Governance Licensing updates
OWinfreyATL committed Mar 11, 2024
1 parent 8ee8c55 commit 0d6cf64
Showing 1 changed file with 18 additions and 18 deletions.
36 changes: 18 additions & 18 deletions docs/id-governance/identity-governance-overview.md
Expand Up @@ -39,16 +39,16 @@ For many organizations, identity lifecycle for employees and other workers is ti

In Microsoft Entra ID Governance, you can automate the identity lifecycle for these individuals using:

- [inbound provisioning from your organization's HR sources](~/identity/app-provisioning/plan-cloud-hr-provision.md), including retrieving from Workday and SuccessFactors, to automatically maintain user identities in both Active Directory and Microsoft Entra ID.
- [inbound provisioning from your organization's HR sources](../identity/app-provisioning/plan-cloud-hr-provision.md), including retrieving from Workday and SuccessFactors, to automatically maintain user identities in both Active Directory and Microsoft Entra ID.
- [lifecycle workflows](what-are-lifecycle-workflows.md) to automate workflow tasks that run at certain key events, such before a new employee is scheduled to start work at the organization, as they change status during their time in the organization, and as they leave the organization. For example, a workflow can be configured to send an email with a temporary access pass to a new user's manager, or a welcome email to the user, on their first day.
- [automatic assignment policies in entitlement management](entitlement-management-access-package-auto-assignment-policy.md) to add and remove a user's group memberships, application roles, and SharePoint site roles, based on changes to the user's attributes.
- [user provisioning](what-is-provisioning.md) to create, update and remove user accounts in other applications, with connectors to [hundreds of cloud and on-premises applications](apps.md) via SCIM, LDAP and SQL.
- [user provisioning](what-is-provisioning.md) to create, update, and remove user accounts in other applications, with connectors to [hundreds of cloud and on-premises applications](apps.md) via SCIM, LDAP and SQL.

Organizations also need additional identities, for partners, suppliers and other guests, to enable them to collaborate or have access to resources.

In Microsoft Entra ID Governance, you can enable business groups to determine which of these guests should have access, and for how long, using:

- [entitlement management](entitlement-management-overview.md) in which you can specify the other organizations whose users are allowed to request access to your organization's resources. When one of those users's request is approved, they are automatically added by entitlement management as a [B2B](~/external-id/what-is-b2b.md) guest to your organization's directory, and assigned appropriate access. And entitlement management automatically removes the B2B guest user from your organization's directory when their access rights expire or are revoked.
- [entitlement management](entitlement-management-overview.md) in which you can specify the other organizations whose users are allowed to request access to your organization's resources. When one of those users's request is approved, they're automatically added by entitlement management as a [B2B](../external-id/what-is-b2b.md) guest to your organization's directory, and assigned appropriate access. And entitlement management automatically removes the B2B guest user from your organization's directory when their access rights expire or are revoked.
- [access reviews](access-reviews-overview.md) that automates recurring reviews of existing guests already in your organization's directory, and removes those users from your organization's directory when they no longer need access.

For more information, see [What is identity lifecycle management](what-is-identity-lifecycle-management.md).
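Review bot: the rewritten entitlement management bullet keeps the possessive typo "one of those users's request" from the old line; since the line is already being touched for the `~/` to `../` path change and the "they are" to "they're" contraction, fix it to "one of those users' requests is approved" (or "a user's request is approved") in the same hunk. The unchanged lifecycle workflows bullet just above it also reads "such before a new employee is scheduled to start", which is missing "as" ("such as before"), and could be folded into this pass. The path rewrites themselves are consistent: from `docs/id-governance/`, `../identity/app-provisioning/...` and `../external-id/...` resolve to the same targets the `~/` docs-root alias pointed at.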
Expand All @@ -59,15 +59,15 @@ Organizations need a process to manage access beyond what was initially provisio

![Access lifecycle](./media/identity-governance-overview/access-lifecycle.png)

With Microsoft Entra ID Governance, IT departments can establish what access rights users should have across various resources, and what enforcement checks such as separation of duties or access removal on job change are necessary. Microsoft Entra ID has connectors to [hundreds of cloud and on-premises applications](apps.md), and you can integrate your organization's other apps that rely upon [AD groups](entitlement-management-group-writeback.md), [other on-premises directories](~/identity/app-provisioning/on-premises-ldap-connector-configure.md) or [databases](~/identity/app-provisioning/on-premises-sql-connector-configure.md), that have a [SOAP or REST API](~/identity/app-provisioning/on-premises-web-services-connector.md) including [SAP](sap.md), or that implement standards such as [SCIM](~/identity/app-provisioning/use-scim-to-provision-users-and-groups.md), SAML or OpenID Connect. When a user attempts to sign into to one of those applications, Microsoft Entra ID enforces [Conditional Access](~/identity/conditional-access/index.yml) policies. For example, Conditional Access policies can include displaying a [terms of use](~/identity/conditional-access/terms-of-use.md) and [ensuring the user has agreed to those terms](~/identity/conditional-access/require-tou.md) prior to being able to access an application. For more information, see [govern access to applications in your environment](identity-governance-applications-prepare.md), including how to [define organizational policies for governing access to applications](identity-governance-applications-define.md), [integrate applications](identity-governance-applications-integrate.md) and [deploy policies](identity-governance-applications-deploy.md).
With Microsoft Entra ID Governance, IT departments can establish what access rights users should have across various resources, and what enforcement checks such as separation of duties or access removal on job change are necessary. Microsoft Entra ID has connectors to [hundreds of cloud and on-premises applications](apps.md), and you can integrate your organization's other apps that rely upon [AD groups](entitlement-management-group-writeback.md), [other on-premises directories](../identity/app-provisioning/on-premises-ldap-connector-configure.md) or [databases](../identity/app-provisioning/on-premises-sql-connector-configure.md), that have a [SOAP or REST API](../identity/app-provisioning/on-premises-web-services-connector.md) including [SAP](sap.md), or that implement standards such as [SCIM](../identity/app-provisioning/use-scim-to-provision-users-and-groups.md), SAML or OpenID Connect. When a user attempts to sign into to one of those applications, Microsoft Entra ID enforces [Conditional Access](../identity/conditional-access/index.yml) policies. For example, Conditional Access policies can include displaying a [terms of use](../identity/conditional-access/terms-of-use.md) and [ensuring the user has agreed to those terms](../identity/conditional-access/require-tou.md) prior to being able to access an application. For more information, see [govern access to applications in your environment](identity-governance-applications-prepare.md), including how to [define organizational policies for governing access to applications](identity-governance-applications-define.md), [integrate applications](identity-governance-applications-integrate.md) and [deploy policies](identity-governance-applications-deploy.md).

Access changes across apps and groups can be automated based on attribute changes. [Microsoft Entra lifecycle workflows](create-lifecycle-workflow.md) and [Microsoft Entra entitlement management](entitlement-management-overview.md) automatically add and remove users into groups or access packages, so that access to applications and resources is updated. Users can also be moved when their condition within the organization changes to different groups, and can even be removed entirely from all groups or access packages.

Organizations that previously had been using an on-premises identity governance product can [migrate their organizational role model](identity-governance-organizational-roles.md) to Microsoft Entra ID Governance.

Furthermore, IT can delegate access management decisions to business decision makers. For example, employees that wish to access confidential customer data in a company's marketing application in Europe may need approval from their manager, a department lead or resource owner, and a security risk officer. [Entitlement management](entitlement-management-overview.md) enables you to define how users request access across packages of group and team memberships, app roles, and SharePoint Online roles, and enforce separation of duties checks on access requests.
Furthermore, IT can delegate access management decisions to business decision makers. For example, employees that wish to access confidential customer data in a company's marketing application in Europe could need approval from their manager, a department lead or resource owner, and a security risk officer. [Entitlement management](entitlement-management-overview.md) enables you to define how users request access across packages of group and team memberships, app roles, and SharePoint Online roles, and enforce separation of duties checks on access requests.

Organizations can also control which guest users have access, including to [on-premises applications](~/external-id/hybrid-cloud-to-on-premises.md). These access rights can then be regularly reviewed using recurring [Microsoft Entra access reviews](access-reviews-overview.md) for access recertification.
Organizations can also control which guest users have access, including to [on-premises applications](../external-id/hybrid-cloud-to-on-premises.md). These access rights can then be regularly reviewed using recurring [Microsoft Entra access reviews](access-reviews-overview.md) for access recertification.


## Privileged access lifecycle
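Review bot: the rewritten access lifecycle paragraph still carries the doubled preposition "When a user attempts to sign into to one of those applications"; since the whole line is replaced here for the Conditional Access and connector link paths, change it to "attempts to sign in to one of those applications" in this hunk rather than leaving it for a later pass. The wording change from "may need approval" to "could need approval" in the delegation paragraph reads fine and matches the style used elsewhere in the file; the remaining link path changes (`../identity/app-provisioning/...`, `../identity/conditional-access/...`, `../external-id/...`) are consistent with the first hunk.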
Expand All @@ -76,10 +76,10 @@ Furthermore, IT can delegate access management decisions to business decision ma

![Privileged access lifecycle](./media/identity-governance-overview/privileged-access-lifecycle.png)

[Microsoft Entra Privileged Identity Management (PIM)](~/id-governance/privileged-identity-management/pim-configure.md) provides additional controls tailored to securing access rights for resources, across Microsoft Entra, Azure, other Microsoft Online Services and other applications. The just-in-time access, and role change alerting capabilities provided by Microsoft Entra PIM, in addition to multi-factor authentication and Conditional Access, provide a comprehensive set of governance controls to help secure your company's resources (directory, Microsoft 365, and Azure resource roles). As with other forms of access, organizations can use access reviews to configure recurring access re-certification for all users in privileged administrator roles.
[Microsoft Entra Privileged Identity Management (PIM)](../id-governance/privileged-identity-management/pim-configure.md) provides additional controls tailored to securing access rights for resources, across Microsoft Entra, Azure, other Microsoft Online Services and other applications. The just-in-time access, and role change alerting capabilities provided by Microsoft Entra PIM, in addition to multifactor authentication and Conditional Access, provide a comprehensive set of governance controls to help secure your company's resources (directory, Microsoft 365, and Azure resource roles). As with other forms of access, organizations can use access reviews to configure recurring access re-certification for all users in privileged administrator roles.

## License requirements
[!INCLUDE [active-directory-entra-governance-license.md](~/includes/entra-entra-governance-license.md)]
[!INCLUDE [active-directory-entra-governance-license.md](../includes/entra-entra-governance-license.md)]

## Getting started

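Review bot: the PIM link in this hunk is rewritten to `../id-governance/privileged-identity-management/pim-configure.md`, which climbs out of `docs/id-governance/` and straight back into it; the rest of this file links to siblings with bare relative paths (`what-are-lifecycle-workflows.md`, `sap.md`), so the direct form `privileged-identity-management/pim-configure.md` is the consistent choice and avoids breaking if the folder is ever renamed. On the license requirements include, the display label inside the `[!INCLUDE ...]` still says `active-directory-entra-governance-license.md` while the path now points at `entra-entra-governance-license.md`; the label is cosmetic but should be updated to match the file it references, particularly as the commit message calls this a licensing update and the path is the only licensing-related change in the diff.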
Expand All @@ -91,38 +91,38 @@ While each organization may have its own unique requirements, the following conf

- [Plan an access reviews deployment to manage resource access lifecycle](deploy-access-reviews.md)
- [Zero Trust identity and device access configurations](/microsoft-365/enterprise/microsoft-365-policies-configurations)
- [Securing privileged access](~/identity/role-based-access-control/security-planning.md)
- [Securing privileged access](../identity/role-based-access-control/security-planning.md)

You may also wish to engage with one of Microsoft's [services and integration partners](services-and-integration-partners.md) to plan your deployment or integrate with the applications and other systems in your environment.

If you have any feedback about Identity Governance features, click **Got feedback?** in the Microsoft Entra admin center to submit your feedback. The team regularly reviews your feedback.
If you have any feedback about Identity Governance features, select **Got feedback?** in the Microsoft Entra admin center to submit your feedback. The team regularly reviews your feedback.

## Simplifying identity governance tasks with automation

Once you've started using these identity governance features, you can easily automate common identity governance scenarios. The following table shows how to get started with automation for each scenario:

| Scenario to automate | Automation guide |
| ------- | --------------------- |
| Creating, updating and deleting AD and Microsoft Entra user accounts automatically for employees |[Plan cloud HR to Microsoft Entra user provisioning](~/identity/app-provisioning/plan-cloud-hr-provision.md)|
| Updating the membership of a group, based on changes to the member user's attributes | [Create a dynamic group](~/identity/users/groups-create-rule.md)|
| Assigning licenses | [group-based licensing](~/identity/users/licensing-groups-assign.md) |
| Creating, updating and deleting AD and Microsoft Entra user accounts automatically for employees |[Plan cloud HR to Microsoft Entra user provisioning](../identity/app-provisioning/plan-cloud-hr-provision.md)|
| Updating the membership of a group, based on changes to the member user's attributes | [Create a dynamic group](../identity/users/groups-create-rule.md)|
| Assigning licenses | [group-based licensing](../identity/users/licensing-groups-assign.md) |
| Adding and removing a user's group memberships, application roles, and SharePoint site roles, based on changes to the user's attributes | [Configure an automatic assignment policy for an access package in entitlement management](entitlement-management-access-package-auto-assignment-policy.md)|
| Adding and removing a user's group memberships, application roles, and SharePoint site roles, on a specific date | [Configure lifecycle settings for an access package in entitlement management](entitlement-management-access-package-lifecycle-policy.md)|
| Running custom workflows when a user requests or receives access, or access is removed | [Trigger Logic Apps in entitlement management](entitlement-management-logic-apps-integration.md) |
| Regularly having memberships of guests in Microsoft groups and Teams reviewed, and removing guest memberships that are denied |[Create an access review](create-access-review.md) |
| Removing guest accounts that were denied by a reviewer |[Review and remove external users who no longer have resource access](access-reviews-external-users.md) |
| Removing guest accounts that have no access package assignments |[Manage the lifecycle of external users](entitlement-management-external-users.md#manage-the-lifecycle-of-external-users) |
| Provisioning users into on-premises and cloud applications that have their own directories or databases | [Configure automatic user provisioning](~/identity/app-provisioning/user-provisioning.md) with user assignments or [scoping filters](~/identity/app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md) |
| Provisioning users into on-premises and cloud applications that have their own directories or databases | [Configure automatic user provisioning](../identity/app-provisioning/user-provisioning.md) with user assignments or [scoping filters](../identity/app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md) |
| Other scheduled tasks | [Automate identity governance tasks with Azure Automation](identity-governance-automation.md) and Microsoft Graph via the [Microsoft.Graph.Identity.Governance](https://www.powershellgallery.com/packages/Microsoft.Graph.Identity.Governance/) PowerShell module|

## Appendix - least privileged roles for managing in Identity Governance features

It's a best practice to use the least privileged role to perform administrative tasks in Identity Governance. We recommend that you use Microsoft Entra PIM to activate a role as needed to perform these tasks. The following are the least privileged [directory roles](~/identity/role-based-access-control/permissions-reference.md) to configure Identity Governance features:
It's a best practice to use the least privileged role to perform administrative tasks in Identity Governance. We recommend that you use Microsoft Entra PIM to activate a role as needed to perform these tasks. The following are the least privileged [directory roles](../identity/role-based-access-control/permissions-reference.md) to configure Identity Governance features:

| Feature | Least privileged role |
| ------- | --------------------- |
| Entitlement management | Identity Governance Administrator |
| Access reviews | User Administrator (with the exception of access reviews of Azure or Microsoft Entra roles, which require Privileged Role Administrator) |
| Access reviews | User Administrator (except for access reviews of Azure or Microsoft Entra roles, which require Privileged Role Administrator) |
| Privileged Identity Management | Privileged Role Administrator |
| Terms of use | Security Administrator or Conditional Access Administrator |

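Review bot: two small consistency points in the automation table, both on lines already being touched for path changes. The first row's scenario text still reads "Creating, updating and deleting AD and Microsoft Entra user accounts" without the serial comma that the first hunk added to the matching provisioning bullet ("create, update, and remove"); apply the same style here. The "Assigning licenses" row links to "[group-based licensing]" in lowercase while every other automation-guide link in the table starts with a capital ("Plan cloud HR...", "Create a dynamic group", "Configure automatic user provisioning"); capitalise it as "Group-based licensing" for consistency. The access reviews row change in the least privileged roles table ("except for" in place of "with the exception of") is a plain wording simplification and keeps the Privileged Role Administrator requirement for reviews of Azure or Microsoft Entra roles intact.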
Expand All @@ -134,5 +134,5 @@ It's a best practice to use the least privileged role to perform administrative
- [What are Lifecycle Workflows?](what-are-lifecycle-workflows.md)
- [What is Microsoft Entra entitlement management?](entitlement-management-overview.md)
- [What are Microsoft Entra access reviews?](access-reviews-overview.md)
- [What is Microsoft Entra Privileged Identity Management?](~/id-governance/privileged-identity-management/pim-configure.md)
- [What can I do with Terms of use?](~/identity/conditional-access/terms-of-use.md)
- [What is Microsoft Entra Privileged Identity Management?](../id-governance/privileged-identity-management/pim-configure.md)
- [What can I do with Terms of use?](../identity/conditional-access/terms-of-use.md)

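Review bot: same round-trip path as in the privileged access lifecycle hunk: the "What is Microsoft Entra Privileged Identity Management?" link becomes `../id-governance/privileged-identity-management/pim-configure.md`, which resolves back into the current directory. Use `privileged-identity-management/pim-configure.md` here as well so both references to that page use the same form, and the Terms of use link rewrite to `../identity/conditional-access/terms-of-use.md` then matches the path used for the same page in the access lifecycle section.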