Merge pull request #6440 from MicrosoftDocs/main
12/30/2024 PM Publish
PhilKang0704 authored Dec 30, 2024
2 parents 4540f71 + 4810496 commit 10450bf
Showing 28 changed files with 155 additions and 153 deletions.
2 changes: 1 addition & 1 deletion docs/id-governance/apps.md
Expand Up @@ -5,7 +5,7 @@ author: billmath
manager: amycolannino
ms.service: entra-id-governance
ms.topic: overview
ms.date: 12/18/2024
ms.date: 12/30/2024
ms.author: billmath
ms.reviewer: amycolannino
---
18 changes: 9 additions & 9 deletions docs/id-governance/best-practices-secure-id-governance.md
Expand Up @@ -8,7 +8,7 @@ manager: amycolannino
editor: ''
ms.service: entra-id-governance
ms.topic: conceptual
ms.date: 12/10/2024
ms.date: 12/30/2024
ms.author: billmath
---

Expand All @@ -18,9 +18,9 @@ This document provides best practices for securing deploying Microsoft Entra ID

## Least privilege

The principle of least privilege means giving users and workload identities the minimum level of access or permissions they need to perform their tasks. By limiting access to only required resources based on the specific roles or job functions of users, providing just-in-time access, and performing regular audits, you can reduce the risk of unauthorized actions and potential security breaches.
The principle of least privilege means giving users and workload identities the minimum level of access or permissions they need to perform their tasks. By limiting access to only required resources based on the specific roles or job functions of users and providing just-in-time access, you can reduce the risk of unauthorized actions. Additionally, performing regular audits helps mitigate potential security breaches.

Microsoft Entra ID Governance limits the access a user has based on the role that they have been assigned. Ensure that your users have the least privileged role to perform the task that they need.
Microsoft Entra ID Governance limits the user access based on the role that they're assigned. Ensure that your users have the least privileged role to perform the task that they need.

For more information, see [least privilege with Microsoft Entra ID Governance](scenarios/least-privileged.md)
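Review bot: the context line carried in this hunk's header ("best practices for securing deploying Microsoft Entra ID") is still wrong; since the surrounding wording is being reworked, change it to "for securely deploying Microsoft Entra ID" in the same pass. On the new line "Microsoft Entra ID Governance limits the user access based on the role that they're assigned", "the user access" should be "a user's access" (or plain "user access"), and "the role that they're assigned" reads better as "the role they're assigned".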

Expand All @@ -36,7 +36,7 @@ For more information, see [Privileged Identity Management (PIM) for Groups](priv

**Recommendation:** Use Entitlement Management to provide access to sensitive resources, instead of hybrid groups.

Organizations have historically relied on Active Directory groups to access applications. Synchronizing these groups to Microsoft Entra ID makes it easy to reuse these groups and provide access to resources connected with Microsoft Entra ID. However, this creates lateral movement risk as a compromised account / group on-premises can be used to gain access to resources connected in the cloud.
Historically, organizations relied on Active Directory groups to access applications. Synchronizing these groups to Microsoft Entra ID makes it easy to reuse these groups and provide access to resources connected with Microsoft Entra ID. However, this creates lateral movement risk as a compromised account / group on-premises can be used to gain access to resources connected in the cloud.

When providing access to sensitive applications or roles, use [entitlement management](entitlement-management-scenarios.md) to drive assignment to the application instead of security groups synchronized from Active Directory Domain Services. For groups that need to be both in Microsoft Entra ID and Active Directory Domain Services, you can synchronize those groups from Microsoft Entra ID to Active Directory Domain Services using [cloud sync](~/identity/hybrid/group-writeback-cloud-sync.md).
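Review bot: "a compromised account / group on-premises" survives unchanged from the old line and should be "a compromised on-premises account or group". The sentence would also land harder if it said why the synced group is the pivot: the cloud-side resource trusts the group's membership, and that membership is administered in Active Directory, so whoever controls the group on-premises controls access to the cloud resource. Separately, the recommendation line says "sensitive resources" while the body says "sensitive applications or roles"; use one term.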

Expand All @@ -49,7 +49,7 @@ The principle of "Deny by Default" is a security strategy that restricts access
[Connected organizations](entitlement-management-organization.md#what-is-a-connected-organization) are a feature of entitlement management that allows users to gain access to resources across tenants. Follow these best practices when configuring connected organizations.

**Recommendations:**
- Require an expiration date for access-to-access packages in a [connected organization](entitlement-management-organization.md#what-is-a-connected-organization). If, for example, users need access for the duration of a fixed contract, set the access package to expire at the end of the contract.
- Require an expiration date for access-to-access packages in a [connected organization](entitlement-management-organization.md#what-is-a-connected-organization). If, for example, users need access during a fixed contract, set the access package to expire at the end of the contract.
- Require approval prior to granting access to guests from connected organizations.
- Periodically [review guest access](entitlement-management-external-users.md) to ensure that users only have access to resources that they still need.
- Carefully consider which organizations you're including as connected orgs. Periodically review the list of connected organizations and remove any that you don't collaborate with anymore.
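Review bot: "Require an expiration date for access-to-access packages" is a typo carried over unchanged from the old line; it should read "for access to access packages" (or "for access package assignments"). Since the line is being touched anyway ("for the duration of a fixed contract" to "during a fixed contract"), fix it here. "During a fixed contract" also loses a little precision; "for the term of a fixed contract" keeps the original meaning.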
Expand All @@ -58,7 +58,7 @@ The principle of "Deny by Default" is a security strategy that restricts access

**Recommendation:** Set the [provisioning scope](/entra/identity/app-provisioning/how-provisioning-works#scoping) to sync “assigned users and groups.”

This scope ensures that only users explicitly assigned to your sync configuration will get provisioned. The alternative setting of allowing all users and groups should only be used for applications where access is required broadly across the organization.
This scope ensures that only users explicitly assigned to your sync configuration get provisioned. The alternative setting of allowing all users and groups should only be used for applications where access is required broadly across the organization.
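Review bot: "should only be used for applications" should be "should be used only for applications"; as written the adverb attaches to "be used" rather than to the scope. The recommendation quotes the preferred option by name ("assigned users and groups") but describes the alternative only as "allowing all users and groups"; quote that option the same way it appears in the provisioning configuration so a reader can match it to the setting.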

### PIM for roles

Expand All @@ -81,7 +81,7 @@ Encourage application vendors to support [OAuth](/entra/identity-platform/v2-oau

**Recommendation:** Use a certificate from a [trusted certificate authority](/windows-server/identity/ad-cs/certification-authority-role) when configuring on-premises application provisioning.

When configuring on-premises application provisioning with the ECMA host, you have the option to use a self-signed certificate or a trusted certificate. While the self-signed cert is helpful for getting started quickly and testing the capability, it isn't recommended for production use, because the certificates can't be revoked and expire in 2 years by default.
When configuring on-premises application provisioning with the ECMA host, you have the option to use a self-signed certificate or a trusted certificate. While the self-signed certificate is helpful for getting started quickly and testing the capability, it isn't recommended for production use. This is because the certificates can't be revoked and expire in 2 years by default.


**Recommendation:** Harden your Microsoft Entra Provisioning Agent server
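Review bot: splitting the sentence leaves "This is because the certificates can't be revoked and expire in 2 years by default", where both "This" and "the certificates" are ambiguous. Suggest: "A self-signed certificate can't be revoked and expires after 2 years by default, so it isn't recommended for production use." It is also worth keeping the two reasons distinct, since they are different kinds of risk: with no revocation, a compromised private key can only be invalidated by replacing the certificate everywhere it is trusted, whereas the default expiry is an availability concern.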
Expand All @@ -92,7 +92,7 @@ We recommend that you [harden your Microsoft Entra provisioning agent](~/identit
- Restrict administrative access to the Microsoft Entra provisioning agent server to only domain administrators or other tightly controlled security groups.
- Create a [dedicated account for all personnel with privileged access](/windows-server/identity/securing-privileged-access/securing-privileged-access). Administrators shouldn't be browsing the web, checking their email, and doing day-to-day productivity tasks with highly privileged accounts.
- Follow the guidance provided in [Securing privileged access](/security/privileged-access-workstations/overview).
- Enable multifactor authentication (MFA) for all users that have privileged access in Microsoft Entra ID or in AD. One security issue with using Microsoft Entra provisioning agent is that if an attacker can get control over the Microsoft Entra provisioning agent server they can manipulate users in Microsoft Entra ID. To prevent an attacker from using these capabilities to take over Microsoft Entra accounts, MFA offers protections so that even if an attacker manages to, such as reset a user's password using Microsoft Entra provisioning agent they still can't bypass the second factor.
- Enable multifactor authentication (MFA) for all users that have privileged access in Microsoft Entra ID or in AD. One security issue with using Microsoft Entra provisioning agent is that if an attacker can get control over the Microsoft Entra provisioning agent server they can manipulate users in Microsoft Entra ID. To prevent an attacker from using these capabilities to take over Microsoft Entra accounts, MFA offers protections. Even if an attacker manages to reset a user's password using the Microsoft Entra provisioning agent, they still can't bypass the second factor.

For more information and additional best practices, see [Prerequisites for Microsoft Entra Cloud Sync in Microsoft Entra ID](~/identity/hybrid/cloud-sync/how-to-prerequisites.md#harden-your-microsoft-entra-provisioning-agent-server)
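Review bot: the MFA bullet still never says what the protection actually is; "MFA offers protections" should state it directly, for example "a password reset performed through the provisioning agent gives the attacker only the first factor, so the sign-in still fails at the second factor." Also "for all users that have privileged access" should be "for all users who have privileged access", and the second sentence ("One security issue with using Microsoft Entra provisioning agent is that if an attacker can get control over ...") would read more plainly as "If an attacker gains control of the provisioning agent server, they can manipulate users in Microsoft Entra ID."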

Expand All @@ -110,7 +110,7 @@ We recommend that you [harden your Microsoft Entra provisioning agent](~/identit

## Backup and recovery

Backup your configuration so you can recover to a known good state in case of a compromise. Use the following list to create a comprehensive backup strategy that covers the various areas of governance.
Back up your configuration so you can recover to a known good state in case of a compromise. Use the following list to create a comprehensive backup strategy that covers the various areas of governance.

- [Microsoft Graph APIs](/graph/overview) can be used to export the current state of many Microsoft Entra configurations.
- [Microsoft Entra Exporter](https://github.com/microsoft/entraexporter) is a tool you can use to export your configuration settings.
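Review bot: "Back up" as a verb is the right correction. The paragraph promises recovery "to a known good state", but both bullets cover only export; add a sentence on where the exported configuration should be kept (it captures the tenant's governance configuration, so it needs the same access control and version history as any other security-relevant artifact) and a pointer to how an export is used to restore, or retitle the section to match what is actually documented.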
