MicrosoftDocs
diff --git a/‎articles/active-directory/fundamentals/whats-new-archive.md
Lines changed: 1 addition & 1 deletion b/‎articles/active-directory/fundamentals/whats-new-archive.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/active-directory/privileged-identity-management/pim-resource-roles-assign-roles.md
Lines changed: 15 additions & 7 deletions b/‎articles/active-directory/privileged-identity-management/pim-resource-roles-assign-roles.md
Lines changed: 15 additions & 7 deletions
diff --git a/‎articles/role-based-access-control/TOC.yml
Lines changed: 2 additions & 2 deletions b/‎articles/role-based-access-control/TOC.yml
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/role-based-access-control/conditions-custom-security-attributes-example.md
Lines changed: 1 addition & 1 deletion b/‎articles/role-based-access-control/conditions-custom-security-attributes-example.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/role-based-access-control/conditions-custom-security-attributes.md
Lines changed: 2 additions & 2 deletions b/‎articles/role-based-access-control/conditions-custom-security-attributes.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/role-based-access-control/conditions-faq.md
Lines changed: 8 additions & 13 deletions b/‎articles/role-based-access-control/conditions-faq.md
Lines changed: 8 additions & 13 deletions
diff --git a/‎articles/role-based-access-control/conditions-format.md
Lines changed: 16 additions & 17 deletions b/‎articles/role-based-access-control/conditions-format.md
Lines changed: 16 additions & 17 deletions
@@ -1717,7 +1717,7 @@ To access these details, go to the Azure AD sign-in logs, select a sign-in, and
 **Service category:** Privileged Identity Management  
 **Product capability:** Privileged Identity Management
 
-Along with the public preview of attributed based access control for specific Azure RBAC role, you can also add ABAC conditions inside Privileged Identity Management for your eligible assignments. [Learn more](../../role-based-access-control/conditions-overview.md#conditions-and-privileged-identity-management-pim).
+Along with the public preview of attributed-based access control (ABAC) for specific Azure roles, you can also add ABAC conditions inside Privileged Identity Management for your eligible assignments. [Learn more](../../role-based-access-control/conditions-overview.md#conditions-and-azure-ad-pim).
 
 ---
 
 
@@ -18,7 +18,7 @@ ms.collection: M365-identity-device-management
 
 # Assign Azure resource roles in Privileged Identity Management
 
-With Privileged Identity Management (PIM) in Azure Active Directory (Azure AD), part of Microsoft Entra, can manage the built-in Azure resource roles, and custom roles, including (but not limited to):
+With Azure AD Privileged Identity Management (Azure AD PIM), part of Microsoft Entra, can manage the built-in Azure resource roles, and custom roles, including (but not limited to):
 
 - Owner
 - User Access Administrator
@@ -33,13 +33,21 @@ Privileged Identity Management support both built-in and custom Azure roles. For
 
 ## Role assignment conditions
 
-You can use the Azure attribute-based access control (Azure ABAC) preview to place resource conditions on eligible role assignments using Privileged Identity Management (PIM). With PIM, your end users must activate an eligible role assignment to get permission to perform certain actions. Using Azure attribute-based access control conditions in PIM enables you not only to limit a user’s role permissions to a resource using fine-grained conditions, but also to use PIM to secure the role assignment with a time-bound setting, approval workflow, audit trail, and so on. For more information, see [Azure attribute-based access control public preview](../../role-based-access-control/conditions-overview.md).
+You can use the Azure attribute-based access control (Azure ABAC) to add conditions on eligible role assignments using Azure AD PIM for Azure resources. With Azure AD PIM, your end users must activate an eligible role assignment to get permission to perform certain actions. Using conditions in Azure AD PIM enables you not only to limit a user's role permissions to a resource using fine-grained conditions, but also to use Azure AD PIM to secure the role assignment with a time-bound setting, approval workflow, audit trail, and so on.
 
 >[!Note]
 >When a role is assigned, the assignment:
->- Can't be assign for a duration of less than five minutes
+>- Can't be assigned for a duration of less than five minutes
 >- Can't be removed within five minutes of it being assigned
 
+Currently, the following built-in roles can have conditions added:
+
+- [Storage Blob Data Contributor](../../role-based-access-control/built-in-roles.md#storage-blob-data-contributor)
+- [Storage Blob Data Owner](../../role-based-access-control/built-in-roles.md#storage-blob-data-owner)
+- [Storage Blob Data Reader](../../role-based-access-control/built-in-roles.md#storage-blob-data-reader)
+
+For more information, see [What is Azure attribute-based access control (Azure ABAC)](../../role-based-access-control/conditions-overview.md).
+
 ## Assign a role
 
 Follow these steps to make a user eligible for an Azure resource role.
@@ -73,11 +81,11 @@ Follow these steps to make a user eligible for an Azure resource role.
 
     ![Screenshot of add assignments settings pane.](./media/pim-resource-roles-assign-roles/resources-membership-settings-type.png)
 
-    Privileged Identity Management for Azure resources provides two distinct assignment types:
+    Azure AD PIM for Azure resources provides two distinct assignment types:
 
-    - **Eligible** assignments require the member of the role to perform an action to use the role. Actions might include performing a multi-factor authentication (MFA) check, providing a business justification, or requesting approval from designated approvers.
+    - **Eligible** assignments require the member to activate the role before using it. Administrator may require role member to perform certain actions before role activation which might include performing a multi-factor authentication (MFA) check, providing a business justification, or requesting approval from designated approvers.
 
-    - **Active** assignments don't require the member to perform any action to use the role. Members assigned as active have the privileges assigned ready to use.
+    - **Active** assignments don't require the member to activate the role before usage. Members assigned as active have the privileges assigned ready to use. This type of assignment is also available to customers that don't use Azure AD PIM.
 
 1. To specify a specific assignment duration, change the start and end dates and times.
 
@@ -207,7 +215,7 @@ Follow these steps to update or remove an existing role assignment.
 
     :::image type="content" source="./media/pim-resource-roles-assign-roles/resources-update-remove.png" alt-text="Screenshot demonstrates how to update or remove role assignment." lightbox="./media/pim-resource-roles-assign-roles/resources-update-remove.png":::
 
-1. To add or update a condition to refine Azure resource access, select **Add** or **View/Edit** in the **Condition** column for the role assignment. Currently, the Storage Blob Data Owner, Storage Blob Data Reader, and the Blob Storage Blob Data Contributor roles in Privileged Identity Management are the only two roles supported as part of the [Azure attribute-based access control public preview](../../role-based-access-control/conditions-overview.md).
+1. To add or update a condition to refine Azure resource access, select **Add** or **View/Edit** in the **Condition** column for the role assignment. Currently, the Storage Blob Data Owner, Storage Blob Data Reader, and Storage Blob Data Contributor roles in Azure AD PIM are the only roles that can have conditions added.
 
 1. Select **Add expression** or **Delete** to update the expression. You can also select **Add condition** to add a new condition to your role.
 
 
@@ -41,7 +41,7 @@
     href: scope-overview.md
   - name: Best practices
     href: best-practices.md
-  - name: Conditions
+  - name: ABAC conditions
     items:
     - name: Condition format
       href: conditions-format.md
@@ -95,7 +95,7 @@
     - name: ARM template
       displayName: Resource Manager
       href: role-assignments-template.md
-  - name: Add or edit conditions
+  - name: Add or edit ABAC conditions
     items:
     - name: Portal
       href: conditions-role-assignments-portal.md
 
@@ -140,4 +140,4 @@ Create one or more role assignments that use a condition at a higher scope to ma
 
 - [What is Azure attribute-based access control (Azure ABAC)?](conditions-overview.md)
 - [What are custom security attributes in Azure AD?](../active-directory/fundamentals/custom-security-attributes-overview.md)
-- [Allow read access to blobs based on tags and custom security attributes](conditions-custom-security-attributes.md)
+- [Allow read access to blobs based on tags and custom security attributes (Preview)](conditions-custom-security-attributes.md)
@@ -214,7 +214,7 @@ You can also use Azure PowerShell to add role assignment conditions. The followi
 1. Set the `Condition` property of the role assignment object. Be sure to use your attribute set name.
 
     ```powershell
-    $groupRoleAssignment.Condition="((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List' })) OR (@Principal[Microsoft.Directory/CustomSecurityAttributes/Id:Engineering_Project] StringEquals @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:Project<`$key_case_sensitive`$>]))"
+    $groupRoleAssignment.Condition="((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'})) OR (@Principal[Microsoft.Directory/CustomSecurityAttributes/Id:Engineering_Project] StringEquals @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:Project<`$key_case_sensitive`$>]))"
     ```
 
 1. Set the `ConditionVersion` property of the role assignment object.
@@ -312,7 +312,7 @@ You can also use Azure CLI to add role assignments conditions. The following com
 1. Update the `condition` property. Be sure to use your attribute set name.
 
     ```azurecli
-    "condition": "((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List' })) OR (@Principal[Microsoft.Directory/CustomSecurityAttributes/Id:Engineering_Project] StringEquals @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:Project<$key_case_sensitive$>]))",
+    "condition": "((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'})) OR (@Principal[Microsoft.Directory/CustomSecurityAttributes/Id:Engineering_Project] StringEquals @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:Project<$key_case_sensitive$>]))",
     ```
 
 1. Update the `conditionVersion` property.
 
@@ -1,25 +1,20 @@
 ---
-title: FAQ for Azure role assignment conditions (preview)
-description: Frequently asked questions for Azure role assignment conditions (preview)
+title: FAQ for Azure role assignment conditions - Azure ABAC
+description: Frequently asked questions for Azure role assignment conditions
 services: active-directory
 author: rolyon
 manager: amycolannino
 ms.service: role-based-access-control
 ms.subservice: conditions
 ms.topic: conceptual
 ms.workload: identity
-ms.date: 11/16/2021
+ms.date: 10/24/2022
 ms.author: rolyon
 
 #Customer intent: 
 ---
 
-# FAQ for Azure role assignment conditions (preview)
-
-> [!IMPORTANT]
-> Azure ABAC and Azure role assignment conditions are currently in preview.
-> This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
-> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
+# FAQ for Azure role assignment conditions
 
 ## Frequently asked questions
 
@@ -31,9 +26,9 @@ You must write the storage container name, blob path, tag name, or values in the
 
 If you add three or more expressions for a targeted action, you must define the logical grouping of those expressions in the code editor, Azure PowerShell, or Azure CLI. A logical grouping of `a AND b OR c` can be either `(a AND b) OR c` or `a AND (b OR c )`.
 
-**Are conditions supported via Privileged Identity Management (PIM) for Azure resources in preview?**
+**Are conditions supported via Azure AD Privileged Identity Management (Azure AD PIM) for Azure resources?**
 
-Yes. For more information, see [Assign Azure resource roles in Privileged Identity Management](../active-directory/privileged-identity-management/pim-resource-roles-assign-roles.md).
+Yes, for specific roles. For more information, see [Assign Azure resource roles in Privileged Identity Management](../active-directory/privileged-identity-management/pim-resource-roles-assign-roles.md).
 
 **Are conditions supported for classic administrators?**
 
@@ -80,5 +75,5 @@ No, conditions in role assignments do not have an explicit deny effect. Conditio
 
 ## Next steps
 
-- [Azure role assignment condition format and syntax (preview)](conditions-format.md)
-- [Troubleshoot Azure role assignment conditions (preview)](conditions-troubleshoot.md)
+- [Azure role assignment condition format and syntax](conditions-format.md)
+- [Troubleshoot Azure role assignment conditions](conditions-troubleshoot.md)
@@ -1,5 +1,5 @@
 ---
-title: Azure role assignment condition format and syntax (preview) - Azure RBAC
+title: Azure role assignment condition format and syntax - Azure ABAC
 description: Get an overview of the format and syntax of Azure role assignment conditions for Azure attribute-based access control (Azure ABAC).
 services: active-directory
 author: rolyon
@@ -8,18 +8,13 @@ ms.service: role-based-access-control
 ms.subservice: conditions
 ms.topic: conceptual
 ms.workload: identity
-ms.date: 09/28/2022
+ms.date: 10/24/2022
 ms.author: rolyon
 
 #Customer intent: As a dev, devops, or it admin, I want to learn about the conditions so that I write more complex conditions.
 ---
 
-# Azure role assignment condition format and syntax (preview)
-
-> [!IMPORTANT]
-> Azure ABAC and Azure role assignment conditions are currently in preview.
-> This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
-> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
+# Azure role assignment condition format and syntax
 
 A condition is an additional check that you can optionally add to your role assignment to provide more fine-grained access control. For example, you can add a condition that requires an object to have a specific tag to read the object. This article describes the format and syntax of role assignment conditions.
 
@@ -243,7 +238,7 @@ Currently, conditions can be added to built-in or custom role assignments that h
 - [Storage Queue Data Message Sender](built-in-roles.md#storage-queue-data-message-sender)
 - [Storage Queue Data Reader](built-in-roles.md#storage-queue-data-reader)
 
-For a list of the storage actions you can use in conditions, see [Actions and attributes for Azure role assignment conditions for Azure Blob Storage (preview)](../storage/blobs/storage-auth-abac-attributes.md) and [Actions and attributes for Azure role assignment conditions for Azure queues (preview)](../storage/queues/queues-auth-abac-attributes.md).
+For a list of the storage actions you can use in conditions, see [Actions and attributes for Azure role assignment conditions for Azure Blob Storage](../storage/blobs/storage-auth-abac-attributes.md) and [Actions and attributes for Azure role assignment conditions for Azure queues](../storage/queues/queues-auth-abac-attributes.md).
 
 ## Attributes
 
@@ -254,17 +249,21 @@ Depending on the selected actions, the attribute might be found in different pla
 > | --- | --- | --- |
 > | Resource | Indicates that the attribute is on the resource, such as a container name. | `@Resource` |
 > | Request | Indicates that the attribute is part of the action request, such as setting the blob index tag. | `@Request` |
-> | Principal | Indicates that the attribute is an Azure AD custom security attribute on the principal, such as a user, enterprise application (service principal), or managed identity. | `@Principal` |
+> | Principal | Indicates that the attribute is an Azure AD custom security attribute on the principal, such as a user, enterprise application (service principal), or managed identity. Principal attributes are currently in preview. | `@Principal` |
 
 #### Resource and request attributes
 
 For a list of the blob storage or queue storage attributes you can use in conditions, see:
 
-- [Actions and attributes for Azure role assignment conditions for Azure Blob Storage (preview)](../storage/blobs/storage-auth-abac-attributes.md)
-- [Actions and attributes for Azure role assignment conditions for Azure queues (preview)](../storage/queues/queues-auth-abac-attributes.md)
+- [Actions and attributes for Azure role assignment conditions for Azure Blob Storage](../storage/blobs/storage-auth-abac-attributes.md)
+- [Actions and attributes for Azure role assignment conditions for Azure queues](../storage/queues/queues-auth-abac-attributes.md)
 
 #### Principal attributes
 
+> [!IMPORTANT]
+> Principal attributes are currently in PREVIEW.
+> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
+
 To use principal attributes, you must have **all** of the following:
 
 - Azure AD Premium P1 or P2 license
@@ -273,9 +272,9 @@ To use principal attributes, you must have **all** of the following:
 
 For more information about custom security attributes, see:
 
-- [Allow read access to blobs based on tags and custom security attributes](conditions-custom-security-attributes.md)
-- [Principal does not appear in Attribute source](conditions-troubleshoot.md#symptom---principal-does-not-appear-in-attribute-source)
-- [Add or deactivate custom security attributes in Azure AD](../active-directory/fundamentals/custom-security-attributes-add.md)
+- [Allow read access to blobs based on tags and custom security attributes (Preview)](conditions-custom-security-attributes.md)
+- [Principal does not appear in Attribute source (Preview)](conditions-troubleshoot.md#symptom---principal-does-not-appear-in-attribute-source)
+- [Add or deactivate custom security attributes in Azure AD (Preview)](../active-directory/fundamentals/custom-security-attributes-add.md)
 
 ## Function operators
 
@@ -494,5 +493,5 @@ a AND (b OR c)
 
 ## Next steps
 
-- [Example Azure role assignment conditions for Blob Storage (preview)](../storage/blobs/storage-auth-abac-examples.md)
-- [Add or edit Azure role assignment conditions using the Azure portal (preview)](conditions-role-assignments-portal.md)
+- [Example Azure role assignment conditions for Blob Storage](../storage/blobs/storage-auth-abac-examples.md)
+- [Add or edit Azure role assignment conditions using the Azure portal](conditions-role-assignments-portal.md)