We've added a [UserJourney](userjourneys.md). The user journey specifies the business logic the end user goes through as Azure AD B2C processes a request. This user journey has only one step that issues a JTW token with the claims that you'll define in the next step.
articles/active-directory/roles/permissions-reference.md
10 additions & 12 deletions
@@ -9,7 +9,7 @@ ms.service: active-directory
9
9
ms.workload: identity
10
10
ms.subservice: roles
11
11
ms.topic: reference
12
-
ms.date: 06/08/2023
12
+
ms.date: 07/05/2023
13
13
ms.author: rolyon
14
14
ms.reviewer: abhijeetsinha
15
15
ms.custom: generated, it-pro, fasttrack-edit
@@ -90,7 +90,7 @@ This article lists the Azure AD built-in roles you can assign to allow managemen
90
90
> |[Partner Tier2 Support](#partner-tier2-support)| Do not use - not intended for general use. | e00e864a-17c5-4a4b-9c06-f5b95a8d5bd8 |
91
91
> |[Password Administrator](#password-administrator)| Can reset passwords for non-administrators and Password Administrators. | 966707d0-3269-4727-9be2-8c3a10f19b9d |
92
92
> |[Permissions Management Administrator](#permissions-management-administrator)| Manage all aspects of Entra Permissions Management. | af78dc32-cf4d-46f9-ba4e-4428526346b5 |
93
-
> |[Power BI Administrator](#power-bi-administrator)| Can manage all aspects of the Power BI product. | a9ea8996-122f-4c74-9520-8edcd192826c |
93
+
> |[Fabric Administrator](#fabric-administrator)| Can manage all aspects of the Fabric and Power BI products. | a9ea8996-122f-4c74-9520-8edcd192826c |
94
94
> |[Power Platform Administrator](#power-platform-administrator)| Can create and manage all aspects of Microsoft Dynamics 365, Power Apps and Power Automate. | 11648597-926c-4cf3-9c36-bcebb0ba8dcc |
95
95
> |[Printer Administrator](#printer-administrator)| Can manage all aspects of printers and printer connectors. | 644ef478-e28f-4e28-b9dc-3fdde9aa0b1f |
96
96
> |[Printer Technician](#printer-technician)| Can register and unregister printers and update printer status. | e8cef6f1-e4bd-4ea8-bc07-4b8d950f4477 |
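Review bot: the renamed row at new line 93 keeps its old position between Permissions Management Administrator and Power Platform Administrator, so `Fabric Administrator` now breaks the alphabetical order that the neighbouring rows follow; move it up to the F entries. The link target also changes from `#power-bi-administrator` to `#fabric-administrator`, so any links to the old anchor need updating in the same change. The template ID `a9ea8996-122f-4c74-9520-8edcd192826c` is unchanged, which is worth stating for readers who audit role assignments by ID rather than by name.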
@@ -1100,7 +1100,7 @@ Users with this role have access to all administrative features in Azure Active
1100
1100
> | microsoft.office365.yammer/allEntities/allProperties/allTasks | Manage all aspects of Yammer |
1101
1101
> | microsoft.permissionsManagement/allEntities/allProperties/allTasks | Manage all aspects of Entra Permissions Management |
1102
1102
> | microsoft.powerApps/allEntities/allTasks | Manage all aspects of Power Apps |
1103
-
> | microsoft.powerApps.powerBI/allEntities/allTasks | Manage all aspects of Power BI |
1103
+
> | microsoft.powerApps.powerBI/allEntities/allTasks | Manage all aspects of Fabric and Power BI |
1104
1104
> | microsoft.teams/allEntities/allProperties/allTasks | Manage all resources in Teams |
1105
1105
> | microsoft.virtualVisits/allEntities/allProperties/allTasks | Manage and share Virtual Visits information and metrics from admin centers or the Virtual Visits app |
1106
1106
> | microsoft.windows.defenderAdvancedThreatProtection/allEntities/allTasks | Manage all aspects of Microsoft Defender for Endpoint |
@@ -1630,7 +1630,7 @@ Users with the Modern Commerce User role typically have administrative permissio
1630
1630
1631
1631
**When is the Modern Commerce User role assigned?**
1632
1632
1633
-
***Self-service purchase in Microsoft 365 admin center** – Self-service purchase gives users a chance to try out new products by buying or signing up for them on their own. These products are managed in the admin center. Users who make a self-service purchase are assigned a role in the commerce system, and the Modern Commerce User role so they can manage their purchases in admin center. Admins can block self-service purchases (for Power BI, Power Apps, Power automate) through [PowerShell](/microsoft-365/commerce/subscriptions/allowselfservicepurchase-powershell). For more information, see [Self-service purchase FAQ](/microsoft-365/commerce/subscriptions/self-service-purchase-faq).
1633
+
***Self-service purchase in Microsoft 365 admin center** – Self-service purchase gives users a chance to try out new products by buying or signing up for them on their own. These products are managed in the admin center. Users who make a self-service purchase are assigned a role in the commerce system, and the Modern Commerce User role so they can manage their purchases in admin center. Admins can block self-service purchases (for Fabric, Power BI, Power Apps, Power automate) through [PowerShell](/microsoft-365/commerce/subscriptions/allowselfservicepurchase-powershell). For more information, see [Self-service purchase FAQ](/microsoft-365/commerce/subscriptions/self-service-purchase-faq).
1634
1634
***Purchases from Microsoft commercial marketplace** – Similar to self-service purchase, when a user buys a product or service from Microsoft AppSource or Azure Marketplace, the Modern Commerce User role is assigned if they don’t have the Global Administrator or Billing Administrator role. In some cases, users might be blocked from making these purchases. For more information, see [Microsoft commercial marketplace](../../marketplace/marketplace-faq-publisher-guide.yml#what-could-block-a-customer-from-completing-a-purchase-).
1635
1635
***Proposals from Microsoft** – A proposal is a formal offer from Microsoft for your organization to buy Microsoft products and services. When the person who is accepting the proposal doesn’t have a Global Administrator or Billing Administrator role in Azure AD, they are assigned both a commerce-specific role to complete the proposal and the Modern Commerce User role to access admin center. When they access the admin center they can only use features that are authorized by their commerce-specific role.
1636
1636
***Commerce-specific roles** – Some users are assigned commerce-specific roles. If a user isn't a Global Administrator or Billing Administrator, they get the Modern Commerce User role so they can access the admin center.
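Review bot: the rewritten bullet at new line 1633 still spells the product `Power automate`, while the role table earlier in this file uses `Power Automate`; correct the capitalisation while the line is being touched. The sentence now also states that self-service purchases for Fabric can be blocked through the linked PowerShell article, so confirm that article covers Fabric before this merges.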
@@ -1820,12 +1820,10 @@ Learn more about Permissions Management roles and polices at [View information a
1820
1820
> | --- | --- |
1821
1821
> | microsoft.permissionsManagement/allEntities/allProperties/allTasks | Manage all aspects of Entra Permissions Management |
1822
1822
1823
-
## Power BI Administrator
1823
+
## Fabric Administrator
1824
1824
1825
-
Users with this role have global permissions within Microsoft Power BI, when the service is present, as well as the ability to manage support tickets and monitor service health. For more information, see [Understanding Power BI administrator roles](/power-bi/admin/service-admin-role).
1825
+
Users with this role have global permissions within Microsoft Fabric and Power BI, when the service is present, as well as the ability to manage support tickets and monitor service health. For more information, see [Understanding Fabric administrator roles](/power-bi/admin/service-admin-role).
1826
1826
1827
-
> [!NOTE]
1828
-
> In the Microsoft Graph API and Azure AD PowerShell, this role is named Power BI Service Administrator. In the [Azure portal](../../azure-portal/azure-portal-overview.md), it is named Power BI Administrator.
1829
1827
1830
1828
> [!div class="mx-tableFixed"]
1831
1829
> | Actions | Description |
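Review bot: deleting the `[!NOTE]` at old lines 1827-1828 removes the only statement of what this role is called in the Microsoft Graph API and Azure AD PowerShell, and nothing in the hunk replaces it. If those interfaces still return the older name, anyone reviewing assignments or writing alerts by display name will not connect it to this section; keep the note, updated to give the current name in each interface and the former name "Power BI Administrator". Also, the link text at new line 1825 now reads "Understanding Fabric administrator roles" but still points to `/power-bi/admin/service-admin-role`; check that the target's title matches.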
@@ -1835,7 +1833,7 @@ Users with this role have global permissions within Microsoft Power BI, when the
1835
1833
> | microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
1836
1834
> | microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests |
1837
1835
> | microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
1838
-
> | microsoft.powerApps.powerBI/allEntities/allTasks | Manage all aspects of Power BI |
1836
+
> | microsoft.powerApps.powerBI/allEntities/allTasks | Manage all aspects of Fabric and Power BI |
1839
1837
1840
1838
## Power Platform Administrator
1841
1839
@@ -1959,7 +1957,7 @@ Users with this role can manage role assignments in Azure Active Directory, as w
1959
1957
1960
1958
## Reports Reader
1961
1959
1962
-
Users with this role can view usage reporting data and the reports dashboard in Microsoft 365 admin center and the adoption context pack in Power BI. Additionally, the role provides access to all sign-in logs, audit logs, and activity reports in Azure AD and data returned by the Microsoft Graph reporting API. A user assigned to the Reports Reader role can access only relevant usage and adoption metrics. They don't have any admin permissions to configure settings or access the product-specific admin centers like Exchange. This role has no access to view, create, or manage support tickets.
1960
+
Users with this role can view usage reporting data and the reports dashboard in Microsoft 365 admin center and the adoption context pack in Fabric and Power BI. Additionally, the role provides access to all sign-in logs, audit logs, and activity reports in Azure AD and data returned by the Microsoft Graph reporting API. A user assigned to the Reports Reader role can access only relevant usage and adoption metrics. They don't have any admin permissions to configure settings or access the product-specific admin centers like Exchange. This role has no access to view, create, or manage support tickets.
1963
1961
1964
1962
> [!div class="mx-tableFixed"]
1965
1963
> | Actions | Description |
@@ -2435,7 +2433,7 @@ Users with this role **cannot** do the following:
2435
2433
Users with this role can do the following tasks:
2436
2434
2437
2435
- Manage and configure all aspects of Virtual Visits in Bookings in the Microsoft 365 admin center, and in the Teams EHR connector
2438
-
- View usage reports for Virtual Visits in the Teams admin center, Microsoft 365 admin center, and Power BI
2436
+
- View usage reports for Virtual Visits in the Teams admin center, Microsoft 365 admin center, Fabric, and Power BI
2439
2437
- View features and settings in the Microsoft 365 admin center, but can't edit any settings
2440
2438
2441
2439
Virtual Visits are a simple way to schedule and manage online and video appointments for staff and attendees. For example, usage reporting can show how sending SMS text messages before appointments can reduce the number of people who don't show up for appointments.
articles/aks/azure-cni-overlay.md
8 additions & 3 deletions
@@ -121,6 +121,14 @@ az aks create -n $clusterName -g $resourceGroup --location $location --network-p
121
121
> - Doesn't use the dynamic pod IP allocation feature.
122
122
> - Doesn't have network policies enabled.
123
123
> - Doesn't use any Windows node pools with docker as the container runtime.
124
+
125
+
> [!WARNING]
126
+
> Prior to Windows OS Build 20348.1668, there was a limitation around Windows Overlay pods incorrectly SNATing packets from host network pods, which had a more detrimental effect for clusters upgrading to Overlay. To avoid this issue, **use Windows OS Build greater than or equal to 20348.1668**.
127
+
128
+
> [!WARNING]
129
+
> If using a custom azure-ip-masq-agent config to include additional IP ranges that should not SNAT packets from pods, upgrading to Azure CNI Overlay may break connectivity to these ranges. Pod IPs from the overlay space will not be reachable by anything outside the cluster nodes.
130
+
> Additionally, for sufficiently old clusters there may be a ConfigMap left over from a previous version of azure-ip-masq-agent. If this ConfigMap, named `azure-ip-masq-agent-config`, exists and is not intetionally in-place it should be deleted before running the update command.
131
+
> If not using a custom ip-masq-agent config, only the `azure-ip-masq-agent-config-reconciled` ConfigMap should exist with respect to Azure ip-masq-agent ConfigMaps and this will be updated automatically during the upgrade process.
124
132
125
133
The upgrade process triggers each node pool to be re-imaged simultaneously. Upgrading each node pool separately to Overlay isn't supported. Any disruptions to cluster networking are similar to a node image upgrade or Kubernetes version upgrade where each node in a node pool is re-imaged.
126
134
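Review bot: the second warning (new lines 129-131) tells readers to delete a leftover `azure-ip-masq-agent-config` ConfigMap before running the update, but it gives neither the namespace to look in nor a command to list the ip-masq-agent ConfigMaps, so a reader cannot tell which of the two named objects exists on their cluster; add both. On line 130, "intetionally in-place" should read "intentionally in place". The statement on line 129 that overlay pod IPs "will not be reachable by anything outside the cluster nodes" would be easier to act on if it said what to do with the custom non-SNAT ranges after the upgrade.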
@@ -139,9 +147,6 @@ az aks update --name $clusterName \
139
147
140
148
The `--pod-cidr` parameter is required when upgrading from legacy CNI because the pods need to get IPs from a new overlay space, which doesn't overlap with the existing node subnet. The pod CIDR also can't overlap with any VNet address of the node pools. For example, if your VNet address is *10.0.0.0/8*, and your nodes are in the subnet *10.240.0.0/16*, the `--pod-cidr` can't overlap with *10.0.0.0/8* or the existing service CIDR on the cluster.
141
149
142
-
> [!WARNING]
143
-
> Prior to Windows OS Build 20348.1668, there was a limitation around Windows Overlay pods incorrectly SNATing packets from host network pods, which had a more detrimental effect for clusters upgrading to Overlay. To avoid this issue, **use Windows OS Build 20348.1668**.
144
-
145
150
## Install the aks-preview Azure CLI extension - Windows only
146
151
147
152
[!INCLUDE [preview features callout](includes/preview/preview-callout.md)]