Merge pull request #25519 from microsoftgraph/rbac-directoryRoles

Entra admin roles - directory roles/templates

Author: Lauragra

api-reference/beta/api/directoryroletemplate-get.md

@@ -27,6 +27,9 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "directoryroletemplate_get" } -->
 [!INCLUDE [permissions-table](../includes/permissions/directoryroletemplate-get-permissions.md)]
 
+> [!IMPORTANT]
+> In delegated scenarios with work or school accounts, the signed-in user must be assigned a supported [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) or a custom role with a supported role permission. *Global Reader* is the least privileged role supported for this operation.
+
 ## HTTP request
 <!-- { "blockType": "ignored" } -->
 ```http

api-reference/beta/api/directoryroletemplate-list.md

@@ -27,6 +27,9 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "directoryroletemplate_list" } -->
 [!INCLUDE [permissions-table](../includes/permissions/directoryroletemplate-list-permissions.md)]
 
+> [!IMPORTANT]
+> In delegated scenarios with work or school accounts, the signed-in user must be assigned a supported [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) or a custom role with a supported role permission. *Global Reader* is the least privileged role supported for this operation.
+
 ## HTTP request
 <!-- { "blockType": "ignored" } -->
 ```http

api-reference/beta/includes/rbac-for-apis/rbac-directory-role-apis-read.md

@@ -4,41 +4,41 @@ ms.reviewer: msodsrbac
 ms.topic: include
 ---
 
-In delegated scenarios with work or school accounts, the signed-in user must be assigned a supported [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) or a custom role with a supported role permission. The following least privileged roles are supported for this operation.
-
-- User Administrator
-- Helpdesk Administrator
-- Service Support Administrator
-- Billing Administrator
-- User
-- Mailbox Administrator
-- Directory Readers
-- Directory Writers
-- Application Administrator
-- Security Reader
-- Security Administrator
-- Privileged Role Administrator
-- Cloud Application Administrator
-- Customer LockBox Access Approver
-- Dynamics 365 Administrator
-- Power BI Administrator
-- Azure Information Protection Administrator
-- Desktop Analytics Administrator
-- License Administrator
-- Microsoft Managed Desktop Administrator
-- Authentication Administrator
-- Privileged Authentication Administrator
-- Teams Communications Administrator
-- Teams Communications Support Engineer
-- Teams Communications Support Specialist
-- Teams Administrator
-- Insights Administrator
-- Compliance Data Administrator
-- Security Operator
-- Kaizala Administrator
-- Global Reader
-- Volume Licensing Business Center User
-- Volume Licensing Service Center User
-- Modern Commerce Administrator
-- Microsoft Store for Business User
-- Directory Reviewer
+> [!IMPORTANT]
+> In delegated scenarios with work or school accounts, the signed-in user must be assigned a supported [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) or a custom role with a supported role permission. The following least privileged roles are supported for this operation.
+> - User Administrator
+> - Helpdesk Administrator
+> - Service Support Administrator
+> - Billing Administrator
+> - User
+> - Mailbox Administrator
+> - Directory Readers
+> - Directory Writers
+> - Application Administrator
+> - Security Reader
+> - Security Administrator
+> - Privileged Role Administrator
+> - Cloud Application Administrator
+> - Customer LockBox Access Approver
+> - Dynamics 365 Administrator
+> - Power BI Administrator
+> - Azure Information Protection Administrator
+> - Desktop Analytics Administrator
+> - License Administrator
+> - Microsoft Managed Desktop Administrator
+> - Authentication Administrator
+> - Privileged Authentication Administrator
+> - Teams Communications Administrator
+> - Teams Communications Support Engineer
+> - Teams Communications Support Specialist
+> - Teams Administrator
+> - Insights Administrator
+> - Compliance Data Administrator
+> - Security Operator
+> - Kaizala Administrator
+> - Global Reader
+> - Volume Licensing Business Center User
+> - Volume Licensing Service Center User
+> - Modern Commerce Administrator
+> - Microsoft Store for Business User
+> - Directory Reviewer

api-reference/beta/includes/rbac-for-apis/rbac-directory-role-apis-write.md

@@ -4,5 +4,6 @@ ms.reviewer: msodsrbac
 ms.topic: include
 ---
 
-In delegated scenarios with work or school accounts, the signed-in user must be assigned a supported [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) or a custom role with a supported role permission. *Privileged Role Administrator* is the least privileged role supported for this operation.
+> [!IMPORTANT]
+> In delegated scenarios with work or school accounts, the signed-in user must be assigned a supported [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) or a custom role with a supported role permission. *Privileged Role Administrator* is the least privileged role supported for this operation.
 

api-reference/v1.0/api/directoryrole-delete-member.md

@@ -29,6 +29,8 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "directoryrole_delete_member" } -->
 [!INCLUDE [permissions-table](../includes/permissions/directoryrole-delete-member-permissions.md)]
 
+[!INCLUDE [rbac-directory-role-apis-write](../includes/rbac-for-apis/rbac-directory-role-apis-write.md)]
+
 ## HTTP request
 
 You can address the directory role using either its **id** or **roleTemplateId**.

api-reference/v1.0/api/directoryrole-delta.md

@@ -24,6 +24,8 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "directoryrole_delta" } -->
 [!INCLUDE [permissions-table](../includes/permissions/directoryrole-delta-permissions.md)]
 
+[!INCLUDE [rbac-directory-role-apis-read](../includes/rbac-for-apis/rbac-directory-role-apis-read.md)]
+
 ## HTTP request
 
 To begin tracking changes, you make a request including the **delta** function on the [directoryRole](../resources/directoryrole.md) resource.
@@ -43,7 +45,7 @@ You only need to specify any desired query parameters once upfront.
 In subsequent requests, copy and apply the `@odata.nextLink` or `@odata.deltaLink` URL from the previous response, as that URL already 
 includes the encoded, desired parameters.
 
-| Query parameter	   | Type	|Description|
+| Query parameter       | Type    |Description|
 |:---------------|:--------|:----------|
 | $deltatoken | string | A [state token](/graph/delta-query-overview) returned in the `@odata.deltaLink` URL of the previous **delta** function call for the same resource collection, indicating the completion of that round of change tracking. Save and apply the entire `@odata.deltaLink` URL including this token in the first request of the next round of change tracking for that collection.|
 | $skiptoken | string | A [state token](/graph/delta-query-overview) returned in the `@odata.nextLink` URL of the previous **delta** function call, indicating there are further changes to be tracked in the same resource collection. |

api-reference/v1.0/api/directoryrole-get.md

@@ -27,6 +27,8 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "directoryrole_get" } -->
 [!INCLUDE [permissions-table](../includes/permissions/directoryrole-get-permissions.md)]
 
+[!INCLUDE [rbac-directory-role-apis-read](../includes/rbac-for-apis/rbac-directory-role-apis-read.md)]
+
 ## HTTP request
 
 You can address the directory role using either its **id** or **roleTemplateId**.

api-reference/v1.0/api/directoryrole-list-members.md

@@ -30,6 +30,8 @@ Choose the permission or permissions marked as least privileged for this API. Us
 
 [!INCLUDE [limited-info](../../includes/limited-info.md)]
 
+[!INCLUDE [rbac-directory-role-apis-read](../includes/rbac-for-apis/rbac-directory-role-apis-read.md)]
+
 ## HTTP request
 
 You can address the directory role using either its **id** or **roleTemplateId**.

api-reference/v1.0/api/directoryrole-list-scopedmembers.md

@@ -25,6 +25,8 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "directoryrole_list_scopedmembers" } -->
 [!INCLUDE [permissions-table](../includes/permissions/directoryrole-list-scopedmembers-permissions.md)]
 
+[!INCLUDE [rbac-directory-role-apis-read](../includes/rbac-for-apis/rbac-directory-role-apis-read.md)]
+
 ## HTTP request
 
 You can address the directory role using either its **id** or **roleTemplateId**.

api-reference/v1.0/api/directoryrole-list.md

@@ -29,6 +29,8 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "directoryrole_list" } -->
 [!INCLUDE [permissions-table](../includes/permissions/directoryrole-list-permissions.md)]
 
+[!INCLUDE [rbac-directory-role-apis-read](../includes/rbac-for-apis/rbac-directory-role-apis-read.md)]
+
 ## HTTP request
 <!-- { "blockType": "ignored" } -->
 ```http