Module updates

Author: Rob-Barefoot

learn-pr/wwl-azure/guided-project-new-employee-access/5-validate-success.yml

@@ -10,6 +10,6 @@ metadata:
   ms.topic: unit
   ms.custom:
   - N/A
-durationInMinutes: 10
+durationInMinutes: 2
 content: |
   [!include[](includes/5-validate-success.md)]

learn-pr/wwl-azure/guided-project-new-employee-access/7-knowledge-check.yml

@@ -0,0 +1,51 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.guided-project-new-employee-access.knowledge-check
+title: Knowledge check
+metadata:
+  title: Knowledge check
+  description: "Knowledge check"
+  ms.date: 03/29/2026
+  author: wwlpublish
+  ms.author: robbarefoot
+  ms.topic: unit
+  ms.custom:
+  - N/A
+durationInMinutes: 5
+content: |
+  [!include[](includes/7-knowledge-check.md)]
+quiz:
+  title: "Check your knowledge"
+  questions:
+  - content: "What is the benefit of assigning RBAC roles to a group instead of individual users?"
+    choices:
+    - content: "Groups automatically inherit permissions from the subscription."
+      isCorrect: false
+      explanation: "Groups do not automatically inherit permissions. Roles must be explicitly assigned."
+    - content: "It simplifies access management when users join or leave the team."
+      isCorrect: true
+      explanation: "When you assign a role to a group, new members automatically get the role and removed members automatically lose it."
+    - content: "Groups can hold more permissions than individual users."
+      isCorrect: false
+      explanation: "The same roles and permissions are available for both users and groups."
+  - content: "What RBAC role provides view-only access to Azure resources without allowing changes?"
+    choices:
+    - content: "Contributor"
+      isCorrect: false
+      explanation: "The Contributor role allows creating and managing resources, not just viewing them."
+    - content: "Owner"
+      isCorrect: false
+      explanation: "The Owner role grants full access including the ability to assign roles to others."
+    - content: "Reader"
+      isCorrect: true
+      explanation: "The Reader role grants view-only access. Users can see resources but cannot create, modify, or delete them."
+  - content: "At what scope level was the RBAC role assigned in this guided project?"
+    choices:
+    - content: "Subscription"
+      isCorrect: false
+      explanation: "The role was scoped more narrowly than the entire subscription to follow least-privilege principles."
+    - content: "Resource group"
+      isCorrect: true
+      explanation: "The Reader role was assigned at the resource group level, limiting access to only the resources in that group."
+    - content: "Individual resource"
+      isCorrect: false
+      explanation: "While you can scope roles to individual resources, this project scoped the role at the resource group level."

learn-pr/wwl-azure/guided-project-new-employee-access/8-summary.yml

@@ -0,0 +1,15 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.guided-project-new-employee-access.summary
+title: Summary
+metadata:
+  title: Summary
+  description: "Summary"
+  ms.date: 03/16/2026
+  author: wwlpublish
+  ms.author: robbarefoot
+  ms.topic: unit
+  ms.custom:
+  - N/A
+durationInMinutes: 2
+content: |
+  [!include[](includes/8-summary.md)]

learn-pr/wwl-azure/guided-project-new-employee-access/includes/2-exercise-create-user-group.md

@@ -88,6 +88,4 @@ Complete the group membership by adding the new user. This establishes the conne
 4.  Search for and select **gp-rg-readers**, then select **Select**.
 
 > [!NOTE]
-> **Validation step:** Confirm the user is now a member of **gp-rg-readers**. Any RBAC permissions assigned to this group will apply to all members.
-
-> [!NOTE]
+> **Validation step:** Confirm the user is now a member of **gp-rg-readers**. Any RBAC permissions assigned to this group will apply to all members.

learn-pr/wwl-azure/guided-project-new-employee-access/includes/3-exercise-assign-role.md

@@ -31,6 +31,4 @@ Grant the Reader role to your security group at the resource group scope. This g
 13. Select **Review + assign** again to complete the assignment.
 
 > [!NOTE]
-> **Validation step:** Confirm the Reader role is assigned to **gp-rg-readers** at the resource group scope. Select the **Role assignments** tab on the **Access control (IAM)** page to verify.
-
-> [!NOTE]
+> **Validation step:** Confirm the Reader role is assigned to **gp-rg-readers** at the resource group scope. Select the **Role assignments** tab on the **Access control (IAM)** page to verify.

learn-pr/wwl-azure/guided-project-new-employee-access/includes/5-validate-success.md

@@ -1,5 +1,3 @@
-## Validate success
-
 Review the validation steps you completed during the exercises. Confirm that each item below is true before moving on.
 
 -   [ ] The **gp-rg-readers** security group exists in your tenant.

learn-pr/wwl-azure/guided-project-new-employee-access/includes/6-clean-up-resources.md

@@ -1,11 +1,9 @@
-## Clean up resources
-
 Complete these steps to remove the resources and identities you created in this project.
 
 > [!WARNING]
 > Resource deletion is permanent. Verify that you're deleting only resources created for this guided project before you proceed.
 
-### Delete the resource group
+## Delete the resource group
 
 Deleting the resource group removes all resources and RBAC role assignments scoped to it.
 
@@ -16,7 +14,7 @@ Deleting the resource group removes all resources and RBAC role assignments scop
 5.  In the confirmation dialog that appears, select **Delete** again to confirm.
 6.  Wait for the notification that confirms the resource group is deleted.
 
-### Delete the user and group
+## Delete the user and group
 
 1.  In the portal search bar, search for **Microsoft Entra ID** and select **Microsoft Entra ID**.
 2.  In the left menu under **Manage**, select **Users**.
@@ -28,7 +26,7 @@ Deleting the resource group removes all resources and RBAC role assignments scop
 8.  Find and select **gp-rg-readers**.
 9.  Select **Delete** from the top menu bar and confirm the deletion.
 
-### Disable Temporary Access Pass (if enabled)
+## Disable Temporary Access Pass (if enabled)
 
 > [!NOTE]
 > Only complete this section if you enabled Temporary Access Pass during this project. If TAP was already enabled in your tenant before you started, skip this section.
@@ -39,7 +37,7 @@ Deleting the resource group removes all resources and RBAC role assignments scop
 4.  Set **Enable** to **Off**.
 5.  Select **Save**.
 
-### Verify cleanup
+## Verify cleanup
 
 1.  In the portal search bar, search for **Resource groups** and confirm **rg-gp-access-model** no longer appears in the list.
 2.  In **Microsoft Entra ID** > **Users**, confirm the user account no longer appears.

learn-pr/wwl-azure/guided-project-new-employee-access/includes/7-knowledge-check.md

@@ -0,0 +1 @@
+Choose the best response for each question.

learn-pr/wwl-azure/guided-project-new-employee-access/includes/8-summary.md

@@ -0,0 +1,11 @@
+You completed a full guided project that mapped to a real IT operations task.
+
+## What you accomplished
+
+-   Implemented least-privilege onboarding with group-based RBAC.
+-   Scoped permissions at the resource group level.
+-   Validated effective access before project completion.
+
+## Next step
+
+Repeat the project once from memory to reinforce the workflow and decision points.

learn-pr/wwl-azure/guided-project-new-employee-access/index.yml

@@ -41,6 +41,7 @@ units:
 - learn.wwl.guided-project-new-employee-access.exercise-verify-least-privilege
 - learn.wwl.guided-project-new-employee-access.validate-success
 - learn.wwl.guided-project-new-employee-access.clean-up-resources
+- learn.wwl.guided-project-new-employee-access.knowledge-check
 - learn.wwl.guided-project-new-employee-access.summary
 badge:
   uid: learn.wwl.guided-project-new-employee-access.badge