Merge pull request #224575 from msmimart/mm-idp-perms

prmerger-automator[bot] · web-flow · commit 128889427f46 · 2023-01-20T20:36:30.000Z
[EIXD] Add roles required for configuring SAML/Ws-Fed, Google, and Facebook IdPs
diff --git a/articles/active-directory/external-identities/direct-federation.md b/articles/active-directory/external-identities/direct-federation.md
@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: B2B
 ms.topic: how-to
-ms.date: 10/24/2022
+ms.date: 01/20/2023
 
 ms.author: mimart
 author: msmimart
@@ -96,6 +96,10 @@ Setting up SAML/WS-Fed IdP federation doesn’t change the authentication method
 
 Currently, the Azure AD SAML/WS-Fed federation feature doesn't support sending a signed authentication token to the SAML identity provider.
 
+**What permissions are required to configure a SAML/Ws-Fed identity provider?**
+
+You need to be an [External Identity Provider Administrator](../roles/permissions-reference.md#external-identity-provider-administrator) or a [Global Administrator](../roles/permissions-reference.md#global-administrator) in your Azure AD tenant to configure a SAML/Ws-Fed identity provider.
+
 ## Step 1: Determine if the partner needs to update their DNS text records
 
 Depending on the partner's IdP, the partner might need to update their DNS records to enable federation with you. Use the following steps to determine if DNS updates are needed.
@@ -187,9 +191,10 @@ Next, you'll configure federation with the IdP configured in step 1 in Azure AD.
 
 ### To configure federation in the Azure AD portal
 
-1. Go to the [Azure portal](https://portal.azure.com/). In the left pane, select **Azure Active Directory**.
-2. Select **External Identities** > **All identity providers**.
-3. Select **New SAML/WS-Fed IdP**.
+1. Sign in to the [Azure portal](https://portal.azure.com/) as an External Identity Provider Administrator or a Global Administrator. 
+2. In the left pane, select **Azure Active Directory**.
+3. Select **External Identities** > **All identity providers**.
+4. Select **New SAML/WS-Fed IdP**.
 
     ![Screenshot showing button for adding a new SAML or WS-Fed IdP.](media/direct-federation/new-saml-wsfed-idp.png)
 
@@ -238,11 +243,12 @@ On the **All identity providers** page, you can view the list of SAML/WS-Fed ide
 
 ![Screenshot showing an identity provider in the SAML WS-Fed list](media/direct-federation/new-saml-wsfed-idp-list-multi.png)
 
-1. Go to the [Azure portal](https://portal.azure.com/). In the left pane, select **Azure Active Directory**.
-1. Select **External Identities**.
-1. Select **All identity providers**.
-1. Under **SAML/WS-Fed identity providers**, scroll to an identity provider in the list or use the search box.
-1. To update the certificate or modify configuration details:
+1. Sign in to the [Azure portal](https://portal.azure.com) as an External Identity Provider Administrator or a Global Administrator.
+2. In the left pane, select **Azure Active Directory**.
+3. Select **External Identities**.
+4. Select **All identity providers**.
+5. Under **SAML/WS-Fed identity providers**, scroll to an identity provider in the list or use the search box.
+6. To update the certificate or modify configuration details:
    - In the **Configuration** column for the identity provider, select the **Edit** link.
    - On the configuration page, modify any of the following details:
      - **Display name** - Display name for the partner's organization.
diff --git a/articles/active-directory/external-identities/facebook-federation.md b/articles/active-directory/external-identities/facebook-federation.md
@@ -7,7 +7,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: B2B
 ms.topic: how-to
-ms.date: 01/06/2023
+ms.date: 01/20/2023
 
 ms.author: mimart
 author: msmimart
@@ -63,7 +63,7 @@ To use a Facebook account as an [identity provider](identity-providers.md), you
 Now you'll set the Facebook client ID and client secret, either by entering it in the Azure AD portal or by using PowerShell. You can test your Facebook configuration by signing up via a user flow on an app enabled for self-service sign-up.
 
 ### To configure Facebook federation in the Azure AD portal
-1. Sign in to the [Azure portal](https://portal.azure.com) as the global administrator of your Azure AD tenant.
+1. Sign in to the [Azure portal](https://portal.azure.com) as an External Identity Provider Administrator or a Global Administrator.
 2. Under **Azure services**, select **Azure Active Directory**.
 3. In the left menu, select **External Identities**.
 4. Select **All identity providers**, then select **Facebook**.
diff --git a/articles/active-directory/external-identities/google-federation.md b/articles/active-directory/external-identities/google-federation.md
@@ -7,7 +7,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: B2B
 ms.topic: how-to
-ms.date: 07/12/2022
+ms.date: 01/20/2023
 
 ms.author: mimart
 author: msmimart
@@ -191,10 +191,11 @@ First, create a new project in the Google Developers Console to obtain a client
 You'll now set the Google client ID and client secret. You can use the Azure portal or PowerShell to do so. Be sure to test your Google federation configuration by inviting yourself. Use a Gmail address and try to redeem the invitation with your invited Google account. 
 
 **To configure Google federation in the Azure portal** 
-1. Go to the [Azure portal](https://portal.azure.com). On the left pane, select **Azure Active Directory**. 
-2. Select **External Identities**.
-3. Select **All identity providers**, and then select the **Google** button.
-4. Enter the client ID and client secret you obtained earlier. Select **Save**:
+1. Sign in to the [Azure portal](https://portal.azure.com) as an External Identity Provider Administrator or a Global Administrator.
+2. In the left pane, select **Azure Active Directory**.
+3. Select **External Identities**.
+4. Select **All identity providers**, and then select the **Google** button.
+5. Enter the client ID and client secret you obtained earlier. Select **Save**:
 
    ![Screenshot that shows the Add Google identity provider page.](media/google-federation/google-identity-provider.png)
 
diff --git a/articles/active-directory/external-identities/identity-providers.md b/articles/active-directory/external-identities/identity-providers.md
@@ -5,7 +5,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: B2B
 ms.topic: conceptual
-ms.date: 09/14/2022
+ms.date: 01/20/2023
 
 ms.author: mimart
 author: msmimart
@@ -39,6 +39,8 @@ External Identities offers a variety of identity providers.
    > [!NOTE]
    > Federated SAML/WS-Fed IdPs can't be used in your self-service sign-up user flows.
 
+To configure federation with Google, Facebook, or a SAML/Ws-Fed identity provider, you'll need to be an [External Identity Provider Administrator](../roles/permissions-reference.md#external-identity-provider-administrator) or a [Global Administrator](../roles/permissions-reference.md#global-administrator) in your Azure AD tenant.
+
 ## Adding social identity providers
 
 Azure AD is enabled by default for self-service sign-up, so users always have the option of signing up using an Azure AD account. However, you can enable other identity providers, including social identity providers like Google or Facebook. To set up social identity providers in your Azure AD tenant, you'll create an application at the identity provider and configure credentials. You'll obtain a client or app ID and a client or app secret, which you can then add to your Azure AD tenant.
