Merge pull request #25645 from microsoftgraph/rbac-EntraHealth

Entra admin roles - Microsoft Entra Health

Author: Lauragra

api-reference/beta/api/serviceactivity-getmetricsforconditionalaccesscompliantdevicessigninsuccess.md

@@ -20,13 +20,7 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "serviceactivity_getmetricsforconditionalaccesscompliantdevicessigninsuccess" } -->
 [!INCLUDE [permissions-table](../includes/permissions/serviceactivity-getmetricsforconditionalaccesscompliantdevicessigninsuccess-permissions.md)]
 
-In addition to the delegated permissions, the signed-in user who is accessing the data needs to belong to at least one of the following [Microsoft Entra roles](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json), which allow them to read sign-in reports:
-
-+ Global Reader
-+ Reports Reader
-+ Security Administrator
-+ Security Operator
-+ Security Reader
+[!INCLUDE [rbac-entra-health-service-activity-apis](../includes/rbac-for-apis/rbac-entra-health-service-activity-apis.md)]
 
 ## HTTP request
 

api-reference/beta/api/serviceactivity-getmetricsforconditionalaccessmanageddevicessigninsuccess.md

@@ -20,13 +20,7 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "serviceactivity_getmetricsforconditionalaccessmanageddevicessigninsuccess" } -->
 [!INCLUDE [permissions-table](../includes/permissions/serviceactivity-getmetricsforconditionalaccessmanageddevicessigninsuccess-permissions.md)]
 
-In addition to the delegated permissions, the signed-in user who is accessing the data needs to belong to at least one of the following [Microsoft Entra roles](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json), which allow them to read sign-in reports:
-
-+ Global Reader
-+ Reports Reader
-+ Security Administrator
-+ Security Operator
-+ Security Reader
+[!INCLUDE [rbac-entra-health-service-activity-apis](../includes/rbac-for-apis/rbac-entra-health-service-activity-apis.md)]
 
 ## HTTP request
 

api-reference/beta/api/serviceactivity-getmetricsformfasigninfailure.md

@@ -20,13 +20,7 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "serviceactivity_getmetricsformfasigninfailure" } -->
 [!INCLUDE [permissions-table](../includes/permissions/serviceactivity-getmetricsformfasigninfailure-permissions.md)]
 
-In addition to the delegated permissions, the signed-in user who is accessing the data needs to belong to at least one of the following [Microsoft Entra roles](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json), which allow them to read sign-in reports:
-
-+ Global Reader
-+ Reports Reader
-+ Security Administrator
-+ Security Operator
-+ Security Reader
+[!INCLUDE [rbac-entra-health-service-activity-apis](../includes/rbac-for-apis/rbac-entra-health-service-activity-apis.md)]
 
 ## HTTP request
 

api-reference/beta/api/serviceactivity-getmetricsformfasigninsuccess.md

@@ -20,13 +20,7 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "serviceactivity_getmetricsformfasigninsuccess" } -->
 [!INCLUDE [permissions-table](../includes/permissions/serviceactivity-getmetricsformfasigninsuccess-permissions.md)]
 
-In addition to the delegated permissions, the signed-in user who is accessing the data needs to belong to at least one of the following [Microsoft Entra roles](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json), which allow them to read sign-in reports:
-
-+ Global Reader
-+ Reports Reader
-+ Security Administrator
-+ Security Operator
-+ Security Reader
+[!INCLUDE [rbac-entra-health-service-activity-apis](../includes/rbac-for-apis/rbac-entra-health-service-activity-apis.md)]
 
 ## HTTP request
 

api-reference/beta/api/serviceactivity-getmetricsforsamlsigninsuccess.md

@@ -20,13 +20,7 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "serviceactivity_getmetricsforsamlsigninsuccess" } -->
 [!INCLUDE [permissions-table](../includes/permissions/serviceactivity-getmetricsforsamlsigninsuccess-permissions.md)]
 
-In addition to the delegated permissions, the signed-in user who is accessing the data needs to belong to at least one of the following [Microsoft Entra roles](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json), which allow them to read sign-in reports:
-
-+ Global Reader
-+ Reports Reader
-+ Security Administrator
-+ Security Operator
-+ Security Reader
+[!INCLUDE [rbac-entra-health-service-activity-apis](../includes/rbac-for-apis/rbac-entra-health-service-activity-apis.md)]
 
 ## HTTP request
 

api-reference/beta/includes/rbac-for-apis/rbac-entra-health-service-activity-apis.md

@@ -0,0 +1,13 @@
+---
+author: Zacharypeng
+ms.topic: include
+---
+
+> [!IMPORTANT]
+> In delegated scenarios with work or school accounts, the signed-in user must be assigned a supported [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) or a custom role with a supported role permission. The following least privileged roles are supported for this operation:
+>
+> - Global Reader
+> - Reports Reader
+> - Security Reader
+> - Security Administrator
+> - Security Operator

api-reference/beta/toc/reports/toc.yml

@@ -148,6 +148,22 @@ items:
             href: ../../resources/azureadauthentication.md
           - name: Get SLA attainment
             href: ../../api/azureadauthentication-get.md
+      - name: Service activity
+        items:
+        - name: Service activity
+          items:
+          - name: Service activity
+            href: ../../resources/serviceactivity.md
+          - name: Get MFA sign-in success metrics
+            href: ../../api/serviceactivity-getmetricsformfasigninsuccess.md
+          - name: Get MFA sign-in failure metrics
+            href: ../../api/serviceactivity-getmetricsformfasigninfailure.md
+          - name: Get managed devices Conditional Access sign-in metrics
+            href: ../../api/serviceactivity-getmetricsforconditionalaccessmanageddevicessigninsuccess.md
+          - name: Get compliant devices Conditional Access sign-in metrics
+            href: ../../api/serviceactivity-getmetricsforconditionalaccesscompliantdevicessigninsuccess.md
+          - name: Get SAML sign-in metrics
+            href: ../../api/serviceactivity-getmetricsforsamlsigninsuccess.md
       - name: Health monitoring
         items:
         - name: Overview
@@ -220,20 +236,6 @@ items:
           href: ../../resources/userregistrationmethodsummary.md
         - name: List
           href: ../../api/authenticationmethodsroot-usersregisteredbymethod.md
-    - name: Service activity
-      items:
-      - name: Service activity
-        href: ../../resources/serviceactivity.md
-      - name: Get MFA sign-in success metrics
-        href: ../../api/serviceactivity-getmetricsformfasigninsuccess.md
-      - name: Get MFA sign-in failure metrics
-        href: ../../api/serviceactivity-getmetricsformfasigninfailure.md
-      - name: Get managed devices Conditional Access sign-in metrics
-        href: ../../api/serviceactivity-getmetricsforconditionalaccessmanageddevicessigninsuccess.md
-      - name: Get compliant devices Conditional Access sign-in metrics
-        href: ../../api/serviceactivity-getmetricsforconditionalaccesscompliantdevicessigninsuccess.md
-      - name: Get SAML sign-in metrics
-        href: ../../api/serviceactivity-getmetricsforsamlsigninsuccess.md
     - name: Service principal sign in activity
       items:
       - name: Service principal sign in activity

api-reference/beta/toc/toc.mapping.json

@@ -2250,7 +2250,6 @@
               "shouldSort": true,
               "resources": [
                 "appCredentialSignInActivity",
-                "serviceActivity",
                 "servicePrincipalSignInActivity"
               ],
               "childNodes": [
@@ -2290,6 +2289,12 @@
                         "azureADAuthentication"
                       ]
                     },
+                    {
+                      "name": "Service activity",
+                      "resources": [
+                        "serviceActivity"
+                      ]
+                    },
                     {
                       "name": "Health monitoring",
                       "overview": "../../resources/healthmonitoring-overview.md",