Commit ae9e94b

Merge pull request #25014 from microsoftgraph/globalAdminCleanUp
Entra docs - SFI Wave 2 remediation
2 parents 1f3e052 + d2185e0 commit ae9e94b

8 files changed

+13
-11
lines changed


api-reference/beta/api/user-update.md

Lines changed: 1 addition & 1 deletion
@@ -53,7 +53,7 @@ PATCH /users/{id | userPrincipalName}
5353
| Property | Type |Description|
5454
|:---------------|:--------|:----------|
5555
|aboutMe|String|A freeform text entry field for the user to describe themselves.|
56-
|accountEnabled|Boolean| `true` if the account is enabled; otherwise, `false`. This property is required when a user is created. Apart from a global administrator, a privileged authentication administrator assigned the _Directory.AccessAsUser.All_ delegated permission can update the **accountEnabled** status of all administrators in the tenant.|
56+
|accountEnabled|Boolean| `true` if the account is enabled; otherwise, `false`. This property is required when a user is created. A Privileged Authentication Administrator assigned the _Directory.AccessAsUser.All_ delegated permission is the least privileged role that's allowed to update the **accountEnabled** status of all administrators in the tenant.|
5757
| ageGroup | [ageGroup](../resources/user.md#agegroup-values) | Sets the age group of the user. Allowed values: `null`, `Minor`, `NotAdult` and `Adult`. Refer to the [legal age group property definitions](../resources/user.md#legal-age-group-property-definitions) for further information. |
5858
|assignedLicenses|[assignedLicense](../resources/assignedlicense.md) collection|The licenses that are assigned to the user. Not nullable. |
5959
|birthday|DateTimeOffset|The birthday of the user. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`|
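
Review bot: The replacement sentence on new line 56 makes a person the subject of "is the least privileged role" and describes the delegated permission as assigned to the administrator, so it is unclear whether the role, the permission, or both are required. Suggest stating them as two separate requirements, for example "To update **accountEnabled** for administrators, the signed-in user needs at least the Privileged Authentication Administrator role, and the app needs the _Directory.AccessAsUser.All_ delegated permission." The identical sentence is added in api-reference/v1.0/api/user-update.md, so the same wording should be applied there.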

api-reference/beta/resources/accessreviews-root.md

Lines changed: 1 addition & 1 deletion
@@ -25,7 +25,7 @@ Typical customer scenarios for access reviews of group memberships and applicati
2525

2626
- Customers can collect access review controls into programs that are relevant for your organization to track reviews for compliance or risk-sensitive applications.
2727

28-
There's also a related capability for customers to review and certify the role assignments of administrative users who are assigned to Microsoft Entra roles such as Global Administrator or Azure subscription roles. This capability is included in [Microsoft Entra Privileged Identity Management](privilegedidentitymanagement-root.md).
28+
There's also a related capability for customers to review and certify the role assignments of administrative users who are assigned to [Microsoft Entra roles](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) or [Azure subscription](/azure/role-based-access-control/built-in-roles) roles. This capability is included in [Microsoft Entra Privileged Identity Management](privilegedidentitymanagementv3-overview.md).
2929

3030
The tenant where an access review is being created or managed via the API must have sufficient purchased or trial licenses. For more information about the license requirements, see [Access reviews license requirements](/azure/active-directory/governance/access-reviews-overview#license-requirements).
3131
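
Review bot: On new line 28 the Privileged Identity Management link target changes from `privilegedidentitymanagement-root.md` to `privilegedidentitymanagementv3-overview.md`, which is separate from the Global Administrator wording cleanup the branch name indicates and is easy to miss in a one-line diff. Please confirm the new target exists alongside this file and call the retarget out in the PR description. Minor style point on the same line: the first link text is "Microsoft Entra roles" while the second is "Azure subscription" with "roles" left outside the brackets; make the two consistent.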

api-reference/beta/resources/businessflowtemplate.md

Lines changed: 6 additions & 2 deletions
@@ -17,8 +17,12 @@ Namespace: microsoft.graph
1717

1818
In the Microsoft Entra [access reviews](accessreviews-root.md) feature, the **businesFlowTemplate** represents a Microsoft Entra business flow template. The identifier of a template, such as to review guest members of a group, is supplied by the caller when creating an access review.
1919

20-
The business flow template objects are automatically generated when the global administrator onboards the tenant to use the access reviews feature. The business flow templates include access reviews of assignments to an application, memberships of a group, memberships of a Microsoft Entra role, guest user memberships of a group, and guest user assignments to an application. No additional business flow templates can be created.
21-
20+
The business flow template objects are predefined and automatically generated when an authorized administrator onboards the tenant to use the access reviews feature. They include the following access reviews workflows and scopes:
21+
- Assignments to an application
22+
- Memberships of a group
23+
- Memberships of a Microsoft Entra role
24+
- Memberships of guests to a group
25+
- Assignments of guests to an application.
2226

2327
## Methods
2428
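
Review bot: The rewrite at new lines 20-25 drops the old sentence "No additional business flow templates can be created."; "predefined" hints at it but no longer states the constraint, while the programcontroltype.md hunk in this same commit keeps its equivalent sentence. Suggest restoring it after the list. Style: the last bullet ends with a period and the other four do not, and "access reviews workflows and scopes" introduces two new terms where the old text simply listed what the templates cover.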

api-reference/beta/resources/program.md

Lines changed: 2 additions & 2 deletions
@@ -15,9 +15,9 @@ Namespace: microsoft.graph
1515

1616
[!INCLUDE [accessreviews-disclaimer](../../includes/accessreviews-disclaimer.md)]
1717

18-
In the Microsoft Entra [access reviews](accessreviews-root.md) feature, a program is a container, holding program controls. A tenant can have one or more programs. Each control links an access review to a program, to make it easier to locate related access reviews.
18+
In the Microsoft Entra [access reviews](accessreviews-root.md) feature, a program is a container, holding program controls. A tenant can have one or more programs. Each control links an access review to a program, to make it easier to locate related access reviews.
1919

20-
Each tenant that has on-boarded Microsoft Entra access reviews has one program, `Default program`. A global administrator can create additional programs, for example to represent compliance initiatives.
20+
A tenant that has onboarded Microsoft Entra access reviews has one program, the `Default program`. An authorized administrator can create more programs, for example, to represent compliance initiatives.
2121

2222

2323
## Methods
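
Review bot: "An authorized administrator" on new line 20 removes the Global Administrator reference without telling the reader which roles are authorized to create programs. The same phrase is introduced in businessflowtemplate.md and programcontroltype.md in this commit. Suggest naming the least privileged role, as the user-update.md hunks do, or linking the phrase to the Microsoft Entra roles reference that accessreviews-root.md now links. The -/+ pair at line 18 renders identically here, so it appears to be a whitespace-only change; fine to keep if intentional.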

api-reference/beta/resources/programcontroltype.md

Lines changed: 1 addition & 1 deletion
@@ -17,7 +17,7 @@ Namespace: microsoft.graph
1717

1818
In the Microsoft Entra [access reviews](accessreviews-root.md) feature, the program control type is used when associating a control to a program, to indicate the type of access review the control is for.
1919

20-
The program control type objects are automatically generated when the global administrator onboards the tenant to use the access reviews feature. No additional program control types can be created.
20+
The program control type objects are automatically generated when an authorized administrator onboards the tenant to use the access reviews feature. No additional program control types can be created.
2121

2222

2323
## Methods

api-reference/v1.0/api/user-update.md

Lines changed: 1 addition & 1 deletion
@@ -51,7 +51,7 @@ PATCH /users/{id | userPrincipalName}
5151
| Property | Type |Description|
5252
|:---------------|:--------|:----------|
5353
|aboutMe|String|A freeform text entry field for the user to describe themselves.|
54-
|accountEnabled|Boolean| `true` if the account is enabled; otherwise, `false`. This property is required when a user is created. Apart from a global administrator, a privileged authentication administrator assigned the _Directory.AccessAsUser.All_ delegated permission can update the **accountEnabled** status of all administrators in the tenant.|
54+
|accountEnabled|Boolean| `true` if the account is enabled; otherwise, `false`. This property is required when a user is created. A Privileged Authentication Administrator assigned the _Directory.AccessAsUser.All_ delegated permission is the least privileged role that's allowed to update the **accountEnabled** status of all administrators in the tenant.|
5555
| ageGroup | [ageGroup](../resources/user.md#agegroup-values) | Sets the age group of the user. Allowed values: `null`, `Minor`, `NotAdult`, and `Adult`. Refer to the [legal age group property definitions](../resources/user.md#legal-age-group-property-definitions) for further information. |
5656
|birthday|DateTimeOffset|The birthday of the user. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`|
5757
|businessPhones| String collection | The telephone numbers for the user. NOTE: Although this is a string collection, only one number can be set for this property.|

concepts/microsoft-graph-activity-logs-overview.md

Lines changed: 1 addition & 3 deletions
@@ -27,9 +27,7 @@ This service is available in the following [national cloud deployments](/graph/d
2727
To access the Microsoft Graph activity logs, you need the following privileges.
2828

2929
- A Microsoft Entra ID P1 or P2 tenant license in your tenant.
30-
- An administrator with one of the following [Microsoft Entra administrator roles](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) listed in the order of least to most privileged role.
31-
- Security Administrator – To configure diagnostic settings
32-
- Global Administrator – To configure diagnostic settings
30+
- An administrator with a supported [Microsoft Entra administrator role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json). *Security Administrator* is the only least privileged admin role supported for configuring diagnostic settings.
3331
- An Azure subscription with one of the following log destinations are configured, and permissions to access data in the corresponding log destinations.
3432
- An Azure Log Analytics workspace to send logs to Azure Monitor
3533
- An Azure Storage Account for which you have List Keys permissions
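
Review bot: "the only least privileged admin role supported" on new line 30 reads as a contradiction: "least privileged" already picks out a single role, and "only ... supported" says no other role works, which conflicts with the preceding sentence ("a supported ... administrator role") and with the removed Global Administrator bullet. Suggest "*Security Administrator* is the least privileged role that can configure diagnostic settings."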
