Commit 7354e58

Merge pull request #238820 from jago2136/jaredgorthy/crossTenantScopes
Update cross-tenant connection status documentation
2 parents a04699b + dd86b3b commit 7354e58

2 files changed

+16
-0
lines changed

articles/virtual-network-manager/concept-cross-tenant.md

Lines changed: 11 additions & 0 deletions
@@ -45,6 +45,17 @@ A cross-tenant connection can only be established and maintained when both objec
4545

4646
> [!NOTE]
4747
> Once a connection is removed from either side, the network manager will no longer be able to view or manage the tenant's resources under that former connection's scope.
48+
49+
## Connection states
50+
The resources required to create the cross-tenant connection contain a state, which represents whether the associated scope has been added to the Network Manager scope. Possible state values include:
51+
52+
* Connected: Both the Scope Connection and Network Manager Connection resources exist. The scope has been added to the Network Manager's scope.
53+
* Pending: One of the two approval resources has not been created. The scope has not yet been added to the Network Manager's scope.
54+
* Conflict: There is already a network manager with this subscription or management group defined within its scope. Two network managers with the same scope access cannot directly manage the same scope, therefore this subscription/management group cannot be added to the Network Manager scope. To resolve the conflict, remove the scope from the conflicting network manager's scope and recreate the connection resource.
55+
* Revoked: The scope was at one time added to the Network Nanager scope, but the removal of an approval resource has caused it to be revoked.
56+
57+
The only state that represents the scope has been added to the Network Manager scope is 'Connected'.
58+
4859
## Required permissions
4960

5061
To use cross-tenant connection in Azure Virtual Network Manager, users need the following permissions:
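
Review bot: the added Revoked bullet misspells the product name as "Network Nanager"; it should read "Network Manager". The same list mixes "Network Manager" and "network manager" (see the Conflict bullet), so one casing should be used throughout. The Pending bullet says one of the two approval resources has not been created but, unlike the Connected bullet, does not name them; repeating "Scope Connection" and "Network Manager Connection" there would tell the reader which two resources to check. Because the closing sentence states that 'Connected' is the only state in which the scope is part of the Network Manager scope, consider moving it directly under the intro sentence so that anyone reviewing cross-tenant access reads it before the individual states.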

articles/virtual-network-manager/concept-network-manager-scope.md

Lines changed: 5 additions & 0 deletions
@@ -43,6 +43,11 @@ A *scope* within Azure Virtual Network Manager represents the delegated access g
4343
When you deploy configurations, Network Manager only applies features to resources within its scope. If you attempt to add a resource to a network group that is out of scope, it's added to the group to represent your intent. But the network manager doesn't apply the changes to the configurations.
4444

4545
The Network Manager's scope can be updated to add or remove scopes from its list. Updates trigger an automatic, scope wide, reevaluation and potentially add features with a scope addition, or remove them with a scope removal.
46+
47+
### Cross-tenant Scope
48+
49+
The Network Manager's scope can span across tenants, however a separate approval flow is required to establish this scope. First, intent for the desired scope must be added from within the Network Manager via the 'Scope Connection' resource. Second, the intent for the management of the Network Manager must be added from the scope (subscription/management group) via the 'Network Manager Connection' resource. These resources contain a state to represent whether the associated scope has been added to the Network Manager scope.
50+
4651
## Features
4752

4853
Features are scope access that you allow the Azure Virtual Network Manager to manage. Azure Virtual Network Manager currently has two feature scopes, which are *Connectivity* and *SecurityAdmin*. You can enable both feature scopes on the same Virtual Network Manager instance. For more information about each feature, see [Connectivity](concept-connectivity-configuration.md) and [SecurityAdmin](concept-security-admins.md).
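
Review bot: the last sentence of the added Cross-tenant Scope paragraph says the two resources "contain a state" but neither lists the values nor links to the Connection states section this commit adds to concept-cross-tenant.md; a relative link in the style already used in this file, such as (concept-cross-tenant.md), would close that gap. The heading "### Cross-tenant Scope" capitalizes "Scope" while the neighbouring "## Features" and the new "## Connection states" use sentence case, so "### Cross-tenant scope" would be consistent. The opening "can span across tenants, however a separate approval flow is required" is a comma splice and reads better as two sentences.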
