Commit

initial revision
markwahl-msft committed Dec 20, 2023
1 parent 7c59151 commit 56f5cc5
Showing 1 changed file with 8 additions and 5 deletions.
13 changes: 8 additions & 5 deletions docs/id-governance/identity-governance-overview.md
Expand Up @@ -48,7 +48,7 @@ In Microsoft Entra ID Governance, you can automate the identity lifecycle for th
- [inbound provisioning from your organization's HR sources](~/identity/app-provisioning/plan-cloud-hr-provision.md), including retrieving from Workday and SuccessFactors, to automatically maintain user identities in both Active Directory and Microsoft Entra ID.
- [lifecycle workflows](what-are-lifecycle-workflows.md) to automate workflow tasks that run at certain key events, such before a new employee is scheduled to start work at the organization, as they change status during their time in the organization, and as they leave the organization. For example, a workflow can be configured to send an email with a temporary access pass to a new user's manager, or a welcome email to the user, on their first day.
- [automatic assignment policies in entitlement management](entitlement-management-access-package-auto-assignment-policy.md) to add and remove a user's group memberships, application roles, and SharePoint site roles, based on changes to the user's attributes.
- [user provisioning](what-is-provisioning.md) to create, update and remove user accounts in other applications, with connectors to hundreds of cloud and on-premises applications via SCIM, LDAP and SQL.
- [user provisioning](what-is-provisioning.md) to create, update and remove user accounts in other applications, with connectors to [hundreds of cloud and on-premises applications](apps.md) via SCIM, LDAP and SQL.

Organizations also need additional identities, for partners, suppliers and other guests, to enable them to collaborate or have access to resources.

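Review bot: the lifecycle workflows bullet two lines above the changed line still reads "such before a new employee is scheduled to start work", which is missing "as" ("such as before a new employee is scheduled to start work"); since this hunk is already editing the same list, fix it in this change. The new `(apps.md)` link on the added line uses the same relative target as the "hundreds of cloud and on-premises applications" link further down in this file, so the link itself is consistent.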
Expand All @@ -65,13 +65,16 @@ Organizations need a process to manage access beyond what was initially provisio

![Access lifecycle](./media/identity-governance-overview/access-lifecycle.png)

Typically, IT delegates access approval decisions to business decision makers. Furthermore, IT can involve the users themselves. For example, users that access confidential customer data in a company's marketing application in Europe need to know the company's policies. Guest users may be unaware of the handling requirements for data in an organization to which they've been invited.
With Microsoft Entra ID Governance, IT departments can establish what access rights users should have across various resources, and what enforcement checks such as separation of duties or access removal on job change are necessary. Microsoft Entra ID has connectors to [hundreds of cloud and on-premises applications](apps.md), and you can integrate your organization's other apps that rely upon [AD groups](entitlement-management-group-writeback.md), [other on-premises directories](~/identity/app-provisioning/on-premises-ldap-connector-configure.md) or [databases](~/identity/app-provisioning/on-premises-sql-connector-configure.md), or that have a [SOAP or REST API](~/identity/app-provisioning/on-premises-web-services-connector.md) including [SAP](sap.md), or that implement standards such as [SCIM](~/identity/app-provisioning/use-scim-to-provision-users-and-groups.md), SAML or OpenID Connect. When a user attempts to access applications, Microsoft Entra ID enforces [Conditional Access](~/identity/conditional-access/index.yml) policies. For example, Conditional Access policies can include displaying a [terms of use](~/identity/conditional-access/terms-of-use.md) and [ensuring the user has agreed to those terms](~/identity/conditional-access/require-tou.md) prior to being able to access an application. For more information, see [govern access to applications in your environment](identity-governance-applications-prepare.md), including how to [define organizational policies for governing access to applications](identity-governance-applications-define.md), [integrate applications](identity-governance-applications-integrate.md) and [deploy policies](identity-governance-applications-deploy.md).

Organizations can automate the access lifecycle process through technologies such as [dynamic groups](~/identity/users/groups-dynamic-membership.md), coupled with user provisioning to [SaaS apps](~/identity/saas-apps/tutorial-list.md) or [apps integrated with SCIM](~/identity/app-provisioning/use-scim-to-provision-users-and-groups.md). Microsoft Entra ID can also provision access to apps that use [AD groups](entitlement-management-group-writeback.md), [other on-premises directories](~/identity/app-provisioning/on-premises-ldap-connector-configure.md) or [databases](~/identity/app-provisioning/on-premises-sql-connector-configure.md), or that have a [SOAP or REST API](~/identity/app-provisioning/on-premises-web-services-connector.md) including [SAP](sap.md). Organizations can also control which [guest users have access to on-premises applications](~/external-id/hybrid-cloud-to-on-premises.md). These access rights can then be regularly reviewed using recurring [Microsoft Entra access reviews](access-reviews-overview.md) for access recertification. [Microsoft Entra entitlement management](entitlement-management-overview.md) also enables you to define how users request access across packages of group and team memberships, application roles, and SharePoint Online roles. For more information, see the [simplifying identity governance tasks with automation](#simplifying-identity-governance-tasks-with-automation) section below to select the appropriate Microsoft Entra features for your access lifecycle automation scenarios.
Access changes across apps and groups can be automated based on attribute changes. [lifecycle workflows](create-lifecycle-workflow.md) and [entitlement management](entitlement-management-overview.md) automatically add and remove users into groups or access packages, so that access to applications and resources is updated. Users can also be moved when their condition within the organization changes to different groups, and can even be removed entirely from all groups or access packages.

Lifecycle access can be automated using workflows. [Workflows can be created](create-lifecycle-workflow.md) to automatically add users to groups or access packages, so that access to applications and resources is granted. Users can also be moved when their condition within the organization changes to different groups, and can even be removed entirely from all groups.
Organizations that previously had been using an on-premises identity governance product can [migrate their organizational role model](identity-governance-organizational-roles.md) to Microsoft Entra ID Governance.

Furthermore, IT can delegate access manaegment decisions to business decision makers. For example, employees that wish to access confidential customer data in a company's marketing application in Europe may need approval from their manager, a department lead or resource owner, and a security risk officer. [Microsoft Entra entitlement management](entitlement-management-overview.md) enables you to define how users request access across packages of group and team memberships, app roles, and SharePoint Online roles, and enforce separation of duties checks on access requests.

Organizations can also control which guest users have access, including to [on-premises applications](~/external-id/hybrid-cloud-to-on-premises.md). These access rights can then be regularly reviewed using recurring [Microsoft Entra access reviews](access-reviews-overview.md) for access recertification.

When a user attempts to access applications, Microsoft Entra ID enforces [Conditional Access](~/identity/conditional-access/index.yml) policies. For example, Conditional Access policies can include displaying a [terms of use](~/identity/conditional-access/terms-of-use.md) and [ensuring the user has agreed to those terms](~/identity/conditional-access/require-tou.md) prior to being able to access an application. For more information, see [govern access to applications in your environment](identity-governance-applications-prepare.md).

## Privileged access lifecycle

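Review bot: the added paragraph beginning "Furthermore, IT can delegate" has a typo, "manaegment" should be "management", and the added paragraph beginning "Access changes across apps and groups" starts its second sentence with lowercase link text ("[lifecycle workflows](create-lifecycle-workflow.md) and [entitlement management](...) automatically add and remove users into groups"); capitalize it and change "add and remove users into groups" to "add users to and remove users from groups". The sentence "Users can also be moved when their condition within the organization changes to different groups", carried over from the removed text, reads better as "Users can also be moved to different groups when their status within the organization changes". Separately, splitting the removed paragraphs drops several links they carried: dynamic groups, the SaaS apps tutorial list, the "simplifying identity governance tasks with automation" section anchor, and the define/integrate/deploy sub-pages that followed the "govern access to applications in your environment" link; confirm the drops are intentional or restore them in the new paragraphs that cover the same topics (for example, append the define, integrate and deploy links to the new Conditional Access paragraph).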
