Merge pull request #260059 from rolyon/rolyon-rbac-roles-rbac-admin-update

[Azure RBAC] Role Based Access Control Administrator role update

Author: v-dirichards

articles/role-based-access-control/built-in-roles.md

@@ -29,7 +29,7 @@ The following table provides a brief description of each built-in role. Click th
 > | [Contributor](#contributor) | Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries. | b24988ac-6180-42a0-ab88-20f7382dd24c |
 > | [Owner](#owner) | Grants full access to manage all resources, including the ability to assign roles in Azure RBAC. | 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 |
 > | [Reader](#reader) | View all resources, but does not allow you to make any changes. | acdd72a7-3385-48ef-bd42-f606fba81ae7 |
-> | [Role Based Access Control Administrator (Preview)](#role-based-access-control-administrator-preview) | Manage access to Azure resources by assigning roles using Azure RBAC. This role does not allow you to manage access using other ways, such as Azure Policy. | f58310d9-a9f6-439a-9e8d-f62e7b41a168 |
+> | [Role Based Access Control Administrator](#role-based-access-control-administrator) | Manage access to Azure resources by assigning roles using Azure RBAC. This role does not allow you to manage access using other ways, such as Azure Policy. | f58310d9-a9f6-439a-9e8d-f62e7b41a168 |
 > | [User Access Administrator](#user-access-administrator) | Lets you manage user access to Azure resources. | 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 |
 > | **Compute** |  |  |
 > | [Classic Virtual Machine Contributor](#classic-virtual-machine-contributor) | Lets you manage classic virtual machines, but not access to them, and not the virtual network or storage account they're connected to. | d73bb868-a0df-4d4d-bd69-98a00b01fccb |
@@ -473,7 +473,7 @@ View all resources, but does not allow you to make any changes. [Learn more](rba
 }
 ```
 
-### Role Based Access Control Administrator (Preview)
+### Role Based Access Control Administrator
 
 Manage access to Azure resources by assigning roles using Azure RBAC. This role does not allow you to manage access using other ways, such as Azure Policy.
 
@@ -512,7 +512,7 @@ Manage access to Azure resources by assigning roles using Azure RBAC. This role
       "notDataActions": []
     }
   ],
-  "roleName": "Role Based Access Control Administrator (Preview)",
+  "roleName": "Role Based Access Control Administrator",
   "roleType": "BuiltInRole",
   "type": "Microsoft.Authorization/roleDefinitions"
 }

articles/role-based-access-control/conditions-custom-security-attributes.md

@@ -9,7 +9,7 @@ ms.subservice: conditions
 ms.topic: how-to
 ms.workload: identity
 ms.custom: devx-track-azurecli, devx-track-azurepowershell
-ms.date: 11/15/2023
+ms.date: 12/01/2023
 ms.author: rolyon
 #Customer intent: As a dev, devops, or it admin, I want to
 ---
@@ -23,7 +23,7 @@ In this article, you learn how to allow read access to blobs based on blob index
 To assign custom security attributes and add role assignments conditions in your Microsoft Entra tenant, you need:
 
 - [Attribute Definition Administrator](../active-directory/roles/permissions-reference.md#attribute-definition-administrator) and [Attribute Assignment Administrator](../active-directory/roles/permissions-reference.md#attribute-assignment-administrator)
-- [User Access Administrator](built-in-roles.md#user-access-administrator) or [Owner](built-in-roles.md#owner)
+- [Role Based Access Control Administrator](built-in-roles.md#role-based-access-control-administrator)
 
 > [!IMPORTANT]
 > By default, [Global Administrator](../active-directory/roles/permissions-reference.md#global-administrator) and other administrator roles do not have permissions to read, define, or assign custom security attributes. If you do not meet these prerequisites, you won't see the principal/user attributes in the condition editor.
@@ -194,7 +194,7 @@ You can also use Azure PowerShell to add role assignment conditions. The followi
 
 ### Add a condition
 
-1. Use the [Connect-AzAccount](/powershell/module/az.accounts/connect-azaccount) command and follow the instructions that appear to sign in to your directory as User Access Administrator or Owner.
+1. Use the [Connect-AzAccount](/powershell/module/az.accounts/connect-azaccount) command and follow the instructions that appear to sign in to your directory as Role Based Access Control Administrator.
 
     ```powershell
     Connect-AzAccount
@@ -271,7 +271,7 @@ You can also use Azure CLI to add role assignments conditions. The following com
 
 ### Add a condition
 
-1. Use the [az login](/cli/azure/reference-index#az-login) command and follow the instructions that appear to sign in to your directory as User Access Administrator or Owner.
+1. Use the [az login](/cli/azure/reference-index#az-login) command and follow the instructions that appear to sign in to your directory as Role Based Access Control Administrator.
 
     ```azurecli
     az login

articles/role-based-access-control/conditions-prerequisites.md

@@ -9,7 +9,7 @@ ms.subservice: conditions
 ms.topic: conceptual
 ms.workload: identity
 ms.custom: devx-track-azurecli, devx-track-azurepowershell
-ms.date: 11/15/2023
+ms.date: 12/01/2023
 ms.author: rolyon
 ---
 
@@ -48,7 +48,7 @@ For more information, see [API versions of Azure RBAC REST APIs](/rest/api/autho
 
 ## Permissions
 
-Just like role assignments, to add or update conditions, you must be signed in to Azure with a user that has the `Microsoft.Authorization/roleAssignments/write` and `Microsoft.Authorization/roleAssignments/delete` permissions, such as [User Access Administrator](built-in-roles.md#user-access-administrator) or [Owner](built-in-roles.md#owner).
+Just like role assignments, to add or update conditions, you must be signed in to Azure with a user that has the `Microsoft.Authorization/roleAssignments/write` and `Microsoft.Authorization/roleAssignments/delete` permissions, such as [Role Based Access Control Administrator](built-in-roles.md#role-based-access-control-administrator).
 
 ## Principal attributes
 

articles/role-based-access-control/custom-roles-bicep.md

@@ -7,7 +7,7 @@ manager: amycolannino
 ms.service: role-based-access-control
 ms.topic: how-to
 ms.workload: identity
-ms.date: 07/01/2022
+ms.date: 12/01/2023
 ms.author: rolyon 
 ms.custom: devx-track-azurepowershell, devx-track-azurecli, devx-track-bicep
 #Customer intent: As an IT admin, I want to create custom and/or roles using Bicep so that I can start automating custom role processes.
@@ -23,7 +23,7 @@ To create a custom role, you specify a role name, role permissions, and where th
 
 ## Prerequisites
 
-To create a custom role, you must have permissions to create custom roles, such as [Owner](built-in-roles.md#owner) or [User Access Administrator](built-in-roles.md#user-access-administrator).
+To create a custom role, you must have permissions to create custom roles, such as [User Access Administrator](built-in-roles.md#user-access-administrator).
 
 You also must have an active Azure subscription. If you don't have one, you can create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
 

articles/role-based-access-control/custom-roles-cli.md

@@ -12,7 +12,7 @@ ms.topic: how-to
 ms.tgt_pltfrm: na
 ms.custom: devx-track-azurecli
 ms.workload: identity
-ms.date: 04/05/2023
+ms.date: 12/01/2023
 ms.author: rolyon
 ms.reviewer: bagovind
 ---
@@ -26,7 +26,7 @@ For a step-by-step tutorial on how to create a custom role, see [Tutorial: Creat
 
 To create custom roles, you need:
 
-- Permissions to create custom roles, such as [Owner](built-in-roles.md#owner) or [User Access Administrator](built-in-roles.md#user-access-administrator)
+- Permissions to create custom roles, such as [User Access Administrator](built-in-roles.md#user-access-administrator)
 - [Azure Cloud Shell](../cloud-shell/overview.md) or [Azure CLI](/cli/azure/install-azure-cli)
 
 ## List custom roles

articles/role-based-access-control/custom-roles-powershell.md

@@ -11,7 +11,7 @@ ms.service: role-based-access-control
 ms.topic: how-to
 ms.tgt_pltfrm: na
 ms.workload: identity
-ms.date: 04/05/2023
+ms.date: 12/01/2023
 ms.author: rolyon
 ms.reviewer: bagovind 
 ms.custom: devx-track-azurepowershell
@@ -28,7 +28,7 @@ For a step-by-step tutorial on how to create a custom role, see [Tutorial: Creat
 
 To create custom roles, you need:
 
-- Permissions to create custom roles, such as [Owner](built-in-roles.md#owner) or [User Access Administrator](built-in-roles.md#user-access-administrator)
+- Permissions to create custom roles, such as [User Access Administrator](built-in-roles.md#user-access-administrator)
 - [Azure Cloud Shell](../cloud-shell/overview.md) or [Azure PowerShell](/powershell/azure/install-azure-powershell)
 
 ## List custom roles

articles/role-based-access-control/custom-roles-rest.md

@@ -12,7 +12,7 @@ ms.service: role-based-access-control
 ms.workload: multiple
 ms.tgt_pltfrm: rest-api
 ms.topic: how-to
-ms.date: 04/05/2023
+ms.date: 12/01/2023
 ms.author: rolyon
 ms.reviewer: bagovind
 
@@ -420,7 +420,7 @@ To create a custom role, use the [Role Definitions - Create Or Update](/rest/api
 
 ## Update a custom role
 
-To update a custom role, use the [Role Definitions - Create Or Update](/rest/api/authorization/role-definitions/create-or-update) REST API. To call this API, you must be signed in with a user that is assigned a role that has the `Microsoft.Authorization/roleDefinitions/write` permission on all the `assignableScopes`. Of the built-in roles, only [Owner](built-in-roles.md#owner) and [User Access Administrator](built-in-roles.md#user-access-administrator) include this permission.
+To update a custom role, use the [Role Definitions - Create Or Update](/rest/api/authorization/role-definitions/create-or-update) REST API. To call this API, you must be signed in with a user that is assigned a role that has the `Microsoft.Authorization/roleDefinitions/write` permission on all the `assignableScopes`, such as [User Access Administrator](built-in-roles.md#user-access-administrator).
 
 1. Use the [Role Definitions - List](/rest/api/authorization/role-definitions/list) or [Role Definitions - Get](/rest/api/authorization/role-definitions/get) REST API to get information about the custom role. For more information, see the earlier [List all custom role definitions](#list-all-custom-role-definitions) section.
 

articles/role-based-access-control/custom-roles-template.md

@@ -7,7 +7,7 @@ manager: amycolannino
 ms.service: role-based-access-control
 ms.topic: how-to
 ms.workload: identity
-ms.date: 10/19/2022
+ms.date: 12/01/2023
 ms.author: rolyon 
 ms.custom: devx-track-azurepowershell, devx-track-arm-template
 #Customer intent: As an IT admin, I want to create custom roles by using an Azure Resource Manager template so that I can start automating custom role processes.
@@ -29,7 +29,7 @@ If your environment meets the prerequisites and you're familiar with using ARM t
 
 To create a custom role, you must have:
 
-- Permissions to create custom roles, such as [Owner](built-in-roles.md#owner) or [User Access Administrator](built-in-roles.md#user-access-administrator).
+- Permissions to create custom roles, such as [User Access Administrator](built-in-roles.md#user-access-administrator).
 
 You must use the following version:
 

articles/role-based-access-control/delegate-role-assignments-examples.md

@@ -9,7 +9,7 @@ ms.subservice: conditions
 ms.topic: conceptual
 ms.workload: identity
 ms.custom: devx-track-azurepowershell
-ms.date: 11/29/2023
+ms.date: 12/01/2023
 ms.author: rolyon
 #Customer intent: As a dev, devops, or it admin, I want to learn about the conditions so that I write more complex conditions.
 ---
@@ -684,7 +684,7 @@ New-AzRoleAssignment -ObjectId $principalId -Scope $scope -RoleDefinitionId $rol
 
 ## Example: Allow most roles, but don't allow others to assign roles
 
-This condition allows a delegate to add or remove role assignments for all roles except the [Owner](built-in-roles.md#owner), [Role Based Access Control Administrator](built-in-roles.md#role-based-access-control-administrator-preview), and [User Access Administrator](built-in-roles.md#user-access-administrator) roles.
+This condition allows a delegate to add or remove role assignments for all roles except the [Owner](built-in-roles.md#owner), [Role Based Access Control Administrator](built-in-roles.md#role-based-access-control-administrator), and [User Access Administrator](built-in-roles.md#user-access-administrator) roles.
 
 This condition is useful when you want to allow a delegate to assign most roles, but not allow the delegate to allow others to assign roles.
 
@@ -716,7 +716,7 @@ To target both the add and remove role assignment actions, notice that you must
 > | Attribute | [Role definition ID](conditions-authorization-actions-attributes.md#role-definition-id) |
 > | Operator | [ForAnyOfAnyValues:GuidNotEquals](conditions-format.md#foranyofanyvalues) |
 > | Comparison | Value |
-> | Roles | [Owner](built-in-roles.md#owner)<br/>[Role Based Access Control Administrator](built-in-roles.md#role-based-access-control-administrator-preview)<br/>[User Access Administrator](built-in-roles.md#user-access-administrator) |
+> | Roles | [Owner](built-in-roles.md#owner)<br/>[Role Based Access Control Administrator](built-in-roles.md#role-based-access-control-administrator)<br/>[User Access Administrator](built-in-roles.md#user-access-administrator) |
 
 > [!div class="mx-tableFixed"]
 > | Condition #2 | Setting |
@@ -726,7 +726,7 @@ To target both the add and remove role assignment actions, notice that you must
 > | Attribute | [Role definition ID](conditions-authorization-actions-attributes.md#role-definition-id) |
 > | Operator | [ForAnyOfAnyValues:GuidNotEquals](conditions-format.md#foranyofanyvalues) |
 > | Comparison | Value |
-> | Roles | [Owner](built-in-roles.md#owner)<br/>[Role Based Access Control Administrator](built-in-roles.md#role-based-access-control-administrator-preview)<br/>[User Access Administrator](built-in-roles.md#user-access-administrator) |
+> | Roles | [Owner](built-in-roles.md#owner)<br/>[Role Based Access Control Administrator](built-in-roles.md#role-based-access-control-administrator)<br/>[User Access Administrator](built-in-roles.md#user-access-administrator) |
 
 ```
 (

articles/role-based-access-control/delegate-role-assignments-overview.md

@@ -8,7 +8,7 @@ ms.service: role-based-access-control
 ms.subservice: conditions
 ms.topic: conceptual
 ms.workload: identity
-ms.date: 11/29/2023
+ms.date: 12/01/2023
 ms.author: rolyon
 
 #Customer intent: As a dev, devops, or it admin, I want to delegate Azure role assignment management to other users who are closer to the decision, but want to limit the scope of the role assignments.
@@ -77,15 +77,15 @@ Here are some reasons why delegating role assignment management to others with c
 
 Consider an example where Alice is an administrator with the User Access Administrator role for a subscription. Alice wants to grant Dara the ability to assign specific roles for specific groups. Alice doesn't want Dara to have any other role assignment permissions. The following diagram shows how Alice can delegate role assignment responsibilities to Dara with conditions.
 
-1. Alice assigns the Role Based Access Control Administrator (Preview) role to Dara. Alice adds conditions so that Dara can only assign the Backup Contributor or Backup Reader roles to the Marketing and Sales groups.
+1. Alice assigns the Role Based Access Control Administrator role to Dara. Alice adds conditions so that Dara can only assign the Backup Contributor or Backup Reader roles to the Marketing and Sales groups.
 1. Dara can now assign the Backup Contributor or Backup Reader roles to the Marketing and Sales groups.
 1. If Dara attempts to assign other roles or assign any roles to different principals (such as a user or managed identity), the role assignment fails.
 
 :::image type="content" source="./media/delegate-role-assignments-overview/delegate-role-assignments-conditions-steps.png" alt-text="Diagram that shows an example where Dara can only assign the Backup Contributor or Backup Reader roles to Marketing or Sales groups." lightbox="./media/delegate-role-assignments-overview/delegate-role-assignments-conditions-steps.png":::
 
 ## Role Based Access Control Administrator role
 
-The [Role Based Access Control Administrator (Preview)](built-in-roles.md#role-based-access-control-administrator-preview) role is a built-in role that has been designed for delegating role assignment management to others. It has fewer permissions than [User Access Administrator](built-in-roles.md#user-access-administrator), which follows least privilege best practices. The Role Based Access Control Administrator role has following permissions:
+The [Role Based Access Control Administrator](built-in-roles.md#role-based-access-control-administrator) role is a built-in role that has been designed for delegating role assignment management to others. It has fewer permissions than [User Access Administrator](built-in-roles.md#user-access-administrator), which follows least privilege best practices. The Role Based Access Control Administrator role has following permissions:
 
 - Create a role assignment at the specified scope
 - Delete a role assignment at the specified scope
@@ -125,9 +125,9 @@ To delegate role assignment management with conditions, you assign roles as you
 
 1. Start a new role assignment
 
-1. Select the [Role Based Access Control Administrator (Preview)](built-in-roles.md#role-based-access-control-administrator-preview) role
+1. Select the [Role Based Access Control Administrator](built-in-roles.md#role-based-access-control-administrator) role
 
-    You can select any role that includes the `Microsoft.Authorization/roleAssignments/write` action, but Role Based Access Control Administrator (Preview) has fewer permissions.
+    You can select any role that includes the `Microsoft.Authorization/roleAssignments/write` action, but Role Based Access Control Administrator has fewer permissions.
 
 1. Select the delegate