diff --git a/docs/architecture/security-operations-consumer-accounts.md b/docs/architecture/security-operations-consumer-accounts.md index 3cb0392e254..3284454dd63 100644 --- a/docs/architecture/security-operations-consumer-accounts.md +++ b/docs/architecture/security-operations-consumer-accounts.md @@ -112,7 +112,7 @@ Identity Provider deleted by nonapproved actors | High | Microsoft Entra access | Added credentials to applications | High | Microsoft Entra audit logs | Service-Core Directory, Category-ApplicationManagement
Activity: Update Application-Certificates and secrets management
-and-
Activity: Update Service principal/Update Application | Alert when credentials are: added outside normal business hours or workflows, types not used in your environment, or added to a non-SAML flow supporting service principal. | | App assigned to an Azure role-based access control (RBAC) role, or Microsoft Entra role | High to medium | Microsoft Entra audit logs | Type: service principal
Activity: “Add member to role”
or
“Add eligible member to role”
-or-
“Add scoped member to role.” |N/A| | App granted highly privileged permissions, such as permissions with “.All” (Directory.ReadWrite.All) or wide-ranging permissions (Mail.) | High | Microsoft Entra audit logs |N/A | Apps granted broad permissions such as “.All” (Directory.ReadWrite.All) or wide-ranging permissions (Mail.) | -| Administrator granting application permissions (app roles), or highly privileged delegated permissions | High | Microsoft 365 portal | “Add app role assignment to service principal”
-where-
Target(s) identifies an API with sensitive data (such as Microsoft Graph) “Add delegated permission grant”
-where-
Target(s) identifies an API with sensitive data (such as Microsoft Graph)
-and-
DelegatedPermissionGrant.Scope includes high-privilege permissions. | Alert when a global, application, or cloud application administrator consents to an application. Especially look for consent outside normal activity and change procedures. | +| Administrator granting application permissions (app roles), or highly privileged delegated permissions | High | Microsoft 365 portal | “Add app role assignment to service principal”
-where-
Target(s) identifies an API with sensitive data (such as Microsoft Graph) “Add delegated permission grant”
-where-
Target(s) identifies an API with sensitive data (such as Microsoft Graph)
-and-
DelegatedPermissionGrant.Scope includes high-privilege permissions. | Alert when a Global Administrator, Application Administrator, or Cloud Application Administrator consents to an application. Especially look for consent outside normal activity and change procedures. | | Application is granted permissions for Microsoft Graph, Exchange, SharePoint, or Microsoft Entra ID. | High | Microsoft Entra audit logs | “Add delegated permission grant”
-or-
“Add app role assignment to service principal”
-where-
Target(s) identifies an API with sensitive data (such as Microsoft Graph, Exchange Online, and so on) | Use the alert in the preceding row. | | Highly privileged delegated permissions granted on behalf of all users | High | Microsoft Entra audit logs | “Add delegated permission grant”
where
Target(s) identifies an API with sensitive data (such as Microsoft Graph)
DelegatedPermissionGrant.Scope includes high-privilege permissions
-and-
DelegatedPermissionGrant.ConsentType is “AllPrincipals”. | Use the alert in the preceding row. | | Applications that are using the ROPC authentication flow | Medium | Microsoft Entra sign-in log | Status=Success
Authentication Protocol-ROPC | High level of trust is placed in this application because the credentials can be cached or stored. If possible, move to a more secure authentication flow. Use the process only in automated application testing, if ever. | diff --git a/docs/architecture/security-operations-devices.md b/docs/architecture/security-operations-devices.md index 09077d6876e..ea5ba528928 100644 --- a/docs/architecture/security-operations-devices.md +++ b/docs/architecture/security-operations-devices.md @@ -149,7 +149,7 @@ The [Microsoft Entra Joined Device Local Administrator](../identity/role-based-a | What to monitor| Risk Level| Where| Filter/sub-filter| Notes | | - |- |- |- |- | -| Users added to global or device admin roles| High| Audit logs| Activity type = Add member to role.| Look for: new users added to these Microsoft Entra roles, subsequent anomalous behavior by machines or users.
[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/4ad195f4fe6fdbc66fb8469120381e8277ebed81/Detections/AuditLogs/UserAddedtoAdminRole.yaml)

[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) | +| Users added to Global Administrator or Microsoft Entra Joined Device Local Administrator roles| High| Audit logs| Activity type = Add member to role.| Look for: new users added to these Microsoft Entra roles, subsequent anomalous behavior by machines or users.
[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/4ad195f4fe6fdbc66fb8469120381e8277ebed81/Detections/AuditLogs/UserAddedtoAdminRole.yaml)

[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) | ## Non-Azure AD sign-ins to virtual machines diff --git a/docs/architecture/security-operations-privileged-identity-management.md b/docs/architecture/security-operations-privileged-identity-management.md index 93cf2bff472..41b1add0734 100644 --- a/docs/architecture/security-operations-privileged-identity-management.md +++ b/docs/architecture/security-operations-privileged-identity-management.md 
@@ -85,7 +85,7 @@ The following are recommended baseline settings: | What to monitor| Risk level| Recommendation| Roles| Notes | | - |- |- |- |- | -| Microsoft Entra roles assignment| High| Require justification for activation. Require approval to activate. Set two-level approver process. On activation, require Microsoft Entra multifactor authentication. Set maximum elevation duration to 8 hrs.| Security Administrator, Privileged Role Administrator, Global Administrator| A privileged role administrator can customize PIM in their Microsoft Entra organization, including changing the experience for users activating an eligible role assignment. | +| Microsoft Entra roles assignment| High| Require justification for activation. Require approval to activate. Set two-level approver process. On activation, require Microsoft Entra multifactor authentication. Set maximum elevation duration to 8 hrs.| Security Administrator, Privileged Role Administrator, Global Administrator| A Privileged Role Administrator can customize PIM in their Microsoft Entra organization, including changing the experience for users activating an eligible role assignment. | | Azure Resource Role Configuration| High| Require justification for activation. Require approval to activate. Set two-level approver process. On activation, require Microsoft Entra multifactor authentication. Set maximum elevation duration to 8 hrs.| Owner, User Access Administrator | Investigate immediately if not a planned change. This setting might enable attacker access to Azure subscriptions in your environment. | 
@@ -108,7 +108,7 @@ Privileged Identity Management (PIM) generates alerts when there's suspicious or ## Microsoft Entra roles assignment -A privileged role administrator can customize PIM in their Microsoft Entra organization, which includes changing the user experience of activating an eligible role assignment: +A Privileged Role Administrator can customize PIM in their Microsoft Entra organization, which includes changing the user experience of activating an eligible role assignment: * Prevent bad actor to remove Microsoft Entra multifactor authentication requirements to activate privileged access. diff --git a/docs/external-id/direct-federation.md b/docs/external-id/direct-federation.md index 8beafa1e654..a06443677ee 100644 --- a/docs/external-id/direct-federation.md +++ b/docs/external-id/direct-federation.md @@ -206,7 +206,7 @@ Next, configure federation with the IdP configured in step 1 in Microsoft Entra [!INCLUDE [portal updates](~/includes/portal-update.md)] -1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [External Identity Provider administrator](~/identity/role-based-access-control/permissions-reference.md#external-identity-provider-administrator). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [External Identity Provider Administrator](~/identity/role-based-access-control/permissions-reference.md#external-identity-provider-administrator). 1. Browse to **Identity** > **External Identities** > **All identity providers**. 1. Select the **Custom** tab, and then select **Add new** > **SAML/WS-Fed**. 
@@ -267,7 +267,7 @@ On the **All identity providers** page, you can view the list of SAML/WS-Fed ide -1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [External Identity Provider administrator](~/identity/role-based-access-control/permissions-reference.md#external-identity-provider-administrator). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [External Identity Provider Administrator](~/identity/role-based-access-control/permissions-reference.md#external-identity-provider-administrator). 1. Browse to **Identity** > **External Identities** > **All identity providers**. 1. Select the **Custom** tab. 1. Scroll to an identity provider in the list or use the search box. @@ -299,7 +299,7 @@ On the **All identity providers** page, you can view the list of SAML/WS-Fed ide You can remove your federation configuration. If you do, federation guest users who have already redeemed their invitations can no longer sign in. But you can give them access to your resources again by [resetting their redemption status](reset-redemption-status.md). To remove a configuration for an IdP in the Microsoft Entra admin center: -1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [External Identity Provider administrator](~/identity/role-based-access-control/permissions-reference.md#external-identity-provider-administrator). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [External Identity Provider Administrator](~/identity/role-based-access-control/permissions-reference.md#external-identity-provider-administrator). 1. Browse to **Identity** > **External Identities** > **All identity providers**. 1. Select the **Custom** tab, and then scroll to the identity provider in the list or use the search box. 1. Select the link in the **Domains** column to view the IdP's domain details. 
diff --git a/docs/external-id/google-federation.md b/docs/external-id/google-federation.md index 7f4cf1424dc..60385f2883d 100644 --- a/docs/external-id/google-federation.md +++ b/docs/external-id/google-federation.md @@ -198,7 +198,7 @@ First, create a new project in the Google Developers Console to obtain a client You'll now set the Google client ID and client secret. You can use the Microsoft Entra admin center or PowerShell to do so. Be sure to test your Google federation configuration by inviting yourself. Use a Gmail address and try to redeem the invitation with your invited Google account. **To configure Google federation in the Microsoft Entra admin center** -1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [External Identity Provider administrator](~/identity/role-based-access-control/permissions-reference.md#external-identity-provider-administrator). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [External Identity Provider Administrator](~/identity/role-based-access-control/permissions-reference.md#external-identity-provider-administrator). 1. Browse to **Identity** > **External Identities** > **All identity providers** and then on the **Google** line, select **Configure**. 1. Enter the client ID and client secret you obtained earlier. Select **Save**: 
@@ -245,7 +245,7 @@ At this point, the Google identity provider is set up in your Microsoft Entra te You can delete your Google federation setup. If you do so, Google guest users who already redeemed their invitation can't sign in. But you can give them access to your resources again by [resetting their redemption status](reset-redemption-status.md). **To delete Google federation in the Microsoft Entra admin center** -1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [External Identity Provider administrator](~/identity/role-based-access-control/permissions-reference.md#external-identity-provider-administrator). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [External Identity Provider Administrator](~/identity/role-based-access-control/permissions-reference.md#external-identity-provider-administrator). 1. Browse to **Identity** > **External Identities** > **All identity providers**. 1. On the **Google** line, select (**Configured**), and then select **Delete**. diff --git a/docs/external-id/invite-internal-users.md b/docs/external-id/invite-internal-users.md index 8e685cd4c94..a67c40002cd 100644 --- a/docs/external-id/invite-internal-users.md +++ b/docs/external-id/invite-internal-users.md 
@@ -51,7 +51,7 @@ You can use the Microsoft Entra admin center, PowerShell, or the invitation API [!INCLUDE [portal updates](~/includes/portal-update.md)] -1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [External Identity Provider administrator](~/identity/role-based-access-control/permissions-reference.md#external-identity-provider-administrator). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [External Identity Provider Administrator](~/identity/role-based-access-control/permissions-reference.md#external-identity-provider-administrator). 1. Browse to **Identity** > **Users** > **All users**. 1. Find the user in the list or use the search box. Then select the user. 1. In the **Overview** tab, under **My Feed**, select **Convert to external user**. diff --git a/docs/external-id/leave-the-organization.md b/docs/external-id/leave-the-organization.md index 05ca788ba7f..6e3b6e8a40c 100644 --- a/docs/external-id/leave-the-organization.md +++ b/docs/external-id/leave-the-organization.md 
@@ -93,7 +93,7 @@ Administrators can use the **External user leave settings** to control whether e > [!IMPORTANT] > You can configure **External user leave settings** only if you have [added your privacy information](~/fundamentals/properties-area.yml) to your Microsoft Entra tenant. Otherwise, this setting will be unavailable. We recommend adding your privacy information to allow external users to review your policies and email your privacy contact when necessary. -1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [External Identity Provider administrator](~/identity/role-based-access-control/permissions-reference.md#external-identity-provider-administrator). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [External Identity Provider Administrator](~/identity/role-based-access-control/permissions-reference.md#external-identity-provider-administrator). 1. Browse to **Identity** > **External Identities** > **External collaboration settings**. @@ -110,7 +110,7 @@ When a B2B collaboration user leaves an organization, the user's account is "sof If desired, a tenant administrator can permanently delete the account at any time during the soft-deleted period with the following steps. This action is irrevocable. -1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [External Identity Provider administrator](~/identity/role-based-access-control/permissions-reference.md#external-identity-provider-administrator). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [External Identity Provider Administrator](~/identity/role-based-access-control/permissions-reference.md#external-identity-provider-administrator). 1. Browse to **Identity** > **Users** > **All users** 
diff --git a/docs/fundamentals/copilot-entra-lifecycle-workflow.md b/docs/fundamentals/copilot-entra-lifecycle-workflow.md index 8bd81c590ef..385e219080d 100644 --- a/docs/fundamentals/copilot-entra-lifecycle-workflow.md +++ b/docs/fundamentals/copilot-entra-lifecycle-workflow.md @@ -11,10 +11,7 @@ ms.date: 01/10/2025 ms.topic: conceptual ms.service: entra ms.custom: microsoft-copilot - -# Customer intent: As a lifecycle workflows Administrators or Global Administrators, I want to learn about risky user summarization in the Identity Protection UX so that I can quickly respond to identity threats. --- - # Manage employee lifecycle using Microsoft Security Copilot (Preview) Microsoft Entra ID Governance applies the capabilities of [Microsoft Security Copilot](/security-copilot/microsoft-security-copilot) to save identity administrators time and effort when configuring custom workflows to manage the lifecycle of users across JML scenarios. It also helps you to customize workflows more efficiently using natural language to configure workflow information including custom tasks, execute workflows, and get workflow insights. diff --git a/docs/global-secure-access/how-to-configure-customer-premises-equipment.md b/docs/global-secure-access/how-to-configure-customer-premises-equipment.md index 04772190199..899f8b4434d 100644 --- a/docs/global-secure-access/how-to-configure-customer-premises-equipment.md +++ b/docs/global-secure-access/how-to-configure-customer-premises-equipment.md 
@@ -8,7 +8,7 @@ ms.topic: how-to ms.date: 03/22/2024 ms.service: global-secure-access -# Customer Intent: As a Global Secure Access administrator, I need to know how to configure the connection between my customer premises equipment and Microsoft's network so that I can create a tunnel from my remote network to the Global Secure Access network. +# Customer Intent: As a Global Secure Access Administrator, I need to know how to configure the connection between my customer premises equipment and Microsoft's network so that I can create a tunnel from my remote network to the Global Secure Access network. --- # Configure customer premises equipment for Global Secure Access diff --git a/docs/global-secure-access/how-to-configure-kerberos-sso.md b/docs/global-secure-access/how-to-configure-kerberos-sso.md index 639c16843e5..1856255ec1a 100644 --- a/docs/global-secure-access/how-to-configure-kerberos-sso.md +++ b/docs/global-secure-access/how-to-configure-kerberos-sso.md 
@@ -25,7 +25,7 @@ Before you get started with single sign-on, make sure your environment is ready. ### Publish resources for use with single sign-on To test single sign-on, create a new enterprise application that publishes a file share. Using an enterprise application to publish your file share lets you assign a Conditional Access policy to the resource and enforce extra security controls, such as multifactor authentication. -1. Sign in to [Microsoft Entra](https://entra.microsoft.com/) as at least a [Application administrator](reference-role-based-permissions.md#application-administrator). +1. Sign in to [Microsoft Entra](https://entra.microsoft.com/) as at least a [Application Administrator](reference-role-based-permissions.md#application-administrator). 1. Browse to **Global Secure Access** > **Applications** > **Enterprise Applications**. 1. Select **New Application**. 1. Add a new app segment with the IP of your file server using port `445/TCP` and then select **Save**. The Server Message Block (SMB) protocol uses the port. 
@@ -63,7 +63,7 @@ The Domain Controller ports are required to enable SSO to on-premises resources. > [!NOTE] > The guide focuses on enabling SSO to on-premises resources and excludes configuration required for Windows domain-joined clients to perform domain operations (password change, Group Policy, etc.). -1. Sign in to [Microsoft Entra](https://entra.microsoft.com/) as at least a [Application administrator](reference-role-based-permissions.md#application-administrator). +1. Sign in to [Microsoft Entra](https://entra.microsoft.com/) as at least a [Application Administrator](reference-role-based-permissions.md#application-administrator). 1. Browse to **Global Secure Access** > **Applications** > **Enterprise Applications**. 1. Select **New Application** to create a new application to publish your Domain Controllers. 1. Select **Add application segment** and then add all of your Domain Controllers’ IPs or Fully Qualified Domain Names (FQDNs) and ports as per the table. Only the Domain Controllers in the Active Directory site where the Private Access connectors are located should be published. diff --git a/docs/global-secure-access/reference-role-based-permissions.md b/docs/global-secure-access/reference-role-based-permissions.md index 5c24f924748..d51edb7ac1d 100644 --- a/docs/global-secure-access/reference-role-based-permissions.md +++ b/docs/global-secure-access/reference-role-based-permissions.md 
@@ -31,7 +31,7 @@ This article details the built-in Microsoft Entra roles you can assign for manag **Limited access**: This role grants permissions to perform specific tasks, such as configuring remote networks, setting up security profiles, managing traffic forwarding profiles, and viewing traffic logs and alerts. However, Global Secure Access admins can't configure Private Access, create or manage Conditional Access policies, manage user and group assignments, or configure Office 365 logging. > [!NOTE] -> To perform additional Microsoft Entra tasks, such as editing Conditional Access policies, you need to be both a GSA administrator and have at least one other administrator role assigned to you. Consult the Role-based permissions table above. +> To perform additional Microsoft Entra tasks, such as editing Conditional Access policies, you need to be both a Global Secure Access Administrator and have at least one other administrator role assigned to you. Consult the Role-based permissions table above. ### Conditional Access Administrator diff --git a/docs/global-secure-access/troubleshoot-connectors.md b/docs/global-secure-access/troubleshoot-connectors.md index 3130359e1a5..b372cd24b48 100644 --- a/docs/global-secure-access/troubleshoot-connectors.md +++ b/docs/global-secure-access/troubleshoot-connectors.md @@ -93,7 +93,7 @@ To learn more about the `Register-MicrosoftEntraPrivateNetworkConnector` command ## Verify admin is used to install the connector -**Objective:** Verify that the user who tries to install the connector is an administrator with correct credentials. Currently, the user must be at least an application administrator for the installation to succeed. +**Objective:** Verify that the user who tries to install the connector is an administrator with correct credentials. Currently, the user must be at least an Application Administrator for the installation to succeed. **To verify the credentials are correct:** 
@@ -118,7 +118,7 @@ Once you find the connector error from the event log, use this table of common e | `Connector registration failed: Make sure you enabled application proxy in the Azure Management Portal and that you entered your Active Directory user name and password correctly. Error: 'AADSTS50059: No tenant-identifying information found in either the request or implied by any provided credentials and search by service principal URI has failed.` | You're trying to sign in using a Microsoft Account and not a domain that is part of the organization ID of the directory you're trying to access. The admin must be part of the same domain name as the tenant domain. For example, if the Microsoft Entra domain is `contoso.com`, the admin should be `admin@contoso.com`. | | `Failed to retrieve the current execution policy for running PowerShell scripts.` | If the connector installation fails, check to make sure that PowerShell execution policy isn't disabled.

1. Open the Group Policy Editor.
2. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows PowerShell** and double-click **Turn on Script Execution**.
3. The execution policy can be set to either **Not Configured** or **Enabled**. If set to **Enabled**, make sure that under Options, the Execution Policy is set to either **Allow local scripts and remote signed scripts** or to **Allow all scripts**. | | `Connector failed to download the configuration.` | The connector’s client certificate, which is used for authentication, expired. The issue occurs if you have the connector installed behind a proxy. In this case, the connector can't access the internet and isn't able to provide applications to remote users. Renew trust manually using the `Register-MicrosoftEntraPrivateNetworkConnector` cmdlet in Windows PowerShell. If your connector is behind a proxy, it's necessary to grant internet access to the connector accounts `network services` and `local system`. Granting access is accomplished by granting access to the proxy or bypassing the proxy. | -| `Connector registration failed: Make sure you are an Application Administrator of your Active Directory to register the connector. Error: 'The registration request was denied.'` | The alias you're trying to sign in with isn't an admin on this domain. Your connector is always installed for the directory that owns the user’s domain. Make sure that the admin account you're trying to sign in with has at least application administrator permissions to the Microsoft Entra tenant. | +| `Connector registration failed: Make sure you are an Application Administrator of your Active Directory to register the connector. Error: 'The registration request was denied.'` | The alias you're trying to sign in with isn't an admin on this domain. Your connector is always installed for the directory that owns the user’s domain. Make sure that the admin account you're trying to sign in with has at least Application Administrator permissions to the Microsoft Entra tenant. | | `The connector was unable to connect to the service due to networking issues. 
The connector tried to access the following URL.` | The connector is unable to connect to the application proxy cloud service. The issue happens if you have a firewall rule blocking the connection. Allow access to the correct ports and URLs listed in [configure connectors](how-to-configure-connectors.md). | diff --git a/docs/global-secure-access/troubleshoot-global-secure-access-client-diagnostics-health-check.md b/docs/global-secure-access/troubleshoot-global-secure-access-client-diagnostics-health-check.md index 985778c2264..c6363f3f383 100644 --- a/docs/global-secure-access/troubleshoot-global-secure-access-client-diagnostics-health-check.md +++ b/docs/global-secure-access/troubleshoot-global-secure-access-client-diagnostics-health-check.md @@ -115,7 +115,8 @@ If this test fails, make sure you're using the most updated forwarding profile o Break-glass mode prevents the Global Secure Access client from tunneling network traffic to the Global Secure Access cloud service. In Break-glass mode, all traffic profiles in the Global Secure Access portal are unchecked and the Global Secure Access client isn't expected to tunnel any traffic. To set the client to acquire traffic and tunnel that traffic to the Global Secure Access service: -1. Sign in to the Microsoft Entra admin center as a tenant administrator. + +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Secure Access Administrator](/entra/identity/role-based-access-control/permissions-reference#global-secure-access-administrator). 1. Navigate to Global Secure **Access** > **Connect** > **Traffic forwarding**. 1. Enable at least one of the traffic profiles that match your organization's needs. diff --git a/docs/id-governance/identity-governance-applications-deploy.md b/docs/id-governance/identity-governance-applications-deploy.md index 36f475840b9..90f6474e6ea 100644 --- a/docs/id-governance/identity-governance-applications-deploy.md 
+++ b/docs/id-governance/identity-governance-applications-deploy.md 
@@ -40,11 +40,11 @@ In this section, you configure Microsoft Entra entitlement management so users c > [!NOTE] > Following least privilege access, we recommend using the Identity Governance Administrator role here. -1. **Access packages for governed applications should be in a designated catalog.** If you don't already have a catalog for your application governance scenario, [create a catalog](~/id-governance/entitlement-management-catalog-create.md) in Microsoft Entra entitlement management. If you have multiple catalogs to create, you can use a PowerShell script to [create each catalog](entitlement-management-catalog-create.md#create-a-catalog-with-powershell). -1. **Populate the catalog with necessary resources.** Add the application, and any Microsoft Entra groups that the application relies upon, [as resources in that catalog](~/id-governance/entitlement-management-catalog-create.md#add-resources-to-a-catalog). If you have many resources, you can use a PowerShell script to [add each resource to a catalog](entitlement-management-catalog-create.md#add-a-resource-to-a-catalog-with-powershell). -1. **Create an access package for each role or group which users can request.** For each of the applications, and for each of their application roles or groups, [create an access package](~/id-governance/entitlement-management-access-package-create.md) that includes that role or group as its resource. At this stage of configuring these access packages, configure the first access package assignment policy in each access package to be [a policy for direct assignment](entitlement-management-access-package-request-policy.md#none-administrator-direct-assignments-only), so that only administrators can create assignments. In that policy, set the access review requirements for existing users, if any, so that they don't keep access indefinitely. 
If you have many access packages, you can use a PowerShell script to [create each access package in a catalog](entitlement-management-access-package-create.md#create-an-access-package-by-using-microsoft-powershell). +1. **Access packages for governed applications should be in a designated catalog.** If you don't already have a catalog for your application governance scenario, [create a catalog](~/id-governance/entitlement-management-catalog-create.md) in Microsoft Entra entitlement management. If you have multiple catalogs to create, you can use a PowerShell script to [create each catalog](entitlement-management-catalog-create.md#create-a-catalog-with-powershell), as shown in [create a catalog using PowerShell](entitlement-management-access-package-create-app.md#create-a-catalog-in-microsoft-entra-entitlement-management). +1. **Populate the catalog with necessary resources.** Add the application, and any Microsoft Entra groups that the application relies upon, [as resources in that catalog](~/id-governance/entitlement-management-catalog-create.md#add-resources-to-a-catalog). If you have many resources, you can use a PowerShell script to [add each resource to a catalog](entitlement-management-catalog-create.md#add-a-resource-to-a-catalog-with-powershell), as shown in [add the application as a resource to the catalog](entitlement-management-access-package-create-app.md#add-the-application-as-a-resource-to-the-catalog). +1. **Create an access package for each role or group which users can request.** For each of the applications, and for each of their application roles or groups, [create an access package](~/id-governance/entitlement-management-access-package-create.md) that includes that role or group as its resource. 
At this stage of configuring these access packages, configure the first access package assignment policy in each access package to be [a policy for direct assignment](entitlement-management-access-package-request-policy.md#none-administrator-direct-assignments-only), so that only administrators can create assignments. In that policy, set the access review requirements for existing users, if any, so that they don't keep access indefinitely. If you have many access packages, you can use a PowerShell script to [create each access package in a catalog](entitlement-management-access-package-create.md#create-an-access-package-by-using-microsoft-powershell), as shown in [create an access package for an application with a single role](entitlement-management-access-package-create-app.md#create-an-access-package-in-entitlement-management-for-an-application-with-a-single-role-using-powershell). 1. **Configure access packages to enforce separation of duties requirements.** If you have [separation of duties](entitlement-management-access-package-incompatible.md) requirements, then configure the incompatible access packages or existing groups for your access package. If your scenario requires the ability to override a separation of duties check, then you can also [set up additional access packages for those override scenarios](entitlement-management-access-package-incompatible.md#configuring-multiple-access-packages-for-override-scenarios). -1. **Add assignments of existing users, who already have access to the application, to the access packages.** For each access package, assign existing users of the application in that corresponding role, or members of that group, to the access package and its direct assignment policy. 
You can [directly assign a user](entitlement-management-access-package-assignments.md) to an access package using the Microsoft Entra admin center, or in bulk via Graph or [PowerShell](entitlement-management-access-package-assignments.md#assign-a-user-to-an-access-package-with-powershell). +1. **Add assignments of existing users, who already have access to the application, to the access packages.** For each access package, assign existing users of the application in that corresponding role, or members of that group, to the access package and its direct assignment policy. You can [directly assign a user](entitlement-management-access-package-assignments.md) to an access package using the Microsoft Entra admin center, or in bulk via Graph or [PowerShell](entitlement-management-access-package-assignments.md#assign-a-user-to-an-access-package-with-powershell) as shown in [add assignments of existing users](entitlement-management-access-package-create-app.md#add-assignments-of-existing-users-who-already-have-access-to-the-application). 1. **Create additional policies to allow users to request access.** In each access package, [create additional access package assignment policies](~/id-governance/entitlement-management-access-package-request-policy.md#open-an-existing-access-package-and-add-a-new-policy-with-different-request-settings) for users to request access. Configure the approval and recurring access review requirements in that policy. 1. **Create recurring access reviews for other groups used by the application.** If there are groups that are used by the application but aren't resource roles for an access package, then [create access reviews](create-access-review.md) for the membership of those groups. 
@@ -80,7 +80,7 @@ At regular intervals, such as weekly, monthly or quarterly, based on the volume * **Check that provisioning and deprovisioning are working as expected.** If you had previously configured provisioning of users to the application, then when the results of a review are applied, or a user's assignment to an access package expires, Microsoft Entra ID begins deprovisioning denied users from the application. You can [monitor the process of deprovisioning users](~/identity/app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md). If provisioning indicates an error with the application, you can [download the provisioning log](~/identity/monitoring-health/concept-provisioning-logs.md) to investigate if there was a problem with the application. -* **Update the Microsoft Entra configuration with any role or group changes in the application.** If the application administrator adds new app roles in its [manifest](~/identity-platform/howto-add-app-roles-in-apps.md#app-roles-ui), updates existing roles, or relies upon additional groups, then you need to update the access packages and access reviews to account for those new roles or groups. +* **Update the Microsoft Entra configuration with any role or group changes in the application.** If the Application Administrator adds new app roles in its [manifest](~/identity-platform/howto-add-app-roles-in-apps.md#app-roles-ui), updates existing roles, or relies upon additional groups, then you need to update the access packages and access reviews to account for those new roles or groups. ## Next steps diff --git a/docs/id-governance/identity-governance-applications-existing-users.md b/docs/id-governance/identity-governance-applications-existing-users.md index 633ca9b2dcd..b918b8129aa 100644 --- a/docs/id-governance/identity-governance-applications-existing-users.md +++ b/docs/id-governance/identity-governance-applications-existing-users.md 
@@ -52,7 +52,7 @@ If the user is updated in Microsoft Entra ID, no changes will be sent to the app ### Application does not use Microsoft Entra ID as its identity provider nor does it support provisioning -For some legacy applications it might not be feasible to remove other identity providers or local credential authentication from the application, or enable support for provisioning protocols for those applications. +For some legacy applications, it might not be feasible to remove other identity providers or local credential authentication from the application, or enable support for provisioning protocols for those applications. That scenario of an application which does not support provisioning protocols, is covered in a separate article, [Govern the existing users of an application that does not support provisioning](identity-governance-applications-not-provisioned-users.md). @@ -187,7 +187,7 @@ This section applies to applications that use another SQL database as the underl This section applies to SAP applications that use SAP Cloud Identity Services as the underlying service for user provisioning. -1. Sign in to your SAP Cloud Identity Services Admin Console, `https://.accounts.ondemand.com/admin` or `https://.trial-accounts.ondemand.com/admin` if a trial. +1. Sign in to your SAP Cloud Identity Services Admin Console, `https://.accounts.ondemand.com/admin`, or `https://.trial-accounts.ondemand.com/admin` if a trial. 1. Navigate to **Users & Authorizations > Export Users**. 1. Select all attributes required for matching Microsoft Entra users with those in SAP. This includes the `SCIM ID`, `userName`, `emails`, and other attributes you may be using in your SAP Systems. 1. Select **Export** and wait for the browser to download the CSV file. 
@@ -408,13 +408,13 @@ In other situations, such as wanting to have different reviewers for each applic In this section, you'll configure Microsoft Entra entitlement management for a review of access package assignments that contain the app role assignments, and also configure additional policies so users can request access to your application's roles. 1. For this step, you'll need to be in the Global Administrator or Identity Governance Administrator role, or be [delegated as a catalog creator](entitlement-management-delegate-catalog.md) and the owner of the application. -1. If you don't already have a catalog for your application governance scenario, [create a catalog](~/id-governance/entitlement-management-catalog-create.md) in Microsoft Entra entitlement management. You can use a PowerShell script to [create each catalog](entitlement-management-catalog-create.md#create-a-catalog-with-powershell). -1. Populate the catalog with necessary resources, by adding the application, and any Microsoft Entra groups that the application relies upon, [as resources in that catalog](~/id-governance/entitlement-management-catalog-create.md#add-resources-to-a-catalog). You can use a PowerShell script to [add each resource to a catalog](entitlement-management-catalog-create.md#add-a-resource-to-a-catalog-with-powershell). -1. For each of the applications, and for each of their application roles or groups, [create an access package](~/id-governance/entitlement-management-access-package-create.md) that includes that role or group as its resource. At this stage of configuring these access packages, configure the first access package assignment policy in each access package to be [a policy for direct assignment](entitlement-management-access-package-request-policy.md#none-administrator-direct-assignments-only), so that only administrators can create assignmentsn that policy, set the access review requirements for existing users, if any, so that they don't keep access indefinitely. 
If you have many access packages, you can use a PowerShell script to [create each access package in a catalog](entitlement-management-access-package-create.md#create-an-access-package-by-using-microsoft-powershell). -1. For each access package, assign existing users of the application in that corresponding role, or members of that group, to the access package and its direct assignment policy. You can [directly assign a user](entitlement-management-access-package-assignments.md) to an access package using the Microsoft Entra admin center, or in bulk via Graph or [PowerShell](entitlement-management-access-package-assignments.md#assign-a-user-to-an-access-package-with-powershell). +1. If you don't already have a catalog for your application governance scenario, [create a catalog](~/id-governance/entitlement-management-catalog-create.md) in Microsoft Entra entitlement management. You can use a PowerShell script to [create each catalog](entitlement-management-catalog-create.md#create-a-catalog-with-powershell), as shown in [create a catalog using PowerShell](entitlement-management-access-package-create-app.md#create-a-catalog-in-microsoft-entra-entitlement-management). +1. Populate the catalog with necessary resources, by adding the application, and any Microsoft Entra groups that the application relies upon, [as resources in that catalog](~/id-governance/entitlement-management-catalog-create.md#add-resources-to-a-catalog). You can use a PowerShell script to [add each resource to a catalog](entitlement-management-catalog-create.md#add-a-resource-to-a-catalog-with-powershell), as shown in [add the application as a resource to the catalog](entitlement-management-access-package-create-app.md#add-the-application-as-a-resource-to-the-catalog). +1. For each of the applications, and for each of their application roles or groups, [create an access package](~/id-governance/entitlement-management-access-package-create.md) that includes that role or group as its resource. 
At this stage of configuring these access packages, configure the first access package assignment policy in each access package to be [a policy for direct assignment](entitlement-management-access-package-request-policy.md#none-administrator-direct-assignments-only), so that only administrators can create assignments in that policy, set the access review requirements for existing users, if any, so that they don't keep access indefinitely. If you have many access packages, you can use a PowerShell script to [create each access package in a catalog](entitlement-management-access-package-create.md#create-an-access-package-by-using-microsoft-powershell), as shown in [create an access package for an application with a single role](entitlement-management-access-package-create-app.md#create-an-access-package-in-entitlement-management-for-an-application-with-a-single-role-using-powershell). +1. For each access package, assign existing users of the application in that corresponding role, or members of that group, to the access package and its direct assignment policy. You can [directly assign a user](entitlement-management-access-package-assignments.md) to an access package using the Microsoft Entra admin center, or in bulk via Graph or [PowerShell](entitlement-management-access-package-assignments.md#assign-a-user-to-an-access-package-with-powershell) as shown in [add assignments of existing users](entitlement-management-access-package-create-app.md#add-assignments-of-existing-users-who-already-have-access-to-the-application). 1. If you have configured access reviews in the access package assignment policies, then when the access review starts, ask the reviewers to give input. By default, they each receive an email from Microsoft Entra ID with a link to the access panel, where they will review the access package assignments. Once the review completes, you should expect to see denied users, if any, having their application role assignments being removed in a few minutes. 
Subsequently, Microsoft Entra ID will begin deprovisioning denied users from the application. Based on the guidance for [how long will it take to provision users](~/identity/app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md#how-long-will-it-take-to-provision-users), wait for Microsoft Entra provisioning to start deprovisioning the denied users. Monitor the [provisioning status](~/identity/app-provisioning/check-status-user-account-provisioning.md) through the Portal or [Graph APIs](~/identity/app-provisioning/application-provisioning-configuration-api.md#monitor-the-provisioning-job-status) to ensure that all denied users were removed successfully. 1. If you have [separation of duties](entitlement-management-access-package-incompatible.md) requirements, then configure the incompatible access packages or existing groups for your access package. If your scenario requires the ability to override a separation of duties check, then you can also [set up additional access packages for those override scenarios](entitlement-management-access-package-incompatible.md#configuring-multiple-access-packages-for-override-scenarios). -1. If you wish to allow users who don't already have access to request access, then in each access package, [create additional access package assignment policies](~/id-governance/entitlement-management-access-package-request-policy.md#open-an-existing-access-package-and-add-a-new-policy-with-different-request-settings) for users to request access.Configure the approval and recurring access review requirements in that policy. +1. If you wish to allow users who don't already have access to request access, then in each access package, [create additional access package assignment policies](~/id-governance/entitlement-management-access-package-request-policy.md#open-an-existing-access-package-and-add-a-new-policy-with-different-request-settings) for users to request access. 
Configure the approval and recurring access review requirements in that policy. ## Next steps diff --git a/docs/id-governance/privileged-identity-management/pim-getting-started.md b/docs/id-governance/privileged-identity-management/pim-getting-started.md index 5cca1d2a5d7..905e008c4a9 100644 --- a/docs/id-governance/privileged-identity-management/pim-getting-started.md +++ b/docs/id-governance/privileged-identity-management/pim-getting-started.md 
@@ -69,9 +69,9 @@ Once Privileged Identity Management is set up, you can learn your way around. | **My requests** | Displays your pending requests to activate eligible role assignments. | | **Approve requests** | Displays a list of requests to activate eligible roles by users in your directory that you can approve. | | **Review access** | Lists active access reviews you are assigned to complete, whether you're reviewing access for yourself or someone else. | -| **Microsoft Entra roles** | Displays a dashboard and settings for Privileged role administrators to manage Microsoft Entra role assignments. This dashboard is disabled for anyone who isn't a privileged role administrator. These users have access to a special dashboard titled My view. The My view dashboard only displays information about the user accessing the dashboard, not the entire organization. | +| **Microsoft Entra roles** | Displays a dashboard and settings for Privileged Role Administrators to manage Microsoft Entra role assignments. This dashboard is disabled for anyone who isn't a Privileged Role Administrator. These users have access to a special dashboard titled My view. The My view dashboard only displays information about the user accessing the dashboard, not the entire organization. | | **Groups** | Manage just-in-time membership in the group or just-in-time ownership of the group. Groups can be used to provide access to Microsoft Entra roles, Azure roles, and various other scenarios. To manage a Microsoft Entra group in PIM, you must bring it under management in PIM. | -| **Azure resources** | Displays a dashboard and settings for Privileged role administrators to manage Azure resource role assignments. This dashboard is disabled for anyone who isn't a privileged role administrator. These users have access to a special dashboard titled My view. 
The My view dashboard only displays information about the user accessing the dashboard, not the entire organization.| +| **Azure resources** | Displays a dashboard and settings for Privileged Role Administrators to manage Azure resource role assignments. This dashboard is disabled for anyone who isn't a Privileged Role Administrator. These users have access to a special dashboard titled My view. The My view dashboard only displays information about the user accessing the dashboard, not the entire organization.| | **General settings** | Select applications that are allowed to make app-only calls to Microsoft Graph API for PIM. | ## Next steps diff --git a/docs/identity-platform/enterprise-app-role-management.md b/docs/identity-platform/enterprise-app-role-management.md index f41ec4fffb3..1dd214d54ee 100644 --- a/docs/identity-platform/enterprise-app-role-management.md +++ b/docs/identity-platform/enterprise-app-role-management.md @@ -11,7 +11,7 @@ ms.service: identity-platform ms.topic: how-to -#Customer intent: As a cloud Application Administrator, I want to customize the role claim in the access token for an enterprise application, so that I can define custom roles and assign them to user accounts. +#Customer intent: As a Cloud Application Administrator, I want to customize the role claim in the access token for an enterprise application, so that I can define custom roles and assign them to user accounts. --- # Configure the role claim diff --git a/docs/identity/app-provisioning/application-provisioning-application-unmatched-users.md b/docs/identity/app-provisioning/application-provisioning-application-unmatched-users.md index 4a06febe7e0..67f7e4edf7e 100644 --- a/docs/identity/app-provisioning/application-provisioning-application-unmatched-users.md +++ b/docs/identity/app-provisioning/application-provisioning-application-unmatched-users.md 
@@ -21,7 +21,7 @@ If the application does not already have any users, then this process populates These inconsistencies between Microsoft Entra ID and an existing application's data store can happen for many reasons, including: -* the application administrator creates users in the application directly, such as for contractors or vendors, who are not represented in a system of record HR source but did require application access, +* the Application Administrator creates users in the application directly, such as for contractors or vendors, who are not represented in a system of record HR source but did require application access, * identity and attribute changes, such as a person changing their name, were not being sent to either Microsoft Entra ID or the application, and so the representations are out of date in one or the other system, or * the organization was using an identity management product which independently provisioned Windows Server AD and the application with different communities. For example, store employees needed application access but did not require Exchange mailboxes, so store employees were not represented in Windows Server AD or Microsoft Entra ID. 
@@ -69,7 +69,7 @@ There may be test users in the application left over from its initial deployment ### Delete users from the applications for people who are no longer part of the organization -The user might no longer be affiliated with the organization, and no longer needs access to the application, but is still a user in the application's data source. This can happen if the application administrator omitted to remove the user, or was not informed that the change was required. If the user is no longer needed, then it can be deleted from the application. +The user might no longer be affiliated with the organization, and no longer needs access to the application, but is still a user in the application's data source. This can happen if the Application Administrator omitted to remove the user, or was not informed that the change was required. If the user is no longer needed, then it can be deleted from the application. ### Delete users from the application and have them be re-created from Microsoft Entra ID 
@@ -81,7 +81,7 @@ A user may exist in an application and in Microsoft Entra ID, but the user in th For example, when a SAP administrator creates a user in SAP Cloud Identity Services using its admin console, the user may not have a `userName` property. However, that property may be the one used for matching with users in Microsoft Entra ID. If the `userName` property is the one intended for matching, then you would need the SAP administrator to update those existing SAP Cloud Identity Services users to have a value of the `userName` property. -For another example, the application administrator has set the user's email address as a property `mail` of the user in the application, when the user was first added to the application. However, later the person's email address and `userPrincipalName` is changed in Microsoft Entra ID. However, if the application did not require the email address, or the email provider had a redirect that allowed the old email address to keep forwarding, then the application administrator might have missed that there was a need for `mail` property being updated in the application's data source. This inconsistency can be resolved by either the application administrator changing the `mail` property on the application's users to have a current value, or by changing the matching rule, as described in the following sections. +For another example, the Application Administrator has set the user's email address as a property `mail` of the user in the application, when the user was first added to the application. However, later the person's email address and `userPrincipalName` is changed in Microsoft Entra ID. However, if the application did not require the email address, or the email provider had a redirect that allowed the old email address to keep forwarding, then the Application Administrator might have missed that there was a need for `mail` property being updated in the application's data source. 
This inconsistency can be resolved by either the Application Administrator changing the `mail` property on the application's users to have a current value, or by changing the matching rule, as described in the following sections. ### Update users in the application with a new property diff --git a/docs/identity/app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md b/docs/identity/app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md index 4413616cd11..378078b742f 100644 --- a/docs/identity/app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md +++ b/docs/identity/app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md 
@@ -103,7 +103,7 @@ In most cases, the **incremental cycle** completes in 30 minutes. However, when 4. Add scoping filters to further limit the number of users and groups in scope for provisioning. ## Audit changes to your provisioning configuration -Provisioning configuration changes are logged in the audit logs. Users with the necessary permissions, such as application administrator and reports reader, can access logs through the audit logs UI, API, and through PowerShell. You can use the activity filter in the audit logs to identify the following actions. +Provisioning configuration changes are logged in the audit logs. Users with the necessary permissions, such as Application Administrator and Reports Reader, can access logs through the audit logs UI, API, and through PowerShell. You can use the activity filter in the audit logs to identify the following actions. > [!Note] > For actions that the provisioning service performs such as creating users, updating users, and deleting users we recommend using the [provisioning logs](~/identity/monitoring-health/howto-analyze-provisioning-logs.md). For monitoring changes to your provisioning configuration, we recommend using the [audit logs](~/identity/monitoring-health/concept-audit-logs.md). diff --git a/docs/identity/app-proxy/app-proxy-protect-ndes.md b/docs/identity/app-proxy/app-proxy-protect-ndes.md index 5f4fa10a362..85490b06285 100644 --- a/docs/identity/app-proxy/app-proxy-protect-ndes.md +++ b/docs/identity/app-proxy/app-proxy-protect-ndes.md 
@@ -26,12 +26,12 @@ Learn how to use Microsoft Entra application proxy to protect your Network Devic > You install the connector on any server within your corporate network with access to NDES. You don't have to install it on the NDES server itself. 1. Run the setup file, such as *MicrosoftEntraPrivateNetworkConnectorInstaller.exe*. Accept the software license terms. 1. During the install, you're prompted to register the connector with application proxy in your Microsoft Entra directory. - Provide the credentials for a global or application administrator in your Microsoft Entra directory. The Microsoft Entra global or application administrator credentials are often different from your Azure credentials in the portal. + Provide the credentials for a Global Administrator or Application Administrator in your Microsoft Entra directory. The Microsoft Entra Global Administrator or Application Administrator credentials are often different from your Azure credentials in the portal. > [!NOTE] - > The global or application administrator account used to register the connector must belong to the same directory where you enable the application proxy service. + > The Global Administrator or Application Administrator account used to register the connector must belong to the same directory where you enable the application proxy service. > - > For example, if the Microsoft Entra domain is *contoso.com*, the global/application administrator should be `admin@contoso.com` or another valid alias on that domain. + > For example, if the Microsoft Entra domain is *contoso.com*, the Global Administrator or Application Administrator should be `admin@contoso.com` or another valid alias on that domain. If Internet Explorer Enhanced Security Configuration is turned on for the server where you install the connector, the registration screen might be blocked. To allow access, follow the instructions in the error message, or turn off Internet Explorer Enhanced Security during the install process. 
diff --git a/docs/identity/app-proxy/application-proxy-add-on-premises-application.md b/docs/identity/app-proxy/application-proxy-add-on-premises-application.md index ea291e94cae..149a29e1676 100644 --- a/docs/identity/app-proxy/application-proxy-add-on-premises-application.md +++ b/docs/identity/app-proxy/application-proxy-add-on-premises-application.md @@ -27,7 +27,7 @@ In this tutorial, you: To add an on-premises application to Microsoft Entra ID, you need: - An [Microsoft Entra ID P1 or P2 subscription](https://azure.microsoft.com/pricing/details/active-directory). -- An application administrator account. +- An Application Administrator account. - A synchronized set of user identities with an on-premises directory. Or create them directly in your Microsoft Entra tenants. Identity synchronization allows Microsoft Entra ID to preauthenticate users before granting them access to application proxy published applications. Synchronization also provides the necessary user identifier information to perform single sign-on (SSO). - An understanding of application management in Microsoft Entra, see [View enterprise applications in Microsoft Entra](~/identity/enterprise-apps/view-applications-portal.md). - An understanding of single sign-on (SSO), see [Understand single sign-on](~/identity/enterprise-apps/what-is-single-sign-on.md). diff --git a/docs/identity/enterprise-apps/application-management-certs-faq.md b/docs/identity/enterprise-apps/application-management-certs-faq.md index 4b81e796458..9a7ca35d12d 100644 --- a/docs/identity/enterprise-apps/application-management-certs-faq.md +++ b/docs/identity/enterprise-apps/application-management-certs-faq.md 
@@ -13,7 +13,7 @@ ms.author: jomondi ms.reviewer: sureshja, saumadan ms.custom: enterprise-apps -#customer intent: As an application administrator managing certificates for apps using Microsoft Entra ID as an Identity Provider, I want to generate a list of expiring SAML signing certificates, so that I can proactively renew them before they expire. +#customer intent: As an Application Administrator managing certificates for apps using Microsoft Entra ID as an Identity Provider, I want to generate a list of expiring SAML signing certificates, so that I can proactively renew them before they expire. --- # Application Management certificates frequently asked questions diff --git a/docs/identity/enterprise-apps/assign-app-owners.md b/docs/identity/enterprise-apps/assign-app-owners.md index ceca26b0296..60e13df1599 100644 --- a/docs/identity/enterprise-apps/assign-app-owners.md +++ b/docs/identity/enterprise-apps/assign-app-owners.md @@ -19,7 +19,7 @@ ms.custom: enterprise-apps # Assign enterprise application owners -An [owner of an enterprise application](overview-assign-app-owners.md) in Microsoft Entra ID can manage the organization-specific configuration of the application, such as single sign-on, provisioning, and user assignments. An owner can also add or remove other owners. Unlike other application administrators, owners can manage only the enterprise applications they own. In this article, you learn how to assign an owner of an application. +An [owner of an enterprise application](overview-assign-app-owners.md) in Microsoft Entra ID can manage the organization-specific configuration of the application, such as single sign-on, provisioning, and user assignments. An owner can also add or remove other owners. Unlike other Application Administrators, owners can manage only the enterprise applications they own. In this article, you learn how to assign an owner of an application. ## Prerequisites 
diff --git a/docs/identity/enterprise-apps/configure-linked-sign-on.md b/docs/identity/enterprise-apps/configure-linked-sign-on.md index 20e775592f4..35ca3288ed8 100644 --- a/docs/identity/enterprise-apps/configure-linked-sign-on.md +++ b/docs/identity/enterprise-apps/configure-linked-sign-on.md @@ -12,7 +12,7 @@ ms.date: 08/19/2024 ms.author: jomondi ms.reviewer: alamaral ms.custom: enterprise-apps -# Customer intent: As an application administrator, I want to configure linked-based single sign-on for my application in Microsoft Entra ID, so that users can access the application through the My Apps or Microsoft 365 portal and be redirected to the correct sign-in page. +# Customer intent: As an Application Administrator, I want to configure linked-based single sign-on for my application in Microsoft Entra ID, so that users can access the application through the My Apps or Microsoft 365 portal and be redirected to the correct sign-in page. --- # Add linked single sign-on to an application diff --git a/docs/identity/enterprise-apps/configure-password-single-sign-on-non-gallery-applications.md b/docs/identity/enterprise-apps/configure-password-single-sign-on-non-gallery-applications.md index 14c48e908d4..8c79fa26bcf 100644 --- a/docs/identity/enterprise-apps/configure-password-single-sign-on-non-gallery-applications.md +++ b/docs/identity/enterprise-apps/configure-password-single-sign-on-non-gallery-applications.md 
@@ -12,7 +12,7 @@ ms.date: 06/27/2024 ms.author: jomondi ms.reviewer: alamaral ms.custom: enterprise-apps -# Customer intent: As an application administrator, I want to configure password-based single sign-on (SSO) in Microsoft Entra ID, so that users can sign in to the application with a username and password and have their credentials securely stored and sent to the application after the first sign-on. +# Customer intent: As an Application Administrator, I want to configure password-based single sign-on (SSO) in Microsoft Entra ID, so that users can sign in to the application with a username and password and have their credentials securely stored and sent to the application after the first sign-on. --- # Add password-based single sign-on to an application diff --git a/docs/identity/enterprise-apps/hide-application-from-user-portal.md b/docs/identity/enterprise-apps/hide-application-from-user-portal.md index 5373033a2fa..8861571eeb1 100644 --- a/docs/identity/enterprise-apps/hide-application-from-user-portal.md +++ b/docs/identity/enterprise-apps/hide-application-from-user-portal.md @@ -35,7 +35,7 @@ To hide an application from the My Apps portal and Microsoft 365 launcher, you n Use the following steps to hide an application from My Apps portal and Microsoft 365 application launcher. -1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [cloud application administrator](~/identity/role-based-access-control/permissions-reference.md#cloud-application-administrator). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](~/identity/role-based-access-control/permissions-reference.md#cloud-application-administrator). 1. Browse to **Identity** > **Applications** > **Enterprise applications** > **All applications**. 1. Search for the application you want to hide, and select the application. 1. In the left navigation pane, select **Properties**. 
diff --git a/docs/identity/enterprise-apps/migrate-adfs-plan-management-insights.md b/docs/identity/enterprise-apps/migrate-adfs-plan-management-insights.md index 6d226c5711b..c9c4bc99d31 100644 --- a/docs/identity/enterprise-apps/migrate-adfs-plan-management-insights.md +++ b/docs/identity/enterprise-apps/migrate-adfs-plan-management-insights.md @@ -50,7 +50,7 @@ Microsoft Entra ID provides a centralized access location to manage your migrate - **Secure user access to apps.** Enable [Conditional Access policies](~/identity/conditional-access/overview.md) to secure user access to applications based on device state, location, and more. - **Automatic provisioning.** Set up [automatic provisioning of users](~/identity/app-provisioning/user-provisioning.md) with various third-party SaaS apps that users need to access. In addition to creating user identities, it includes the maintenance and removal of user identities as status or roles change. - **Delegate user access** **management**. As appropriate, enable self-service application access to your apps and *assign a business approver to approve access to those apps*. Use [Self-Service Group Management](~/identity/users/groups-self-service-management.md)for groups assigned to collections of apps. -- **Delegate admin access** using **Directory Role** to assign an admin role (such as Application administrator, Cloud Application administrator, or Application developer) to your user. +- **Delegate admin access** using **Directory Role** to assign an admin role (such as Application Administrator, Cloud Application Administrator, or Application Developer) to your user. - **Add applications to Access Packages** to provide governance and attestation. ## Audit and gain insights of your apps diff --git a/docs/identity/enterprise-apps/overview-assign-app-owners.md b/docs/identity/enterprise-apps/overview-assign-app-owners.md index df5e92ef8a8..20187c40cb2 100644 --- a/docs/identity/enterprise-apps/overview-assign-app-owners.md 
+++ b/docs/identity/enterprise-apps/overview-assign-app-owners.md 
@@ -13,14 +13,14 @@ ms.author: jomondi ms.reviewer: saibandaru ms.custom: enterprise-apps -#customer intent: As an owner of an enterprise application in Microsoft Entra ID, I want to be able to manage the organization-specific configuration of the application, add or remove other owners, and have the same permissions as application administrators, so that I can effectively manage and secure the application within my organization. +#customer intent: As an owner of an enterprise application in Microsoft Entra ID, I want to be able to manage the organization-specific configuration of the application, add or remove other owners, and have the same permissions as Application Administrators, so that I can effectively manage and secure the application within my organization. --- # Overview of enterprise application ownership in Microsoft Entra ID A user in Microsoft Entra ID is automatically added as an application owner when they register an application. The ownership of an enterprise application is assigned by default only when a user with no administrator roles creates a new application registration. In all other cases, ownership isn't assigned by default to an enterprise application. Users can be owners of enterprise applications but groups can't be assigned as owners. -As an owner of an enterprise application in Microsoft Entra ID, a user can manage the organization-specific configuration of the application, such as single sign-on, provisioning, and user assignment. An owner can also add or remove other owners. Unlike Privileged Role Administrators, owners can manage only the enterprise applications they own. The owners have the same permissions as application administrators scoped to an individual application. 
To learn more about the permissions that an owner of an application has, see [Ownership permissions](~/fundamentals/users-default-permissions.md#owned-enterprise-applications) +As an owner of an enterprise application in Microsoft Entra ID, a user can manage the organization-specific configuration of the application, such as single sign-on, provisioning, and user assignment. An owner can also add or remove other owners. Unlike Privileged Role Administrators, owners can manage only the enterprise applications they own. The owners have the same permissions as Application Administrators scoped to an individual application. To learn more about the permissions that an owner of an application has, see [Ownership permissions](~/fundamentals/users-default-permissions.md#owned-enterprise-applications) > [!NOTE] > The application may have more permissions than the owner, and thus would be an elevation of privilege over what the owner has access to as a user. An application owner can create or update users or other objects while impersonating the application. The elevation of privilege to owners can raise a security concern in some cases depending on the application's permissions. diff --git a/docs/identity/hybrid/connect/how-to-connect-health-agent-install.md b/docs/identity/hybrid/connect/how-to-connect-health-agent-install.md index 3c14cbd6db8..02516cba948 100644 --- a/docs/identity/hybrid/connect/how-to-connect-health-agent-install.md +++ b/docs/identity/hybrid/connect/how-to-connect-health-agent-install.md 
@@ -45,7 +45,7 @@ The following table lists requirements for using Microsoft Entra Connect Health: > If you have a highly locked-down and restricted environment, you need to add more URLs than the URLs the table lists for Internet Explorer enhanced security. Also add URLs that are listed in the table in the next section. >[!IMPORTANT] ->If you installed Microsoft Entra Connect Sync using an account with the hybrid administrator role, the agent will be in a disabled state. To activate the agent, you will need to re-install it using an account that is a global administrator. +>If you installed Microsoft Entra Connect Sync using an account with the Hybrid Identity Administrator role, the agent will be in a disabled state. To activate the agent, you will need to re-install it using an account that is a Global Administrator. ### New versions of the agent and auto upgrade diff --git a/docs/identity/hybrid/connect/how-to-connect-install-prerequisites.md b/docs/identity/hybrid/connect/how-to-connect-install-prerequisites.md index e0a5fdd1e86..bb4a868ffe4 100644 --- a/docs/identity/hybrid/connect/how-to-connect-install-prerequisites.md +++ b/docs/identity/hybrid/connect/how-to-connect-install-prerequisites.md 
@@ -76,7 +76,7 @@ To read more about securing your Active Directory environment, see [Best practic - You'll need either an account with the global administrator role or an account that has the [hybrid identity administrator](../../role-based-access-control/permissions-reference.md#hybrid-identity-administrator) and the [domain name administrator](../../role-based-access-control/permissions-reference.md#domain-name-administrator) roles. The configurations related to federation require permissions that the [hybrid identity administrator](../../role-based-access-control/permissions-reference.md#hybrid-identity-administrator) currently doesn't have but the [domain name administrator](../../role-based-access-control/permissions-reference.md#domain-name-administrator) role does. - It isn't supported to break and analyze traffic between Microsoft Entra Connect and Microsoft Entra ID. Doing so could disrupt the service. - If your Hybrid Identity Administrators have MFA enabled, the URL `https://secure.aadcdn.microsoftonline-p.com` *must* be in the trusted sites list. You're prompted to add this site to the trusted sites list when you're prompted for an MFA challenge and it isn't yet added. You can use Internet Explorer to add it to your trusted sites. -- If you plan to use Microsoft Entra Connect Health for syncing, you need to use a global administrator account to install Microsoft Entra Connect Sync. If you use a hybrid administrator account, the agent is installed but in a disabled state. For more information, see [Microsoft Entra Connect Health agent installation](how-to-connect-health-agent-install.md). +- If you plan to use Microsoft Entra Connect Health for syncing, you need to use a Global Administrator account to install Microsoft Entra Connect Sync. If you use a Hybrid Identity Administrator account, the agent is installed but in a disabled state. 
For more information, see [Microsoft Entra Connect Health agent installation](how-to-connect-health-agent-install.md). diff --git a/docs/identity/hybrid/connect/reference-connect-health-faq.yml b/docs/identity/hybrid/connect/reference-connect-health-faq.yml index f0c7c7973db..7f3dd7a7fce 100644 --- a/docs/identity/hybrid/connect/reference-connect-health-faq.yml +++ b/docs/identity/hybrid/connect/reference-connect-health-faq.yml @@ -135,7 +135,7 @@ sections: - question: | After installing Microsoft Entra Connect Sync, with an account that has the Hybrid Administrator role, why is the Connect Health for Sync Agent disabled in services? answer: | - In order to install the Connect Health for Sync Agent, you need to be a Global Administrator. To activate the agent, you need to reinstall the agent using a global administrator account. + In order to install the Connect Health for Sync Agent, you need to be a Global Administrator. To activate the agent, you need to reinstall the agent using a Global Administrator account. - name: Health Agent registration and data freshness questions: diff --git a/docs/identity/hybrid/connect/reference-connect-version-history.md b/docs/identity/hybrid/connect/reference-connect-version-history.md index 39e6bb17bc6..6188e31e19b 100644 --- a/docs/identity/hybrid/connect/reference-connect-version-history.md +++ b/docs/identity/hybrid/connect/reference-connect-version-history.md 
@@ -104,7 +104,7 @@ To read more about autoupgrade, see [Microsoft Entra Connect: Automatic upgrade] ### Bug fixes - Fixed the removal of the SSPR configuration when changes are made on the Azure AD Connector and saved in the Sync Service manager UI -- Fixed validation for the global administrator/hybrid identity administrator role done during Entra Connect Sync installation and users with global administrator/hybrid identity administrator through Privileged Identity Management (PIM). +- Fixed validation for the Global Administrator/Hybrid Identity Administrator role done during Entra Connect Sync installation and users with Global Administrator/Hybrid Identity Administrator through Privileged Identity Management (PIM). - Fixed the "no registered protocol handlers" error on Federate with AD FS scenario. - Fixed "Relying party must be unique (conflict error)" error on Federate with AD FS scenario. diff --git a/docs/identity/managed-identities-azure-resources/how-to-configure-managed-identities-scale-sets.md b/docs/identity/managed-identities-azure-resources/how-to-configure-managed-identities-scale-sets.md index ac1d97dce2e..f2d1a097120 100644 --- a/docs/identity/managed-identities-azure-resources/how-to-configure-managed-identities-scale-sets.md +++ b/docs/identity/managed-identities-azure-resources/how-to-configure-managed-identities-scale-sets.md @@ -6,7 +6,7 @@ manager: CelesteDG ms.service: entra-id ms.subservice: managed-identities ms.topic: quickstart -ms.date: 05/27/2024 +ms.date: 01/16/2025 ms.author: ryanwi ms.custom: mode-api, devx-track-azurecli, devx-track-linux, devx-track-arm-template, devx-track-azurepowershell ms.devlang: azurecli diff --git a/docs/identity/managed-identities-azure-resources/how-to-configure-managed-identities.md b/docs/identity/managed-identities-azure-resources/how-to-configure-managed-identities.md index 888bf7c33be..ad399f24a80 100644 --- a/docs/identity/managed-identities-azure-resources/how-to-configure-managed-identities.md 
+++ b/docs/identity/managed-identities-azure-resources/how-to-configure-managed-identities.md @@ -6,7 +6,7 @@ manager: CelesteDG ms.service: entra-id ms.subservice: managed-identities ms.topic: quickstart -ms.date: 05/29/2024 +ms.date: 01/16/2025 ms.author: ryanwi ms.custom: mode-api, devx-track-azurecli, devx-track-linux, devx-track-arm-template, devx-track-azurepowershell ms.devlang: azurecli diff --git a/docs/identity/managed-identities-azure-resources/includes/qs-configure-portal-windows-vm.md b/docs/identity/managed-identities-azure-resources/includes/qs-configure-portal-windows-vm.md index 4036bfdc6d5..73e45c25b1a 100644 --- a/docs/identity/managed-identities-azure-resources/includes/qs-configure-portal-windows-vm.md +++ b/docs/identity/managed-identities-azure-resources/includes/qs-configure-portal-windows-vm.md @@ -1,7 +1,7 @@ --- author: rwike77 ms.author: ryanwi -ms.date: 04/24/2024 +ms.date: 01/16/2025 ms.topic: include --- 
@@ -20,14 +20,11 @@ In this section, you learn how to enable and disable the system-assigned managed To enable system-assigned managed identity on a VM during its creation, your account needs the [Virtual Machine Contributor](/azure/role-based-access-control/built-in-roles#virtual-machine-contributor) role assignment. No other Microsoft Entra directory role assignments are required. -- Under the **Management** tab in the **Identity** section, switch **Managed service identity** to **On**. +When creating a [Windows virtual machine](/azure/virtual-machines/windows/quick-create-portal#create-virtual-machine) or [Linux virtual machine](/azure/virtual-machines/linux/quick-create-portal#create-virtual-machine), select the **Management** tab. -:::image type="content" source="../media/msi-qs-configure-portal-windows-vm/enable-system-assigned-identity-vm-creation.png" alt-text="Screenshot showing how to enable system-assigned identity during VM creation."::: - -Refer to the following Quickstarts to create a VM: +In the **Identity** section, select the **Enable system assigned managed identity** check-box. -- [Create a Windows virtual machine with the Azure portal](/azure/virtual-machines/windows/quick-create-portal#create-virtual-machine) -- [Create a Linux virtual machine with the Azure portal](/azure/virtual-machines/linux/quick-create-portal#create-virtual-machine) +:::image type="content" source="../media/msi-qs-configure-portal-windows-vm/enable-system-assigned-identity-vm-creation.png" alt-text="Screenshot showing how to enable system-assigned identity during VM creation."::: ### Enable system-assigned managed identity on an existing VM 
@@ -38,11 +35,11 @@ To enable system-assigned managed identity on a VM that was originally provision 1. Sign in to the [Azure portal](https://portal.azure.com) using an account associated with the Azure subscription that contains the VM. -2. Navigate to the desired Virtual Machine and select **Identity**. +2. Navigate to the desired Virtual Machine and in the **Security** section select **Identity**. 3. Under **System assigned**, **Status**, select **On** and then click **Save**: - ![Screenshot that shows the "Identity (preview)" page with the "System assigned" status set to "On".](../media/msi-qs-configure-portal-windows-vm/create-windows-vm-portal-configuration-blade.png) + :::image type="content" source="../media/msi-qs-configure-portal-windows-vm/create-windows-vm-portal-configuration-blade.png" alt-text="Screenshot that shows the Identity page with the System assigned status set to On."::: ### Remove system-assigned managed identity from a VM @@ -52,7 +49,7 @@ If you have a Virtual Machine that no longer needs system-assigned managed ident 1. Sign in to the [Azure portal](https://portal.azure.com) using an account associated with the Azure subscription that contains the VM. -2. Navigate to the desired Virtual Machine and select **Identity**. +2. Navigate to the desired Virtual Machine and in the **Security** section select **Identity**. 3. Under **System assigned**, **Status**, select **Off** and then click **Save**: 
@@ -66,32 +63,29 @@ If you have a Virtual Machine that no longer needs system-assigned managed ident To assign a user-assigned identity to a VM, your account needs the [Virtual Machine Contributor](/azure/role-based-access-control/built-in-roles#virtual-machine-contributor) and [Managed Identity Operator](/azure/role-based-access-control/built-in-roles#managed-identity-operator) role assignments. No other Microsoft Entra directory role assignments are required. -Currently, the Azure portal does not support assigning a user-assigned managed identity during the creation of a VM. Instead, refer to one of the following VM creation Quickstart articles to first create a VM, and then proceed to the next section for details on assigning a user-assigned managed identity to the VM: - -- [Create a Windows virtual machine with the Azure portal](/azure/virtual-machines/windows/quick-create-portal#create-virtual-machine) -- [Create a Linux virtual machine with the Azure portal](/azure/virtual-machines/linux/quick-create-portal#create-virtual-machine) +Currently, the Azure portal does not support assigning a user-assigned managed identity during the creation of a VM. First create a [Windows virtual machine](/azure/virtual-machines/windows/quick-create-portal#create-virtual-machine) or [Linux virtual machine](/azure/virtual-machines/linux/quick-create-portal#create-virtual-machine), then assign a user-assigned managed identity to the VM. ### Assign a user-assigned managed identity to an existing VM To assign a user-assigned identity to a VM, your account needs the [Virtual Machine Contributor](/azure/role-based-access-control/built-in-roles#virtual-machine-contributor) and [Managed Identity Operator](/azure/role-based-access-control/built-in-roles#managed-identity-operator) role assignments. No other Microsoft Entra directory role assignments are required. 1. 
Sign in to the [Azure portal](https://portal.azure.com) using an account associated with the Azure subscription that contains the VM. -2. Navigate to the desired VM and click **Identity**, **User assigned** and then **\+Add**. - :::image type="content" source="../media/msi-qs-configure-portal-windows-vm/add-user-assigned-identity-vm-screenshot1.png" alt-text="Screenshot that shows the Identity page with User assigned selected and the Add button highlighted."::: +2. Navigate to the desired VM and click **Security** > **Identity**, **User assigned** and then **\+Add**. Click the user-assigned identity you want to add to the VM and then click **Add**. -3. Click the user-assigned identity you want to add to the VM and then click **Add**. +3. Select the previously created [user assigned managed identity](../how-manage-user-assigned-managed-identities.md#create-a-user-assigned-managed-identity) from the list. - :::image type="content" source="../media/msi-qs-configure-portal-windows-vm/add-user-assigned-identity-vm-screenshot2.png" alt-text="Screenshot showing adding a user-assigned managed identity to VM."::: + :::image type="content" source="../media/msi-qs-configure-portal-windows-vm/add-user-assigned-identity-vm-screenshot1.png" alt-text="Screenshot that shows the Identity page with User assigned selected and the Add button highlighted."::: ### Remove a user-assigned managed identity from a VM To remove a user-assigned identity from a VM, your account needs the [Virtual Machine Contributor](/azure/role-based-access-control/built-in-roles#virtual-machine-contributor) role assignment. No other Microsoft Entra directory role assignments are required. -1. Sign in to the [Azure portal](https://portal.azure.com) using an account associated with the Azure subscription that contains the VM. -2. 
Navigate to the desired VM and select **Identity**, **User assigned**, the name of the user-assigned managed identity you want to delete and then click **Remove** (click **Yes** in the confirmation pane). +Sign in to the [Azure portal](https://portal.azure.com) using an account associated with the Azure subscription that contains the VM. + +Navigate to the desired VM and select **Security** > **Identity**, **User assigned**, the name of the user-assigned managed identity you want to delete and then click **Remove** (click **Yes** in the confirmation pane). - :::image type="content" source="../media/msi-qs-configure-portal-windows-vm/remove-user-assigned-identity-vm-screenshot.png" alt-text="Screenshot showing how to remove user-assigned managed identity from a VM"::: +:::image type="content" source="../media/msi-qs-configure-portal-windows-vm/remove-user-assigned-identity-vm-screenshot.png" alt-text="Screenshot showing how to remove user-assigned managed identity from a VM."::: ## Next steps diff --git a/docs/identity/managed-identities-azure-resources/includes/qs-configure-portal-windows-vmss.md b/docs/identity/managed-identities-azure-resources/includes/qs-configure-portal-windows-vmss.md index 95a8ef2a769..825f54d22ed 100644 --- a/docs/identity/managed-identities-azure-resources/includes/qs-configure-portal-windows-vmss.md +++ b/docs/identity/managed-identities-azure-resources/includes/qs-configure-portal-windows-vmss.md @@ -1,7 +1,7 @@ --- author: rwike77 ms.author: ryanwi -ms.date: 05/27/2024 +ms.date: 01/16/2025 ms.topic: include --- 
@@ -22,7 +22,7 @@ In this section, you will learn how to enable and disable the system-assigned ma ### Enable system-assigned managed identity during creation of a virtual machine scale set -Currently, the Azure portal does not support enabling system-assigned managed identity during the creation of a virtual machine scale set. Instead, refer to the following virtual machine scale set creation Quickstart article to first create a virtual machine scale set, and then proceed to the next section for details on enabling system-assigned managed identity on a virtual machine scale set: +Currently, the Azure portal does not support enabling system-assigned managed identity during the creation of a virtual machine scale set. First create a [Virtual Machine Scale Set](/azure/virtual-machine-scale-sets/quick-create-portal), then enable a system-assigned managed identity on the scale set: - [Create a Virtual Machine Scale Set in the Azure portal](/azure/virtual-machine-scale-sets/quick-create-portal) 
@@ -58,30 +58,27 @@ In this section, you learn how to add and remove a user-assigned managed identit ### Assign a user-assigned managed identity during the creation of a virtual machine scale set -Currently, the Azure portal does not support assigning a user-assigned managed identity during the creation of a virtual machine scale set. Instead, refer to the following virtual machine scale set creation Quickstart article to first create a virtual machine scale set, and then proceed to the next section for details on assigning a user-assigned managed identity to it: - -- [Create a Virtual Machine Scale Set in the Azure portal](/azure/virtual-machine-scale-sets/quick-create-portal) +Currently, the Azure portal does not support assigning a user-assigned managed identity during the creation of a virtual machine scale set. First create a [Virtual Machine Scale Set](/azure/virtual-machine-scale-sets/quick-create-portal), then assign a user assigned managed identity to the scale set. ### Assign a user-assigned managed identity to an existing virtual machine scale set 1. Sign in to the [Azure portal](https://portal.azure.com) using an account associated with the Azure subscription that contains the virtual machine scale set. -2. Navigate to the desired virtual machine scale set and click **Identity**, **User assigned** and then **\+Add**. - ![Screenshot that shows add user-assigned identity to virtual machine scale set.](../media/msi-qs-configure-portal-windows-vm/add-user-assigned-identity-vm-screenshot2.png) +2. Navigate to the desired virtual machine scale set and click **Security** > **Identity**, **User assigned** and then **\+Add**. + +3. Select the previously created [user assigned managed identity](../how-manage-user-assigned-managed-identities.md#create-a-user-assigned-managed-identity) from the list. -3. Click the user-assigned identity you want to add to the virtual machine scale set and then click **Add**. 
- - :::image type="content" source="../media/msi-qs-configure-portal-windows-vm/add-user-assigned-identity-vm-screenshot2.png" alt-text="Screenshot showing how to add a user-assigned identity to a virtual machine scale set."::: + :::image type="content" source="../media/msi-qs-configure-portal-windows-vmss/add-user-assigned-identity-vm-screenshot-1.png" alt-text="Screenshot that shows the Identity page with User assigned selected and the Add button highlighted."::: ### Remove a user-assigned managed identity from a virtual machine scale set -1. Sign in to the [Azure portal](https://portal.azure.com) using an account associated with the Azure subscription that contains the VM. -2. Navigate to the desired virtual machine scale set and click **Identity**, **User assigned**, the name of the user-assigned managed identity you want to delete and then click **Remove** (click **Yes** in the confirmation pane). +Sign in to the [Azure portal](https://portal.azure.com) using an account associated with the Azure subscription that contains the VM. + +Navigate to the desired virtual machine scale set and click **Identity**, **User assigned**, the name of the user-assigned managed identity you want to delete and then click **Remove** (click **Yes** in the confirmation pane). - :::image type="content" source="../media/msi-qs-configure-portal-windows-vm/remove-user-assigned-identity-vmss-screenshot.png" alt-text="A screenshot showing how to remove user-assigned identity from a virtual machine scale set."::: +:::image type="content" source="../media/msi-qs-configure-portal-windows-vmss/remove-user-assigned-identity-vmss-screenshot.png" alt-text="A screenshot showing how to remove user-assigned identity from a virtual machine scale set."::: ## Next steps - Using the Azure portal, give an Azure virtual machine scale set managed identity [access to another Azure resource](~/identity/managed-identities-azure-resources/howto-assign-access-portal.md). -- 
diff --git a/docs/identity/managed-identities-azure-resources/media/msi-qs-configure-portal-windows-vm/add-user-assigned-identity-vm-screenshot1.png b/docs/identity/managed-identities-azure-resources/media/msi-qs-configure-portal-windows-vm/add-user-assigned-identity-vm-screenshot1.png index fe674d52d36..e7f7a337061 100644 Binary files a/docs/identity/managed-identities-azure-resources/media/msi-qs-configure-portal-windows-vm/add-user-assigned-identity-vm-screenshot1.png and b/docs/identity/managed-identities-azure-resources/media/msi-qs-configure-portal-windows-vm/add-user-assigned-identity-vm-screenshot1.png differ diff --git a/docs/identity/managed-identities-azure-resources/media/msi-qs-configure-portal-windows-vm/add-user-assigned-identity-vm-screenshot2.png b/docs/identity/managed-identities-azure-resources/media/msi-qs-configure-portal-windows-vm/add-user-assigned-identity-vm-screenshot2.png deleted file mode 100644 index 6cf4d634c69..00000000000 Binary files a/docs/identity/managed-identities-azure-resources/media/msi-qs-configure-portal-windows-vm/add-user-assigned-identity-vm-screenshot2.png and /dev/null differ diff --git a/docs/identity/managed-identities-azure-resources/media/msi-qs-configure-portal-windows-vm/add-user-assigned-identity-vmss-screenshot1.png b/docs/identity/managed-identities-azure-resources/media/msi-qs-configure-portal-windows-vm/add-user-assigned-identity-vmss-screenshot1.png deleted file mode 100644 index e6d0cba471f..00000000000 Binary files a/docs/identity/managed-identities-azure-resources/media/msi-qs-configure-portal-windows-vm/add-user-assigned-identity-vmss-screenshot1.png and /dev/null differ 
diff --git a/docs/identity/managed-identities-azure-resources/media/msi-qs-configure-portal-windows-vm/create-windows-vm-portal-configuration-blade-disable.png b/docs/identity/managed-identities-azure-resources/media/msi-qs-configure-portal-windows-vm/create-windows-vm-portal-configuration-blade-disable.png index 19ca6817b6a..3f8d6953cd7 100644 Binary files a/docs/identity/managed-identities-azure-resources/media/msi-qs-configure-portal-windows-vm/create-windows-vm-portal-configuration-blade-disable.png and b/docs/identity/managed-identities-azure-resources/media/msi-qs-configure-portal-windows-vm/create-windows-vm-portal-configuration-blade-disable.png differ diff --git a/docs/identity/managed-identities-azure-resources/media/msi-qs-configure-portal-windows-vm/create-windows-vm-portal-configuration-blade.png b/docs/identity/managed-identities-azure-resources/media/msi-qs-configure-portal-windows-vm/create-windows-vm-portal-configuration-blade.png index 1d35dea5974..049e747bc4e 100644 Binary files a/docs/identity/managed-identities-azure-resources/media/msi-qs-configure-portal-windows-vm/create-windows-vm-portal-configuration-blade.png and b/docs/identity/managed-identities-azure-resources/media/msi-qs-configure-portal-windows-vm/create-windows-vm-portal-configuration-blade.png differ diff --git a/docs/identity/managed-identities-azure-resources/media/msi-qs-configure-portal-windows-vm/enable-system-assigned-identity-vm-creation.png b/docs/identity/managed-identities-azure-resources/media/msi-qs-configure-portal-windows-vm/enable-system-assigned-identity-vm-creation.png index 70f1d4c6a65..c577712968a 100644 Binary files a/docs/identity/managed-identities-azure-resources/media/msi-qs-configure-portal-windows-vm/enable-system-assigned-identity-vm-creation.png and b/docs/identity/managed-identities-azure-resources/media/msi-qs-configure-portal-windows-vm/enable-system-assigned-identity-vm-creation.png differ 
diff --git a/docs/identity/managed-identities-azure-resources/media/msi-qs-configure-portal-windows-vm/remove-user-assigned-identity-vm-screenshot.png b/docs/identity/managed-identities-azure-resources/media/msi-qs-configure-portal-windows-vm/remove-user-assigned-identity-vm-screenshot.png index 41cefdcd042..9918983d27c 100644 Binary files a/docs/identity/managed-identities-azure-resources/media/msi-qs-configure-portal-windows-vm/remove-user-assigned-identity-vm-screenshot.png and b/docs/identity/managed-identities-azure-resources/media/msi-qs-configure-portal-windows-vm/remove-user-assigned-identity-vm-screenshot.png differ diff --git a/docs/identity/managed-identities-azure-resources/media/msi-qs-configure-portal-windows-vm/remove-user-assigned-identity-vmss-screenshot.png b/docs/identity/managed-identities-azure-resources/media/msi-qs-configure-portal-windows-vm/remove-user-assigned-identity-vmss-screenshot.png deleted file mode 100644 index b8acdf1ce24..00000000000 Binary files a/docs/identity/managed-identities-azure-resources/media/msi-qs-configure-portal-windows-vm/remove-user-assigned-identity-vmss-screenshot.png and /dev/null differ diff --git a/docs/identity/managed-identities-azure-resources/media/msi-qs-configure-portal-windows-vmss/add-user-assigned-identity-vm-screenshot-1.png b/docs/identity/managed-identities-azure-resources/media/msi-qs-configure-portal-windows-vmss/add-user-assigned-identity-vm-screenshot-1.png new file mode 100644 index 00000000000..65b873e9c4c Binary files /dev/null and b/docs/identity/managed-identities-azure-resources/media/msi-qs-configure-portal-windows-vmss/add-user-assigned-identity-vm-screenshot-1.png differ 
diff --git a/docs/identity/managed-identities-azure-resources/media/msi-qs-configure-portal-windows-vmss/remove-user-assigned-identity-vmss-screenshot.png b/docs/identity/managed-identities-azure-resources/media/msi-qs-configure-portal-windows-vmss/remove-user-assigned-identity-vmss-screenshot.png new file mode 100644 index 00000000000..4ba3761db19 Binary files /dev/null and b/docs/identity/managed-identities-azure-resources/media/msi-qs-configure-portal-windows-vmss/remove-user-assigned-identity-vmss-screenshot.png differ diff --git a/docs/identity/role-based-access-control/security-planning.md b/docs/identity/role-based-access-control/security-planning.md index 703db82a490..a58a953e65a 100644 --- a/docs/identity/role-based-access-control/security-planning.md +++ b/docs/identity/role-based-access-control/security-planning.md 
@@ -37,7 +37,7 @@ Securing privileged access requires changes to: Secure your privileged access in a way that is managed and reported in the Microsoft services you care about. If you have on-premises administrator accounts, see the guidance for on-premises and hybrid privileged access in Active Directory at [Securing Privileged Access](/security/privileged-access-workstations/overview). > [!NOTE] -> The guidance in this article refers primarily to features of Microsoft Entra ID that are included in Microsoft Entra ID P1 and P2. Microsoft Entra ID P2 is included in the EMS E5 suite and Microsoft 365 E5 suite. This guidance assumes your organization already has Microsoft Entra ID P2 licenses purchased for your users. If you do not have these licenses, some of the guidance might not apply to your organization. Also, throughout this article, the term Global Administrator means the same thing as "company administrator" or "tenant administrator." +> The guidance in this article refers primarily to features of Microsoft Entra ID that are included in Microsoft Entra ID P1 and P2. Microsoft Entra ID P2 is included in the EMS E5 suite and Microsoft 365 E5 suite. This guidance assumes your organization already has Microsoft Entra ID P2 licenses purchased for your users. If you do not have these licenses, some of the guidance might not apply to your organization. ## Develop a roadmap diff --git a/docs/verified-id/admin-api.md b/docs/verified-id/admin-api.md index 8ca48b0e55d..a35bb8e7cf8 100644 --- a/docs/verified-id/admin-api.md +++ b/docs/verified-id/admin-api.md 
@@ -31,7 +31,7 @@ The API is protected through Microsoft Entra ID and uses OAuth2 bearer tokens. T ### User bearer tokens -The app registration needs to have the API Permission for `Verifiable Credentials Service Admin` and then when acquiring the access token the app should use scope `6a8b4b39-c021-437c-b060-5a14a3fd65f3/full_access`. The access token must be for a user with the [Global Administrator](~/identity/role-based-access-control/permissions-reference.md#global-administrator) or the [authentication policy administrator](~/identity/role-based-access-control/permissions-reference.md#authentication-policy-administrator) role. A user with role [global reader](~/identity/role-based-access-control/permissions-reference.md#global-reader) can perform read-only API calls. +The app registration needs to have the API Permission for `Verifiable Credentials Service Admin` and then when acquiring the access token the app should use scope `6a8b4b39-c021-437c-b060-5a14a3fd65f3/full_access`. The access token must be for a user with the [Global Administrator](~/identity/role-based-access-control/permissions-reference.md#global-administrator) or the [Authentication Policy Administrator](~/identity/role-based-access-control/permissions-reference.md#authentication-policy-administrator) role. A user with role [global reader](~/identity/role-based-access-control/permissions-reference.md#global-reader) can perform read-only API calls. ### Application bearer tokens diff --git a/docs/verified-id/verifiable-credentials-configure-tenant-quick.md b/docs/verified-id/verifiable-credentials-configure-tenant-quick.md index 452c1e1fa79..7b2cbcdfa70 100644 --- a/docs/verified-id/verifiable-credentials-configure-tenant-quick.md +++ b/docs/verified-id/verifiable-credentials-configure-tenant-quick.md 
@@ -27,7 +27,7 @@ Specifically, you learn how to: ## Prerequisites -- Ensure that you have the [Global Administrator](~/identity/role-based-access-control/permissions-reference.md#global-administrator) or the [authentication policy administrator](~/identity/role-based-access-control/permissions-reference.md#authentication-policy-administrator) permission for the directory you want to configure. If you're not the Global Administrator, you need the [application administrator](~/identity/role-based-access-control/permissions-reference.md#application-administrator) permission to complete the app registration including granting admin consent. +- Ensure that you have the [Global Administrator](~/identity/role-based-access-control/permissions-reference.md#global-administrator) or the [Authentication Policy Administrator](~/identity/role-based-access-control/permissions-reference.md#authentication-policy-administrator) permission for the directory you want to configure. If you're not the Global Administrator, you need the [Application Administrator](~/identity/role-based-access-control/permissions-reference.md#application-administrator) permission to complete the app registration including granting admin consent. - Ensure that you have a [custom domain registered](~/identity/users/domains-manage.md) for the Microsoft Entra tenant. If you don't have one registered, the setup defaults to the advanced setup experience. > [!NOTE] diff --git a/docs/verified-id/verifiable-credentials-configure-tenant.md b/docs/verified-id/verifiable-credentials-configure-tenant.md index f5c27ea3e2f..53e55c1b4b6 100644 --- a/docs/verified-id/verifiable-credentials-configure-tenant.md +++ b/docs/verified-id/verifiable-credentials-configure-tenant.md 
@@ -36,7 +36,7 @@ The following diagram illustrates the Verified ID architecture and the component ## Prerequisites - You need an Azure tenant with an active subscription. If you don't have an Azure subscription, [create one for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). -- Ensure that you have the [Global Administrator](~/identity/role-based-access-control/permissions-reference.md#global-administrator) or the [authentication policy administrator](~/identity/role-based-access-control/permissions-reference.md#authentication-policy-administrator) permission for the directory you want to configure. If you're not the Global Administrator, you need the [application administrator](~/identity/role-based-access-control/permissions-reference.md#application-administrator) permission to complete the app registration including granting admin consent. +- Ensure that you have the [Global Administrator](~/identity/role-based-access-control/permissions-reference.md#global-administrator) or the [Authentication Policy Administrator](~/identity/role-based-access-control/permissions-reference.md#authentication-policy-administrator) permission for the directory you want to configure. If you're not the Global Administrator, you need the [Application Administrator](~/identity/role-based-access-control/permissions-reference.md#application-administrator) permission to complete the app registration including granting admin consent. - Ensure that you have the [contributor](/azure/role-based-access-control/built-in-roles#contributor) role for the Azure subscription or the resource group where you are deploying Azure Key Vault. - Ensure that you provide access permissions for Key Vault. For more information, see [Provide access to Key Vault keys, certificates, and secrets with an Azure role-based access control](/azure/key-vault/general/rbac-guide).
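Review bot: In the `security-planning.md` hunk, deleting the sentence that equates Global Administrator with "company administrator" or "tenant administrator" removes the only place the note tells readers those are the same role; if the article (or the PowerShell or Graph output it refers to) still uses either older name anywhere below, readers will no longer have the mapping. Either confirm no remaining references use those terms, or keep a shortened form such as "The term Global Administrator is equivalent to the older 'company administrator' or 'tenant administrator' name."

Review bot: In the `admin-api.md` hunk the casing fix is only half applied: "Authentication Policy Administrator" is now title-cased, but "A user with role [global reader]" in the same sentence keeps the lowercase role name. Change it to "Global Reader" so the three role names in the paragraph follow the same convention.

Review bot: In the `verifiable-credentials-configure-tenant-quick.md` hunk, "Global Administrator ... or the Authentication Policy Administrator permission" and "the Application Administrator permission" describe directory roles, not permissions, and the links point at the role reference; use "role" in both places so the prerequisite is not read as a Graph permission. The second sentence also implies Application Administrator substitutes for Global Administrator, when it is an additional role needed alongside Authentication Policy Administrator to finish the app registration and admin consent; consider "If you're not a Global Administrator, you also need the Application Administrator role ...".

Review bot: In the `verifiable-credentials-configure-tenant.md` hunk the same "permission" vs. role wording issue applies to the changed bullet, and the next, unchanged bullet still reads "Ensure that you have the [contributor] role" with a lowercase role name while this change title-cases the directory roles immediately above it; capitalize "Contributor" in that bullet for consistency. This bullet is also a word-for-word copy of the one in the quick-setup article, so a shared include (or at least applying the same wording fix to both) would keep the two from drifting apart again.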