Merge pull request #25425 from microsoftgraph/rbac-sp-SingleSignOnCredentials

Lauragra · web-flow · commit 535e46667250 · 2024-10-15T19:22:52.000-07:00
Entra admin roles - SPs - single sign-on credentials
diff --git a/api-reference/beta/api/serviceprincipal-createpasswordsinglesignoncredentials.md b/api-reference/beta/api/serviceprincipal-createpasswordsinglesignoncredentials.md
@@ -24,8 +24,7 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "serviceprincipal_createpasswordsinglesignoncredentials" } -->
 [!INCLUDE [permissions-table](../includes/permissions/serviceprincipal-createpasswordsinglesignoncredentials-permissions.md)]
 
-> [!NOTE]
-> Users can create credentials for themselves. Service principal owners and admins with the following roles can create credentials for any user or group: GlobalAdministrator, ApplicationAdministrator, CloudApplicationAdministrator. To learn more, see [Directory roles](/azure/active-directory/users-groups-roles/directory-assign-admin-roles#available-roles).
+[!INCLUDE [rbac-passwordsinglesignoncredentials-apis](../includes/rbac-for-apis/rbac-passwordsinglesignoncredentials-apis.md)]
 
 ## HTTP request
 
diff --git a/api-reference/beta/api/serviceprincipal-deletepasswordsinglesignoncredentials.md b/api-reference/beta/api/serviceprincipal-deletepasswordsinglesignoncredentials.md
@@ -24,8 +24,7 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "serviceprincipal_deletepasswordsinglesignoncredentials" } -->
 [!INCLUDE [permissions-table](../includes/permissions/serviceprincipal-deletepasswordsinglesignoncredentials-permissions.md)]
 
-> [!NOTE]
-> Users can create credentials for themselves. Service principal owners and admins with the following roles can create credentials for any user or group: GlobalAdministrator, ApplicationAdministrator, CloudApplicationAdministrator. To learn more, see [Directory roles](/azure/active-directory/users-groups-roles/directory-assign-admin-roles#available-roles).
+[!INCLUDE [rbac-passwordsinglesignoncredentials-apis](../includes/rbac-for-apis/rbac-passwordsinglesignoncredentials-apis.md)]
 
 ## HTTP request
 
diff --git a/api-reference/beta/api/serviceprincipal-getpasswordsinglesignoncredentials.md b/api-reference/beta/api/serviceprincipal-getpasswordsinglesignoncredentials.md
@@ -24,8 +24,7 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "serviceprincipal_getpasswordsinglesignoncredentials" } -->
 [!INCLUDE [permissions-table](../includes/permissions/serviceprincipal-getpasswordsinglesignoncredentials-permissions.md)]
 
-> [!NOTE]
-> Users can create credentials for themselves. Service principal owners and admins with the following roles can create credentials for any user or group: GlobalAdministrator, ApplicationAdministrator, CloudApplicationAdministrator. To learn more, see [Directory roles](/azure/active-directory/users-groups-roles/directory-assign-admin-roles#available-roles).
+[!INCLUDE [rbac-passwordsinglesignoncredentials-apis](../includes/rbac-for-apis/rbac-passwordsinglesignoncredentials-apis.md)]
 
 ## HTTP request
 
diff --git a/api-reference/beta/api/serviceprincipal-updatepasswordsinglesignoncredentials.md b/api-reference/beta/api/serviceprincipal-updatepasswordsinglesignoncredentials.md
@@ -24,8 +24,7 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "serviceprincipal_updatepasswordsinglesignoncredentials" } -->
 [!INCLUDE [permissions-table](../includes/permissions/serviceprincipal-updatepasswordsinglesignoncredentials-permissions.md)]
 
-> [!NOTE]
-> Users can create credentials for themselves. Service principal owners and admins with the following roles can create credentials for any user or group: GlobalAdministrator, ApplicationAdministrator, CloudApplicationAdministrator. To learn more, see [Directory roles](/azure/active-directory/users-groups-roles/directory-assign-admin-roles#available-roles).
+[!INCLUDE [rbac-passwordsinglesignoncredentials-apis](../includes/rbac-for-apis/rbac-passwordsinglesignoncredentials-apis.md)]
 
 ## HTTP request
 
diff --git a/api-reference/beta/includes/rbac-for-apis/rbac-passwordsinglesignoncredentials-apis.md b/api-reference/beta/includes/rbac-for-apis/rbac-passwordsinglesignoncredentials-apis.md
@@ -0,0 +1,11 @@
+---
+author: psignoret
+ms.topic: include
+---
+
+> [!IMPORTANT]
+> 
+> In delegated scenarios with work or school accounts, the signed-in user must be assigned a supported [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) or a custom role with a supported role permission. The following least privileged roles are supported for this operation:
+> - Users can create and manage credentials for themselves.
+> - Application Administrator
+> - Cloud Application Administrator
