Commit 8ec4c1d

Merge pull request #248900 from MicrosoftGuyJFlo/DevicesGeneralUpdates0823
[Microsoft Entra ID] Devices standardization
2 parents a79fd98 + 5187c89 commit 8ec4c1d

16 files changed, +45 −45 lines changed

articles/active-directory/devices/assign-local-admin.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -44,9 +44,9 @@ To view and update the membership of the [Global Administrator](/azure/active-di
4444

4545
[!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
4646

47-
In the Azure portal, you can manage the [Azure AD Joined Device Local Administrator](/azure/active-directory/roles/permissions-reference#azure-ad-joined-device-local-administrator) role from **Device settings**.
47+
You can manage the [Azure AD Joined Device Local Administrator](/azure/active-directory/roles/permissions-reference#azure-ad-joined-device-local-administrator) role from **Device settings**.
4848

49-
1. Sign in to the [Azure portal](https://portal.azure.com) as a Global Administrator.
49+
1. Sign in to the [Azure portal](https://portal.azure.com) as at least a [Cloud Device Administrator](../roles/permissions-reference.md#cloud-device-administrator).
5050
1. Browse to **Azure Active Directory** > **Devices** > **Device settings**.
5151
1. Select **Manage Additional local administrators on all Azure AD joined devices**.
5252
1. Select **Add assignments** then choose the other administrators you want to add and select **Add**.
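Review bot: The role link style is inconsistent inside this hunk: new line 47 keeps the absolute `/azure/active-directory/roles/permissions-reference#azure-ad-joined-device-local-administrator` form while new line 49 uses the relative `../roles/permissions-reference.md#cloud-device-administrator` form that the rest of this PR uses; pick one. Lowering the sign-in requirement from Global Administrator to "at least a Cloud Device Administrator" is the right least-privilege direction for a device-settings task.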
@@ -111,5 +111,5 @@ Additionally, you can also add users using the command prompt:
111111

112112
## Next steps
113113

114-
- To get an overview of how to manage device in the Azure portal, see [managing devices using the Azure portal](manage-device-identities.md).
114+
- To get an overview of how to manage devices, see [managing devices using the Azure portal](manage-device-identities.md).
115115
- To learn more about device-based Conditional Access, see [Conditional Access: Require compliant or hybrid Azure AD joined device](../conditional-access/howto-conditional-access-policy-compliant-device.md).
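Review bot: New line 114 drops "in the Azure portal" from the sentence, but the link text it points at still reads "managing devices using the Azure portal", so the bullet now describes the target two different ways; either keep the sentence aligned with the link title or shorten the link text as well.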

articles/active-directory/devices/device-join-out-of-box.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -43,7 +43,7 @@ Your device may restart several times as part of the setup process. Your device
4343
:::image type="content" source="media/device-join-out-of-box/windows-11-first-run-experience-device-sign-in-info.png" alt-text="Screenshot of Windows 11 out-of-box experience showing the sign-in experience.":::
4444
1. Continue to follow the prompts to set up your device.
4545
1. Azure AD checks if an enrollment in mobile device management is required and starts the process.
46-
1. Windows registers the device in the organization’s directory in Azure AD and enrolls it in mobile device management, if applicable.
46+
1. Windows registers the device in the organization’s directory and enrolls it in mobile device management, if applicable.
4747
1. If you sign in with a managed user account, Windows takes you to the desktop through the automatic sign-in process. Federated users are directed to the Windows sign-in screen to enter your credentials.
4848
:::image type="content" source="media/device-join-out-of-box/windows-11-first-run-experience-complete-automatic-sign-in-desktop.png" alt-text="Screenshot of Windows 11 at the desktop after first run experience Azure AD joined.":::
4949

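Review bot: The unchanged step on line 47 mixes persons ("Federated users are directed to the Windows sign-in screen to enter your credentials"); since this list is being edited, change "your" to "their". The removal of "in Azure AD" on new line 46 is fine, as step 45 immediately above still names the directory.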
@@ -57,7 +57,7 @@ To verify whether a device is joined to your Azure AD, review the **Access work
5757

5858
## Next steps
5959

60-
- For more information about managing devices in the Azure portal, see [managing devices using the Azure portal](manage-device-identities.md).
60+
- For more information about managing devices, see [managing devices using the Azure portal](manage-device-identities.md).
6161
- [What is Microsoft Intune?](/mem/intune/fundamentals/what-is-intune)
6262
- [Overview of Windows Autopilot](/mem/autopilot/windows-autopilot)
6363
- [Passwordless authentication options for Azure Active Directory](../authentication/concept-authentication-passwordless.md)
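Review bot: Same mismatch as in assign-local-admin.md: new line 60 removes "in the Azure portal" while the link text still says "managing devices using the Azure portal"; align the two so the bullet reads as one statement.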

articles/active-directory/devices/enterprise-state-roaming-enable.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -26,7 +26,7 @@ Enterprise State Roaming provides users with a unified experience across their W
2626

2727
[!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
2828

29-
1. Sign in to the [Azure portal](https://portal.azure.com).
29+
1. Sign in to the [Azure portal](https://portal.azure.com) as a [Global Administrator](../roles/permissions-reference.md#global-administrator).
3030
1. Browse to **Azure Active Directory** > **Devices** > **Enterprise State Roaming**.
3131
1. Select **Users may sync settings and app data across devices**. For more information, see [how to configure device settings](./manage-device-identities.md).
3232

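Review bot: New line 29 requires a Global Administrator to sign in, whereas the other sign-in steps in this PR are written as "at least a Cloud Device Administrator". If changing the Enterprise State Roaming setting genuinely needs Global Administrator, keep it but say so; otherwise document the least-privileged role that can do it, using the same "as at least a ..." wording, so the article doesn't steer readers toward routine Global Administrator sign-ins.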
@@ -49,7 +49,7 @@ The country/region value is set as part of the Azure AD directory creation proce
4949

5050
Follow these steps to view a per-user device sync status report.
5151

52-
1. Sign in to the [Azure portal](https://portal.azure.com).
52+
1. Sign in to the [Azure portal](https://portal.azure.com) as a [Global Administrator](../roles/permissions-reference.md#global-administrator).
5353
1. Browse to **Azure Active Directory** > **Users** > **All users**.
5454
1. Select the user, and then select **Devices**.
5555
1. Select **View devices syncing settings and app data** to show sync status.
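Review bot: Same concern as the previous hunk, on new line 52: viewing a per-user sync status report is a read-only task, so requiring a Global Administrator sign-in looks stronger than necessary; confirm the minimum role that can open the user's **Devices** blade and document that instead.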

articles/active-directory/devices/enterprise-state-roaming-troubleshooting.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -70,7 +70,7 @@ Enterprise State Roaming requires the device to be registered with Azure AD. Alt
7070

7171
**Potential issue**: **WamDefaultSet** and **AzureAdJoined** both have “NO” in the field value, the device was domain-joined and registered with Azure AD, and the device doesn't sync. If it's showing this, the device may need to wait for policy to be applied or the authentication for the device failed when connecting to Azure AD. The user may have to wait a few hours for the policy to be applied. Other troubleshooting steps may include retrying autoregistration by signing out and back in, or launching the task in Task Scheduler. In some cases, running “*dsregcmd.exe /leave*” in an elevated command prompt window, rebooting, and trying registration again may help with this issue.
7272

73-
**Potential issue**: The field for **SettingsUrl** is empty and the device doesn't sync. The user may have last logged in to the device before Enterprise State Roaming was enabled in the Azure portal. Restart the device and have the user login. Optionally, in the portal, try having the IT Admin navigate to **Azure Active Directory** > **Devices** > **Enterprise State Roaming** disable and re-enable **Users may sync settings and app data across devices**. Once re-enabled, restart the device and have the user login. If this doesn't resolve the issue, **SettingsUrl** may be empty if there's a bad device certificate. In this case, running “*dsregcmd.exe /leave*” in an elevated command prompt window, rebooting, and trying registration again may help with this issue.
73+
**Potential issue**: The field for **SettingsUrl** is empty and the device doesn't sync. The user may have last logged in to the device before Enterprise State Roaming was enabled. Restart the device and have the user login. Optionally, in the portal, try having the IT Admin navigate to **Azure Active Directory** > **Devices** > **Enterprise State Roaming** disable and re-enable **Users may sync settings and app data across devices**. Once re-enabled, restart the device and have the user login. If this doesn't resolve the issue, **SettingsUrl** may be empty if there's a bad device certificate. In this case, running “*dsregcmd.exe /leave*” in an elevated command prompt window, rebooting, and trying registration again may help with this issue.
7474

7575
## Enterprise State Roaming and multifactor authentication
7676

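Review bot: New line 73 removes "in the Azure portal" from the first mention, but the same paragraph still says "in the portal, try having the IT Admin navigate to ...", so the standardization is incomplete within the line. While touching it: "have the user login" (twice) should be "have the user log in" (verb), and "disable and re-enable" needs an "and" before it ("navigate to ... and disable and re-enable") to read as a sentence.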
articles/active-directory/devices/faq.yml

Lines changed: 11 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -20,10 +20,10 @@ summary: |
2020
sections:
2121
- name: General FAQ
2222
questions:
23-
- question: I registered the device recently. Why can't I see the device under my user info in the Azure portal? Or why is the device owner marked as N/A for hybrid Azure Active Directory (Azure AD) joined devices?
23+
- question: I registered the device recently. Why can't I see the device under my user info? Or why is the device owner marked as N/A for hybrid Azure Active Directory (Azure AD) joined devices?
2424
answer: |
2525
Windows 10 or newer devices that are hybrid Azure AD joined don't show up under **USER devices**.
26-
Use the **All devices** view in the Azure portal. You can also use a PowerShell [Get-MsolDevice](/powershell/module/msonline/get-msoldevice) cmdlet.
26+
Use the **All devices** view. You can also use a PowerShell [Get-MsolDevice](/powershell/module/msonline/get-msoldevice) cmdlet.
2727
2828
Only the following devices are listed under **USER devices**:
2929
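Review bot: New line 26, "Use the **All devices** view.", no longer tells the reader where that view lives; the rest of this PR uses "Browse to **Azure Active Directory** > **Devices** > **All devices**", which keeps the answer actionable after the portal wording is dropped. Also "a PowerShell [Get-MsolDevice] cmdlet" should be "the [Get-MsolDevice] PowerShell cmdlet".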
@@ -35,7 +35,7 @@ sections:
3535
3636
- question: How do I know what the device registration state of the client is?
3737
answer: |
38-
In the Azure portal, go to **All devices**. Search for the device by using the device ID. Check the value under the join type column. Sometimes, the device might be reset or reimaged. So it's essential to also check the device registration state on the device:
38+
Go to **All devices**. Search for the device by using the device ID. Check the value under the join type column. Sometimes, the device might be reset or reimaged. So it's essential to also check the device registration state on the device:
3939
4040
- For Windows 10 or newer and Windows Server 2016 or later devices, run `dsregcmd.exe /status`.
4141
- For down-level OS versions, run `%programFiles%\Microsoft Workplace Join\autoworkplace.exe`.
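Review bot: New line 38, "Go to **All devices**.", has the same location problem as the previous hunk; suggest "Browse to **Azure Active Directory** > **Devices** > **All devices**." to match the navigation wording used elsewhere in this PR. The column name in "the join type column" could be bolded like the other UI labels in the answer.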
@@ -47,7 +47,7 @@ sections:
4747
4848
4949
50-
- question: I see the device record under the USER info in the Azure portal. And I see the state as registered on the device. Am I set up correctly to use Conditional Access?
50+
- question: I see the device record under the USER info and I see the state as registered. Am I set up correctly to use Conditional Access?
5151
answer: |
5252
The device join state, shown by **deviceID**, must match the state on Azure AD and meet any evaluation criteria for Conditional Access.
5353
For more information, see [Require managed devices for cloud app access with Conditional Access](../conditional-access/concept-conditional-access-grant.md).
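Review bot: New line 50 loses meaning, not just portal wording: the old question contrasted the record in the directory ("under the USER info in the Azure portal") with the local state ("registered on the device"), and the answer below depends on that contrast ("must match the state on Azure AD"). Keep "on the device" at minimum, for example "I see the device record under the USER info, and the device itself reports that it's registered. Am I set up correctly to use Conditional Access?"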
@@ -59,15 +59,15 @@ sections:
5959
On Windows 10/11 devices joined or registered with Azure AD, users are issued a [Primary refresh token (PRT)](concept-primary-refresh-token.md) which enables single sign-on. The validity of the PRT is based on the validity of the device itself. Users see this message if the device is either deleted or disabled in Azure AD without initiating the action from the device itself. A device can be deleted or disabled in Azure AD one of the following scenarios:
6060
6161
- User disables the device from the My Apps portal.
62-
- An administrator (or user) deletes or disables the device in the Azure portal or by using PowerShell
63-
- Hybrid Azure AD joined only: An administrator removes the devices OU out of sync scope resulting in the devices being deleted from Azure AD
64-
- Hybrid Azure AD joined only: An administrator disables the computer account on premises, resulting in the device being disabled in Azure AD
62+
- An administrator (or user) deletes or disables the device.
63+
- Hybrid Azure AD joined only: An administrator removes the devices OU out of sync scope resulting in the devices being deleted from Azure AD.
64+
- Hybrid Azure AD joined only: An administrator disables the computer account on premises, resulting in the device being disabled in Azure AD.
6565
- Upgrading Azure AD connect to the version 1.4.xx.x. [Understanding Azure AD Connect 1.4.xx.x and device disappearance](/troubleshoot/azure/active-directory/reference-connect-device-disappearance).
6666
6767
6868
6969
70-
- question: I disabled or deleted my device in the Azure portal or by using Windows PowerShell. But the local state on the device says it's still registered. What should I do?
70+
- question: I disabled or deleted my device, but the local state on the device says it's still registered. What should I do?
7171
answer: |
7272
This operation is by design. In this case, the device doesn't have access to resources in the cloud. Administrators can perform this action for stale, lost, or stolen devices to prevent unauthorized access. If this action was performed unintentionally, you need to re-enable or re-register the device using the steps that follow:
7373
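Review bot: New lines 63 and 64 carry over "the devices OU", which should be the possessive "the device's OU" (or "the devices' OU" if several are meant); consider "on-premises" with a hyphen as well. The trailing periods added to the bullets are good, but line 61 ("User disables the device from the My Apps portal.") and line 65 already had them, so the list is now consistent.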
@@ -104,7 +104,7 @@ sections:
104104
105105
106106
107-
- question: Why do I see duplicate device entries in the Azure portal?
107+
- question: Why do I see duplicate device entries?
108108
answer: |
109109
- For Windows 10 or newer and Windows Server 2016 or later, repeated tries to unjoin and rejoin the same device might cause duplicate entries.
110110
- Each Windows user who uses **Add Work or School Account** creates a new device record with the same device name.
@@ -116,7 +116,7 @@ sections:
116116
- question: Does Windows 10/11 device registration in Azure AD support TPMs in FIPS mode?
117117
answer: Windows 10/11 device registration is only supported for FIPS-compliant TPM 2.0 and not supported for TPM 1.2. If your devices have FIPS-compliant TPM 1.2, you must disable them before proceeding with Azure AD join or Hybrid Azure AD join. Microsoft doesn't provide any tools for disabling FIPS mode for TPMs as it is dependent on the TPM manufacturer. Contact your hardware OEM for support.
118118

119-
- question: Why can a user still access resources from a device I disabled in the Azure portal?
119+
- question: Why can a user still access resources from a device I disabled?
120120
answer: |
121121
It takes up to an hour for a revoke to be applied from the time the Azure AD device is marked as disabled.
122122
@@ -161,7 +161,7 @@ sections:
161161
162162
- question: Can a guest user sign in to an Azure AD joined device?
163163
answer: |
164-
No, currently, guest users can not sign in to an Azure AD joined device.
164+
No, currently, guest users can't sign in to an Azure AD joined device.
165165
166166
167167

articles/active-directory/devices/how-to-hybrid-join-verify.md

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -31,10 +31,10 @@ For downlevel devices, see the article [Troubleshooting hybrid Azure Active Dire
3131

3232
## Using the Azure portal
3333

34-
1. Go to the devices page using a [direct link](https://portal.azure.com/#blade/Microsoft_AAD_IAM/DevicesMenuBlade/Devices).
35-
2. Information on how to locate a device can be found in [How to manage device identities using the Azure portal](./manage-device-identities.md).
36-
3. If the **Registered** column says **Pending**, then hybrid Azure AD join hasn't completed. In federated environments, this state happens only if it failed to register and Azure AD Connect is configured to sync the devices. Wait for Azure AD Connect to complete a sync cycle.
37-
4. If the **Registered** column contains a **date/time**, then hybrid Azure AD join has completed.
34+
1. Sign in to the [Azure portal](https://portal.azure.com) as at least a [Cloud Device Administrator](../roles/permissions-reference.md#cloud-device-administrator).
35+
1. Browse to **Azure Active Directory** > **Devices** > **All devices**.
36+
1. If the **Registered** column says **Pending**, then hybrid Azure AD join hasn't completed. In federated environments, this state happens only if it failed to register and Azure AD Connect is configured to sync the devices. Wait for Azure AD Connect to complete a sync cycle.
37+
1. If the **Registered** column contains a **date/time**, then hybrid Azure AD join has completed.
3838

3939
## Using PowerShell
4040

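Review bot: Replacing the direct blade link with sign-in and navigation steps is an improvement, but the hunk drops the pointer to [How to manage device identities](./manage-device-identities.md) that old line 35 gave for locating a specific device; since new step 2 only lands on the **All devices** list, either restore that link or add a sentence on searching by device name or ID before the **Registered** column checks. The heading on line 32, "Using the Azure portal", also still names the portal while the PR removes such references elsewhere.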
articles/active-directory/devices/howto-manage-local-admin-passwords.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -85,7 +85,7 @@ Other than the built-in Azure AD roles of Cloud Device Administrator, Intune Adm
8585

8686
To enable Windows LAPS with Azure AD, you must take actions in Azure AD and the devices you wish to manage. We recommend organizations [manage Windows LAPS using Microsoft Intune](/mem/intune/protect/windows-laps-policy). However, if your devices are Azure AD joined but you're not using Microsoft Intune or Microsoft Intune isn't supported (like for Windows Server 2019/2022), you can still deploy Windows LAPS for Azure AD manually. For more information, see the article [Configure Windows LAPS policy settings](/windows-server/identity/laps/laps-management-policy-settings).
8787

88-
1. Sign in to the **Azure portal** as a [Cloud Device Administrator](../roles/permissions-reference.md#cloud-device-administrator).
88+
1. Sign in to the **Azure portal** as at least a [Cloud Device Administrator](../roles/permissions-reference.md#cloud-device-administrator).
8989
1. Browse to **Azure Active Directory** > **Devices** > **Device settings**
9090
1. Select **Yes** for the Enable Local Administrator Password Solution (LAPS) setting and select **Save**. You may also use the Microsoft Graph API [Update deviceRegistrationPolicy](/graph/api/deviceregistrationpolicy-update?view=graph-rest-beta&preserve-view=true).
9191
1. Configure a client-side policy and set the **BackUpDirectory** to be Azure AD.
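Review bot: New line 88 bolds **Azure portal** instead of linking it as the other articles in this PR do ([Azure portal](https://portal.azure.com)); align the sign-in step. Unchanged context line 89 is missing its terminal period.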

articles/active-directory/devices/howto-vm-sign-in-azure-ad-linux.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -209,7 +209,7 @@ To configure role assignments for your Azure AD-enabled Linux VMs:
209209
| Role | **Virtual Machine Administrator Login** or **Virtual Machine User Login** |
210210
| Assign access to | User, group, service principal, or managed identity |
211211

212-
![Screenshot that shows the page for adding a role assignment in the Azure portal.](../../../includes/role-based-access-control/media/add-role-assignment-page.png)
212+
![Screenshot that shows the page for adding a role assignment.](../../../includes/role-based-access-control/media/add-role-assignment-page.png)
213213

214214
After a few moments, the security principal is assigned the role at the selected scope.
215215

@@ -267,7 +267,7 @@ The application that appears in the Conditional Access policy is called *Azure L
267267

268268
If the Azure Linux VM Sign-In application is missing from Conditional Access, make sure the application isn't in the tenant:
269269

270-
1. Sign in to the [Azure portal](https://portal.azure.com).
270+
1. Sign in to the [Azure portal](https://portal.azure.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).
271271
1. Browse to **Azure Active Directory** > **Enterprise applications**.
272272
1. Remove the filters to see all applications, and search for **Virtual Machine**. If you don't see Microsoft Azure Linux Virtual Machine Sign-In as a result, the service principal is missing from the tenant.
273273

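Review bot: The unchanged lead-in on line 268, "make sure the application isn't in the tenant", contradicts the procedure that follows (you search precisely to confirm the service principal exists), and the Windows counterpart touched in this same PR reads "make sure that the application is in the tenant"; fix the wording here while the role requirement on new line 270 is being changed.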
articles/active-directory/devices/howto-vm-sign-in-azure-ad-windows.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -203,7 +203,7 @@ To configure role assignments for your Azure AD-enabled Windows Server 2019 Data
203203
| Role | **Virtual Machine Administrator Login** or **Virtual Machine User Login** |
204204
| Assign access to | User, group, service principal, or managed identity |
205205

206-
![Screenshot that shows the page for adding a role assignment in the Azure portal.](../../../includes/role-based-access-control/media/add-role-assignment-page.png)
206+
![Screenshot that shows the page for adding a role assignment.](../../../includes/role-based-access-control/media/add-role-assignment-page.png)
207207

208208
### Azure Cloud Shell
209209

@@ -369,7 +369,7 @@ Exit code -2145648607 translates to `DSREG_AUTOJOIN_DISC_FAILED`. The extension
369369
- `curl https://pas.windows.net/ -D -`
370370

371371
> [!NOTE]
372-
> Replace `<TenantID>` with the Azure AD tenant ID that's associated with the Azure subscription. If you need to find the tenant ID, you can hover over your account name or select **Azure Active Directory** > **Properties** > **Directory ID** in the Azure portal.
372+
> Replace `<TenantID>` with the Azure AD tenant ID that's associated with the Azure subscription. If you need to find the tenant ID, you can hover over your account name or select **Azure Active Directory** > **Properties** > **Directory ID**.
373373
>
374374
> Attempts to connect to `enterpriseregistration.windows.net` might return 404 Not Found, which is expected behavior. Attempts to connect to `pas.windows.net` might prompt for PIN credentials or might return 404 Not Found. (You don't need to enter the PIN.) Either one is sufficient to verify that the URL is reachable.
375375
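Review bot: New line 372 removes "in the Azure portal", but the remaining instruction ("hover over your account name or select **Azure Active Directory** > **Properties** > **Directory ID**") is only meaningful inside the portal, so the reader loses the context that told them where to look; keep one portal mention in this note or open the sentence with "In the portal,".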
@@ -469,7 +469,7 @@ Share your feedback about this feature or report problems with using it on the [
469469

470470
If the Azure Windows VM Sign-In application is missing from Conditional Access, make sure that the application is in the tenant:
471471

472-
1. Sign in to the [Azure portal](https://portal.azure.com).
472+
1. Sign in to the [Azure portal](https://portal.azure.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).
473473
1. Browse to **Azure Active Directory** > **Enterprise applications**.
474474
1. Remove the filters to see all applications, and search for **VM**. If you don't see **Azure Windows VM Sign-In** as a result, the service principal is missing from the tenant.
475475
