SFI - Global Admin remediation for Azure AD B2C docs

kengaderdus · kengaderdus · commit 0f99143d380f · 2024-09-10T07:38:48.000+03:00
diff --git a/articles/active-directory-b2c/tenant-management-check-tenant-creation-permission.md b/articles/active-directory-b2c/tenant-management-check-tenant-creation-permission.md
@@ -10,7 +10,7 @@ ms.service: active-directory
 
 ms.topic: tutorial
 ms.custom: b2c-docs-improvements
-ms.date: 06/21/2024
+ms.date: 09/11/2024
 ms.author: kengaderdus
 ms.reviewer: yoelh
 ms.subservice: B2C
@@ -22,7 +22,7 @@ ms.subservice: B2C
 
 # Review tenant creation permission in Azure Active Directory B2C
 
-Anyone who creates an Azure Active Directory B2C (Azure AD B2C) becomes the *Global Administrator* of the tenant. It's a security risk if a non-admin user is allowed to create a tenant. 
+It's a security risk if a non-admin user in a tenant is allowed to create a tenant. As a [Global Administrator](/entra/identity/role-based-access-control/permissions-reference#global-administrator) in an Azure AD B2C tenant, you can restrict non-admin users from creating tenants.
 
 In this article, you learn how, as an admin, you can restrict tenant creation for non-admins. Also, you learn how, as a non-admin user, you can check if you've permission to create a tenant.
 
@@ -32,9 +32,7 @@ In this article, you learn how, as an admin, you can restrict tenant creation fo
 
 ## Restrict non-admin users from creating Azure AD B2C tenants
 
-As a *Global Administrator* in an Azure AD B2C tenant, you can restrict non-admin users from creating tenants. To do so, use the following steps:
-
-1. Sign in to the [Azure portal](https://portal.azure.com).
+1. Sign in to the [Azure portal](https://portal.azure.com) as a [Global Administrator](/entra/identity/role-based-access-control/permissions-reference#global-administrator).
 
 1. If you have access to multiple tenants, select the **Settings** icon in the top menu to switch to your Azure AD B2C tenant from the **Directories + subscriptions** menu.
 
@@ -58,10 +56,10 @@ Before you create an Azure AD B2C tenant, make sure that you've the permission t
 
 1. Under **Manage**, select **User Settings**.
 
-1.  Under **Default user role permissions**, review your **Restrict non-admin users from creating tenants** setting. If the setting is set to **No**, then contact your administrator to assign the tenant creator role to you. The setting is greyed out if you're not an administrator in the tenant.
+1.  Under **Default user role permissions**, review your **Restrict non-admin users from creating tenants** setting. If the setting is set to **No**, then contact your administrator to assign you [Tenant Creator](/entra/identity/role-based-access-control/permissions-reference#tenant-creator) role. The setting is greyed out if you're not an administrator in the tenant.
 
 
-## Next steps 
+## Related content
 
 - [Read tenant name and ID](tenant-management-read-tenant-name.md)
 - [Clean up resources and delete tenant](tutorial-delete-tenant.md)
diff --git a/articles/active-directory-b2c/tenant-management-emergency-access-account.md b/articles/active-directory-b2c/tenant-management-emergency-access-account.md
@@ -5,11 +5,9 @@ description: Learn how to manage emergency access accounts in Azure AD B2C tenan
 
 author: kengaderdus
 manager: CelesteDG
-
 ms.service: active-directory
-
 ms.topic: tutorial
-ms.date: 06/21/2024
+ms.date: 09/11/2024
 ms.custom: b2c-docs-improvements
 ms.reviewer: yoelh
 ms.author: kengaderdus
@@ -47,7 +45,7 @@ Create two or more emergency access accounts. These accounts should be cloud-onl
 
 Use the following steps to create an emergency access account:
 
-1. Sign in to the [Azure portal](https://portal.azure.com) as an existing Global Administrator. If you use your Microsoft Entra account, make sure you're using the directory that contains your Azure AD B2C tenant:
+1. Sign in to the [Azure portal](https://portal.azure.com) as an existing [Global Administrator](/entra/identity/role-based-access-control/permissions-reference#global-administrator). If you use your Microsoft Entra account, make sure you're using the directory that contains your Azure AD B2C tenant:
 
     1. Select the **Directories + subscriptions** icon in the portal toolbar.
     
diff --git a/articles/active-directory-b2c/tenant-management-manage-administrator.md b/articles/active-directory-b2c/tenant-management-manage-administrator.md
@@ -1,23 +1,19 @@
 ---
 title: Manage administrator accounts in Azure Active Directory B2C
 titleSuffix: Azure Active Directory B2C
-description: Learn how to add an administrator account to your Azure Active Directory B2C tenant. Learn how to invite a guest account as an administrator into your Azure AD B2C tenant. 
-
+description: Learn how to add an administrator account to your Azure Active Directory B2C tenant. Learn how to invite a guest account as an administrator into your Azure AD B2C tenant
 author: kengaderdus
 manager: CelesteDG
-
 ms.service: active-directory
-
 ms.topic: tutorial
 ms.custom: b2c-docs-improvements
-ms.date: 06/21/2024
+ms.date: 09/11/2024
 ms.reviewer: yoelh
 ms.author: kengaderdus
 ms.subservice: B2C
 
 
 #Customer intent: As an Azure AD B2C administrator, I want to manage administrator accounts, add new administrators (work and guest accounts), assign roles to user accounts, remove role assignments, delete administrator accounts, and protect administrative accounts with multifactor authentication, so that I can control access and ensure security in my Azure AD B2C tenant.
-
 ---
 
 # Manage administrator accounts in Azure Active Directory B2C
@@ -43,7 +39,7 @@ In this article, you learn how to:
 
 To create a new administrative account, follow these steps:
 
-1. Sign in to the [Azure portal](https://portal.azure.com/) as at least Privileged Role Administrator permissions.
+1. Sign in to the [Azure portal](https://portal.azure.com/) as at least [Privileged Role Administrator](/entra/identity/role-based-access-control/permissions-reference#privileged-role-administrator) permissions.
 1. If you have access to multiple tenants, select the **Settings** icon in the top menu to switch to your Azure AD B2C tenant from the **Directories + subscriptions** menu.
 1. Under **Azure services**, select **Azure AD B2C**. Or use the search box to find and select **Azure AD B2C**.
 1. Under **Manage**, select **Users**.
@@ -70,7 +66,7 @@ You can also invite a new guest user to manage your tenant. The guest account is
 
 To invite a user, follow these steps:
 
-1. Sign in to the [Azure portal](https://portal.azure.com/) as at least Privileged Role Administrator permissions.
+1. Sign in to the [Azure portal](https://portal.azure.com/) as at least [Privileged Role Administrator](/entra/identity/role-based-access-control/permissions-reference#privileged-role-administrator) permissions.
 1. If you have access to multiple tenants, select the **Settings** icon in the top menu to switch to your Azure AD B2C tenant from the **Directories + subscriptions** menu.
 1. Under **Azure services**, select **Azure AD B2C**. Or use the search box to find and select **Azure AD B2C**.
 1. Under **Manage**, select **Users**.
@@ -109,7 +105,7 @@ If the guest didn't receive the invitation email, or the invitation expired, you
 
 You can assign a role when you [create a user](#add-an-administrator-work-account) or [invite a guest user](#invite-an-administrator-guest-account). You can add a role, change the role, or remove a role for a user:
 
-1. Sign in to the [Azure portal](https://portal.azure.com/) as at least Privileged Role Administrator permissions.
+1. Sign in to the [Azure portal](https://portal.azure.com/) as at least [Privileged Role Administrator](/entra/identity/role-based-access-control/permissions-reference#privileged-role-administrator) permissions.
 1. If you have access to multiple tenants, select the **Settings** icon in the top menu to switch to your Azure AD B2C tenant from the **Directories + subscriptions** menu.
 1. Under **Azure services**, select **Azure AD B2C**. Or use the search box to find and select **Azure AD B2C**.
 1. Under **Manage**, select **Users**.
@@ -127,15 +123,15 @@ If you need to remove a role assignment from a user, follow these steps:
 
 As part of an auditing process, you typically review which users are assigned to specific roles in the Azure AD B2C directory. Use the following steps to audit which users are currently assigned privileged roles.
 
-1. Sign in to the [Azure portal](https://portal.azure.com/) as Privileged Role Administrator.
+1. Sign in to the [Azure portal](https://portal.azure.com/) as [Privileged Role Administrator](/entra/identity/role-based-access-control/permissions-reference#privileged-role-administrator).
 1. If you have access to multiple tenants, select the **Settings** icon in the top menu to switch to your Azure AD B2C tenant from the **Directories + subscriptions** menu.
 1. Under **Azure services**, select **Azure AD B2C**. Or use the search box to find and select **Azure AD B2C**.
 1. Under **Manage**, select **Roles and administrators**.
 1. Select a role, such as **Global administrator**. The **Role | Assignments** page lists the users with that role.
 
 ## Delete an administrator account
 
-To delete an existing user, you must have a *Global administrator* role assignment. Global admins can delete any user, including other admins. *User administrators* can delete any non-admin user.
+To delete an existing user, you must have a [Global administrator](/entra/identity/role-based-access-control/permissions-reference#global-administrator) role assignment. Global administrators can delete any user, including other admins. *User administrators* can delete any non-admin user.
 
 1. In your Azure AD B2C directory, select **Users**, and then select the user you want to delete.
 1. Select **Delete**, and then **Yes** to confirm the deletion.
diff --git a/articles/active-directory-b2c/tutorial-create-tenant.md b/articles/active-directory-b2c/tutorial-create-tenant.md
@@ -8,7 +8,7 @@ manager: CelesteDG
 ms.service: active-directory
 
 ms.topic: tutorial
-ms.date: 01/11/2024
+ms.date: 09/11/2024
 ms.author: kengaderdus
 ms.subservice: B2C
 ms.custom: "b2c-support"
@@ -48,11 +48,10 @@ Before you create your Azure AD B2C tenant, you need to take the following consi
 
 ## Create an Azure AD B2C tenant
 >[!NOTE]
->If you're unable to create Azure AD B2C tenant, [review your user settings page](tenant-management-check-tenant-creation-permission.md) to ensure that tenant creation isn't switched off. If tenant creation is switched on, ask your *Global Administrator* to assign you a **Tenant Creator** role.
+>If you're unable to create Azure AD B2C tenant, [review your user settings page](tenant-management-check-tenant-creation-permission.md) to ensure that tenant creation isn't switched off. If tenant creation is switched on, ask your [Global Administrator](/entra/identity/role-based-access-control/permissions-reference#global-administrator) to assign you a [Tenant Creator](/entra/identity/role-based-access-control/permissions-reference#tenant-creator) role.
 
 1. Sign in to the [Azure portal](https://portal.azure.com). 
 
-
 1. Make sure you're using the Microsoft Entra tenant that contains your subscription: 
 
     1. In the Azure portal toolbar, select the **Directories + subscriptions** icon.
@@ -150,4 +149,4 @@ In this article, you learned how to:
 Next, learn how to register a web application in your new tenant.
 
 > [!div class="nextstepaction"]
-> [Register your applications >](tutorial-register-applications.md)
+> [Register your applications >](tutorial-register-applications.md)
diff --git a/articles/active-directory-b2c/tutorial-delete-tenant.md b/articles/active-directory-b2c/tutorial-delete-tenant.md
@@ -8,7 +8,7 @@ manager: CelesteDG
 ms.service: active-directory
 
 ms.topic: tutorial
-ms.date: 01/11/2024
+ms.date: 09/11/2024
 ms.author: kengaderdus
 ms.subservice: B2C
 
@@ -28,7 +28,7 @@ When you've finished the Azure Active Directory B2C (Azure AD B2C) tutorials, yo
 
 ## Identify cleanup tasks
 
-1. Sign in to the [Azure portal](https://portal.azure.com/) with a global administrator or subscription administrator role. Use the same work or school account or the same Microsoft account that you used to sign up for Azure.
+1. Sign in to the [Azure portal](https://portal.azure.com/) with a [Global Administrator](/entra/identity/role-based-access-control/permissions-reference#global-administrator) role. Use the same work or school account or the same Microsoft account that you used to sign up for Azure.
 1. If you have access to multiple tenants, select the **Settings** icon in the top menu to switch to your Azure AD B2C tenant from the **Directories + subscriptions** menu.
 1. In the Azure portal, search for and select the **Microsoft Entra ID** service.
 1. In the left menu, under **Manage**, select **Properties**.
@@ -45,7 +45,7 @@ When you've finished the Azure Active Directory B2C (Azure AD B2C) tutorials, yo
 
 If you've the confirmation page open from the previous section, you can use the links in the **Required action** column to open the Azure portal pages where you can remove these resources. Or, you can remove tenant resources from within the Azure AD B2C service using the following steps.
 
-1. Sign in to the [Azure portal](https://portal.azure.com/) with a global administrator or subscription administrator role. Use the same work or school account or the same Microsoft account that you used to sign up for Azure.
+1. Sign in to the [Azure portal](https://portal.azure.com/) with a [Global Administrator](/entra/identity/role-based-access-control/permissions-reference#global-administrator). Use the same work or school account or the same Microsoft account that you used to sign up for Azure.
 1. If you have access to multiple tenants, select the **Settings** icon in the top menu to switch to your Azure AD B2C tenant from the **Directories + subscriptions** menu.
 1. In the Azure portal, select the **Azure AD B2C** service, or search for and select **Azure AD B2C**.
 1. Delete all users *except* the admin account you're currently signed in as: 
@@ -86,7 +86,7 @@ If you've the confirmation page open from the previous section, you can use the
 
 Once you delete all the tenant resources, you can now delete the tenant itself: 
 
-1. Sign in to the [Azure portal](https://portal.azure.com/) with a global administrator or subscription administrator role. Use the same work or school account or the same Microsoft account that you used to sign up for Azure.
+1. Sign in to the [Azure portal](https://portal.azure.com/) with a [Global Administrator](/entra/identity/role-based-access-control/permissions-reference#global-administrator). Use the same work or school account or the same Microsoft account that you used to sign up for Azure.
 1. If you have access to multiple tenants, select the **Settings** icon in the top menu to switch to your Azure AD B2C tenant from the **Directories + subscriptions** menu.
 1. In the Azure portal, search for and select the **Microsoft Entra ID** service.
 1. If you haven't already granted yourself access management permissions, do the following:
@@ -110,4 +110,4 @@ In this article, you learned how to:
 > * Delete your tenant resources
 > * Delete the tenant
 
-Next, learn more about getting started with Azure AD B2C [user flows and custom policies](user-flow-overview.md).
+Next, learn more about getting started with Azure AD B2C [user flows and custom policies](user-flow-overview.md).
diff --git a/articles/active-directory-b2c/user-flow-custom-attributes.md b/articles/active-directory-b2c/user-flow-custom-attributes.md
@@ -8,7 +8,7 @@ manager: CelesteDG
 ms.service: active-directory
 
 ms.topic: how-to
-ms.date: 01/11/2024
+ms.date: 09/11/2024
 ms.author: kengaderdus
 ms.subservice: B2C
 zone_pivot_groups: b2c-policy-type
@@ -40,7 +40,7 @@ Azure AD B2C allows you to extend the set of attributes stored on each user acco
 
 ## Create a custom attribute
 
-1. Sign in to the [Azure portal](https://portal.azure.com/) as the global administrator of your Azure AD B2C tenant.
+1. Sign in to the [Azure portal](https://portal.azure.com/) as at least [External ID User Flow Attribute Administrator](/entra/identity/role-based-access-control/permissions-reference#external-id-user-flow-attribute-administrator) of your Azure AD B2C tenant.
 1. If you have access to multiple tenants, select the **Settings** icon in the top menu to switch to your Azure AD B2C tenant from the **Directories + subscriptions** menu.
 1. Choose **All services** in the top-left corner of the Azure portal, search for and select **Azure AD B2C**.
 1. Select **User attributes**, and then select **Add**.
@@ -199,7 +199,7 @@ Unlike built-in attributes, custom attributes can be removed. The extension attr
 
 Use the following steps to remove a custom attribute from a user flow in your tenant:
 
-1. Sign in to the [Azure portal](https://portal.azure.com/) as the global administrator of your Azure AD B2C tenant.
+1. Sign in to the [Azure portal](https://portal.azure.com/) as at least [External ID User Flow Attribute Administrator](/entra/identity/role-based-access-control/permissions-reference#external-id-user-flow-attribute-administrator) of your Azure AD B2C tenant.
 2. Make sure you're using the directory that contains your Azure AD B2C tenant:
     1. Select the **Directories + subscriptions** icon in the portal toolbar.
     1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the Directory name list, and then select **Switch**
@@ -215,8 +215,6 @@ Use the [Microsoft Graph API](microsoft-graph-operations.md#application-extensio
 
 ::: zone-end
 
- 
-
 
 ## Next steps
 
