Merge pull request #111855 from itechedit/roles-admin-units

ShawnJackson · web-flow · commit 9275125cd93e · 2020-04-20T13:39:51.000-05:00
edit pass: Two roles-admin-units articles
diff --git a/articles/active-directory/users-groups-roles/roles-admin-units-add-manage-groups.md b/articles/active-directory/users-groups-roles/roles-admin-units-add-manage-groups.md
@@ -20,7 +20,7 @@ ms.collection: M365-identity-device-management
 
 In Azure Active Directory (Azure AD), you can add groups to an administrative unit (AU) for more granular administrative scope of control.
 
-For steps to prepare to use PowerShell and Microsoft Graph for administrative unit management, see [Getting started](roles-admin-units-manage.md#getting-started).
+For steps to prepare to use PowerShell and Microsoft Graph for administrative unit management, see [Get started](roles-admin-units-manage.md#get-started).
 
 ## Add groups to an AU
 
diff --git a/articles/active-directory/users-groups-roles/roles-admin-units-add-manage-users.md b/articles/active-directory/users-groups-roles/roles-admin-units-add-manage-users.md
@@ -20,7 +20,7 @@ ms.collection: M365-identity-device-management
 
 In Azure Active Directory (Azure AD), you can add users to an administrative unit (AU) for more granular administrative scope of control.
 
-For steps to prepare to use PowerShell and Microsoft Graph for administrative unit management, see [Getting started](roles-admin-units-manage.md#getting-started).
+For steps to prepare to use PowerShell and Microsoft Graph for administrative unit management, see [Get started](roles-admin-units-manage.md#get-started).
 
 ## Add users to an AU
 
diff --git a/articles/active-directory/users-groups-roles/roles-admin-units-assign-roles.md b/articles/active-directory/users-groups-roles/roles-admin-units-assign-roles.md
@@ -20,7 +20,7 @@ ms.collection: M365-identity-device-management
 
 In Azure Active Directory (Azure AD), you can assign users to an Azure AD role with a scope limited to one or more administrative units (AUs) for more granular administrative control.
 
-For steps to prepare to use PowerShell and Microsoft Graph for administrative unit management, see [Getting started](roles-admin-units-manage.md#getting-started).
+For steps to prepare to use PowerShell and Microsoft Graph for administrative unit management, see [Get started](roles-admin-units-manage.md#get-started).
 
 ## Roles available
 
diff --git a/articles/active-directory/users-groups-roles/roles-admin-units-faq-troubleshoot.md b/articles/active-directory/users-groups-roles/roles-admin-units-faq-troubleshoot.md
@@ -1,6 +1,6 @@
 ---
-title: Troubleshooting administrative units and FAQ - Azure Active Directory | Microsoft Docs
-description: Investigate administrative units to delegation of permissions with restricted scope in Azure Active Directory
+title: Administrative units troubleshooting and FAQ - Azure Active Directory | Microsoft Docs
+description: Investigate administrative units to grant permissions with restricted scope in Azure Active Directory.
 services: active-directory
 documentationcenter: ''
 author: curtand
@@ -17,53 +17,57 @@ ms.collection: M365-identity-device-management
 ---
 
 
-# Troubleshooting and FAQ for administrative units in Azure Active Directory
+# Azure AD administrative units: Troubleshooting and FAQ
 
-For more granular administrative control in Azure Active Directory (Azure AD), you can assign users to an Azure AD role with a scope limited to one or more administrative units (AUs). You can find sample PowerShell scripts for common tasks at https://docs.microsoft.com/powershell/azure/active-directory/working-with-administrative-units?view=azureadps-2.0.
+For more granular administrative control in Azure Active Directory (Azure AD), you can assign users to an Azure AD role with a scope that's limited to one or more administrative units (AUs). For sample PowerShell scripts for common tasks, see [Work with administrative units](https://docs.microsoft.com/powershell/azure/active-directory/working-with-administrative-units?view=azureadps-2.0).
 
 ## Frequently asked questions
 
-**Q: I am not able to create an administrative unit**
+**Q: Why am I unable to create an administrative unit?**
 
-**A:** Only a Global Administrator or Privileged Role Administrator can create an administrative unit in Azure AD. Check that the user trying to create the administrative unit is assigned either the Global Administrator or Privileged Role Administrator role.
+**A:** Only a *Global Administrator* or *Privileged Role Administrator* can create an administrative unit in Azure AD. Check to ensure that the user who's trying to create the administrative unit is assigned either the *Global Administrator* or *Privileged Role Administrator* role.
 
-**Q: I added a group to the administrative unit, but the members of the group are still not showing up in the administrative unit**
+**Q: I added a group to the administrative unit. Why are the group members still not showing up there?**
 
-**A:** When you add a group to the administrative unit, that does not result in adding all the members of the group to the administrative unit. Users must be directly assigned to administrative unit.
+**A:** When you add a group to the administrative unit, that does not result in all the group's members being added to it. Users must be directly assigned to the administrative unit.
 
-**Q: I just added / removed a member of the administrative unit and it is still showing up in the UI**
+**Q: I just added (or removed) a member of the administrative unit. Why is the member not showing up (or still showing up) in the user interface?**
 
-**A:** Sometimes processing of the addition or removal of one or more members of the administrative unit might take a few minutes to reflect under the **Administrative units** page. You may choose to wait for a few minutes for it to reflect under the administrative units. Alternatively, you can go directly to the associated resource's properties and see if the action has been completed. For more information about users and groups in AUs, see [List administrative units for a user](roles-admin-units-add-manage-users.md) and [List administrative units for a group](roles-admin-units-add-manage-groups.md).
+**A:** Sometimes, processing of the addition or removal of one or more members of the administrative unit might take a few minutes to be reflected on the **Administrative units** page. Alternatively, you can go directly to the associated resource's properties and see whether the action has been completed. For more information about users and groups in AUs, see [List administrative units for a user](roles-admin-units-add-manage-users.md) and [List administrative units for a group](roles-admin-units-add-manage-groups.md).
 
-**Q: As a delegated password administrator on an administrative unit, I am unable to reset a specific user's password**
+**Q: I am a delegated password administrator on an administrative unit. Why am I unable to reset a specific user's password?**
 
-**A:** An administrator assigned over an administrative unit you can reset password only for users assigned to your administrative unit. Make sure that the user for which the password reset is failing belongs to the administrative units over which you have been assigned the role. If the user belongs to the same administrative unit and you still can't reset the password of the user, check the roles that are assigned to the user. To prevent an elevation of privilege, an administrative unit scoped administrator cannot reset the password of a user that is assigned to a role with an organization-wide scope.
+**A:** As an administrator of an administrative unit, you can reset passwords only for users who are assigned to your administrative unit. Make sure that the user whose password reset is failing belongs to the administrative unit to which you've been assigned. If the user belongs to the same administrative unit but you still can't reset their password, check the roles that are assigned to the user. 
+
+To prevent an elevation of privilege, an administrative unit-scoped administrator can't reset the password of a user who's assigned to a role with an organization-wide scope.
 
 **Q: Why are administrative units necessary? Couldn't we have used security groups as the way to define a scope?**
 
-**A:** Security groups have an existing purpose and authorization model. A User administrator, for example, can manage membership of all security groups in the Azure AD organization, such as to use groups to manage access to applications like Salesforce. A User administrator should not have the ability to manage the delegation model itself, which would be the result if security groups were extended to support "resource grouping" scenarios. Administrative units, like Organizational Units in Windows Server Active Directory, are intended to provide a way to scope administration of a wide range of directory objects. Security groups themselves can be members of resource scopes. Using security groups to define the set of security groups an administrator can manage could become confusing.
+**A:** Security groups have an existing purpose and authorization model. A *User Administrator*, for example, can manage membership of all security groups in the Azure AD organization. The role might use groups to manage access to applications such as Salesforce. A *User Administrator* should not be able to manage the delegation model itself, which would be the result if security groups were extended to support "resource grouping" scenarios. Administrative units, such as organizational units in Windows Server Active Directory, are intended to provide a way to scope administration of a wide range of directory objects. Security groups themselves can be members of resource scopes. Using security groups to define the set of security groups that an administrator can manage could become confusing.
 
 **Q: What does it mean to add a group to an administrative unit?**
 
-**A:** Adding a group to an administrative unit brings the group itself into the management scope of any User administrator who is also scoped to that admin unit. User admins for the administrative unit can manage the name and membership of the group itself. It does not grant the User admin for the administrative unit any permission to manage the users of the group (for example, reset their passwords). To grant the User Administrator the ability to manage users, the users have to be direct members of the administrative unit.
+**A:** Adding a group to an administrative unit brings the group itself into the management scope of any *User Administrator* who is also scoped to that administrative unit. User administrators for the administrative unit can manage the name and membership of the group itself. It does not grant the *User Administrator* for the administrative unit permissions to manage the users of the group (for example, to reset their passwords). To grant the *User Administrator* the ability to manage users, the users have to be direct members of the administrative unit.
 
 **Q: Can a resource (user or group) be a member of more than one administrative unit?**
 
-**A:** Yes, a resource can be a member of more than one administrative unit. The resource can be managed by all organization-wide and administrative unit-scoped admins who have permissions over the resource.
+**A:** Yes, a resource can be a member of more than one administrative unit. The resource can be managed by all organization-wide and administrative unit-scoped administrators who have permissions over the resource.
 
 **Q: Are administrative units available in B2C organizations?**
 
 **A:** No, administrative units are not available for B2C organizations.
 
 **Q: Are nested administrative units supported?**
 
-**A:** Nested administrative units are not supported.
+**A:** No, nested administrative units are not supported.
+
+**Q: Are administrative units supported in PowerShell and the Graph API?**
 
-**Q: Are administrative units supported in PowerShell and Graph API?**
+**A:** Yes. You'll find support for administrative units in [PowerShell cmdlet documentation](https://docs.microsoft.com/powershell/module/Azuread/?view=azureadps-2.0-preview) and [sample scripts](https://docs.microsoft.com/powershell/azure/active-directory/working-with-administrative-units?view=azureadps-2.0-preview). 
 
-**A:** Yes. Support for Administrative Units exists in [PowerShell cmdlet documentation](https://docs.microsoft.com/powershell/module/Azuread/?view=azureadps-2.0-preview) and [sample scripts](https://docs.microsoft.com/powershell/azure/active-directory/working-with-administrative-units?view=azureadps-2.0-preview), and support is in the Microsoft Graph for the [administrativeUnit resource type](https://developer.microsoft.com/graph/docs/api-reference/beta/resources/administrativeunit).
+Find support for the [administrativeUnit resource type](https://developer.microsoft.com/graph/docs/api-reference/beta/resources/administrativeunit) in Microsoft Graph.
 
 ## Next steps
 
-- [Administrative units to restrict scope for roles overview](directory-administrative-units.md)
-- [Manage administrative units](roles-admin-units-manage.md)
+- [Restrict scope for roles by using administrative units](directory-administrative-units.md)
+- [Manage administrative units](roles-admin-units-manage.md)
diff --git a/articles/active-directory/users-groups-roles/roles-admin-units-manage.md b/articles/active-directory/users-groups-roles/roles-admin-units-manage.md
@@ -1,6 +1,6 @@
 ---
 title: Add and remove administrative units (preview) - Azure Active Directory | Microsoft Docs
-description: Use administrative units to restrict scope of role permissions in Azure Active Directory
+description: Use administrative units to restrict the scope of role permissions in Azure Active Directory.
 services: active-directory
 documentationcenter: ''
 author: curtand
@@ -18,46 +18,46 @@ ms.collection: M365-identity-device-management
 
 # Manage administrative units in Azure Active Directory
 
-For more granular administrative control in Azure Active Directory (Azure AD), you can assign users to an Azure AD role with a scope limited to one or more administrative units (AUs).
+For more granular administrative control in Azure Active Directory (Azure AD), you can assign users to an Azure AD role with a scope that's limited to one or more administrative units (AUs).
 
-## Getting started
+## Get started
 
-1. To run queries from the following instructions via [Graph Explorer](https://aka.ms/ge), please ensure the following:
+1. To run queries from the following instructions via [Graph Explorer](https://aka.ms/ge), do the following:
 
-    1. Go to Azure AD in the portal, and then in the applications select Graph Explorer and provide admin consent to Graph Explorer.
+    a. In the Azure portal, go to Azure AD. In the applications list, select **Graph Explorer**, and then select **Grant admin consent to Graph Explorer**.
 
-        ![select Graph Explorer and provide admin consent on this page](./media/roles-admin-units-manage/select-graph-explorer.png)
+    ![Screenshot showing link to "Grant admin consent"](./media/roles-admin-units-manage/select-graph-explorer.png)
 
-    1. In the Graph Explorer, ensure that you select the beta version.
+    b. In Graph Explorer, select the **beta** version.
 
-        ![select the beta version before the POST operation](./media/roles-admin-units-manage/select-beta-version.png)
+    ![Screenshot showing the beta version selected](./media/roles-admin-units-manage/select-beta-version.png)
 
-1. Please use the preview version of Azure AD PowerShell. Detailed instructions are here.
+1. Use the preview version of Azure AD PowerShell.
 
 ## Add an administrative unit
 
-### Azure portal
+### Use the Azure portal
 
-1. Go to Active Directory in the portal and select Administrative Units in the left panel.
+1. In the Azure portal, go to Azure AD, and then, in the left pane, select **Administrative units**.
 
-    ![navigate to Administrative units in Azure Active Directory](./media/roles-admin-units-manage/nav-to-admin-units.png)
+    ![Screenshot of the Administrative units (Preview) link in Azure AD](./media/roles-admin-units-manage/nav-to-admin-units.png)
 
-1. Select **Add*** and provide the name of the administrative unit and optionally can add a description for the administrative unit.
+1. Select **Add** and then enter the name of the administrative unit. Optionally, add a description of the administrative unit.
 
-    ![select Add and then enter a name for the administrative unit](./media/roles-admin-units-manage/add-new-admin-unit.png)
+    ![Screenshot of the Add button and the text box for entering the name of the administrative unit](./media/roles-admin-units-manage/add-new-admin-unit.png)
 
 1. Select **Add** to finalize the administrative unit.
 
-### PowerShell
+### Use PowerShell
 
-Install Azure AD PowerShell (preview version) before trying to perform the actions below:
+Install Azure AD PowerShell (preview) before you try to run the following commands:
 
     Connect-AzureAD
     New-AzureADAdministrativeUnit -Description "West Coast region" -DisplayName "West Coast"
 
-The values highlighted above can be modified as required.
+You can modify the values that are enclosed in quotation marks, as required.
 
-### Microsoft Graph
+### Use Microsoft Graph
 
     Http Request
     POST /administrativeUnits
@@ -69,22 +69,24 @@ The values highlighted above can be modified as required.
 
 ## Remove an administrative unit
 
-In Azure Active Directory (Azure AD), you can remove an admin unit that you no longer need as a unit of scope for administrative roles.
+In Azure AD, you can remove an administrative unit that you no longer need as a unit of scope for administrative roles.
 
-### Azure portal
+### Use the Azure portal
 
-Go to **Azure AD > Administrative units** in the portal. Select the administrative unit to be deleted and then select **Delete**. After confirming **Yes**, the administrative unit will be deleted.
+1. In the Azure portal, go to **Azure AD** > **Administrative units**. 
+1. Select the administrative unit to be deleted, and then select **Delete**. 
+1. To confirm that you want to delete the administrative unit, select **Yes**. The administrative unit is deleted.
 
-![Select an administrative unit to delete](./media/roles-admin-units-manage/select-admin-unit-to-delete.png)
+![Screenshot of the administrative unit Delete button and confirmation window](./media/roles-admin-units-manage/select-admin-unit-to-delete.png)
 
-### PowerShell
+### Use PowerShell
 
     $delau = Get-AzureADAdministrativeUnit -Filter "displayname eq 'DeleteMe Admin Unit'"
     Remove-AzureADAdministrativeUnit -ObjectId $delau.ObjectId
 
-The highlighted section may be changed as required for the specific environment.
+You can modify the values that are enclosed in quotation marks, as required for the specific environment.
 
-### Graph API
+### Use the Graph API
 
     HTTP request
     DELETE /administrativeUnits/{Admin id}
@@ -93,5 +95,5 @@ The highlighted section may be changed as required for the specific environment.
 
 ## Next steps
 
-[Managing users in administrative unit](roles-admin-units-add-manage-users.md)
-[Managing groups in administrative unit](roles-admin-units-add-manage-groups.md)
+* [Manage users in an administrative unit](roles-admin-units-add-manage-users.md)
+* [Manage groups in an administrative unit](roles-admin-units-add-manage-groups.md)
