Merge pull request #25640 from microsoftgraph/rbac-directoryAudits

Entra admin roles - directory audit/audit logs

Author: Lauragra

api-reference/beta/api/directoryaudit-get.md

@@ -24,7 +24,7 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "ignored"  } // Note: Removing this line will result in the permissions autogeneration tool overwriting the table. -->
 [!INCLUDE [permissions-table](../includes/permissions/directoryaudit-get-permissions.md)]
 
-In addition, apps must be [properly registered](/azure/active-directory/active-directory-reporting-api-prerequisites-azure-portal) to Microsoft Entra ID.
+[!INCLUDE [rbac-directoryaudit-apis](../includes/rbac-for-apis/rbac-directoryaudit-apis.md)]
 
 ## HTTP request
 

api-reference/beta/api/directoryaudit-list.md

@@ -24,7 +24,7 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "ignored"  } // Note: Removing this line will result in the permissions autogeneration tool overwriting the table. -->
 [!INCLUDE [permissions-table](../includes/permissions/directoryaudit-list-permissions.md)]
 
-In addition, apps must be [properly registered](/azure/active-directory/active-directory-reporting-api-prerequisites-azure-portal) to Microsoft Entra ID.
+[!INCLUDE [rbac-directoryaudit-apis](../includes/rbac-for-apis/rbac-directoryaudit-apis.md)]
 
 ## HTTP request
 

api-reference/beta/includes/rbac-for-apis/rbac-directoryaudit-apis.md

@@ -0,0 +1,10 @@
+---
+author: egreenberg14
+ms.topic: include
+---
+
+> [!IMPORTANT]
+> In delegated scenarios with work or school accounts, the signed-in user must be assigned a supported [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) or a custom role with a supported role permission. The following least privileged roles are supported for this operation:
+> - Reports Reader
+> - Security Administrator
+> - Security Reader

api-reference/v1.0/api/directoryaudit-get.md

@@ -22,6 +22,8 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "ignored"  } // Note: Removing this line will result in the permissions autogeneration tool overwriting the table. -->
 [!INCLUDE [permissions-table](../includes/permissions/directoryaudit-get-permissions.md)]
 
+[!INCLUDE [rbac-directoryaudit-apis](../includes/rbac-for-apis/rbac-directoryaudit-apis.md)]
+
 ## HTTP request
 
 <!-- { "blockType": "ignored" } -->

api-reference/v1.0/api/directoryaudit-list.md

@@ -22,6 +22,8 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "ignored"  } // Note: Removing this line will result in the permissions autogeneration tool overwriting the table. -->
 [!INCLUDE [permissions-table](../includes/permissions/directoryaudit-list-permissions.md)]
 
+[!INCLUDE [rbac-directoryaudit-apis](../includes/rbac-for-apis/rbac-directoryaudit-apis.md)]
+
 ## HTTP request
 
 <!-- { "blockType": "ignored" } -->

api-reference/v1.0/includes/rbac-for-apis/rbac-directoryaudit-apis.md

@@ -0,0 +1,10 @@
+---
+author: egreenberg14
+ms.topic: include
+---
+
+> [!IMPORTANT]
+> In delegated scenarios with work or school accounts, the signed-in user must be assigned a supported [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) or a custom role with a supported role permission. The following least privileged roles are supported for this operation:
+> - Reports Reader
+> - Security Administrator
+> - Security Reader