Merge pull request #25700 from msewaweru/authopolicy-roles

Lauragra · web-flow · commit 67b40e4e81eb · 2024-11-18T18:49:12.000-08:00
Entra roles - Authorization Policy APIs
diff --git a/api-reference/beta/api/authorizationpolicy-get.md b/api-reference/beta/api/authorizationpolicy-get.md
@@ -25,6 +25,8 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "authorizationpolicy_get" } -->
 [!INCLUDE [permissions-table](../includes/permissions/authorizationpolicy-get-permissions.md)]
 
+[!INCLUDE [rbac-authorization-policy-apis-read](../includes/rbac-for-apis/rbac-authorization-policy-apis-read.md)]
+
 ## HTTP request
 
 <!-- { "blockType": "ignored" } -->
diff --git a/api-reference/beta/api/authorizationpolicy-update.md b/api-reference/beta/api/authorizationpolicy-update.md
@@ -25,7 +25,7 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "authorizationpolicy_update" } -->
 [!INCLUDE [permissions-table](../includes/permissions/authorizationpolicy-update-permissions.md)]
 
-For delegated scenarios, the user needs to have the *Privileged Role Administrator* [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json).
+[!INCLUDE [rbac-authorization-policy-apis-update](../includes/rbac-for-apis/rbac-authorization-policy-apis-update.md)]
 
 ## HTTP request
 
diff --git a/api-reference/beta/includes/rbac-for-apis/rbac-authorization-policy-apis-read.md b/api-reference/beta/includes/rbac-for-apis/rbac-authorization-policy-apis-read.md
@@ -0,0 +1,14 @@
+---
+author: msewaweru
+ms.topic: include
+---
+
+> [!IMPORTANT]
+> In delegated scenarios with work or school accounts, the signed-in user must be assigned a supported [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) or a custom role with a supported role permission. The following least privileged roles are supported for this operation.
+> - Global Reader
+> - Security Reader
+> - Security Operator
+> - Security Administrator
+> - Cloud Device Administrator
+> - License Administrator
+> - Privileged Role Administrator
diff --git a/api-reference/beta/includes/rbac-for-apis/rbac-authorization-policy-apis-update.md b/api-reference/beta/includes/rbac-for-apis/rbac-authorization-policy-apis-update.md
@@ -0,0 +1,8 @@
+---
+author: msewaweru
+ms.topic: include
+---
+
+> [!IMPORTANT]
+> In delegated scenarios with work or school accounts, the signed-in user must be assigned a supported [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) or a custom role with a supported role permission. The following least privileged role is supported for this operation.
+> - Privileged Role Administrator
diff --git a/api-reference/v1.0/api/authorizationpolicy-get.md b/api-reference/v1.0/api/authorizationpolicy-get.md
@@ -23,6 +23,8 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "authorizationpolicy_get" } -->
 [!INCLUDE [permissions-table](../includes/permissions/authorizationpolicy-get-permissions.md)]
 
+[!INCLUDE [rbac-authorization-policy-apis-read](../includes/rbac-for-apis/rbac-authorization-policy-apis-read.md)]
+
 ## HTTP request
 
 <!-- { "blockType": "ignored" } -->
diff --git a/api-reference/v1.0/api/authorizationpolicy-update.md b/api-reference/v1.0/api/authorizationpolicy-update.md
@@ -23,7 +23,7 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "authorizationpolicy_update" } -->
 [!INCLUDE [permissions-table](../includes/permissions/authorizationpolicy-update-permissions.md)]
 
-For delegated scenarios, the user needs to have the *Privileged Role Administrator* [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json).
+[!INCLUDE [rbac-authorization-policy-apis-update](../includes/rbac-for-apis/rbac-authorization-policy-apis-update.md)]
 
 ## HTTP request
 
diff --git a/api-reference/v1.0/includes/rbac-for-apis/rbac-authorization-policy-apis-read.md b/api-reference/v1.0/includes/rbac-for-apis/rbac-authorization-policy-apis-read.md
@@ -0,0 +1,14 @@
+---
+author: msewaweru
+ms.topic: include
+---
+
+> [!IMPORTANT]
+> In delegated scenarios with work or school accounts, the signed-in user must be assigned a supported [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) or a custom role with a supported role permission. The following least privileged roles are supported for this operation.
+> - Global Reader
+> - Security Reader
+> - Security Operator
+> - Security Administrator
+> - Cloud Device Administrator
+> - License Administrator
+> - Privileged Role Administrator
diff --git a/api-reference/v1.0/includes/rbac-for-apis/rbac-authorization-policy-apis-update.md b/api-reference/v1.0/includes/rbac-for-apis/rbac-authorization-policy-apis-update.md
@@ -0,0 +1,8 @@
+---
+author: msewaweru
+ms.topic: include
+---
+
+> [!IMPORTANT]
+> In delegated scenarios with work or school accounts, the signed-in user must be assigned a supported [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) or a custom role with a supported role permission. The following least privileged role is supported for this operation.
+> - Privileged Role Administrator
