Entra admin roles - conditional access APIs

FaithOmbongi · FaithOmbongi · commit fed349dcfb23 · 2024-10-16T20:37:32.000+03:00
diff --git a/api-reference/beta/includes/rbac-for-apis/rbac-conditionalaccess-apis-read.md b/api-reference/beta/includes/rbac-for-apis/rbac-conditionalaccess-apis-read.md
@@ -5,5 +5,8 @@ ms.topic: include
 
 > [!IMPORTANT]
 > In delegated scenarios with work or school accounts where the signed-in user is acting on another user, they must be assigned a supported [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) or a custom role with a supported role permission. The following least privileged roles are supported for this operation.
+> - Global Secure Access Administrator - read standard properties
+> - Security Reader - read standard properties
 > - Security Administrator - read standard properties
-> - Conditional Access Administrator
+> - Global Reader
+> - Conditional Access Administrator
diff --git a/api-reference/beta/includes/rbac-for-apis/rbac-conditionalaccess-apis-write.md b/api-reference/beta/includes/rbac-for-apis/rbac-conditionalaccess-apis-write.md
@@ -5,8 +5,5 @@ ms.topic: include
 
 > [!IMPORTANT]
 > In delegated scenarios with work or school accounts where the signed-in user is acting on another user, they must be assigned a supported [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) or a custom role with a supported role permission. The following least privileged roles are supported for this operation.
-> - Global Secure Access Administrator - read standard properties
-> - Security Reader - read standard properties
-> - Security Administrator - read standard properties
-> - Global Reader
+> - Security Administrator
 > - Conditional Access Administrator
diff --git a/api-reference/v1.0/api/authenticationcontextclassreference-delete.md b/api-reference/v1.0/api/authenticationcontextclassreference-delete.md
@@ -23,6 +23,8 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "authenticationcontextclassreference_delete" } -->
 [!INCLUDE [permissions-table](../includes/permissions/authenticationcontextclassreference-delete-permissions.md)]
 
+[!INCLUDE [rbac-conditionalaccess-apis-write](../includes/rbac-for-apis/rbac-conditionalaccess-apis-write.md)]
+
 ## HTTP request
 
 <!-- { "blockType": "ignored" } -->
diff --git a/api-reference/v1.0/api/authenticationcontextclassreference-get.md b/api-reference/v1.0/api/authenticationcontextclassreference-get.md
@@ -23,6 +23,8 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "authenticationcontextclassreference_get" } -->
 [!INCLUDE [permissions-table](../includes/permissions/authenticationcontextclassreference-get-permissions.md)]
 
+[!INCLUDE [rbac-conditionalaccess-apis-read](../includes/rbac-for-apis/rbac-conditionalaccess-apis-read.md)]
+
 ## HTTP request
 
 <!-- { "blockType": "ignored" } -->
diff --git a/api-reference/v1.0/api/authenticationcontextclassreference-update.md b/api-reference/v1.0/api/authenticationcontextclassreference-update.md
@@ -23,6 +23,8 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "authenticationcontextclassreference_update" } -->
 [!INCLUDE [permissions-table](../includes/permissions/authenticationcontextclassreference-update-permissions.md)]
 
+[!INCLUDE [rbac-conditionalaccess-apis-write](../includes/rbac-for-apis/rbac-conditionalaccess-apis-write.md)]
+
 > [!NOTE]
 > This method has a [known permissions issue](https://developer.microsoft.com/en-us/graph/known-issues/?search=13671) and may require consent to multiple permissions.
 
diff --git a/api-reference/v1.0/api/conditionalaccesspolicy-delete.md b/api-reference/v1.0/api/conditionalaccesspolicy-delete.md
@@ -23,6 +23,8 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "ignored"  } // Note: Removing this line will result in the permissions autogeneration tool overwriting the table. -->
 [!INCLUDE [permissions-table](../includes/permissions/conditionalaccesspolicy-delete-permissions.md)]
 
+[!INCLUDE [rbac-conditionalaccess-apis-write](../includes/rbac-for-apis/rbac-conditionalaccess-apis-write.md)]
+
 ## HTTP request
 
 <!-- { "blockType": "ignored" } -->
diff --git a/api-reference/v1.0/api/conditionalaccesspolicy-get.md b/api-reference/v1.0/api/conditionalaccesspolicy-get.md
@@ -23,6 +23,8 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "conditionalaccesspolicy_get" } -->
 [!INCLUDE [permissions-table](../includes/permissions/conditionalaccesspolicy-get-permissions.md)]
 
+[!INCLUDE [rbac-conditionalaccess-apis-read](../includes/rbac-for-apis/rbac-conditionalaccess-apis-read.md)]
+
 ## HTTP request
 
 <!-- { "blockType": "ignored" } -->
diff --git a/api-reference/v1.0/api/conditionalaccesspolicy-update.md b/api-reference/v1.0/api/conditionalaccesspolicy-update.md
@@ -23,6 +23,8 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "ignored"  } // Note: Removing this line will result in the permissions autogeneration tool overwriting the table. -->
 [!INCLUDE [permissions-table](../includes/permissions/conditionalaccesspolicy-update-permissions.md)]
 
+[!INCLUDE [rbac-conditionalaccess-apis-write](../includes/rbac-for-apis/rbac-conditionalaccess-apis-write.md)]
+
 > [!NOTE]
 > This method has a [known permissions issue](https://developer.microsoft.com/en-us/graph/known-issues/?search=13671) and may require consent to multiple permissions.
 
diff --git a/api-reference/v1.0/api/conditionalaccessroot-list-authenticationcontextclassreferences.md b/api-reference/v1.0/api/conditionalaccessroot-list-authenticationcontextclassreferences.md
@@ -25,6 +25,8 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "conditionalaccessroot_list_authenticationcontextclassreferences" } -->
 [!INCLUDE [permissions-table](../includes/permissions/conditionalaccessroot-list-authenticationcontextclassreferences-permissions.md)]
 
+[!INCLUDE [rbac-conditionalaccess-apis-read](../includes/rbac-for-apis/rbac-conditionalaccess-apis-read.md)]
+
 ## HTTP request
 
 <!-- { "blockType": "ignored" } -->
diff --git a/api-reference/v1.0/api/conditionalaccessroot-list-namedlocations.md b/api-reference/v1.0/api/conditionalaccessroot-list-namedlocations.md
@@ -23,6 +23,8 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "conditionalaccessroot_list_namedlocations" } -->
 [!INCLUDE [permissions-table](../includes/permissions/conditionalaccessroot-list-namedlocations-permissions.md)]
 
+[!INCLUDE [rbac-conditionalaccess-apis-read](../includes/rbac-for-apis/rbac-conditionalaccess-apis-read.md)]
+
 ## HTTP request
 
 <!-- { "blockType": "ignored" } -->
diff --git a/api-reference/v1.0/api/conditionalaccessroot-list-policies.md b/api-reference/v1.0/api/conditionalaccessroot-list-policies.md
@@ -23,6 +23,8 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "conditionalaccessroot_list_policies" } -->
 [!INCLUDE [permissions-table](../includes/permissions/conditionalaccessroot-list-policies-permissions.md)]
 
+[!INCLUDE [rbac-conditionalaccess-apis-read](../includes/rbac-for-apis/rbac-conditionalaccess-apis-read.md)]
+
 ## HTTP request
 
 <!-- { "blockType": "ignored" } -->
diff --git a/api-reference/v1.0/api/conditionalaccessroot-list-templates.md b/api-reference/v1.0/api/conditionalaccessroot-list-templates.md
@@ -21,6 +21,8 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "conditionalaccessroot_list_templates" } -->
 [!INCLUDE [permissions-table](../includes/permissions/conditionalaccessroot-list-templates-permissions.md)]
 
+[!INCLUDE [rbac-conditionalaccess-apis-read](../includes/rbac-for-apis/rbac-conditionalaccess-apis-read.md)]
+
 ## HTTP request
 
 <!-- {
diff --git a/api-reference/v1.0/api/conditionalaccessroot-post-namedlocations.md b/api-reference/v1.0/api/conditionalaccessroot-post-namedlocations.md
@@ -23,6 +23,8 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "ignored"  } // Note: Removing this line will result in the permissions autogeneration tool overwriting the table. -->
 [!INCLUDE [permissions-table](../includes/permissions/conditionalaccessroot-post-namedlocations-permissions.md)]
 
+[!INCLUDE [rbac-conditionalaccess-apis-write](../includes/rbac-for-apis/rbac-conditionalaccess-apis-write.md)]
+
 ## HTTP request
 
 <!-- { "blockType": "ignored" } -->
diff --git a/api-reference/v1.0/api/conditionalaccessroot-post-policies.md b/api-reference/v1.0/api/conditionalaccessroot-post-policies.md
@@ -23,6 +23,8 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "ignored"  } // Note: Removing this line will result in the permissions autogeneration tool overwriting the table. -->
 [!INCLUDE [permissions-table](../includes/permissions/conditionalaccessroot-post-policies-permissions.md)]
 
+[!INCLUDE [rbac-conditionalaccess-apis-write](../includes/rbac-for-apis/rbac-conditionalaccess-apis-write.md)]
+
 > [!NOTE]
 > This method has a [known permissions issue](https://developer.microsoft.com/en-us/graph/known-issues/?search=13671) and may require consent to multiple permissions.
 
diff --git a/api-reference/v1.0/api/conditionalaccesstemplate-get.md b/api-reference/v1.0/api/conditionalaccesstemplate-get.md
@@ -21,6 +21,8 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "conditionalaccesstemplate_get" } -->
 [!INCLUDE [permissions-table](../includes/permissions/conditionalaccesstemplate-get-permissions.md)]
 
+[!INCLUDE [rbac-conditionalaccess-apis-read](../includes/rbac-for-apis/rbac-conditionalaccess-apis-read.md)]
+
 ## HTTP request
 
 <!-- {
diff --git a/api-reference/v1.0/api/countrynamedlocation-delete.md b/api-reference/v1.0/api/countrynamedlocation-delete.md
@@ -23,6 +23,8 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "ignored"  } // Note: Removing this line will result in the permissions autogeneration tool overwriting the table. -->
 [!INCLUDE [permissions-table](../includes/permissions/countrynamedlocation-delete-permissions.md)]
 
+[!INCLUDE [rbac-conditionalaccess-apis-write](../includes/rbac-for-apis/rbac-conditionalaccess-apis-write.md)]
+
 ## HTTP request
 
 <!-- { "blockType": "ignored" } -->
diff --git a/api-reference/v1.0/api/countrynamedlocation-get.md b/api-reference/v1.0/api/countrynamedlocation-get.md
@@ -23,6 +23,8 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "countrynamedlocation_get" } -->
 [!INCLUDE [permissions-table](../includes/permissions/countrynamedlocation-get-permissions.md)]
 
+[!INCLUDE [rbac-conditionalaccess-apis-read](../includes/rbac-for-apis/rbac-conditionalaccess-apis-read.md)]
+
 ## HTTP request
 
 <!-- { "blockType": "ignored" } -->
diff --git a/api-reference/v1.0/api/countrynamedlocation-update.md b/api-reference/v1.0/api/countrynamedlocation-update.md
@@ -23,6 +23,8 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "ignored"  } // Note: Removing this line will result in the permissions autogeneration tool overwriting the table. -->
 [!INCLUDE [permissions-table](../includes/permissions/countrynamedlocation-update-permissions.md)]
 
+[!INCLUDE [rbac-conditionalaccess-apis-write](../includes/rbac-for-apis/rbac-conditionalaccess-apis-write.md)]
+
 ## HTTP request
 
 <!-- { "blockType": "ignored" } -->
diff --git a/api-reference/v1.0/api/ipnamedlocation-delete.md b/api-reference/v1.0/api/ipnamedlocation-delete.md
@@ -23,6 +23,8 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "ignored"  } // Note: Removing this line will result in the permissions autogeneration tool overwriting the table. -->
 [!INCLUDE [permissions-table](../includes/permissions/ipnamedlocation-delete-permissions.md)]
 
+[!INCLUDE [rbac-conditionalaccess-apis-write](../includes/rbac-for-apis/rbac-conditionalaccess-apis-write.md)]
+
 ## HTTP request
 
 <!-- { "blockType": "ignored" } -->
diff --git a/api-reference/v1.0/api/ipnamedlocation-get.md b/api-reference/v1.0/api/ipnamedlocation-get.md
@@ -1,4 +1,6 @@
----
+
+
+[!INCLUDE [rbac-conditionalaccess-apis-write](../includes/rbac-for-apis/rbac-conditionalaccess-apis-write.md)]---
 title: "Get ipNamedLocation"
 description: "Retrieve the properties and relationships of an ipnamedlocation object."
 ms.localizationpriority: medium
@@ -23,6 +25,8 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "ipnamedlocation_get" } -->
 [!INCLUDE [permissions-table](../includes/permissions/ipnamedlocation-get-permissions.md)]
 
+[!INCLUDE [rbac-conditionalaccess-apis-read](../includes/rbac-for-apis/rbac-conditionalaccess-apis-read.md)]
+
 ## HTTP request
 
 <!-- { "blockType": "ignored" } -->
diff --git a/api-reference/v1.0/api/ipnamedlocation-update.md b/api-reference/v1.0/api/ipnamedlocation-update.md
@@ -23,6 +23,8 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "ignored"  } // Note: Removing this line will result in the permissions autogeneration tool overwriting the table. -->
 [!INCLUDE [permissions-table](../includes/permissions/ipnamedlocation-update-permissions.md)]
 
+[!INCLUDE [rbac-conditionalaccess-apis-write](../includes/rbac-for-apis/rbac-conditionalaccess-apis-write.md)]
+
 ## HTTP request
 
 <!-- { "blockType": "ignored" } -->
diff --git a/api-reference/v1.0/api/namedlocation-delete.md b/api-reference/v1.0/api/namedlocation-delete.md
@@ -23,6 +23,8 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "ignored"  } // Note: Removing this line will result in the permissions autogeneration tool overwriting the table. -->
 [!INCLUDE [permissions-table](../includes/permissions/namedlocation-delete-permissions.md)]
 
+[!INCLUDE [rbac-conditionalaccess-apis-write](../includes/rbac-for-apis/rbac-conditionalaccess-apis-write.md)]
+
 ## HTTP request
 
 <!-- { "blockType": "ignored" } -->
diff --git a/api-reference/v1.0/api/namedlocation-get.md b/api-reference/v1.0/api/namedlocation-get.md
@@ -23,6 +23,8 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "namedlocation_get" } -->
 [!INCLUDE [permissions-table](../includes/permissions/namedlocation-get-permissions.md)]
 
+[!INCLUDE [rbac-conditionalaccess-apis-read](../includes/rbac-for-apis/rbac-conditionalaccess-apis-read.md)]
+
 ## HTTP request
 
 <!-- { "blockType": "ignored" } -->
diff --git a/api-reference/v1.0/includes/rbac-for-apis/rbac-conditionalaccess-apis-read.md b/api-reference/v1.0/includes/rbac-for-apis/rbac-conditionalaccess-apis-read.md
@@ -0,0 +1,12 @@
+---
+author: lisaychuang
+ms.topic: include
+---
+
+> [!IMPORTANT]
+> In delegated scenarios with work or school accounts where the signed-in user is acting on another user, they must be assigned a supported [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) or a custom role with a supported role permission. The following least privileged roles are supported for this operation.
+> - Global Secure Access Administrator - read standard properties
+> - Security Reader - read standard properties
+> - Security Administrator - read standard properties
+> - Global Reader
+> - Conditional Access Administrator
diff --git a/api-reference/v1.0/includes/rbac-for-apis/rbac-conditionalaccess-apis-write.md b/api-reference/v1.0/includes/rbac-for-apis/rbac-conditionalaccess-apis-write.md
@@ -0,0 +1,9 @@
+---
+author: lisaychuang
+ms.topic: include
+---
+
+> [!IMPORTANT]
+> In delegated scenarios with work or school accounts where the signed-in user is acting on another user, they must be assigned a supported [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) or a custom role with a supported role permission. The following least privileged roles are supported for this operation.
+> - Security Administrator
+> - Conditional Access Administrator
