Merge pull request #25697 from msewaweru/deviceregpolicy-roles

Lauragra · web-flow · commit 5df3b0cd5904 · 2024-11-18T18:48:37.000-08:00
Entra roles - Device registration policy APIs
diff --git a/api-reference/beta/api/deviceregistrationpolicy-get.md b/api-reference/beta/api/deviceregistrationpolicy-get.md
@@ -22,12 +22,7 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "deviceregistrationpolicy_get" } -->
 [!INCLUDE [permissions-table](../includes/permissions/deviceregistrationpolicy-get-permissions.md)]
 
-When calling on behalf of a user, the user needs to belong to the following [Microsoft Entra roles](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json):
-+ Global Reader
-+ Cloud Device Administrator
-+ Intune Administrator
-+ Windows 365 Administrator
-+ Directory Reviewer
+[!INCLUDE [rbac-device-registration-policy-apis-read](../includes/rbac-for-apis/rbac-device-registration-policy-apis-read.md)]
 
 ## HTTP request
 
diff --git a/api-reference/beta/api/deviceregistrationpolicy-update.md b/api-reference/beta/api/deviceregistrationpolicy-update.md
@@ -21,7 +21,7 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "deviceregistrationpolicy_update" } -->
 [!INCLUDE [permissions-table](../includes/permissions/deviceregistrationpolicy-update-permissions.md)]
 
-When calling on behalf of a user, the user needs the *Cloud Device Administrator* [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json).
+[!INCLUDE [rbac-device-registration-policy-apis-update](../includes/rbac-for-apis/rbac-device-registration-policy-apis-update.md)]
 
 ## HTTP request
 
diff --git a/api-reference/beta/includes/rbac-for-apis/rbac-device-registration-policy-apis-read.md b/api-reference/beta/includes/rbac-for-apis/rbac-device-registration-policy-apis-read.md
@@ -0,0 +1,12 @@
+---
+author: msewaweru
+ms.topic: include
+---
+
+> [!IMPORTANT]
+> In delegated scenarios with work or school accounts, the signed-in user must be assigned a supported [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) or a custom role with a supported role permission. The following least privileged roles are supported for this operation.
+> - Global Reader
+> - Cloud Device Administrator
+> - Intune Administrator
+> - Windows 365 Administrator
+> - Directory Reviewer
diff --git a/api-reference/beta/includes/rbac-for-apis/rbac-device-registration-policy-apis-update.md b/api-reference/beta/includes/rbac-for-apis/rbac-device-registration-policy-apis-update.md
@@ -0,0 +1,8 @@
+---
+author: msewaweru
+ms.topic: include
+---
+
+> [!IMPORTANT]
+> In delegated scenarios with work or school accounts, the signed-in user must be assigned a supported [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) or a custom role with a supported role permission. The following least privileged role is supported for this operation.
+> - Cloud Device Administrator
