
Commit fceba0b

Merge pull request #246294 from markwahl-msft/mwahl-aad-em-co
AAD IG entitlement management connected orgs
2 parents c2d284c + d6d0e62 commit fceba0b

14 files changed: +137 / -32 lines changed

articles/active-directory/governance/entitlement-management-access-package-approval-policy.md

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -22,7 +22,9 @@ ms.collection: M365-identity-device-management
2222
---
2323
# Change approval and requestor information settings for an access package in entitlement management
2424

25-
As an access package manager, you can change the approval and requestor information settings for an access package at any time by editing an existing policy or adding a new policy for requesting access.
25+
Each access package must have one or more access package assignment policies, before a user can be assigned access. When an access package is created in the Entra portal, the Entra portal automatically creates the first access package assignment policy for that access package. The policy determines who can request access, and who if anyone must approve access.
26+
27+
As an access package manager, you can change the approval and requestor information settings for an access package at any time by editing an existing policy or adding a new additional policy for requesting access.
2628

2729
This article describes how to change the approval and requestor information settings for an existing access package, through an access package's policy.
2830
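Review bot: the sentence added at line 25+ switches to "Entra portal" while the rest of this file and the other files in this PR say "Azure AD"; pick one term and use it consistently. In the same hunk, "adding a new additional policy" on line 27+ is redundant ("adding a new policy" or "adding an additional policy"), and "who if anyone must approve access" reads better with commas: "who, if anyone, must approve access".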

@@ -60,7 +62,7 @@ Follow these steps to specify the approval settings for requests for the access
6062

6163
1. Go to the **Request** tab.
6264

63-
1. To require approval for requests from the selected users, set the **Require approval** toggle to **Yes**. Or, to have requests automatically approved, set the toggle to **No**.
65+
1. To require approval for requests from the selected users, set the **Require approval** toggle to **Yes**. Or, to have requests automatically approved, set the toggle to **No**. If the policy allows external users from outside your organization to request access, you should require approval, so there is oversight on who is being added to your organization's directory.
6466

6567
1. To require users to provide a justification to request the access package, set the **Require requestor justification** toggle to **Yes**.
6668
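Review bot: the guidance added at line 65+ ("you should require approval") gives the reason but not where the external-collaboration settings are described; linking "external users from outside your organization" to entitlement-management-external-users.md, which this PR updates with the same recommendation, would let readers follow the rationale. Minor: "oversight on who" should be "oversight of who".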

articles/active-directory/governance/entitlement-management-delegate-catalog.md

Lines changed: 1 addition & 1 deletion
@@ -31,7 +31,7 @@ There are three ways an organization can delegate with catalogs:
3131
- If there are resources that don't have owners, then administrators can create catalogs, add those resources to each catalog, and then [assign non-administrators as owners to a catalog](entitlement-management-catalog-create.md#add-more-catalog-owners). This allows users who aren't administrators and aren't resource owners to manage their own access policies for those resources.
3232
- If resources have owners, then administrators can assign a collection of users, such as an `All Employees` dynamic group, to the catalog creators role, so a user who are in that group and own resources can create a catalog for their own resources.
3333

34-
This article illustrates how to delegate to users who aren't administrators, so that they can create their own catalogs. You can add those users to the Azure AD entitlement management-defined catalog creator role. You can add individual users, or you can add a group whose members are then able to create catalogs. After creating a catalog, they can subsequently add resources they own to their catalog.
34+
This article illustrates how to delegate to users who aren't administrators, so that they can create their own catalogs. You can add those users to the Azure AD entitlement management-defined catalog creator role. You can add individual users, or you can add a group whose members are then able to create catalogs. After creating a catalog, they can subsequently add resources they own to their catalog. They can create access packages and policies, including policies referencing existing [connected organizations](entitlement-management-organization.md).
3535

3636
If you have existing catalogs to delegate, then continue at the [create and manage a catalog of resources](entitlement-management-catalog-create.md#add-more-catalog-owners) article.
3737
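Review bot: the sentence added at line 34+ is fine, but the unchanged context on line 32 directly above has a subject-verb mismatch: "so a user who are in that group and own resources can create a catalog" should be "so users who are in that group and own resources can create catalogs" (or "a user who is in that group and owns resources"). Since this paragraph is already being touched, it is worth fixing here.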

articles/active-directory/governance/entitlement-management-delegate-managers.md

Lines changed: 2 additions & 0 deletions
@@ -30,6 +30,8 @@ To delegate the creation and management of access packages in a catalog, you add
3030
- Who needs to approve the access requests
3131
- How long the project lasts
3232

33+
They can create access packages and policies, including policies referencing existing [connected organizations](entitlement-management-organization.md). Once their access packages are created, then they can have other users request or be assigned to those access packages.
34+
3335
This video provides an overview of how to delegate access governance from catalog owner to access package manager.
3436

3537
> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE3Lq08]
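Review bot: the second sentence added at line 33+ has a redundant construction: "Once their access packages are created, then they can have other users request or be assigned to those access packages" should drop "then" and name the subject plainly, e.g. "Once the access packages are created, other users can request them or be assigned to them." The first sentence duplicates the one added to entitlement-management-delegate-catalog.md in this PR, which is fine, but keep the two worded identically so they don't drift.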

articles/active-directory/governance/entitlement-management-delegate.md

Lines changed: 2 additions & 2 deletions
@@ -61,7 +61,7 @@ Here's one way that Hana could delegate access governance to the marketing, fina
6161

6262
1. Mamta can add other people from that department as catalog owners for this catalog, which helps share the catalog management responsibilities.
6363

64-
1. Mamta can further delegate the creation and management of access packages in the Marketing catalog to project managers in the Marketing department. She can do this by assigning them to the access package manager role. An access package manager can create and manage access packages.
64+
1. Mamta can further delegate the creation and management of access packages in the Marketing catalog to project managers in the Marketing department. She can do this by assigning them to the access package manager role on a catalog. An access package manager can create and manage access packages, along with policies, requests and assignments in that catalog. If the catalog allows it, the access package manager can configure policies to bring in users from connected organizations.
6565

6666
The following diagram shows catalogs with resources for the marketing, finance, and legal departments. Using these catalogs, project managers can create access packages for their teams or projects.
6767
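Review bot: "If the catalog allows it" on line 64+ leaves the reader guessing which catalog setting controls whether an access package manager can bring in users from connected organizations; name the setting or link to where it is described (entitlement-management-catalog-create.md, already linked from this PR's other files, would be the natural target). Also "policies, requests and assignments" should use the serial comma ("policies, requests, and assignments") to match the rest of this page.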

@@ -115,7 +115,7 @@ The following table lists the tasks that the entitlement management roles can do
115115
| [Remove an access package manager](entitlement-management-delegate-managers.md#remove-an-access-package-manager) | :heavy_check_mark: | | :heavy_check_mark: | | |
116116
| [Create a new access package in a catalog](entitlement-management-access-package-create.md) | :heavy_check_mark: | | :heavy_check_mark: | :heavy_check_mark: | |
117117
| [Change resource roles in an access package](entitlement-management-access-package-resources.md) | :heavy_check_mark: | | :heavy_check_mark: | :heavy_check_mark: | |
118-
| [Create and edit policies](entitlement-management-access-package-request-policy.md) | :heavy_check_mark: | | :heavy_check_mark: | :heavy_check_mark: | |
118+
| [Create and edit policies, including policies for external collaboration](entitlement-management-access-package-request-policy.md) | :heavy_check_mark: | | :heavy_check_mark: | :heavy_check_mark: | |
119119
| [Directly assign a user to an access package](entitlement-management-access-package-assignments.md#directly-assign-a-user) | :heavy_check_mark: | | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
120120
| [Directly remove a user from an access package](entitlement-management-access-package-assignments.md#remove-an-assignment) | :heavy_check_mark: | | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
121121
| [View who has an assignment to an access package](entitlement-management-access-package-assignments.md#view-who-has-an-assignment) | :heavy_check_mark: | | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
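Review bot: the renamed row at line 118+ now mentions "policies for external collaboration" but still links only to entitlement-management-access-package-request-policy.md; consider linking the new phrase to entitlement-management-external-users.md so the external-collaboration case is one click away. The four role columns are unchanged, which is consistent with the text at line 64+ of this same file saying access package managers can configure such policies.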

articles/active-directory/governance/entitlement-management-external-users.md

Lines changed: 6 additions & 4 deletions
@@ -31,7 +31,9 @@ This article describes the settings you can specify to govern access for externa
3131

3232
When using the [Azure AD B2B](../external-identities/what-is-b2b.md) invite experience, you must already know the email addresses of the external guest users you want to bring into your resource directory and work with. Directly inviting each user works great when you're working on a smaller or short-term project and you already know all the participants, but this process is harder to manage if you have lots of users you want to work with, or if the participants change over time. For example, you might be working with another organization and have one point of contact with that organization, but over time additional users from that organization will also need access.
3333

34-
With entitlement management, you can define a policy that allows users from organizations you specify to be able to self-request an access package. That policy includes whether approval is required, whether access reviews are required, and an expiration date for the access. If approval is required, you might consider inviting one or more users from the external organization to your directory, designating them as sponsors, and configuring that sponsors are approvers - since they're likely to know which external users from their organization need access. Once you've configured the access package, obtain the access package's request link so you can send that link to your contact person (sponsor) at the external organization. That contact can share with other users in their external organization, and they can use this link to request the access package. Users from that organization who have already been invited into your directory can also use that link.
34+
With entitlement management, you can define a policy that allows users from organizations you specify to be able to self-request an access package. That policy includes whether approval is required, whether access reviews are required, and an expiration date for the access. In most cases, you will want to require approval, in order to have appropriate oversight over which users are brought into your directory. If approval is required, then for major external organization partners, you might consider inviting one or more users from the external organization to your directory, designating them as sponsors, and configuring that sponsors are approvers - since they're likely to know which external users from their organization need access. Once you've configured the access package, obtain the access package's request link so you can send that link to your contact person (sponsor) at the external organization. That contact can share with other users in their external organization, and they can use this link to request the access package. Users from that organization who have already been invited into your directory can also use that link.
35+
36+
You can also use entitlement management for bringing in users from organizations that do not have their own Azure AD directory. You can configure a federated identity provider for their domain, or use email-based authentication. You can also bring in users from social identity providers, including those with Microsoft accounts.
3537

3638
Typically, when a request is approved, entitlement management provisions the user with the necessary access. If the user isn't already in your directory, entitlement management will first invite the user. When the user is invited, Azure AD will automatically create a B2B guest account for them but won't send the user an email. An administrator may have previously limited which organizations are allowed for collaboration, by setting a [B2B allow or blocklist](../external-identities/allow-deny-list.md) to allow or block invites to other organization's domains. If the user's domain isn't allowed by those lists, then they won't be invited and can't be assigned access until the lists are updated.
3739
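Review bot: the new paragraph at line 36+ describes three ways to bring in users without their own Azure AD directory (federated identity provider, email-based authentication, social identity providers) but links none of them, unlike the surrounding paragraphs, which link every concept they introduce; add a link for each. Also "organizations that do not have" breaks the contraction style used in the unchanged text around it ("isn't", "won't"); "don't have" matches.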

@@ -43,15 +45,15 @@ The following diagram and steps provide an overview of how external users are gr
4345

4446
![Diagram showing the lifecycle of external users](./media/entitlement-management-external-users/external-users-lifecycle.png)
4547

46-
1. You [add a connected organization](entitlement-management-organization.md) for the Azure AD directory or domain you want to collaborate with.
48+
1. You [add a connected organization](entitlement-management-organization.md) for the Azure AD directory or domain you want to collaborate with. You can also configure a connected organization for a social identity provider.
4749

48-
1. You create an access package in your directory that includes a policy [For users not in your directory](entitlement-management-access-package-create.md#allow-users-in-your-directory-to-request-the-access-package).
50+
1. You create an access package in your directory that includes a policy [For users not in your directory](entitlement-management-access-package-create.md#allow-users-in-your-directory-to-request-the-access-package) and specifies the approver and lifecycle settings.
4951

5052
1. You send a [My Access portal link](entitlement-management-access-package-settings.md) to your contact at the external organization that they can share with their users to request the access package.
5153

5254
1. An external user (**Requestor A** in this example) uses the My Access portal link to [request access](entitlement-management-request-access.md) to the access package. How the user signs in depends on the authentication type of the directory or domain that's defined in the connected organization and in the external users settings.
5355

54-
1. An approver [approves the request](entitlement-management-request-approve.md) (or the request is autoapproved).
56+
1. An approver [approves the request](entitlement-management-request-approve.md) (assuming the policy requires approval).
5557

5658
1. The request goes into the [delivering state](entitlement-management-process.md).
5759
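Review bot: replacing "(or the request is autoapproved)" with "(assuming the policy requires approval)" at line 56+ drops the no-approval path from the lifecycle, although step 2 at line 50+ says the policy specifies the approver settings and the approval-policy article in this PR still describes setting **Require approval** to **No**. Say what happens in that case, e.g. "An approver approves the request, or, if the policy doesn't require approval, the request proceeds directly to the next step."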

articles/active-directory/governance/entitlement-management-logs-and-reporting.md

Lines changed: 23 additions & 0 deletions
@@ -188,5 +188,28 @@ $bResponse = Invoke-AzOperationalInsightsQuery -WorkspaceId $wks[0].CustomerId -
188188
$bResponse.Results |ft
189189
```
190190

191+
### Using query filters
192+
193+
You can include the `TimeGenerated` field to scope a query to a particular time range. For example, to retrieve the audit log events for entitlement management access package assignment policies being created or updated in the last 90 days, you can supply a query that includes this field as well the category and operation type.
194+
195+
```
196+
AuditLogs |
197+
where TimeGenerated > ago(90d) and Category == "EntitlementManagement" and Result == "success" and (AADOperationType == "CreateEntitlementGrantPolicy" or AADOperationType == "UpdateEntitlementGrantPolicy") |
198+
project ActivityDateTime,OperationName, InitiatedBy, AdditionalDetails, TargetResources
199+
```
200+
201+
For audit events of some services such as entitlement management, you can also expand and filter on the affected properties of the resources being changed. For example, you can view just those audit log records for access package assignment policies being created or updated, that do not require approval for users to have an assignment added.
202+
203+
```
204+
AuditLogs |
205+
where TimeGenerated > ago(90d) and Category == "EntitlementManagement" and Result == "success" and (AADOperationType == "CreateEntitlementGrantPolicy" or AADOperationType == "UpdateEntitlementGrantPolicy") |
206+
mv-expand TargetResources |
207+
where TargetResources.type == "AccessPackageAssignmentPolicy" |
208+
project ActivityDateTime,OperationName,InitiatedBy,PolicyId=TargetResources.id,PolicyDisplayName=TargetResources.displayName,MP1=TargetResources.modifiedProperties |
209+
mv-expand MP1 |
210+
where (MP1.displayName == "IsApprovalRequiredForAdd" and MP1.newValue == "\"False\"") |
211+
order by ActivityDateTime desc
212+
```
213+
191214
## Next steps
192215
- [Create interactive reports with Azure Monitor workbooks](../../azure-monitor/visualize/workbooks-overview.md)
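Review bot: the two new query fences at lines 195+ and 203+ have no language tag; ```kusto would give syntax highlighting and tells readers these are KQL queries rather than a continuation of the PowerShell block that closes at line 189. On line 193+, "as well the category" should be "as well as the category". The second query compares MP1.newValue to "\"False\"", presumably because the modifiedProperties values are JSON-encoded strings that carry their own quotes; a sentence saying so in the prose at line 201+ would stop readers from "fixing" the escaped quotes and getting no rows. Finally, both queries use ago(90d), which only returns complete results if the workspace retains AuditLogs for at least 90 days; worth a caveat next to the first query.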
