Merge branch 'main' of https://github.com/microsoftgraph/microsoft-graph-docs

Author: OWinfreyATL

api-reference/beta/api/authenticationeventlistener-update.md

@@ -72,8 +72,10 @@ If successful, this method returns a `204 No Content` response code.
 
 ## Examples
 
-### Request
-The following example shows a request to update an authentication event listener's trigger conditions or priority:
+### Example 1: Update an authentication event listener's trigger conditions or priority
+
+#### Request
+The following example shows a request to update an authentication event listener's trigger conditions or priority.
 # [HTTP](#tab/http)
 <!-- {
   "blockType": "request",
@@ -129,7 +131,7 @@ Content-Type: application/json
 
 ---
 
-### Response
+#### Response
 The following example shows the response.
 <!-- {
   "blockType": "response",
@@ -139,4 +141,43 @@ The following example shows the response.
 ``` http
 HTTP/1.1 204 No Content
 ```
+### Example 2: Add an application to an authentication event listener's trigger conditions
+
+#### Request
+
+The following example shows a request to add an application to an authentication event listener's trigger conditions.
+
+<!-- {
+  "blockType": "request",
+  "name": "update_authenticationeventlistener_2"
+}
+-->
+``` http
+POST https://graph.microsoft.com/beta/identity/authenticationEventListeners/0313cc37-d421-421d-857b-87804d61e33e/conditions/applications/includeApplications
+Content-Type: application/json
+
+{
+    "@odata.type": "#microsoft.graph.authenticationConditionApplication",
+    "appId": "63856651-13d9-4784-9abf-20758d509e19"
+}
+```
+
 
+#### Response
+The following example shows the response to a request to add an application to an authentication event listener's trigger conditions:
+
+<!-- {
+  "blockType": "response",
+  "@odata.type": "microsoft.graph.authenticationConditionApplication",
+  "truncated": true,
+}
+-->
+``` http
+HTTP/1.1 201 Created
+Content-Type: application/json
+
+{
+    "@odata.context": "https://graph.microsoft.com/beta/$metadata#identity/authenticationEventListeners('0313cc37-d421-421d-857b-87804d61e33e')/conditions/applications/includeApplications/$entity",
+    "appId": "63856651-13d9-4784-9abf-20758d509e19"
+}
+```

api-reference/beta/api/device-delete-registeredowners.md

@@ -26,6 +26,8 @@ Choose the permission or permissions marked as least privileged for this API. Us
 
 [!INCLUDE [limited-info](../../includes/limited-info.md)]
 
+[!INCLUDE [rbac-devices-apis-write](../includes/rbac-for-apis/rbac-devices-apis-write.md)]
+
 ## HTTP request
 <!-- { "blockType": "ignored" } -->
 ```http

api-reference/beta/api/device-delete-registeredusers.md

@@ -26,7 +26,7 @@ Choose the permission or permissions marked as least privileged for this API. Us
 
 [!INCLUDE [limited-info](../../includes/limited-info.md)]
 
-The calling user must also be in at least one of the following [Microsoft Entra roles](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json): *Intune Administrator* or *Windows 365 Administrator*.
+[!INCLUDE [rbac-devices-apis-write](../includes/rbac-for-apis/rbac-devices-apis-write.md)]
 
 ## HTTP request
 <!-- { "blockType": "ignored" } -->

api-reference/beta/api/device-delete.md

@@ -24,7 +24,11 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "device_delete" } -->
 [!INCLUDE [permissions-table](../includes/permissions/device-delete-permissions.md)]
 
-The calling user must also be in at least one of the following [Microsoft Entra roles](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json): *Intune Administrator*, *Windows 365 Administrator*, or *Cloud Device Administrator*.
+> [!IMPORTANT]
+> In delegated scenarios with work or school accounts, the signed-in user must be assigned a supported [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) or a custom role with a supported role permission. The following least privileged roles are supported for this operation.
+> - Intune Administrator
+> - Windows 365 Administrator
+> - Cloud Device Administrator
 
 ## HTTP request
 

api-reference/beta/api/device-delta.md

@@ -23,6 +23,8 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "device_delta" } -->
 [!INCLUDE [permissions-table](../includes/permissions/device-delta-permissions.md)]
 
+[!INCLUDE [rbac-devices-apis-read](../includes/rbac-for-apis/rbac-devices-apis-read.md)]
+
 ## HTTP request
 To begin tracking changes, you make a request including the delta function on the **device** resource. 
 
@@ -35,7 +37,7 @@ GET /devices/delta
 
 Tracking changes incurs a round of one or more **delta** function calls. To use any query parameter other than `$deltatoken` and `$skiptoken`, you must specify it in the initial **delta** request and Microsoft Graph automatically encodes any specified parameters into the `$deltatoken` portion of the `@odata.nextLink` or `@odata.deltaLink` URL provided in the response.
 
-| Query parameter	   | Type	|Description|
+| Query parameter       | Type    |Description|
 |:---------------|:--------|:----------|
 | $deltatoken | string | A [state token](/graph/delta-query-overview) returned in the `@odata.deltaLink` URL of the previous **delta** function call for the same resource collection, indicating the completion of that round of change tracking. Save and apply the entire `@odata.deltaLink` URL including this token in the first request of the next round of change tracking for that collection.|
 | $skiptoken | string | A [state token](/graph/delta-query-overview) returned in the `@odata.nextLink` URL of the previous **delta** function call, indicating that there are further changes to be tracked in the same resource collection. |

api-reference/beta/api/device-get.md

@@ -26,33 +26,7 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "device_get" } -->
 [!INCLUDE [permissions-table](../includes/permissions/device-get-permissions.md)]
 
-The calling user must also be in at least one of the following [Microsoft Entra roles](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json):
-
-* Users
-* Directory Readers
-* Directory Writers
-* Compliance Administrator
-* Device Managers
-* Application Administrator
-* Security Reader
-* Security Administrator
-* Privileged Role Administrator
-* Cloud Application Administrator
-* Customer LockBox Access Approver
-* Dynamics 365 Administrator
-* Power BI Administrator
-* Desktop Analytics Administrator
-* Microsoft Managed Desktop Administrator
-* Teams Communications Administrator
-* Teams Communications Support Engineer
-* Teams Communications Support Specialist
-* Teams Administrator
-* Compliance Data Administrator
-* Security Operator
-* Kaizala Administrator
-* Global Reader
-* Directory Reviewer
-* Windows 365 Administrator
+[!INCLUDE [rbac-devices-apis-read](../includes/rbac-for-apis/rbac-devices-apis-read.md)]
 
 ## HTTP request
 

api-reference/beta/api/device-list-memberof.md

@@ -26,6 +26,13 @@ Choose the permission or permissions marked as least privileged for this API. Us
 
 [!INCLUDE [limited-info](../../includes/limited-info.md)]
 
+> [!IMPORTANT]
+> In delegated scenarios with work or school accounts, the signed-in user must be assigned a supported [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) or a custom role with a supported role permission. The following least privileged roles are supported for this operation.
+> - Directory Readers
+> - Global Reader
+> - Intune Administrator
+> - Windows 365 Administrator
+
 ## HTTP request
 
 You can address the device using either its **id** or **deviceId**.

api-reference/beta/api/device-list-registeredowners.md

@@ -26,6 +26,13 @@ Choose the permission or permissions marked as least privileged for this API. Us
 
 [!INCLUDE [limited-info](../../includes/limited-info.md)]
 
+> [!IMPORTANT]
+> In delegated scenarios with work or school accounts, the signed-in user must be assigned a supported [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) or a custom role with a supported role permission. The following least privileged roles are supported for this operation.
+> - Directory Readers
+> - Global Reader
+> - Intune Administrator
+> - Windows 365 Administrator
+
 ## HTTP request
 
 You can address the device using either its **id** or **deviceId**.

api-reference/beta/api/device-list-registeredusers.md

@@ -27,33 +27,12 @@ Choose the permission or permissions marked as least privileged for this API. Us
 
 [!INCLUDE [limited-info](../../includes/limited-info.md)]
 
-The calling user must also be in at least one of the following [Microsoft Entra roles](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json):
-
-* Users
-* Directory Readers
-* Directory Writers
-* Compliance Administrator
-* Device Managers
-* Application Administrator
-* Security Reader
-* Security Administrator
-* Privileged Role Administrator
-* Cloud Application Administrator
-* Customer LockBox Access Approver
-* Dynamics 365 Administrator
-* Power BI Administrator
-* Desktop Analytics Administrator
-* Microsoft Managed Desktop Administrator
-* Teams Communications Administrator
-* Teams Communications Support Engineer
-* Teams Communications Support Specialist
-* Teams Administrator
-* Compliance Data Administrator
-* Security Operator
-* Kaizala Administrator
-* Global Reader
-* Directory Reviewer
-* Windows 365 Administrator
+> [!IMPORTANT]
+> In delegated scenarios with work or school accounts, the signed-in user must be assigned a supported [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) or a custom role with a supported role permission. The following least privileged roles are supported for this operation.
+> - Directory Readers
+> - Global Reader
+> - Intune Administrator
+> - Windows 365 Administrator
 
 ## HTTP request
 

api-reference/beta/api/device-list-transitivememberof.md

@@ -26,6 +26,13 @@ Choose the permission or permissions marked as least privileged for this API. Us
 
 [!INCLUDE [limited-info](../../includes/limited-info.md)]
 
+> [!IMPORTANT]
+> In delegated scenarios with work or school accounts, the signed-in user must be assigned a supported [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) or a custom role with a supported role permission. The following least privileged roles are supported for this operation.
+> - Directory Readers
+> - Global Reader
+> - Intune Administrator
+> - Windows 365 Administrator
+
 
 ## HTTP request