Merge pull request #284686 from cherylmc/s2s-active

prmerger-automator[bot] · web-flow · commit 769b073078a0 · 2024-08-14T20:17:44.000Z
Update role access
diff --git a/articles/vpn-gateway/openvpn-azure-ad-tenant.md b/articles/vpn-gateway/openvpn-azure-ad-tenant.md
@@ -5,7 +5,7 @@ description: Learn how to set up a Microsoft Entra tenant and P2S gateway for P2
 author: cherylmc
 ms.service: azure-vpn-gateway
 ms.topic: how-to
-ms.date: 05/15/2024
+ms.date: 08/14/2024
 ms.author: cherylmc
 
 ---
@@ -31,11 +31,11 @@ If you already have an existing P2S gateway, the steps in this article help you
 
 1. Create two accounts in the newly created Microsoft Entra tenant. For steps, see [Add or delete a new user](../active-directory/fundamentals/add-users-azure-active-directory.md).
 
-   * Global administrator account
+   * [Cloud Application Administrator role](/entra/identity/role-based-access-control/permissions-reference#cloud-application-administrator)
    * User account
 
-   The global administrator account is used to grant consent to the Azure VPN app registration. The user account can be used to test OpenVPN authentication.
-1. Assign one of the accounts the **Global administrator** role. For steps, see  [Assign administrator and non-administrator roles to users with Microsoft Entra ID](/azure/active-directory-b2c/tenant-management-read-tenant-name).
+   The Cloud Application Administrator role is used to grant consent to the Azure VPN app registration. The user account can be used to test OpenVPN authentication.
+1. Assign one of the accounts the **Cloud Application Administrator** role. For steps, see  [Assign administrator and non-administrator roles to users with Microsoft Entra ID](/azure/active-directory-b2c/tenant-management-read-tenant-name).
 
 ## Authorize the Azure VPN application
 
diff --git a/articles/vpn-gateway/point-to-site-entra-register-custom-app.md b/articles/vpn-gateway/point-to-site-entra-register-custom-app.md
@@ -5,7 +5,7 @@ description: Learn how to create or modify a custom audience App ID or upgrade a
 author: cherylmc
 ms.service: azure-vpn-gateway
 ms.topic: concept-article
-ms.date: 08/09/2024
+ms.date: 08/14/2024
 ms.author: cherylmc
 ---
 
@@ -19,22 +19,22 @@ This article provides high-level steps. The screenshots to register an applicati
 
 ## Prerequisites
 
-* This article assumes that you already have a Microsoft Entra tenant and the permissions to create an Enterprise Application, typically the Cloud Application administrator role or higher. For more information, see [Create a new tenant in Microsoft Entra ID](/entra/fundamentals/create-new-tenant) and [Assign user roles with Microsoft Entra ID](/entra/fundamentals/users-assign-role-azure-portal).
+* This article assumes that you already have a Microsoft Entra tenant and the permissions to create an Enterprise Application, typically the [Cloud Application Administrator role](/entra/identity/role-based-access-control/permissions-reference#cloud-application-administrator) or higher. For more information, see [Create a new tenant in Microsoft Entra ID](/entra/fundamentals/create-new-tenant) and [Assign user roles with Microsoft Entra ID](/entra/fundamentals/users-assign-role-azure-portal).
 
 * This article assumes that you're using the **Microsoft-registered App ID Azure Public** audience value `c632b3df-fb67-4d84-bdcf-b95ad541b5c8` to configure your custom app. This value has global consent, which means you don't need to manually register it to provide consent for your organization. We recommend that you use this value.
 
   * At this time, there's only one supported audience value for the Microsoft-registered app. See the [supported audience value table](point-to-site-about.md#entra-id) for additional supported values.
 
   * If the Microsoft-registered audience value isn't compatible with your configuration, you can still use the older manually registered ID values.
 
-* If you need to use a manually registered app ID value instead, you must give consent to allow the app to sign in and read user profiles before proceeding with this configuration.
+* If you need to use a manually registered app ID value instead, you must give consent to allow the app to sign in and read user profiles before proceeding with this configuration. You must sign in with an account that's assigned the [Cloud Application Administrator role](/entra/identity/role-based-access-control/permissions-reference#cloud-application-administrator).
 
   1. To grant admin consent for your organization, modify the following command to contain the desired `client_id` value. In the example, the client_id value is for Azure Public. See the [table](point-to-site-about.md#entra-id) for additional supported values.
 
      ```https://login.microsoftonline.com/common/oauth2/authorize?client_id=41b23e61-6c1e-4545-b367-cd054e0ed4b4&response_type=code&redirect_uri=https://portal.azure.com&nonce=1234&prompt=admin_consent```
 
   1. Copy and paste the URL that pertains to your deployment location in the address bar of your browser.
-  1. Select the account that has the **Global administrator** role if prompted.
+  1. Select the account that has the [Cloud Application Administrator role](/entra/identity/role-based-access-control/permissions-reference#cloud-application-administrator) if prompted.
   1. On the **Permissions** requested page, select **Accept**.
 
 [!INCLUDE [Configure custom audience](../../includes/vpn-gateway-custom-audience.md)]
