Merge pull request #25518 from microsoftgraph/rbac-deviceLocalCredentials

Entra admin roles - device local credentials

Author: Lauragra

api-reference/beta/api/devicelocalcredentialinfo-get.md

@@ -24,7 +24,18 @@ Choose the permission or permissions marked as least privileged for this API. Us
 
 To access the actual passwords on the device, done by including `$select=credentials` as part of the query parameters, the app must be assigned the *DeviceLocalCredential.Read.All* permission and *DeviceLocalCredential.ReadBasic.All* is insufficient.
 
-[!INCLUDE [rbac-device-local-credentials-apis-read](../includes/rbac-for-apis/rbac-device-local-credentials-apis-read.md)]
+> [!IMPORTANT]
+> In delegated scenarios with work or school accounts, the signed-in user must be assigned a supported [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) or a custom role with a supported role permission. The following least privileged roles are supported for this operation.
+> - Cloud Device Administrator
+> - Helpdesk Administrator
+> - Intune Service Administrator
+> - Security Administrator
+> - Security Reader
+> - Global Reader
+> 
+> To access the actual passwords on the device by using the `$select=credentials` query parameter, the following least privileged roles are supported:
+> - Cloud Device Administrator
+> - Intune Service Administrator
 
 ## HTTP request
 To get the device local credential for a specific device object:

api-reference/beta/api/directory-list-devicelocalcredentials.md

@@ -22,7 +22,14 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "directory_list_devicelocalcredentials" } -->
 [!INCLUDE [permissions-table](../includes/permissions/directory-list-devicelocalcredentials-permissions.md)]
 
-[!INCLUDE [rbac-device-local-credentials-basic-apis-read](../includes/rbac-for-apis/rbac-device-local-credentials-basic-apis-read.md)]
+> [!IMPORTANT]
+> In delegated scenarios with work or school accounts, the signed-in user must be assigned a supported [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) or a custom role with a supported role permission. The following least privileged roles are supported for this operation.
+> - Cloud Device Administrator
+> - Helpdesk Administrator
+> - Intune Service Administrator
+> - Security Administrator
+> - Security Reader
+> - Global Reader
 
 ## HTTP request
 To get a list of deviceLocalCredentialInfo within the tenant:

api-reference/beta/includes/rbac-for-apis/rbac-device-local-credentials-apis-read.md

@@ -20,9 +20,20 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "devicelocalcredentialinfo_get" } -->
 [!INCLUDE [permissions-table](../includes/permissions/devicelocalcredentialinfo-get-permissions.md)]
 
-To access the actual passwords on the device by using the `$select=credentials` query parameter, the app must be assigned the DeviceLocalCredential.Read.All permission. DeviceLocalCredential.ReadBasic.All is insufficient.
-
-[!INCLUDE [rbac-device-local-credentials-apis-read](../includes/rbac-for-apis/rbac-device-local-credentials-apis-read.md)]
+To access the actual passwords on the device, done by including `$select=credentials` as part of the query parameters, the app must be assigned the *DeviceLocalCredential.Read.All* permission and *DeviceLocalCredential.ReadBasic.All* is insufficient.
+
+> [!IMPORTANT]
+> In delegated scenarios with work or school accounts, the signed-in user must be assigned a supported [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) or a custom role with a supported role permission. The following least privileged roles are supported for this operation.
+> - Cloud Device Administrator
+> - Helpdesk Administrator
+> - Intune Service Administrator
+> - Security Administrator
+> - Security Reader
+> - Global Reader
+> 
+> To access the actual passwords on the device by using the `$select=credentials` query parameter, the following least privileged roles are supported:
+> - Cloud Device Administrator
+> - Intune Service Administrator
 
 ## HTTP request
 To get the device local credential for a specific device object:

api-reference/beta/includes/rbac-for-apis/rbac-device-local-credentials-basic-apis-read.md

@@ -20,7 +20,14 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "directory_list_devicelocalcredentials" } -->
 [!INCLUDE [permissions-table](../includes/permissions/directory-list-devicelocalcredentials-permissions.md)]
 
-[!INCLUDE [rbac-device-local-credentials-basic-apis-read](../includes/rbac-for-apis/rbac-device-local-credentials-basic-apis-read.md)]
+> [!IMPORTANT]
+> In delegated scenarios with work or school accounts, the signed-in user must be assigned a supported [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) or a custom role with a supported role permission. The following least privileged roles are supported for this operation.
+> - Cloud Device Administrator
+> - Helpdesk Administrator
+> - Intune Service Administrator
+> - Security Administrator
+> - Security Reader
+> - Global Reader
 
 ## HTTP request
 To get a list of **deviceLocalCredentialInfo** objects within the tenant: