Merge pull request #266575 from rolyon/rolyon-rbac-elevate-access-list-role-assignments-root-scope

[Azure RBAC] Perform steps at root scope and add tabs

Author: American-Dipper

articles/lighthouse/how-to/monitor-delegation-changes.md

@@ -61,7 +61,7 @@ az role assignment create --assignee 00000000-0000-0000-0000-000000000000 --role
 
 ### Remove elevated access for the Global Administrator account
 
-After you've assigned the Monitoring Reader role at root scope to the desired account, be sure to [remove the elevated access](../../role-based-access-control/elevate-access-global-admin.md#remove-elevated-access) for the Global Administrator account, as this level of access will no longer be needed.
+After you've assigned the Monitoring Reader role at root scope to the desired account, be sure to [remove the elevated access](../../role-based-access-control/elevate-access-global-admin.md) for the Global Administrator account, as this level of access will no longer be needed.
 
 ## View delegation changes in the Azure portal
 

articles/role-based-access-control/elevate-access-global-admin.md

@@ -6,7 +6,7 @@ author: rolyon
 manager: amycolannino
 ms.service: role-based-access-control
 ms.topic: how-to
-ms.date: 02/09/2024
+ms.date: 02/16/2024
 ms.author: rolyon
 ms.custom: devx-track-azurepowershell, devx-track-azurecli
 ---
@@ -35,9 +35,11 @@ You should remove this elevated access once you have made the changes you need t
 
 ![Elevate access](./media/elevate-access-global-admin/elevate-access.png)
 
-## Azure portal
+## Perform steps at root scope
 
-### Elevate access for a Global Administrator
+# [Azure portal](#tab/azure-portal)
+
+### Step 1: Elevate access for a Global Administrator
 
 Follow these steps to elevate access for a Global Administrator using the Azure portal.
 
@@ -78,7 +80,7 @@ Follow these steps to elevate access for a Global Administrator using the Azure
 
 1. Perform the steps in the following section to remove your elevated access.
 
-### Remove elevated access
+### Step 2: Remove elevated access
 
 To remove the User Access Administrator role assignment at root scope (`/`), follow these steps.
 
@@ -99,13 +101,15 @@ To remove the User Access Administrator role assignment at root scope (`/`), fol
     > [!NOTE]
     > If you're using [Privileged Identity Management](../active-directory/privileged-identity-management/pim-configure.md), deactivating your role assignment does not change the **Access management for Azure resources** toggle to **No**. To maintain least privileged access, we recommend that you set this toggle to **No** before you deactivate your role assignment.
 
-## Azure PowerShell
+# [PowerShell](#tab/powershell)
+
+### Step 1: Elevate access for a Global Administrator
 
-[!INCLUDE [az-powershell-update](../../includes/updated-for-az.md)]
+Use the Azure portal or REST API to elevate access for a Global Administrator.
 
-### List role assignment at root scope (/)
+### Step 2: List role assignment at root scope (/)
 
-To list the User Access Administrator role assignment for a user at root scope (`/`), use the [Get-AzRoleAssignment](/powershell/module/az.resources/get-azroleassignment) command.
+Once you have elevated access, to list the User Access Administrator role assignment for a user at root scope (`/`), use the [Get-AzRoleAssignment](/powershell/module/az.resources/get-azroleassignment) command.
 
 ```azurepowershell
 Get-AzRoleAssignment | where {$_.RoleDefinitionName -eq "User Access Administrator" `
@@ -124,7 +128,7 @@ ObjectType         : User
 CanDelegate        : False
 ```
 
-### Remove elevated access
+### Step 3: Remove elevated access
 
 To remove the User Access Administrator role assignment for yourself or another user at root scope (`/`), follow these steps.
 
@@ -137,9 +141,9 @@ To remove the User Access Administrator role assignment for yourself or another
       -RoleDefinitionName "User Access Administrator" -Scope "/"
     ```
 
-## Azure CLI
+# [Azure CLI](#tab/azure-cli)
 
-### Elevate access for a Global Administrator
+### Step 1: Elevate access for a Global Administrator
 
 Use the following basic steps to elevate access for a Global Administrator using the Azure CLI.
 
@@ -155,9 +159,9 @@ Use the following basic steps to elevate access for a Global Administrator using
 
 1. Perform the steps in a later section to remove your elevated access.
 
-### List role assignment at root scope (/)
+### Step 2: List role assignment at root scope (/)
 
-To list the User Access Administrator role assignment for a user at root scope (`/`), use the [az role assignment list](/cli/azure/role/assignment#az-role-assignment-list) command.
+Once you have elevated access, to list the User Access Administrator role assignment for a user at root scope (`/`), use the [az role assignment list](/cli/azure/role/assignment#az-role-assignment-list) command.
 
 ```azurecli
 az role assignment list --role "User Access Administrator" --scope "/"
@@ -181,7 +185,7 @@ az role assignment list --role "User Access Administrator" --scope "/"
 
 ```
 
-### Remove elevated access
+### Step 3: Remove elevated access
 
 To remove the User Access Administrator role assignment for yourself or another user at root scope (`/`), follow these steps.
 
@@ -193,7 +197,7 @@ To remove the User Access Administrator role assignment for yourself or another
     az role assignment delete --assignee [email protected] --role "User Access Administrator" --scope "/"
     ```
 
-## REST API
+# [REST API](#tab/rest-api)
 
 ### Prerequisites
 
@@ -205,7 +209,7 @@ You must use the following versions:
 
 For more information, see [API versions of Azure RBAC REST APIs](/rest/api/authorization/versions).
 
-### Elevate access for a Global Administrator
+### Step 1: Elevate access for a Global Administrator
 
 Use the following basic steps to elevate access for a Global Administrator using the REST API.
 
@@ -221,27 +225,27 @@ Use the following basic steps to elevate access for a Global Administrator using
 
 1. Perform the steps in a later section to remove your elevated access.
 
-### List role assignments at root scope (/)
+### Step 2: List role assignments at root scope (/)
 
-You can list all of the role assignments for a user at root scope (`/`).
+Once you have elevated access, you can list all of the role assignments for a user at root scope (`/`).
 
 - Call [Role Assignments - List For Scope](/rest/api/authorization/role-assignments/list-for-scope) where `{objectIdOfUser}` is the object ID of the user whose role assignments you want to retrieve.
 
    ```http
    GET https://management.azure.com/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01&$filter=principalId+eq+'{objectIdOfUser}'
    ```
 
-### List deny assignments at root scope (/)
+### Step 3: List deny assignments at root scope (/)
 
-You can list all of the deny assignments for a user at root scope (`/`).
+Once you have elevated access, you can list all of the deny assignments for a user at root scope (`/`).
 
-- Call GET denyAssignments where `{objectIdOfUser}` is the object ID of the user whose deny assignments you want to retrieve.
+- Call [Deny Assignments - List For Scope](/rest/api/authorization/deny-assignments/list-for-scope) where `{objectIdOfUser}` is the object ID of the user whose deny assignments you want to retrieve.
 
    ```http
    GET https://management.azure.com/providers/Microsoft.Authorization/denyAssignments?api-version=2022-04-01&$filter=gdprExportPrincipalId+eq+'{objectIdOfUser}'
    ```
 
-### Remove elevated access
+### Step 4: Remove elevated access
 
 When you call `elevateAccess`, you create a role assignment for yourself, so to revoke those privileges you need to remove the User Access Administrator role assignment for yourself at root scope (`/`).
 
@@ -332,6 +336,8 @@ When you call `elevateAccess`, you create a role assignment for yourself, so to
     DELETE https://management.azure.com/providers/Microsoft.Authorization/roleAssignments/11111111-1111-1111-1111-111111111111?api-version=2022-04-01
     ```
 
+---
+
 ## View elevate access log entries in the Directory Activity logs
 
 When access is elevated, an entry is added to the logs. As a Global Administrator in Microsoft Entra ID, you might want to check when access was elevated and who did it. Elevate access log entries do not appear in the standard activity logs, but instead appear in the Directory Activity logs. This section describes different ways that you can view the elevate access log entries.