Merge pull request #219202 from MicrosoftGuyJFlo/ConditionalAccessRoles

[Azure AD] Conditional Access - Role definitions

Author: prmerger-automator[bot]

articles/active-directory/conditional-access/plan-conditional-access.md

@@ -30,10 +30,23 @@ Microsoft provides [security defaults](../fundamentals/concept-fundamentals-secu
 ### Prerequisites
 
 * A working Azure AD tenant with Azure AD Premium or trial license enabled. If needed, [create one for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
-* An account with Conditional Access Administrator privileges.
+* An account with privileges to create Conditional Access policies.
 * A test user (non-administrator) that allows you to verify policies work as expected before you impact real users. If you need to create a user, see [Quickstart: Add new users to Azure Active Directory](../fundamentals/add-users-azure-active-directory.md).
 * A group that the non-administrator user is a member of. If you need to create a group, see [Create a group and add members in Azure Active Directory](../fundamentals/active-directory-groups-create-azure-portal.md).
 
+#### Permissions
+
+Conditional Access policies can be created or modified by anyone assigned the following roles:
+
+- Conditional Access Administrator 
+- Security Administrator
+- Global Administrator
+
+Conditional Access policies can be read by anyone assigned the following roles:
+
+- Security Reader
+- Global Reader
+
 ## Understand Conditional Access policy components
 
 Policies answer questions about who should access your resources, what resources they should access, and under what conditions. Policies can be designed to grant access, limit access with session controls, or to block access. You [build a Conditional Access policy](concept-conditional-access-policies.md)  by defining the if-then statements: **If an assignment is met, then apply the access controls**.