File: articles/role-based-access-control/elevate-access-global-admin.md
Lines changed: 20 additions & 20 deletions
@@ -5,13 +5,13 @@ author: rolyon
5
5
manager: amycolannino
6
6
ms.service: role-based-access-control
7
7
ms.topic: how-to
8
-
ms.date: 02/16/2024
8
+
ms.date: 12/06/2024
9
9
ms.author: rolyon
10
10
ms.custom: devx-track-azurecli
11
11
---
12
12
# Elevate access to manage all Azure subscriptions and management groups
13
13
14
-
As a Global Administrator in Microsoft Entra ID, you might not have access to all subscriptions and management groups in your directory. This article describes the ways that you can elevate your access to all subscriptions and management groups.
14
+
As a Global Administrator in Microsoft Entra ID, you might not have access to all subscriptions and management groups in your tenant. This article describes the ways that you can elevate your access to all subscriptions and management groups.
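Review bot: The "directory" to "tenant" rename in the intro line is correct current Entra terminology, but "all subscriptions and management groups in your tenant" is ambiguous for administrators who hold Global Administrator in more than one tenant; elevation only ever applies to the tenant you are signed in to. Suggest "in the tenant you're signed in to" here so the scope of the operation is explicit from the first sentence. The `ms.date` bump to 12/06/2024 is appropriate since the body text changed.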
@@ -26,9 +26,9 @@ If you are a Global Administrator, there might be times when you want to do the
26
26
27
27
## How does elevated access work?
28
28
29
-
Microsoft Entra ID and Azure resources are secured independently from one another. That is, Microsoft Entra role assignments do not grant access to Azure resources, and Azure role assignments do not grant access to Microsoft Entra ID. However, if you are a [Global Administrator](../active-directory/roles/permissions-reference.md#global-administrator) in Microsoft Entra ID, you can assign yourself access to all Azure subscriptions and management groups in your directory. Use this capability if you don't have access to Azure subscription resources, such as virtual machines or storage accounts, and you want to use your Global Administrator privilege to gain access to those resources.
29
+
Microsoft Entra ID and Azure resources are secured independently from one another. That is, Microsoft Entra role assignments do not grant access to Azure resources, and Azure role assignments do not grant access to Microsoft Entra ID. However, if you are a [Global Administrator](/entra/identity/role-based-access-control/permissions-reference#global-administrator) in Microsoft Entra ID, you can assign yourself access to all Azure subscriptions and management groups in your tenant. Use this capability if you don't have access to Azure subscription resources, such as virtual machines or storage accounts, and you want to use your Global Administrator privilege to gain access to those resources.
30
30
31
-
When you elevate your access, you will be assigned the [User Access Administrator](built-in-roles.md#user-access-administrator) role in Azure at root scope (`/`). This allows you to view all resources and assign access in any subscription or management group in the directory. User Access Administrator role assignments can be removed using Azure PowerShell, Azure CLI, or the REST API.
31
+
When you elevate your access, you will be assigned the [User Access Administrator](built-in-roles.md#user-access-administrator) role in Azure at root scope (`/`). This allows you to view all resources and assign access in any subscription or management group in the tenant. User Access Administrator role assignments can be removed using Azure PowerShell, Azure CLI, or the REST API.
32
32
33
33
You should remove this elevated access once you have made the changes you need to make at root scope.
34
34
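Review bot: The sentence "User Access Administrator role assignments can be removed using Azure PowerShell, Azure CLI, or the REST API" in the updated line 31 omits the Azure portal, even though the portal section later in this same change states that setting the toggle to **No** removes the role assignment from your account. Suggest listing the portal as well, e.g. "can be removed using the Azure portal, Azure PowerShell, Azure CLI, or the REST API", so readers of this overview do not conclude that removal requires a command-line tool. The link update to `/entra/identity/role-based-access-control/permissions-reference#global-administrator` is consistent with the other Entra link migrations in this commit.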
@@ -44,7 +44,7 @@ Follow these steps to elevate access for a Global Administrator using the Azure
44
44
45
45
1. Sign in to the [Azure portal](https://portal.azure.com) as a Global Administrator.
46
46
47
-
If you are using Microsoft Entra Privileged Identity Management, [activate your Global Administrator role assignment](../active-directory/privileged-identity-management/pim-how-to-activate-role.md).
47
+
If you are using Microsoft Entra Privileged Identity Management, [activate your Global Administrator role assignment](/entra/id-governance/privileged-identity-management/pim-how-to-activate-role).
48
48
49
49
1. Open **Microsoft Entra ID**.
50
50
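Review bot: The PIM activation link is changed from a relative `../active-directory/...pim-how-to-activate-role.md` path to an absolute `/entra/id-governance/privileged-identity-management/pim-how-to-activate-role` path. Absolute cross-repo links are not caught by the relative-link validation that the repo's build runs, so please confirm the target resolves on the live site before merging. Style is consistent with the other link migrations in this commit (no `.md` suffix on absolute paths).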
@@ -56,26 +56,26 @@ Follow these steps to elevate access for a Global Administrator using the Azure
56
56
57
57

58
58
59
-
When you set the toggle to **Yes**, you are assigned the User Access Administrator role in Azure RBAC at root scope (/). This grants you permission to assign roles in all Azure subscriptions and management groups associated with this Microsoft Entra directory. This toggle is only available to users who are assigned the Global Administrator role in Microsoft Entra ID.
59
+
When you set the toggle to **Yes**, you are assigned the User Access Administrator role in Azure RBAC at root scope (/). This grants you permission to assign roles in all Azure subscriptions and management groups associated with this Microsoft Entra tenant. This toggle is only available to users who are assigned the Global Administrator role in Microsoft Entra ID.
60
60
61
-
When you set the toggle to **No**, the User Access Administrator role in Azure RBAC is removed from your user account. You can no longer assign roles in all Azure subscriptions and management groups that are associated with this Microsoft Entra directory. You can view and manage only the Azure subscriptions and management groups to which you have been granted access.
61
+
When you set the toggle to **No**, the User Access Administrator role in Azure RBAC is removed from your user account. You can no longer assign roles in all Azure subscriptions and management groups that are associated with this Microsoft Entra tenant. You can view and manage only the Azure subscriptions and management groups to which you have been granted access.
62
62
63
63
> [!NOTE]
64
-
> If you're using [Privileged Identity Management](../active-directory/privileged-identity-management/pim-configure.md), deactivating your role assignment does not change the **Access management for Azure resources** toggle to **No**. To maintain least privileged access, we recommend that you set this toggle to **No** before you deactivate your role assignment.
64
+
> If you're using [Privileged Identity Management](/entra/id-governance/privileged-identity-management/pim-configure), deactivating your role assignment does not change the **Access management for Azure resources** toggle to **No**. To maintain least privileged access, we recommend that you set this toggle to **No** before you deactivate your role assignment.
65
65
66
66
1. Click **Save** to save your setting.
67
67
68
68
This setting is not a global property and applies only to the currently signed in user. You can't elevate access for all members of the Global Administrator role.
69
69
70
70
1. Sign out and sign back in to refresh your access.
71
71
72
-
You should now have access to all subscriptions and management groups in your directory. When you view the Access control (IAM) pane, you'll notice that you have been assigned the User Access Administrator role at root scope.
72
+
You should now have access to all subscriptions and management groups in your tenant. When you view the Access control (IAM) pane, you'll notice that you have been assigned the User Access Administrator role at root scope.
73
73
74
74

75
75
76
76
1. Make the changes you need to make at elevated access.
77
77
78
-
For information about assigning roles, see [Assign Azure roles using the Azure portal](role-assignments-portal.yml). If you are using Privileged Identity Management, see [Discover Azure resources to manage](../active-directory/privileged-identity-management/pim-resource-roles-discover-resources.md) or [Assign Azure resource roles](../active-directory/privileged-identity-management/pim-resource-roles-assign-roles.md).
78
+
For information about assigning roles, see [Assign Azure roles using the Azure portal](role-assignments-portal.yml). If you are using Privileged Identity Management, see [Discover Azure resources to manage](/entra/id-governance/privileged-identity-management/pim-resource-roles-discover-resources) or [Assign Azure resource roles](/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles).
79
79
80
80
1. Perform the steps in the following section to remove your elevated access.
81
81
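Review bot: In the updated line 59, root scope is written as bare "(/)" while the same concept is written as "(`/`)" with code formatting in the "How does elevated access work?" section and in the removal section header; since the text is being touched anyway, use the code-formatted form here for consistency. Separately, the NOTE about PIM deactivation not resetting the **Access management for Azure resources** toggle is reproduced verbatim in the removal section further down this diff; if both copies must stay, consider a shared include so that future edits to the recommendation are applied in both places.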
@@ -98,7 +98,7 @@ To remove the User Access Administrator role assignment at root scope (`/`), fol
98
98
If you are using Privileged Identity Management, deactivate your Global Administrator role assignment.
99
99
100
100
> [!NOTE]
101
-
> If you're using [Privileged Identity Management](../active-directory/privileged-identity-management/pim-configure.md), deactivating your role assignment does not change the **Access management for Azure resources** toggle to **No**. To maintain least privileged access, we recommend that you set this toggle to **No** before you deactivate your role assignment.
101
+
> If you're using [Privileged Identity Management](/entra/id-governance/privileged-identity-management/pim-configure), deactivating your role assignment does not change the **Access management for Azure resources** toggle to **No**. To maintain least privileged access, we recommend that you set this toggle to **No** before you deactivate your role assignment.
102
102
103
103
# [PowerShell](#tab/powershell)
104
104
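Review bot: This NOTE is a verbatim duplicate of the one in the portal elevation steps (the same text appears at original line 64 of the file, also modified in this commit); the two copies already differ only in their link targets, which is exactly the kind of drift an include would prevent. Also, the surrounding step "If you are using Privileged Identity Management, deactivate your Global Administrator role assignment" is the final step of the removal procedure, so the NOTE's advice to set the toggle to **No** before deactivating is only satisfied if the reader has completed the preceding removal steps; a short "after you have removed the role assignment as described above" would make that ordering explicit.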
@@ -291,17 +291,17 @@ When you call `elevateAccess`, you create a role assignment for yourself, so to
291
291
292
292
Save the ID from the `name` parameter, in this case `18d7d88d-d35e-4fb5-a5c3-7773c20a72d9`.
293
293
294
-
1. You also need to list the role assignment for the directory administrator at directory scope. List all assignments at directory scope for the `principalId` of the directory administrator who made the elevate access call. This will list all assignments in the directory for the objectid.
294
+
1. You also need to list the role assignment for the tenant administrator at tenant scope. List all assignments at tenant scope for the `principalId` of the tenant administrator who made the elevate access call. This will list all assignments in the tenant for the objectid.
295
295
296
296
```http
297
297
GET https://management.azure.com/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01&$filter=principalId+eq+'{objectid}'
298
298
```
299
299
300
-
>[!NOTE]
301
-
>A directory administrator should not have many assignments, if the previous query returns too many assignments, you can also query for all assignments just at directory scope level, then filter the results:
300
+
>[!NOTE]
301
+
> A tenant administrator should not have many assignments. If the previous query returns too many assignments, you can also query for all assignments just at tenant scope, then filter the results:
1. The previous calls return a list of role assignments. Find the role assignment where the scope is `"/"` and the `roleDefinitionId` ends with the role name ID you found in step 1 and `principalId` matches the objectId of the directory administrator.
304
+
1. The previous calls return a list of role assignments. Find the role assignment where the scope is `"/"` and the `roleDefinitionId` ends with the role name ID you found in step 1 and `principalId` matches the objectId of the tenant administrator.
305
305
306
306
Sample role assignment:
307
307
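Review bot: "tenant scope" in the updated line 294 and in the NOTE is not an Azure RBAC scope; the REST call shown has no subscription or management group segment, so it lists assignments at root scope, which the next step in the same section correctly calls `"/"`. Suggest "at root scope (`/`)" in both places so the prose matches the `scope` value the reader is told to look for. Likewise "tenant administrator" is not a role name; the caller of `elevateAccess` is the Global Administrator, and using that term here keeps the section aligned with the rest of the article. The filter `$filter=principalId+eq+'{objectid}'` returns assignments at every scope the caller can read, which is why the step says "all assignments ... for the objectid"; that is correct, and the NOTE's fallback of filtering by scope is the right mitigation for large result sets.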
@@ -339,7 +339,7 @@ When you call `elevateAccess`, you create a role assignment for yourself, so to
339
339
340
340
## Remove elevated access for users
341
341
342
-
If you have users with unnecessary elevated access, you should take immediate action and remove that access. To remove these role assignments, you must also have elevated access. This section describes how you can view users that have elevated access and remove that access using the Azure portal.
342
+
If you have users with unnecessary elevated access, you should take immediate action and remove that access. To remove these role assignments, you must also have elevated access. This section describes how you can view users that have elevated access in your tenant and remove that access using the Azure portal.
343
343
344
344
1. Sign in to the [Azure portal](https://portal.azure.com) as a Global Administrator.
345
345
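Review bot: The intro says "you should take immediate action and remove that access" but gives the reader no way to tell how the elevation happened or when. This article already has a section on retrieving the elevate access log entries (see the `Microsoft.Insights` hunk further down); a cross-reference to it here would let an administrator check the audit trail before or while removing the assignments, which is what a responder would actually want to do. The "in your tenant" addition is fine and consistent with the other wording changes.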
@@ -351,15 +351,15 @@ If you have users with unnecessary elevated access, you should take immediate ac
351
351
352
352
`You have X users with elevated access. Microsoft Security recommends deleting access for users who have unnecessary elevated access. Manage elevated access users`
353
353
354
-
If you don't see this banner, you currently don't have any users with elevated access.
355
-
356
354
:::image type="content" source="./media/elevate-access-global-admin/elevated-access-users-banner.png" alt-text="Screenshot of banner that indicates there are users with elevated acccess." lightbox="./media/elevate-access-global-admin/elevated-access-users-banner.png":::
357
355
356
+
If you don't see this banner, you currently don't have any users in your tenant with elevated access.
357
+
358
358
1. If you want to remove elevated access, set the toggle to **Yes** as described earlier in [Step 1: Elevate access for a Global Administrator](#step-1-elevate-access-for-a-global-administrator).
359
359
360
360
1. Select the **Manage elevated access users** link.
361
361
362
-
The **Users with elevated access appears** pane appears with a list of users with elevated access.
362
+
The **Users with elevated access appears** pane appears with a list of users with elevated access in your tenant.
363
363
364
364
:::image type="content" source="./media/elevate-access-global-admin/elevated-access-users-pane.png" alt-text="Screenshot of Users with elevated access pane that lists users with elevated acccess." lightbox="./media/elevate-access-global-admin/elevated-access-users-pane.png":::
365
365
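Review bot: The updated line 362 carries forward a typo from the old text: "The **Users with elevated access appears** pane appears" has "appears" inside the bold pane name and then repeated; it should read "The **Users with elevated access** pane appears with a list of users with elevated access in your tenant." Since the line is being rewritten in this commit, fix it here. Two unchanged context lines in this hunk also have "acccess" in the image `alt-text` attributes (both `elevated-access-users-banner.png` and `elevated-access-users-pane.png`); worth correcting in the same pass. Finally, the step "If you want to remove elevated access, set the toggle to **Yes**" elevates the reader's own account; the section should end by reminding them to set it back to **No**, in line with the least-privilege advice elsewhere in the article.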
@@ -426,7 +426,7 @@ If you want to be able to periodically get the elevate access log entries, you c
426
426
427
427
1. Use the [az login](/cli/azure/reference-index#az-login) command to sign in as Global Administrator.
428
428
429
-
1. Use the [az role assignment create](/cli/azure/role/assignment#az-role-assignment-create) command to assign the [Reader](built-in-roles.md#reader) role to the group who can only read logs at the directory level, which are found at `Microsoft/Insights`.
429
+
1. Use the [az role assignment create](/cli/azure/role/assignment#az-role-assignment-create) command to assign the [Reader](built-in-roles.md#reader) role to the group who can only read logs at the tenant level, which are found at `Microsoft/Insights`.
430
430
431
431
```azurecli
432
432
az role assignment create --assignee "{groupId}" --role "Reader" --scope "/providers/Microsoft.Insights"
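Review bot: The prose in the updated line 429 says the logs "are found at `Microsoft/Insights`" but the command's `--scope` is `/providers/Microsoft.Insights`; the inline reference should use the actual resource provider path (`Microsoft.Insights`, dot not slash) so readers searching for the scope find the right string. Also, creating a role assignment at `/providers/Microsoft.Insights` is a root-level scope; a Global Administrator who has not elevated access has no Azure RBAC rights there and the `az role assignment create` call will fail with an authorization error, so the preceding "sign in as Global Administrator" step should state that elevated access (or an existing root-scope assignment) is required.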