Entra admin roles - group/directory settings

Author: FaithOmbongi

api-reference/beta/api/directorysettingtemplate-get.md

@@ -26,6 +26,12 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "directorysettingtemplate_get" } -->
 [!INCLUDE [permissions-table](../includes/permissions/directorysettingtemplate-get-permissions.md)]
 
+> [!IMPORTANT]
+> In delegated scenarios with work or school accounts, the signed-in user must be assigned a supported [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) or a custom role with a supported role permission. The following least privileged roles are supported for this operation.
+> - Microsoft Entra Joined Device Local Administrator - basic properties only
+> - Directory Readers
+> - Global Reader
+
 ## HTTP request
 <!-- { "blockType": "ignored" } -->
 ```http

api-reference/beta/api/directorysettingtemplate-list.md

@@ -26,6 +26,12 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "directorysettingtemplate_list" } -->
 [!INCLUDE [permissions-table](../includes/permissions/directorysettingtemplate-list-permissions.md)]
 
+> [!IMPORTANT]
+> In delegated scenarios with work or school accounts, the signed-in user must be assigned a supported [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) or a custom role with a supported role permission. The following least privileged roles are supported for this operation.
+> - Microsoft Entra Joined Device Local Administrator - basic properties only
+> - Directory Readers
+> - Global Reader
+
 ## HTTP request
 <!-- { "blockType": "ignored" } -->
 ```http

api-reference/beta/includes/rbac-for-apis/rbac-group-directorysettings-all.md

@@ -3,12 +3,12 @@ author: yuhko-msft
 ms.topic: include
 ---
 
-In delegated scenarios with work or school accounts, the signed-in user must be assigned a supported [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) or a custom role with a supported role permission. The following least privileged roles are supported for this operation.
-
-| Microsoft Entra role                                                                          | Allowed privileges                                                            |
-|-----------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------|
-| Microsoft Entra Joined Device Local Administrator <br/> Directory Readers <br/> Global Reader | Read basic properties on setting templates and settings                       |
-| Groups Administrator <br/> Directory Writers                                                  | Manage all group settings                                                     |
-| Authentication Policy Administrator                                                           | Update `Password Rule Settings`                                               |
-| User Administrator                                                                            | Read basic properties on setting templates and settings <br/> Update settings |
+> [!IMPORTANT]
+> In delegated scenarios with work or school accounts, the signed-in user must be assigned a supported [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) or a custom role with a supported role permission. The following least privileged roles are supported for this operation.
+> 
+> - Read basic properties on setting templates and settings - Microsoft Entra Joined Device Local Administrator, Directory Readers, Global Reader
+> - Manage all group/directory settings - Directory Writers
+> - Manage global and local settings for groups; manage `Group.Unified.Guest` and `Group.Unified` settings - Groups Administrator
+> - Update `Password Rule Settings` - Authentication Policy Administrator
+> - Update settings, Read basic properties on setting templates and settings - User Administrator
 

api-reference/v1.0/api/groupsettingtemplate-get.md

@@ -23,6 +23,12 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "groupsettingtemplate_get" } -->
 [!INCLUDE [permissions-table](../includes/permissions/groupsettingtemplate-get-permissions.md)]
 
+> [!IMPORTANT]
+> In delegated scenarios with work or school accounts, the signed-in user must be assigned a supported [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) or a custom role with a supported role permission. The following least privileged roles are supported for this operation.
+> - Microsoft Entra Joined Device Local Administrator - basic properties only
+> - Directory Readers
+> - Global Reader
+
 ## HTTP request
 
 <!-- { "blockType": "ignored" } -->

api-reference/v1.0/api/groupsettingtemplate-list.md

@@ -23,6 +23,12 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "groupsettingtemplate_list" } -->
 [!INCLUDE [permissions-table](../includes/permissions/groupsettingtemplate-list-permissions.md)]
 
+> [!IMPORTANT]
+> In delegated scenarios with work or school accounts, the signed-in user must be assigned a supported [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) or a custom role with a supported role permission. The following least privileged roles are supported for this operation.
+> - Microsoft Entra Joined Device Local Administrator - basic properties only
+> - Directory Readers
+> - Global Reader
+
 ## HTTP request
 
 <!-- { "blockType": "ignored" } -->

api-reference/v1.0/includes/rbac-for-apis/rbac-group-directorysettings-all.md

@@ -3,12 +3,11 @@ author: yuhko-msft
 ms.topic: include
 ---
 
-In delegated scenarios with work or school accounts, the signed-in user must be assigned a supported [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) or a custom role with a supported role permission. The following least privileged roles are supported for this operation.
-
-| Microsoft Entra role                                                                          | Allowed privileges                                                            |
-|-----------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------|
-| Microsoft Entra Joined Device Local Administrator <br/> Directory Readers <br/> Global Reader | Read basic properties on setting templates and settings                       |
-| Groups Administrator <br/> Directory Writers                                                  | Manage all group settings                                                     |
-| Authentication Policy Administrator                                                           | Update `Password Rule Settings`                                               |
-| User Administrator                                                                            | Read basic properties on setting templates and settings <br/> Update settings |
-
+> [!IMPORTANT]
+> In delegated scenarios with work or school accounts, the signed-in user must be assigned a supported [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) or a custom role with a supported role permission. The following least privileged roles are supported for this operation.
+> 
+> - Read basic properties on setting templates and settings - Microsoft Entra Joined Device Local Administrator, Directory Readers, Global Reader
+> - Manage all group/directory settings - Directory Writers
+> - Manage global and local settings for groups; manage `Group.Unified.Guest` and `Group.Unified` settings - Groups Administrator
+> - Update `Password Rule Settings` - Authentication Policy Administrator
+> - Update settings, Read basic properties on setting templates and settings - User Administrator