Merge pull request #264444 from rolyon/rolyon-constrained-delegation-ga-release

[Azure RBAC] Constrained delegation GA

Author: Court72

articles/role-based-access-control/TOC.yml

@@ -47,14 +47,10 @@
       href: delegate-role-assignments-overview.md
     - name: Authorization actions and attributes
       href: conditions-authorization-actions-attributes.md
-    - name: Example conditions
-      href: delegate-role-assignments-examples.md
   - name: ABAC conditions
     items:
     - name: Condition format
       href: conditions-format.md
-    - name: Example conditions for Blob Storage
-      href: ../storage/blobs/storage-auth-abac-examples.md?toc=/azure/role-based-access-control/toc.json
     - name: Conditions prerequisites
       href: conditions-prerequisites.md
     - name: Conditions FAQ
@@ -103,10 +99,12 @@
       href: role-assignments-template.md
   - name: Delegate
     items:
-    - name: Subscription administrator
+    - name: Subscription administrator with conditions
       href: role-assignments-portal-subscription-admin.md
     - name: Delegate role assignment management with conditions
       href: delegate-role-assignments-portal.md
+    - name: Example conditions
+      href: delegate-role-assignments-examples.md
   - name: Add or edit ABAC conditions
     items:
     - name: Portal
@@ -119,6 +117,8 @@
       href: conditions-role-assignments-rest.md
     - name: ARM template
       href: conditions-role-assignments-template.md
+    - name: Example conditions for Blob Storage
+      href: ../storage/blobs/storage-auth-abac-examples.md?toc=/azure/role-based-access-control/toc.json
     - name: Conditions and custom security attributes
       href: conditions-custom-security-attributes.md
   - name: Remove role assignments

articles/role-based-access-control/best-practices.md

@@ -7,7 +7,7 @@ manager: amycolannino
 ms.service: role-based-access-control
 ms.topic: conceptual
 ms.workload: identity
-ms.date: 11/29/2023
+ms.date: 01/30/2024
 ms.author: rolyon
 
 #Customer intent: As a dev, devops, or it admin, I want to learn how to best use Azure RBAC.
@@ -40,7 +40,7 @@ Some roles are identified as [privileged administrator roles](./role-assignments
 - Remove unnecessary privileged role assignments.
 - Avoid assigning a privileged administrator role when a [job function role](./role-assignments-steps.md#job-function-roles) can be used instead.
 - If you must assign a privileged administrator role, use a narrow scope, such as resource group or resource, instead of a broader scope, such as management group or subscription.
-- If you are assigning a role with permission to create role assignments, consider adding a condition to constrain the role assignment. For more information, see [Delegate Azure role assignment management to others with conditions (preview)](delegate-role-assignments-portal.md).
+- If you are assigning a role with permission to create role assignments, consider adding a condition to constrain the role assignment. For more information, see [Delegate Azure role assignment management to others with conditions](delegate-role-assignments-portal.md).
 
 For more information, see [List or manage privileged administrator role assignments](./role-assignments-list-portal.md#list-or-manage-privileged-administrator-role-assignments).
 

articles/role-based-access-control/conditions-authorization-actions-attributes.md

@@ -1,5 +1,5 @@
 ---
-title: Authorization actions and attributes (preview)
+title: Authorization actions and attributes
 description: Supported actions and attributes for Azure role assignment conditions and Azure attribute-based access control (Azure ABAC) in authorization
 services: active-directory
 author: rolyon
@@ -8,17 +8,13 @@ ms.service: role-based-access-control
 ms.subservice: conditions
 ms.topic: conceptual
 ms.workload: identity
-ms.date: 11/29/2023
+ms.date: 01/30/2024
 ms.author: rolyon
 
 #Customer intent: As a dev, devops, or it admin, I want to 
 ---
 
-# Authorization actions and attributes (preview)
-
-> [!IMPORTANT]
-> Delegating Azure role assignment management with conditions is currently in PREVIEW.
-> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
+# Authorization actions and attributes
 
 ## Authorization actions
 
@@ -94,5 +90,5 @@ This section lists the authorization attributes you can use in your condition ex
 
 ## Next steps
 
-- [Examples to delegate Azure role assignment management with conditions (preview)](delegate-role-assignments-examples.md)
-- [Delegate Azure role assignment management to others with conditions (preview)](delegate-role-assignments-portal.md)
+- [Examples to delegate Azure role assignment management with conditions](delegate-role-assignments-examples.md)
+- [Delegate Azure role assignment management to others with conditions](delegate-role-assignments-portal.md)

articles/role-based-access-control/delegate-role-assignments-examples.md

@@ -1,5 +1,5 @@
 ---
-title: Examples to delegate Azure role assignment management with conditions (preview) - Azure ABAC
+title: Examples to delegate Azure role assignment management with conditions - Azure ABAC
 description: Examples to delegate Azure role assignment management to other users by using Azure attribute-based access control (Azure ABAC).
 services: active-directory
 author: rolyon
@@ -9,16 +9,12 @@ ms.subservice: conditions
 ms.topic: conceptual
 ms.workload: identity
 ms.custom: devx-track-azurepowershell
-ms.date: 12/01/2023
+ms.date: 01/30/2024
 ms.author: rolyon
 #Customer intent: As a dev, devops, or it admin, I want to learn about the conditions so that I write more complex conditions.
 ---
 
-# Examples to delegate Azure role assignment management with conditions (preview)
-
-> [!IMPORTANT]
-> Delegating Azure role assignment management with conditions is currently in PREVIEW.
-> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
+# Examples to delegate Azure role assignment management with conditions
 
 This article lists examples of how to delegate Azure role assignment management to other users with conditions.
 
@@ -767,6 +763,6 @@ New-AzRoleAssignment -ObjectId $principalId -Scope $scope -RoleDefinitionId $rol
 
 ## Next steps
 
-- [Authorization actions and attributes (preview)](conditions-authorization-actions-attributes.md)
-- [Azure role assignment condition format and syntax (preview)](conditions-format.md)
-- [Troubleshoot Azure role assignment conditions (preview)](conditions-troubleshoot.md)
+- [Authorization actions and attributes](conditions-authorization-actions-attributes.md)
+- [Azure role assignment condition format and syntax](conditions-format.md)
+- [Troubleshoot Azure role assignment conditions](conditions-troubleshoot.md)

articles/role-based-access-control/delegate-role-assignments-overview.md

@@ -8,7 +8,7 @@ ms.service: role-based-access-control
 ms.subservice: conditions
 ms.topic: conceptual
 ms.workload: identity
-ms.date: 12/01/2023
+ms.date: 01/30/2024
 ms.author: rolyon
 
 #Customer intent: As a dev, devops, or it admin, I want to delegate Azure role assignment management to other users who are closer to the decision, but want to limit the scope of the role assignments.
@@ -52,11 +52,7 @@ Here are the primary issues with the current method of delegating role assignmen
 
 Instead of assigning the Owner or User Access Administrator roles, a more secure method is to constrain a delegate's ability to create role assignments.
 
-## A more secure method: Delegate role assignment management with conditions (preview)
-
-> [!IMPORTANT]
-> Delegating Azure role assignment management with conditions is currently in PREVIEW.
-> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
+## A more secure method: Delegate role assignment management with conditions
 
 Delegating role assignment management with conditions is a way to restrict the role assignments a user can create. In the preceding example, Alice can allow Dara to create some role assignments on her behalf, but not all role assignments. For example, Alice can constrain the roles that Dara can assign and constrain the principals that Dara can assign roles to. This delegation with conditions is sometimes referred to as *constrained delegation* and is implemented using [Azure attribute-based access control (Azure ABAC) conditions](conditions-overview.md).
 
@@ -141,15 +137,15 @@ To delegate role assignment management with conditions, you assign roles as you
 
     Choose from a list of condition templates. Select **Configure** to specify the roles, principal types, or principals.
 
-    For more information, see [Delegate Azure role assignment management to others with conditions (preview)](delegate-role-assignments-portal.md).
+    For more information, see [Delegate Azure role assignment management to others with conditions](delegate-role-assignments-portal.md).
 
     :::image type="content" source="./media/shared/condition-templates.png" alt-text="Screenshot of Add role assignment condition with a list of condition templates." lightbox="./media/shared/condition-templates.png":::
 
     # [Condition editor](#tab/condition-editor)
 
     If the condition templates don't work for your scenario or if you want more control, you can use the condition editor.
 
-    For examples, see [Examples to delegate Azure role assignment management with conditions (preview)](delegate-role-assignments-examples.md).
+    For examples, see [Examples to delegate Azure role assignment management with conditions](delegate-role-assignments-examples.md).
 
     :::image type="content" source="./media/shared/delegate-role-assignments-expression.png" alt-text="Screenshot of condition editor in Azure portal showing a role assignment condition to delegate role assignment management." lightbox="./media/shared/delegate-role-assignments-expression.png":::
 
@@ -248,7 +244,9 @@ To delegate role assignment management with conditions, you assign roles as you
 
 ## Built-in roles with conditions
 
-The [Key Vault Data Access Administrator](built-in-roles.md#key-vault-data-access-administrator) role already has a built-in condition to constrain role assignments. This role enables you to manage access to Key Vault secrets, certificates, and keys. It's exclusively focused on access control without the ability to assign privileged roles such as Owner or User Access Administrator roles. It allows better separation of duties for scenarios like managing encryption at rest across data services to further comply with least privilege principle. The condition constrains role assignments to the following Azure Key Vault roles:
+The [Key Vault Data Access Administrator](built-in-roles.md#key-vault-data-access-administrator) and [Virtual Machine Data Access Administrator (preview)](built-in-roles.md#virtual-machine-data-access-administrator-preview) roles already have a built-in condition to constrain role assignments.
+
+The Key Vault Data Access Administrator role enables you to manage access to Key Vault secrets, certificates, and keys. It's exclusively focused on access control without the ability to assign privileged roles such as Owner or User Access Administrator roles. It allows better separation of duties for scenarios like managing encryption at rest across data services to further comply with least privilege principle. The condition constrains role assignments to the following Azure Key Vault roles:
 
 - [Key Vault Administrator](built-in-roles.md#key-vault-administrator)
 - [Key Vault Certificates Officer](built-in-roles.md#key-vault-certificates-officer)
@@ -267,18 +265,17 @@ If you want to further constrain the Key Vault Data Access Administrator role as
 
 ## Known issues
 
-Here are the known issues related to delegating role assignment management with conditions (preview):
+Here are the known issues related to delegating role assignment management with conditions:
 
 - You can't delegate role assignment management with conditions using [Privileged Identity Management](../active-directory/privileged-identity-management/pim-resource-roles-assign-roles.md).
 - You can't have a role assignment with a Microsoft.Storage data action and an ABAC condition that uses a GUID comparison operator. For more information, see [Troubleshoot Azure RBAC](troubleshooting.md#symptom---authorization-failed).
-- This preview isn't available in Azure Government or Microsoft Azure operated by 21Vianet.
 
 ## License requirements
 
 [!INCLUDE [Azure AD free license](../../includes/active-directory-free-license.md)]
 
 ## Next steps
 
-- [Delegate Azure role assignment management to others with conditions (preview)](delegate-role-assignments-portal.md)
+- [Delegate Azure role assignment management to others with conditions](delegate-role-assignments-portal.md)
 - [What is Azure attribute-based access control (Azure ABAC)?](conditions-overview.md)
-- [Examples to delegate Azure role assignment management with conditions (preview)](delegate-role-assignments-examples.md)
+- [Examples to delegate Azure role assignment management with conditions](delegate-role-assignments-examples.md)

articles/role-based-access-control/delegate-role-assignments-portal.md

@@ -1,5 +1,5 @@
 ---
-title: Delegate Azure role assignment management to others with conditions (preview) - Azure ABAC
+title: Delegate Azure role assignment management to others with conditions - Azure ABAC
 description: How to delegate Azure role assignment management to other users by using Azure attribute-based access control (Azure ABAC).
 services: active-directory
 author: rolyon
@@ -8,17 +8,13 @@ ms.service: role-based-access-control
 ms.subservice: conditions
 ms.topic: how-to
 ms.workload: identity
-ms.date: 12/01/2023
+ms.date: 01/30/2024
 ms.author: rolyon
 
 #Customer intent: As a dev, devops, or it admin, I want to delegate Azure role assignment management to other users who are closer to the decision, but want to limit the scope of the role assignments.
 ---
 
-# Delegate Azure role assignment management to others with conditions (preview)
-
-> [!IMPORTANT]
-> Delegating Azure role assignment management with conditions is currently in PREVIEW.
-> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
+# Delegate Azure role assignment management to others with conditions
 
 As an administrator, you might get several requests to grant access to Azure resources that you want to delegate to someone else. You could assign a user the [Owner](built-in-roles.md#owner) or [User Access Administrator](built-in-roles.md#user-access-administrator) roles, but these are highly privileged roles. This article describes a more secure way to [delegate role assignment management](delegate-role-assignments-overview.md) to other users in your organization, but add restrictions for those role assignments. For example, you can constrain the roles that can be assigned or constrain the principals the roles can be assigned to.
 
@@ -39,7 +35,7 @@ To help determine the permissions the delegate needs, answer the following quest
 - Which principals can the delegate assign roles to?
 - Can delegate remove any role assignments?
 
-Once you know the permissions that delegate needs, you use the following steps to add a condition to the delegate's role assignment. For example conditions, see [Examples to delegate Azure role assignment management with conditions (preview)](delegate-role-assignments-examples.md).
+Once you know the permissions that delegate needs, you use the following steps to add a condition to the delegate's role assignment. For example conditions, see [Examples to delegate Azure role assignment management with conditions](delegate-role-assignments-examples.md).
 
 ## Step 2: Start a new role assignment
 
@@ -63,16 +59,11 @@ There are two ways that you can add a condition. You can use a condition templat
 
 # [Template](#tab/template)
 
-1. On the **Conditions** tab under **Delegation type**, select the **Constrained (recommended)** option.
-
-    | Option | Select this option to |
-    | --- | --- |
-    | **Constrained (recommended)** | Pick the roles or principals the user can use in role assignments |
-    | **Not constrained** | Allow the user to assign any role to any principal |
+1. On the **Conditions** tab under **What user can do**, select the **Allow user to only assign selected roles to selected principals (fewer privileges)** option.
 
-    :::image type="content" source="./media/shared/condition-constrained.png" alt-text="Screenshot of Add role assignment with the Constrained option selected." lightbox="./media/shared/condition-constrained.png":::
+    :::image type="content" source="./media/shared/condition-constrained.png" alt-text="Screenshot of Add role assignment with the constrained option selected." lightbox="./media/shared/condition-constrained.png":::
 
-1. Select **Add condition**.
+1. Select **Select roles and principals**.
 
     The Add role assignment condition page appears with a list of condition templates.
 
@@ -82,13 +73,13 @@ There are two ways that you can add a condition. You can use a condition templat
 
     | Condition template | Select this template to |
     | --- | --- |
-    | Constrain roles | Constrain the roles a user can assign |
-    | Constrain roles and principal types | Constrain the roles a user can assign and the types of principals the user can assign roles to |
-    | Constrain roles and principals | Constrain the roles a user can assign and the principals the user can assign roles to |
+    | Constrain roles | Allow user to only assign roles you select |
+    | Constrain roles and principal types | Allow user to only assign roles you select<br/>Allow user to only assign these roles to principal types you select (users, groups, or service principals) |
+    | Constrain roles and principals | Allow user to only assign roles you select<br/>Allow user to only assign these roles to principals you select |
 
 1. In the configure pane, add the required configurations.
 
-    :::image type="content" source="./media/delegate-role-assignments-portal/condition-template-configure-pane.png" alt-text="Screenshot of configure pane for a condition with selection added." lightbox="./media/delegate-role-assignments-portal/condition-template-configure-pane.png":::
+    :::image type="content" source="./media/shared/condition-template-configure-pane.png" alt-text="Screenshot of configure pane for a condition with selection added." lightbox="./media/shared/condition-template-configure-pane.png":::
 
 1. Select **Save** to add the condition to the role assignment.
 
@@ -98,16 +89,11 @@ If the condition templates don't work for your scenario or if you want more cont
 
 ### Open condition editor
 
-1. On the **Conditions** tab under **Delegation type**, select the **Constrained (recommended)** option.
-
-    | Option | Select this option to |
-    | --- | --- |
-    | **Constrained (recommended)** | Pick the roles or principals the user can use in role assignments |
-    | **Not constrained** | Allow the user to assign any role to any principal |
+1. On the **Conditions** tab under **What user can do**, select the **Allow user to only assign selected roles to selected principals (fewer privileges)** option.
 
     :::image type="content" source="./media/shared/condition-constrained.png" alt-text="Screenshot of Add role assignment with the Constrained option selected." lightbox="./media/shared/condition-constrained.png":::
 
-1. Select **Add condition**.
+1. Select **Select roles and principals**.
 
     The Add role assignment condition page appears with a list of condition templates.