Merge pull request #6457 from rolyon/rolyon-rbac-refactor-redirected-links

[Entra RBAC] Refactor redirected links
JamesJBarnett authored Jan 3, 2025
2 parents 3cad397 + 55959c3 commit f1bf93c
Showing 46 changed files with 70 additions and 71 deletions.
2 changes: 1 addition & 1 deletion docs/architecture/govern-service-accounts.md
@@ -52,7 +52,7 @@ We recommend the following practices for service account privileges.
- Don't assign built-in roles to service accounts
- See, [`oAuth2PermissionGrant` resource type](/graph/api/resources/oauth2permissiongrant)
- The service principal is assigned a privileged role
- [Create and assign a custom role in Microsoft Entra ID](/entra/identity/role-based-access-control/custom-create)
- [Create a custom role in Microsoft Entra ID](../identity/role-based-access-control/custom-create.md)
- Don't include service accounts as members of any groups with elevated permissions
- See, [Get-MgDirectoryRoleMember](/powershell/module/microsoft.graph.identity.directorymanagement/get-mgdirectoryrolemember):

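Review bot: the remediation under "The service principal is assigned a privileged role" is to create *and* assign a narrower custom role, but the new link text drops "and assign" and custom-create.md covers only creation. If the assignment steps now live in manage-roles-portal.md (the target used elsewhere in this PR), add that link next to this one so the reader gets both halves of the fix.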
2 changes: 1 addition & 1 deletion docs/architecture/protect-m365-from-on-premises-attacks.md
@@ -88,7 +88,7 @@ In Microsoft Entra ID, users who have privileged roles, such as administrators,

- To enable a rich role assignment experience that includes delegation and multiple roles at the same time, consider using Microsoft Entra security groups or Microsoft 365 Groups. These groups are collectively called *cloud groups*.

Also, enable role-based access control. See [Assign Microsoft Entra roles to groups](~/identity/role-based-access-control/groups-assign-role.md). You can use administrative units to restrict the scope of roles to a portion of the organization. See [Administrative units in Microsoft Entra ID](~/identity/role-based-access-control/administrative-units.md).
Also, enable role-based access control. See [Assign Microsoft Entra roles](../identity/role-based-access-control/manage-roles-portal.md). You can use administrative units to restrict the scope of roles to a portion of the organization. See [Administrative units in Microsoft Entra ID](~/identity/role-based-access-control/administrative-units.md).

- Deploy emergency access accounts. Do *not* use on-premises password vaults to store credentials. See [Manage emergency access accounts in Microsoft Entra ID](~/identity/role-based-access-control/security-emergency-access.md).

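Review bot: the retargeted link loses the group-specific guidance the bullet above depends on: the text recommends cloud groups for delegation, and the old target was "Assign Microsoft Entra roles to groups" (groups-assign-role.md), while the new target is the general assignment article. If that content merged into manage-roles-portal.md, link the relevant section anchor rather than the page top. Also, this line now mixes `../identity/...` for the first link with `~/identity/...` for the second (and the unchanged line below keeps `~/`); pick one form per file.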
2 changes: 1 addition & 1 deletion docs/external-id/reference-cross-tenant-custom-roles.md
@@ -13,7 +13,7 @@ ms.custom: it-pro

# Create custom roles for managing cross-tenant access settings

Your organization can [define custom roles](/entra/identity/role-based-access-control/custom-create) to manage cross-tenant access settings. These roles allow for precise control without relying on built-in management roles. This article provides guidance on creating recommended custom roles for managing cross-tenant access settings.
Your organization can [define custom roles](../identity/role-based-access-control/custom-create.md) to manage cross-tenant access settings. These roles allow for precise control without relying on built-in management roles. This article provides guidance on creating recommended custom roles for managing cross-tenant access settings.

## Cross-tenant access administrator

2 changes: 1 addition & 1 deletion docs/id-governance/entitlement-management-overview.md
@@ -69,7 +69,7 @@ You can also control access to other resources that rely upon Microsoft Entra se

- You can give users licenses for Microsoft 365 by using a Microsoft Entra security group in an access package and configuring [group-based licensing](~/identity/users/licensing-groups-assign.md) for that group.
- You can give users access to manage Azure resources by using a Microsoft Entra security group in an access package and creating an [Azure role assignment](/azure/role-based-access-control/role-assignments-portal) for that group.
- You can give users access to manage Microsoft Entra roles by using groups assignable to Microsoft Entra roles in an access package and [assigning a Microsoft Entra role to that group](~/identity/role-based-access-control/groups-assign-role.md).
- You can give users access to manage Microsoft Entra roles by using groups assignable to Microsoft Entra roles in an access package and [assigning a Microsoft Entra role to that group](../identity/role-based-access-control/manage-roles-portal.md).

## How do I control who gets access?

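Review bot: the link text still reads "assigning a Microsoft Entra role to that group" but the target is now the general manage-roles-portal.md page rather than the group-assignment article; either adjust the text or point at the section on role-assignable groups if the merged page has one.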
@@ -69,7 +69,7 @@ Follow these steps to make a user eligible for a Microsoft Entra admin role.

## Assign a role with restricted scope

For certain roles, the scope of the granted permissions can be restricted to a single admin unit, service principal, or application. This procedure is an example if assigning a role that has the scope of an administrative unit. For a list of roles that support scope via administrative unit, see [Assign scoped roles to an administrative unit](~/identity/role-based-access-control/admin-units-assign-roles.md). This feature is currently being rolled out to Microsoft Entra organizations.
For certain roles, the scope of the granted permissions can be restricted to a single admin unit, service principal, or application. This procedure is an example if assigning a role that has the scope of an administrative unit. For a list of roles that support scope via administrative unit, see [Assign roles with administrative unit scope](../../identity/role-based-access-control/manage-roles-portal.md). This feature is currently being rolled out to Microsoft Entra organizations.

1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Privileged Role Administrator](~/identity/role-based-access-control/permissions-reference.md#privileged-role-administrator).

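Review bot: the sentence promises "a list of roles that support scope via administrative unit", which the old admin-units-assign-roles.md target carried; confirm manage-roles-portal.md still contains that list, and if it is a section, link the anchor the way the custom-security-attributes change in this PR does with `#assign-roles-with-tenant-scope`. Since this line is being touched, also fix "This procedure is an example if assigning a role" to "an example of assigning a role".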
2 changes: 1 addition & 1 deletion docs/identity-platform/howto-add-app-roles-in-apps.md
@@ -73,7 +73,7 @@ Before you can assign app roles to applications, you need to assign yourself as
## Assign app roles to applications

After adding app roles in your application, you can assign an app role to a client app by using the Microsoft Entra admin center or programmatically by using [Microsoft Graph](/graph/api/user-post-approleassignments). Assigning an app role to an application shouldn't be confused with [assigning roles to users](/entra/identity/role-based-access-control/manage-roles-portal).
After adding app roles in your application, you can assign an app role to a client app by using the Microsoft Entra admin center or programmatically by using [Microsoft Graph](/graph/api/user-post-approleassignments). Assigning an app role to an application shouldn't be confused with [assigning roles to users](../identity/role-based-access-control/manage-roles-portal.md).

When you assign app roles to an application, you create *application permissions*. Application permissions are typically used by daemon apps or back-end services that need to authenticate and make authorized API call as themselves, without the interaction of a user.

@@ -55,7 +55,7 @@ Policy 1: All users with an administrator role, accessing the Windows Azure Serv
1. Under **Include**, select **Directory roles**, then all roles with administrator in the name.

> [!WARNING]
> Conditional Access policies support built-in roles. Conditional Access policies are not enforced for other role types including [administrative unit-scoped](~/identity/role-based-access-control/admin-units-assign-roles.md) or [custom roles](/entra/identity/role-based-access-control/custom-create).
> Conditional Access policies support built-in roles. Conditional Access policies are not enforced for other role types including [administrative unit-scoped](../role-based-access-control/manage-roles-portal.md or [custom roles](../role-based-access-control/custom-create.md).
1. Under **Exclude**, select **Users and groups** and choose your organization's emergency access or break-glass accounts.
1. Select **Done**.
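Review bot: the first link on the changed warning line is missing its closing parenthesis: `[administrative unit-scoped](../role-based-access-control/manage-roles-portal.md or [custom roles](../role-based-access-control/custom-create.md)` has no `)` after `manage-roles-portal.md`, so the Markdown will not render either link. The same warning in the next hunk (Policy 2) has the correct form: `[administrative unit-scoped](../role-based-access-control/manage-roles-portal.md) or [custom roles](../role-based-access-control/custom-create.md).`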
@@ -72,7 +72,7 @@ Policy 2: All users with an administrator role, accessing the Windows Azure Serv
1. Under **Include**, select **Directory roles**, then all roles with administrator in the name

> [!WARNING]
> Conditional Access policies support built-in roles. Conditional Access policies are not enforced for other role types including [administrative unit-scoped](~/identity/role-based-access-control/admin-units-assign-roles.md) or [custom roles](/entra/identity/role-based-access-control/custom-create).
> Conditional Access policies support built-in roles. Conditional Access policies are not enforced for other role types including [administrative unit-scoped](../role-based-access-control/manage-roles-portal.md) or [custom roles](../role-based-access-control/custom-create.md).
1. Under **Exclude**, select **Users and groups** and choose your organization's emergency access or break-glass accounts.
1. Select **Done**.
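Review bot: this is the second verbatim copy of the same WARNING block in this file, and the same two-link text appears in five more changed files below (the MFA and admin-portal policy articles). A link refactor like this one has to touch every copy and has already produced a malformed link in the first copy above; consider moving the warning into an include (the custom-security-attributes article in this PR already uses `[!INCLUDE [...]]` for shared role text) so the links live in one place.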
@@ -50,7 +50,7 @@ The following options are available to include when creating a Conditional Acces
> If users or groups are a member of over 2048 groups their access may be blocked. This limit applies to both direct and nested group membership.
> [!WARNING]
> Conditional Access policies do not support users assigned a directory role [scoped to an administrative unit](~/identity/role-based-access-control/admin-units-assign-roles.md) or directory roles scoped directly to an object, like through [custom roles](/entra/identity/role-based-access-control/custom-create).
> Conditional Access policies do not support users assigned a directory role [scoped to an administrative unit](../role-based-access-control/manage-roles-portal.md) or directory roles scoped directly to an object, like through [custom roles](../role-based-access-control/custom-create.md).
> [!NOTE]
> When targeting policies to B2B direct connect external users, these policies will also be applied to B2B collaboration users accessing Teams or SharePoint Online who are also eligible for B2B direct connect. The same applies for policies targeted to B2B collaboration external users, meaning users accessing Teams shared channels will have B2B collaboration policies apply if they also have a guest user presence in the tenant.
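Review bot: the changed WARNING sits directly between two other admonitions with no blank line on either side (`> If users or groups are a member of over 2048 groups ...` runs straight into `> [!WARNING]`, and the warning text into `> [!NOTE]`), so all three are one continuous blockquote in the source. Pre-existing, but since the line is being edited, separate them with blank lines so each alert stands on its own.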
@@ -32,7 +32,7 @@ Custom security attributes are security sensitive and can only be managed by del
| [Attribute Definition Administrator](../role-based-access-control/permissions-reference.md#attribute-definition-administrator) | Define and manage the definition of custom security attributes. |
| [Attribute Definition Reader](../role-based-access-control/permissions-reference.md#attribute-definition-reader) | Read the definition of custom security attributes. |

Assign the appropriate role to the users who manage or report on these attributes at the directory scope. For detailed steps, see [Assign a role](/entra/identity/role-based-access-control/manage-roles-portal#assign-a-role).
Assign the appropriate role to the users who manage or report on these attributes at the directory scope. For detailed steps, see [Assign Microsoft Entra roles](../role-based-access-control/manage-roles-portal.md#assign-roles-with-tenant-scope).

[!INCLUDE [security-attributes-roles](../../includes/security-attributes-roles.md)]

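Review bot: the new fragment `#assign-roles-with-tenant-scope` is derived from a heading in manage-roles-portal.md, so it silently breaks if that heading is renamed; verify it resolves. The sentence also says "at the directory scope" while the link text and anchor say "tenant scope"; use one term so the reader does not take them for two different scopes.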
@@ -57,7 +57,7 @@ For external user scenarios, the MFA authentication methods that a resource tena
1. Under **Include**, select **Directory roles** and choose at least the previously listed roles.

> [!WARNING]
> Conditional Access policies support built-in roles. Conditional Access policies are not enforced for other role types including [administrative unit-scoped](~/identity/role-based-access-control/admin-units-assign-roles.md) or [custom roles](/entra/identity/role-based-access-control/custom-create).
> Conditional Access policies support built-in roles. Conditional Access policies are not enforced for other role types including [administrative unit-scoped](../role-based-access-control/manage-roles-portal.md) or [custom roles](../role-based-access-control/custom-create.md).
1. Under **Exclude**, select **Users and groups** and choose your organization's emergency access or break-glass accounts.
1. Under **Target resources** > **Resources (formerly cloud apps)** > **Include**, select **All resources (formerly 'All cloud apps')**.
@@ -43,7 +43,7 @@ The following steps help create a Conditional Access policy to require multifact
1. Under **Include**, select **Directory roles** and choose at least the previously listed roles.

> [!WARNING]
> Conditional Access policies support built-in roles. Conditional Access policies are not enforced for other role types including [administrative unit-scoped](~/identity/role-based-access-control/admin-units-assign-roles.md) or [custom roles](/entra/identity/role-based-access-control/custom-create).
> Conditional Access policies support built-in roles. Conditional Access policies are not enforced for other role types including [administrative unit-scoped](../role-based-access-control/manage-roles-portal.md) or [custom roles](../role-based-access-control/custom-create.md).
1. Under **Exclude**, select **Users and groups** and choose your organization's emergency access or break-glass accounts.
1. Under **Target resources** > **Resources (formerly cloud apps)** > **Include**, select **All resources (formerly 'All cloud apps')**.
@@ -35,7 +35,7 @@ Microsoft recommends you require phishing-resistant multifactor authentication o
1. Under **Include**, select **Directory roles** and choose at least the previously listed roles.

> [!WARNING]
> Conditional Access policies support built-in roles. Conditional Access policies are not enforced for other role types including [administrative unit-scoped](~/identity/role-based-access-control/admin-units-assign-roles.md) or [custom roles](/entra/identity/role-based-access-control/custom-create).
> Conditional Access policies support built-in roles. Conditional Access policies are not enforced for other role types including [administrative unit-scoped](../role-based-access-control/manage-roles-portal.md) or [custom roles](../role-based-access-control/custom-create.md).
1. Under **Exclude**, select **Users and groups** and choose your organization's emergency access or break-glass accounts.
1. Under **Target resources** > **Resources (formerly cloud apps)** > **Include**, **Select resources**, select **Microsoft Admin Portals**.
@@ -39,7 +39,7 @@ The following steps help create a Conditional Access policy to require those ass
1. Under **Include**, select **Directory roles** and choose at least the previously listed roles.

> [!WARNING]
> Conditional Access policies support built-in roles. Conditional Access policies are not enforced for other role types including [administrative unit-scoped](~/identity/role-based-access-control/admin-units-assign-roles.md) or [custom roles](/entra/identity/role-based-access-control/custom-create).
> Conditional Access policies support built-in roles. Conditional Access policies are not enforced for other role types including [administrative unit-scoped](../role-based-access-control/manage-roles-portal.md) or [custom roles](../role-based-access-control/custom-create.md).
1. Under **Exclude**, select **Users and groups** and choose your organization's emergency access or break-glass accounts.
1. Under **Target resources** > **Resources (formerly cloud apps)** > **Include**, select **All resources (formerly 'All cloud apps')**.
6 changes: 3 additions & 3 deletions docs/identity/devices/assign-local-admin.md
@@ -34,10 +34,10 @@ By adding users to the Microsoft Entra Joined Device Local Administrator role, y

## Manage administrator roles

To view and update the membership of an [administrator role](~/identity/role-based-access-control/permissions-reference.md) role, see:
To view and update the membership of an [administrator role](../role-based-access-control/permissions-reference.md) role, see:

- [View all members of an administrator role in Microsoft Entra ID](/entra/identity/role-based-access-control/manage-roles-portal)
- [Assign a user to administrator roles in Microsoft Entra ID](~/fundamentals/how-subscriptions-associated-directory.yml)
- [View all members of an administrator role in Microsoft Entra ID](../role-based-access-control/view-assignments.md)
- [Assign a user to administrator roles in Microsoft Entra ID](../role-based-access-control/manage-roles-portal.md)

## Manage the Microsoft Entra Joined Device Local Administrator role

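Review bot: the touched line still reads "the membership of an [administrator role](...) role"; drop the second "role" while editing it. The retarget of the second bullet is the right fix: `~/fundamentals/how-subscriptions-associated-directory.yml` was about subscription-to-tenant association, not role assignment, and view-assignments.md / manage-roles-portal.md now match the two link texts.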
4 changes: 2 additions & 2 deletions docs/identity/devices/howto-manage-local-admin-passwords.md
@@ -68,9 +68,9 @@ LAPS is available to all customers with Microsoft Entra ID Free or higher licens

### Required roles or permission

Other than the built-in Microsoft Entra roles like [Cloud Device Administrator](../role-based-access-control/permissions-reference.md#cloud-device-administrator) and [Intune Administrator](../role-based-access-control/permissions-reference.md#intune-administrator) that are granted *device.LocalCredentials.Read.All*, you can use [Microsoft Entra custom roles](/entra/identity/role-based-access-control/custom-create) or administrative units to authorize local administrator password recovery. For example:
Other than the built-in Microsoft Entra roles like [Cloud Device Administrator](../role-based-access-control/permissions-reference.md#cloud-device-administrator) and [Intune Administrator](../role-based-access-control/permissions-reference.md#intune-administrator) that are granted *device.LocalCredentials.Read.All*, you can use [Microsoft Entra custom roles](../role-based-access-control/custom-create.md) or administrative units to authorize local administrator password recovery. For example:

- Custom roles must be assigned the *microsoft.directory/deviceLocalCredentials/password/read* permission to authorize local administrator password recovery. You can create a custom role and grant permissions using the [Microsoft Entra admin center](https://entra.microsoft.com), [Microsoft Graph API](/entra/identity/role-based-access-control/custom-create#create-a-role-with-the-microsoft-graph-api) or [PowerShell](/entra/identity/role-based-access-control/custom-create#create-a-role-using-powershell). Once you create a custom role, you can assign it to users.
- Custom roles must be assigned the *microsoft.directory/deviceLocalCredentials/password/read* permission to authorize local administrator password recovery. You can [create a custom role](../role-based-access-control/custom-create.md) and grant permissions using the [Microsoft Entra admin center](https://entra.microsoft.com), Microsoft Graph API, or PowerShell. Once you create a custom role, you can assign it to users.

- You can also create a Microsoft Entra ID [administrative unit](../role-based-access-control/administrative-units.md), add devices, and assign the Cloud Device Administrator role scoped to the administrative unit to authorize local administrator password recovery.

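Review bot: the rewrite drops the two section anchors (`custom-create#create-a-role-with-the-microsoft-graph-api` and `custom-create#create-a-role-using-powershell`) and leaves "Microsoft Graph API" and "PowerShell" as plain text, so a reader looking for how to grant `microsoft.directory/deviceLocalCredentials/password/read` by API or script now lands at the top of the article. If those headings still exist in custom-create.md, keep them as `../role-based-access-control/custom-create.md#...` anchors.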
@@ -68,7 +68,7 @@ Identity federation allows you to access Microsoft Entra protected resources wit

### Create a least-privileged custom role to rotate application credentials

Microsoft Entra roles allow you to grant granular permissions to your admins, abiding by the principle of least privilege. A custom role can be created to rotate application credentials, ensuring that only the necessary permissions are granted to complete the task. To learn more, see [Create a custom role in Microsoft Entra ID](/entra/identity/role-based-access-control/custom-create).
Microsoft Entra roles allow you to grant granular permissions to your admins, abiding by the principle of least privilege. A custom role can be created to rotate application credentials, ensuring that only the necessary permissions are granted to complete the task. To learn more, see [Create a custom role in Microsoft Entra ID](../role-based-access-control/custom-create.md).

### Ensure you have a process to triage and monitor applications

@@ -181,5 +181,5 @@ DELETE https://graph.microsoft.com/v1.0/directory/administrativeUnits/{admin-uni
## Next steps

- [Add users, groups, or devices to an administrative unit](admin-units-members-add.md)
- [Assign Microsoft Entra roles with administrative unit scope](admin-units-assign-roles.md)
- [Assign Microsoft Entra roles with administrative unit scope](manage-roles-portal.md)
- [Microsoft Entra administrative units: Troubleshooting and FAQ](admin-units-faq-troubleshoot.yml)
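Review bot: the link text "Assign Microsoft Entra roles with administrative unit scope" is kept but the target is now the general manage-roles-portal.md page; if that page has an administrative-unit-scope section, link its anchor (the custom-security-attributes change in this PR shows the page uses scope-named anchors such as `#assign-roles-with-tenant-scope`). The same applies to the identical Next steps entry in the following file.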
@@ -263,6 +263,6 @@ Body
## Next steps

- [Administrative units in Microsoft Entra ID](administrative-units.md)
- [Assign Microsoft Entra roles with administrative unit scope](admin-units-assign-roles.md)
- [Assign Microsoft Entra roles with administrative unit scope](manage-roles-portal.md)
- [Manage users or devices for an administrative unit with rules for dynamic membership groups](admin-units-members-dynamic.md)
- [Remove users, groups, or devices from an administrative unit](admin-units-members-remove.md)