the **Azure AD Privileged Identity Management** service on your dashboard.
+1. Select the **Access reviews** section of the dashboard.
+1. Select the access review that you want to manage.
+
+On the access review's detail blade, there are a number of options for managing that review.
 
-![PIM access review buttons - screenshot](./media/pim-how-to-complete-review/review-buttons.png)
+![Privileged Identity Management access review buttons - screenshot](./media/pim-how-to-complete-review/review-buttons.png)
 
 ### Remind
-If an access review is set up so that the users review themselves, the **Remind** button sends out a notification. 
+
+If an access review is set up so that the users review themselves, the **Remind** button sends out a notification.
 
 ### Stop
+
 All access reviews have an end date, but you can use the **Stop** button to finish it early. If any users haven't been reviewed by this time, they won't be able to after you stop the review. You cannot restart a review after it's been stopped.
 
 ### Apply
+
 After an access review is completed, either because you reached the end date or stopped it manually, the **Apply** button implements the outcome of the review. If a user's access was denied in the review, this is the step that will remove their role assignment.  
 
 ### Export
+
 If you want to apply the results of the access review manually, you can export the review. The **Export** button will start downloading a CSV file. You can manage the results in Excel or other programs that open CSV files.
 
 ### Delete
-If you are not interested in the review any further, delete it. The **Delete** button removes the review from the PIM application.
+
+If you are not interested in the review any further, delete it. The **Delete** button removes the review from the Privileged Identity Management service.
 
 > [!IMPORTANT]
-> You will not get a warning before deletion occurs, so be sure that you want to delete that review. 
+> You will not be required to confirm this destructive change, so verify that you want to delete that review.
 
 ## Next steps
 
-- [Start an access review for Azure AD roles in PIM](pim-how-to-start-security-review.md)
-- [Perform an access review of my Azure AD roles in PIM](pim-how-to-perform-security-review.md)
+- [Start an access review for Azure AD roles in Privileged Identity Management](pim-how-to-start-security-review.md)
+- [Perform an access review of my Azure AD roles in Privileged Identity Management](pim-how-to-perform-security-review.md)