Merge pull request #302663 from MicrosoftDocs/main

Auto Publish – main to live - 2025-07-13 05:00 UTC

Author: learn-build-service-prod[bot]

articles/virtual-network-manager/concept-connectivity-configuration.md

@@ -5,69 +5,70 @@ author: mbender-ms
 ms.author: mbender
 ms.service: azure-virtual-network-manager
 ms.topic: concept-article
-ms.date: 05/06/2025
+ms.date: 07/11/2025
 ---
 
 
 # Cross-Tenant Support in Azure Virtual Network Manager
 
-Cross-tenant support in Azure Virtual Network Manager enables organizations to centrally manage virtual networks across multiple tenants and subscriptions. This article describes scenarios, benefits, and how to establish cross-tenant connections.
+Cross-tenant support in Azure Virtual Network Manager lets organizations centrally manage virtual networks across multiple tenants and their subscriptions. This article describes scenarios, benefits, and how to establish cross-tenant connections.
 
 ## Overview of cross-tenant support
 
-Cross-tenant support in Azure Virtual Network Manager allows you to add subscriptions or management groups from other tenants to your network manager. This is done by establishing a two-way connection between the network manager and target tenants. Once connected, the central manager can deploy connectivity and/or security admin rules to virtual networks across those connected subscriptions or management groups. 
+Cross-tenant support in Azure Virtual Network Manager allows you to add subscriptions and management groups from other tenants to your Azure Virtual Network Manager instance, or network manager. You can establish cross-tenant support in your network manager by establishing a two-way connection between the network manager and target tenants. Once connected, the network manager can deploy configurations to virtual networks across those connected cross-tenant subscriptions and management groups.
 
-This support assists organizations that fit the following scenarios: 
+Cross-tenant support assists organizations that fit the following scenarios:
 
-- Acquisitions – In instances where organizations merge through acquisition and have multiple tenants, cross tenant support allows a central network manager to manage virtual networks across the tenants. 
+- **Acquisitions**: In instances where organizations merge through acquisition and have multiple tenants, cross-tenant support lets a central network manager manage virtual networks across the tenants.
 
-- Managed service provider – In managed service provider scenarios, an organization can manage the resources of other organizations. Cross-tenant support allows central management of virtual networks by a central service provider for multiple clients. 
+- **Managed service provider**: In managed service provider scenarios, an organization can manage the resources of other organizations. Cross-tenant support allows central management of virtual networks by a central service provider for multiple clients.
 
 ## Establish cross-tenant connection 
 
-Establishing cross-tenant support begins with creating a cross tenant connection between two tenants. Cross-tenant support requires two-way consent--one from the network manager, the other from the target tenant's virtual network manager hub. The connections are as follows:
+Establishing cross-tenant support begins with creating a cross-tenant connection between two tenants. Cross-tenant support requires two-way consent -- one from the network manager and the other from the target tenant's virtual network manager hub. The connections are:
 
 | Connection Type | Description |
 |----------------|-------------|
-| Network manager connection | You create a cross-tenant connection from your network manager. The connection includes the exact scope of the tenant's subscriptions or management groups to manage in your network manager. |
-| Virtual network manager hub connection | The tenant creates a cross-tenant connection from their virtual network manager hub. This connection includes the scope of subscriptions or management groups managed the central network manager. |
+| Network manager connection | You create a cross-tenant connection from your network manager. The connection includes the exact scope of the tenant's subscriptions and management groups to manage in your network manager. |
+| Virtual network manager hub connection | The tenant creates a cross-tenant connection from their virtual network manager hub. This connection includes the exact same scope of subscriptions and management groups managed by the central network manager. |
 
-Once both cross-tenant connections exist and the scopes are exactly the same, a true connection is established. Administrators can use their network manager to add cross-tenant resources to their [network groups](concept-network-groups.md) and to manage virtual networks included in the connection scope. Existing connectivity and/or security admin rules are applied to the resources based on existing configurations.
+Once both cross-tenant connections exist and the scopes are exactly the same, a true connection is established. Administrators can use their network manager to add cross-tenant resources to their [network groups](concept-network-groups.md) and to manage virtual networks included in the connection scope. Configurations can then be deployed onto those cross-tenant virtual networks.
 
-A cross-tenant connection can only be established and maintained when both objects from each party exist. When one of the connections is removed, the cross-tenant connection is broken. If you need to delete a cross-tenant connection, you perform the following steps:
+You can establish and maintain a cross-tenant connection only when both connections from each party exist. When one of the connections is removed, the cross-tenant connection is broken. If you need to delete a cross-tenant connection, follow these steps:
 
-- Remove cross-tenant connection from the network manager side via Cross-tenant connections settings in the Azure portal.
-- Remove cross-tenant connection from the tenant side via Virtual network manager hub's Cross-tenant connections settings in the Azure portal.
+- Remove the cross-tenant connection from the network manager side through the **Cross-tenant connections** settings in the Azure portal.
+- Remove the cross-tenant connection from the tenant side through the *Virtual network manager hub*'s **Cross-tenant connections** settings in the Azure portal.
 
 > [!NOTE] 
-> Once a connection is removed from either side, the network manager can't view or manage the tenant's resources under that former connection's scope.
+> Once a cross-tenant connection is removed from either side, the network manager can't view or manage the tenant's resources under that former connection's scope.
 
 ## Connection states
-The resources required to create the cross-tenant connection contain a state, which represents whether the associated scope is added to the Network Manager scope. Possible state values include:
+The resources required to create the cross-tenant connection have a state that represents whether the associated scope is added to the network manager scope. Possible state values include:
 
 | State | Description |
 |-------|-------------|
-| Connected | Both the Scope Connection and Network Manager Connection resources exist. The scope is added to the Network Manager's scope. |
-| Pending | One of the two approval resources isn't created. The scope isn't added to the Network Manager's scope yet. |
-| Conflict | There's already a network manager with this subscription or management group defined within its scope. Two network managers with the same scope access can't directly manage the same scope, therefore this subscription/management group can't be added to the Network Manager scope. To resolve the conflict, remove the scope from the conflicting network manager's scope and recreate the connection resource. |
-| Revoked | The scope was at one time added to the Network Manager scope, but the removal of an approval resource caused revocation. |
+| Connected | Both the network manager connection and the tenant-side virtual network manager hub connection exist with matching scopes. The cross-tenant scope is added to the network manager's scope. |
+| Pending | One of the two connection resources isn't created. The cross-tenant scope isn't yet added to the network manager's scope. |
+| Conflict | A network manager with this subscription or management group defined with the cross-tenant scope already exists. Two network managers with the same scope access can't directly manage the same scope, so this subscription or management group can't be added to the network manager scope. To fix the conflict, remove the cross-tenant scope from the conflicting network manager's scope and recreate the appropriate connection resource. |
+| Revoked | The cross-tenant scope was at one time added to the network manager's scope, but the removal of a connection resource caused the cross-tenant connection to be revoked. |
 
-The only state that represents the scope is added to the Network Manager scope is 'Connected'.
+*Connected* is the only state that represents that the cross-tenant scope is added to the network manager scope.
 
 ## Required permissions 
 
-To use cross-tenant connection in Azure Virtual Network Manager, users need the following permissions: 
+To use cross-tenant connections in Azure Virtual Network Manager, users need the following permissions: 
 
-- Administrator of central management tenant has guest account in target managed tenant. 
+- The administrator of the central management tenant has a guest account in the target managed tenant. 
 
-- Administrator guest account has *Network Contributor* permissions applied at appropriate scope level(Management group, subscription, or virtual network). 
+- The administrator guest account has *Network Contributor* permissions applied at the appropriate scope level (management group, subscription, or virtual network).
 
-Need help with setting up permissions? Check out how to [add guest users in the Azure portal](../active-directory/external-identities/b2b-quickstart-add-guest-users-portal.md), and how to [assign user roles to resources in Azure portal](../role-based-access-control/role-assignments-portal.yml) 
+Need help setting up permissions? Check out how to [add guest users in the Azure portal](../active-directory/external-identities/b2b-quickstart-add-guest-users-portal.md) and how to [assign user roles to resources in Azure portal](../role-based-access-control/role-assignments-portal.yml) 
 
 ## Known limitations 
 
-Currently, cross-tenant virtual networks can only be [added to network groups manually](concept-network-groups.md#group-membership). Adding cross-tenant virtual networks to network groups dynamically through Azure Policy is a future capability. 
+Currently, cross-tenant virtual networks can only be [added to network groups manually](concept-network-groups.md#static-membership). Adding cross-tenant virtual networks to network groups conditionally through Azure Policy is a future capability.
 
 ## Next steps 
-- Learn how to [configure a cross-tenant connection with Azure Virtual Network Manager using the Azure portal](how-to-configure-cross-tenant-portal.md)
-- Check out the [Azure Virtual Network Manager FAQ](faq.md)
+- Learn how to [configure a cross-tenant connection with Azure Virtual Network Manager using the Azure portal](how-to-configure-cross-tenant-portal.md).
+- Learn how to [create an Azure Virtual Network Manager](./create-virtual-network-manager-portal.md) instance.
+- Check out the [Azure Virtual Network Manager FAQ](faq.md).

articles/virtual-network-manager/concept-cross-tenant.md

@@ -20,7 +20,7 @@ You can use a connectivity configuration to create various network topologies ba
 
 ### Mesh topology
 
-When you deploy a [mesh topology](concept-connectivity-configuration.md#mesh-network-topology), all virtual networks have direct connectivity with each other. They don't need to go through other hops on the network to communicate. A mesh topology is useful when all the virtual networks need to communicate directly with each other.
+When you deploy a [mesh topology](concept-connectivity-configuration.md#mesh-topology), all virtual networks have direct connectivity with each other. They don't need to go through other hops on the network to communicate. A mesh topology is useful when all the virtual networks need to communicate directly with each other.
 
 One common scenario is to mesh specific spoke virtual networks to boost latency and throughput. You don't have to mesh all the spoke virtual networks. You can also mesh spoke VNets connected to VWAN hubs, which allow for direct communication and better latency while still using the hubs to communicate with other virtual networks.