AVD SFI global admin references

Author: dknappettmsft

articles/virtual-desktop/virtual-desktop-fall-2019/manage-resources-using-ui-powershell.md

@@ -143,11 +143,11 @@ To verify the Microsoft Entra application configuration and provide consent:
 3. Select **All applications** and search the unique app name you provided for the PowerShell script in [Create a Microsoft Entra app registration](#create-an-azure-active-directory-app-registration).
 4. In the panel on the left side of the browser, select **Authentication** and make sure the redirect URI is the same as the web app URL for the management tool, as shown in the following image.
 
-    :::image type="content" source="../media/management-ui-redirect-uri-inline.png" alt-text="Screenshot of the Configure Web page on the Authentication tab for an app registration."
+    :::image type="content" source="../media/management-ui-redirect-uri-inline.png" alt-text="Screenshot of the Configure Web page on the Authentication tab for an app registration.":::
 
-5. In the left panel, select **API permissions** to confirm that permissions were added. If you're a global admin, select the **Grant admin consent for `tenantname`**  button and follow the dialog prompts to provide admin consent for your organization.
+5. In the left panel, select **API permissions** to confirm that permissions were added. If you're providing admin consent for all users, select the **Grant admin consent for `tenantname`**  button and follow the dialog prompts.
 
-    :::image type="content" source="../media/management-ui-permissions-inline.png" alt-text="Screenshot of the API permissions page for an app registration that highlights the option to grant admin consent for Contoso." lightbox="../media/management-ui-permissions-expanded.png"
+    :::image type="content" source="../media/management-ui-permissions-inline.png" alt-text="Screenshot of the API permissions page for an app registration that highlights the option to grant admin consent for Contoso." lightbox="../media/management-ui-permissions-expanded.png":::
 
 You can now start using the management tool.
 

articles/virtual-desktop/virtual-desktop-fall-2019/manage-resources-using-ui.md

@@ -72,14 +72,13 @@ To determine which user you can use to sign in to the tool, go to your [Microsof
 :::image type="content" source="../media/management-ui-user-consent-allowed-inline.png" alt-text="A screenshot showing if users can grant consent to applications for just their user." lightbox="../media/management-ui-user-consent-allowed-expanded.png":::
 
 - If the value is set to **Yes**, you can sign in with any user account in the Microsoft Entra ID and provide consent for that user only. However, if you sign in to the management tool with a different user later, you must perform the same consent again.
-- If the value is set to **No**, you must sign in as a Global Administrator in the Microsoft Entra ID and provide admin consent for all users in the directory. No other users will face a consent prompt.
-
+- If the value is set to **No**, you must sign in using an account with the required permissions to provide consent for all users in the tenant. No other users will face a consent prompt. For more information, see [Grant tenant-wide admin consent to an application](/entra/identity/enterprise-apps/grant-admin-consent).
 
 Once you decide which user you'll use to provide consent, follow these instructions to provide consent to the tool:
 
 1. Go to your Azure resources, select the Azure App Services resource with the name you provided in the template (for example, Apr3UX) and navigate to the URL associated with it; for example,  `https://rdmimgmtweb-210520190304.azurewebsites.net`.
 2. Sign in using the appropriate Microsoft Entra user account.
-3. If you authenticated with a Global Administrator, you can now select the checkbox to **Consent on behalf of your organization**. Select **Accept** to provide consent. This will now take you to the management tool.
+3. If you providing consent for all users, you can now select the checkbox to **Consent on behalf of your organization**. Select **Accept** to provide consent. This will now take you to the management tool.
 
 ## Use the management tool
 

articles/virtual-desktop/virtual-desktop-fall-2019/manual-delete.md

@@ -19,7 +19,7 @@ This article describes how to delete Azure Virtual Desktop (classic).
 
 Before you begin, make sure you have the following things ready:
 
-- A global administrator account within the Microsoft Entra tenant
+- A user administrator account within the Microsoft Entra tenant with permissions to manage your Azure Virtual Desktop (classic) resources.
 
 - [Download and import the Azure Virtual Desktop module](/powershell/windows-virtual-desktop/overview/) to use in your PowerShell session if you haven't already
 

articles/virtual-desktop/virtual-desktop-fall-2019/tenant-setup-azure-active-directory.md

@@ -12,7 +12,7 @@ ms.custom: docs_inherited
 > [!IMPORTANT]
 > - This content applies to Azure Virtual Desktop (classic), which doesn't support Azure Resource Manager Azure Virtual Desktop objects.
 >
-> - Beginning **September 30 2023**, you will no longer be able to create new Azure Virtual Desktop (classic) tenants. Azure Virtual Desktop (classic) will retire on **September 30, 2026**. You should transition to [Azure Virtual Desktop](../index.yml) before that date. For more information, see [Azure Virtual Desktop (classic) retirement](classic-retirement.md).
+> - You can no longer be able to create new Azure Virtual Desktop (classic) tenants. Azure Virtual Desktop (classic) will retire on **September 30, 2026**. You should transition to [Azure Virtual Desktop](../index.yml) before that date. For more information, see [Azure Virtual Desktop (classic) retirement](classic-retirement.md).
 
 Creating a tenant in Azure Virtual Desktop is the first step toward building your desktop virtualization solution. A tenant is a group of one or more host pools. Each host pool consists of multiple session hosts, running as virtual machines in Azure and registered to the Azure Virtual Desktop service. Each host pool also consists of one or more application groups that are used to publish desktop and application resources to users. With a tenant, you can build host pools, create application groups, assign users, and make connections through the service.
 
@@ -28,14 +28,12 @@ In this tutorial, learn how to:
 Before you start setting up your Azure Virtual Desktop tenant, make sure you have these things:
 
 * The [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/) tenant ID for Azure Virtual Desktop users.
-* A global administrator account within the Microsoft Entra tenant.
-   * This also applies to Cloud Solution Provider (CSP) organizations that are creating an Azure Virtual Desktop tenant for their customers. If you're in a CSP organization, you must be able to sign in as global administrator of the customer's Microsoft Entra instance.
+* A account within the Microsoft Entra tenant with the required permissions to provide admin consent for for an application in the tenant. For more information, see [Grant tenant-wide admin consent to an application](/entra/identity/enterprise-apps/grant-admin-consent).
+   * This also applies to Cloud Solution Provider (CSP) organizations that are creating an Azure Virtual Desktop tenant for their customers. If you're in a CSP organization, you must be able to sign in with an appropriate account in the customer's Microsoft Entra instance.
    * The administrator account must be sourced from the Microsoft Entra tenant in which you're trying to create the Azure Virtual Desktop tenant. This process doesn't support Microsoft Entra B2B (guest) accounts.
    * The administrator account must be a work or school account.
 * An Azure subscription.
 
-You must have the tenant ID, global administrator account, and Azure subscription ready so that the process described in this tutorial can work properly.
-
 ## Grant permissions to Azure Virtual Desktop
 
 If you have already granted permissions to Azure Virtual Desktop for this Microsoft Entra instance, skip this section.
@@ -51,7 +49,7 @@ To grant the service permissions:
    >https://login.microsoftonline.com/{tenant}/adminconsent?client_id=5a0aa725-4958-4b0c-80a9-34562e23f3b7&redirect_uri=https%3A%2F%2Frdweb.wvd.microsoft.com%2FRDWeb%2FConsentCallback
    >```
 
-2. Sign in to the Azure Virtual Desktop consent page with a global administrator account. For example, if you were with the Contoso organization, your account might be [email protected] or [email protected].
+2. Sign in to the Azure Virtual Desktop consent page with the appropriate account.
 3. Select **Accept**.
 4. Wait for one minute so Microsoft Entra ID can record consent.
 5. Open a browser and begin the admin consent flow to the [Azure Virtual Desktop client app](https://login.microsoftonline.com/common/adminconsent?client_id=fa4345a4-a730-4230-84a8-7d9651b86739&redirect_uri=https%3A%2F%2Frdweb.wvd.microsoft.com%2FRDWeb%2FConsentCallback).
@@ -61,12 +59,12 @@ To grant the service permissions:
    > https://login.microsoftonline.com/{tenant}/adminconsent?client_id=fa4345a4-a730-4230-84a8-7d9651b86739&redirect_uri=https%3A%2F%2Frdweb.wvd.microsoft.com%2FRDWeb%2FConsentCallback
    >```
 
-6. Sign in to the Azure Virtual Desktop consent page as global administrator, as you did in step 2.
+6. Sign in to the Azure Virtual Desktop consent page, as you did in step 2.
 7. Select **Accept**.
 
 ## Assign the TenantCreator application role
 
-Assigning a Microsoft Entra user the TenantCreator application role allows that user to create an Azure Virtual Desktop tenant associated with the Microsoft Entra instance. You'll need to use your global administrator account to assign the TenantCreator role.
+Assigning a Microsoft Entra user the `TenantCreator` application role allows that user to create an Azure Virtual Desktop tenant associated with the Microsoft Entra instance.
 
 To assign the TenantCreator application role:
 
@@ -80,8 +78,8 @@ To assign the TenantCreator application role:
 3. Select **Users and groups**. You might see that the administrator who granted consent to the application is already listed with the **Default Access** role assigned. This is not enough to create an Azure Virtual Desktop tenant. Continue following these instructions to add the **TenantCreator** role to a user.
 
 4. Select **Add user**, and then select **Users and groups** in the **Add Assignment** tab.
-5. Search for a user account that will create your Azure Virtual Desktop tenant. For simplicity, this can be the global administrator account.
-   - If you're using a Microsoft Identity Provider like [email protected] or [email protected], you might not be able to sign in to Azure Virtual Desktop. We recommend using a domain-specific account like [email protected] or [email protected] instead.
+5. Search for a user account that will create your Azure Virtual Desktop tenant.
+   - If you're using a Microsoft Identity Provider like [email protected] or [email protected], you might not be able to sign in to Azure Virtual Desktop.
 
    > [!NOTE]
    > You must select a user (or a group that contains a user) that's sourced from this Microsoft Entra instance. You can't choose a guest (B2B) user or a service principal.

articles/virtual-desktop/virtual-desktop-fall-2019/troubleshoot-management-tool.md

@@ -24,7 +24,7 @@ When you successfully set up services for the management tool but automated setu
 
 This usually means one of the following two things:
 
-- The user has owner permissions on their subscription and global admin at tenant level, but they can't sign in to Azure.
+- The user has the relevant permissions on their subscription and at the tenant level, but they can't sign in to Azure.
 - The user's account settings have multi-factor authentication enabled.
 
 To fix this: