Merge pull request #238015 from jkdouglas/xtap-custom-role-support

XTAP supports custom roles and protected actions

Author: prmerger-automator[bot]

articles/active-directory/external-identities/cross-cloud-settings.md

@@ -49,7 +49,7 @@ After each organization has completed these steps, Azure AD B2B collaboration be
 
 In your Microsoft cloud settings, enable the Microsoft Azure cloud you want to collaborate with.
 
-1. Sign in to the [Azure portal](https://portal.azure.com) using a Global administrator or Security administrator account. Then open the **Azure Active Directory** service.
+1. Sign in to the [Azure portal](https://portal.azure.com) using a Global administrator, Security administrator, or an account with a [custom role](cross-tenant-access-overview.md#custom-roles-for-managing-cross-tenant-access-settings) you've created. Then open the **Azure Active Directory** service.
 1. Select **External Identities**, and then select **Cross-tenant access settings**.
 1. Select **Microsoft cloud settings**.
 1. Select the checkboxes next to the external Microsoft Azure clouds you want to enable.

articles/active-directory/external-identities/cross-tenant-access-overview.md

@@ -123,7 +123,7 @@ To collaborate with a partner tenant in a different Microsoft Azure cloud, both
 > [!IMPORTANT]
 > Changing the default inbound or outbound settings to block access could block existing business-critical access to apps in your organization or partner organizations. Be sure to use the tools described in this article and consult with your business stakeholders to identify the required access.
 
-- To configure cross-tenant access settings in the Azure portal, you'll need an account with a Global administrator or Security administrator role.
+- To configure cross-tenant access settings in the Azure portal, you'll need an account with a Global administrator, Security administrator, or a [custom role](#custom-roles-for-managing-cross-tenant-access-settings) you've defined.
 
 - To configure trust settings or apply access settings to specific users, groups, or applications, you'll need an Azure AD Premium P1 license. The license is required on the tenant that you configure. For B2B direct connect, where mutual trust relationship with another Azure AD organization is required, you'll need an Azure AD Premium P1 license in both tenants. 
 
@@ -144,6 +144,78 @@ To collaborate with a partner tenant in a different Microsoft Azure cloud, both
 
 - If you block access to all apps by default, users will be unable to read emails encrypted with Microsoft Rights Management Service (also known as Office 365 Message Encryption or OME). To avoid this issue, we recommend configuring your outbound settings to allow your users to access this app ID: 00000012-0000-0000-c000-000000000000. If this is the only application you allow, access to all other apps will be blocked by default.
 
+## Custom roles for managing cross-tenant access settings
+
+Cross-tenant access settings can be managed with custom roles defined by your organization. This enables you to [define your own finely-scoped roles](../roles/custom-create.md) to manage cross-tenant access settings instead of using one of the built-in roles for management.
+Your organization can define custom roles to manage cross-tenant access settings. This allows you to create [your own finely-scoped roles](../roles/custom-create.md) to manage cross-tenant access settings instead of using built-in roles for management.
+### Recommended custom roles
+
+#### Cross-tenant access administrator
+
+This role can manage everything in cross-tenant access settings, including default and organizational based settings. This role should be assigned to users who need to manage all settings in cross-tenant access settings.
+
+Please find the list of recommended actions for this role below.
+
+| Actions |
+| ------- |
+| microsoft.directory.tenantRelationships/standard/read |
+| microsoft.directory/crossTenantAccessPolicy/standard/read |
+| microsoft.directory/crossTenantAccessPolicy/allowedCloudEndpoints/update |
+| microsoft.directory/crossTenantAccessPolicy/basic/update |
+| microsoft.directory/crossTenantAccessPolicy/default/b2bCollaboration/update |
+| microsoft.directory/crossTenantAccessPolicy/default/b2bDirectConnect/update |
+| microsoft.directory/crossTenantAccessPolicy/default/crossCloudMeetings/update |
+| microsoft.directory/crossTenantAccessPolicy/default/standard/read |
+| microsoft.directory/crossTenantAccessPolicy/default/tenantRestrictions/update |
+| microsoft.directory/crossTenantAccessPolicy/partners/b2bCollaboration/update |
+| microsoft.directory/crossTenantAccessPolicy/partners/b2bDirectConnect/update |
+| microsoft.directory/crossTenantAccessPolicy/partners/create |
+| microsoft.directory/crossTenantAccessPolicy/partners/crossCloudMeetings/update |
+| microsoft.directory/crossTenantAccessPolicy/partners/delete |
+| microsoft.directory/crossTenantAccessPolicy/partners/identitySynchronization/basic/update |
+| microsoft.directory/crossTenantAccessPolicy/partners/identitySynchronization/create |
+| microsoft.directory/crossTenantAccessPolicy/partners/identitySynchronization/standard/read |
+| microsoft.directory/crossTenantAccessPolicy/partners/standard/read |
+| microsoft.directory/crossTenantAccessPolicy/partners/tenantRestrictions/update |
+
+#### Cross-tenant access reader
+This role can read everything in cross-tenant access settings, including default and organizational based settings. This role should be assigned to users who only need to review settings in cross-tenant access settings, but not manage them.
+
+Please find the list of recommended actions for this role below.
+
+| Actions |
+| ------- |
+| microsoft.directory.tenantRelationships/standard/read |
+| microsoft.directory/crossTenantAccessPolicy/standard/read |
+| microsoft.directory/crossTenantAccessPolicy/default/standard/read |
+| microsoft.directory/crossTenantAccessPolicy/partners/identitySynchronization/standard/read |
+| microsoft.directory/crossTenantAccessPolicy/partners/standard/read |
+
+#### Cross-tenant access partner administrator
+This role can manage everything relating to partners and read the default settings. This role should be assigned to users who need to manage organizational based settings but not be able to change default settings.
+
+Please find the list of recommended actions for this role below.
+
+| Actions |
+| ------- |
+| microsoft.directory.tenantRelationships/standard/read |
+| microsoft.directory/crossTenantAccessPolicy/standard/read |
+| microsoft.directory/crossTenantAccessPolicy/basic/update |
+| microsoft.directory/crossTenantAccessPolicy/default/standard/read |
+| microsoft.directory/crossTenantAccessPolicy/partners/b2bCollaboration/update |
+| microsoft.directory/crossTenantAccessPolicy/partners/b2bDirectConnect/update |
+| microsoft.directory/crossTenantAccessPolicy/partners/create |
+| microsoft.directory/crossTenantAccessPolicy/partners/crossCloudMeetings/update |
+| microsoft.directory/crossTenantAccessPolicy/partners/delete |
+| microsoft.directory/crossTenantAccessPolicy/partners/identitySynchronization/basic/update |
+| microsoft.directory/crossTenantAccessPolicy/partners/identitySynchronization/create |
+| microsoft.directory/crossTenantAccessPolicy/partners/identitySynchronization/standard/read |
+| microsoft.directory/crossTenantAccessPolicy/partners/standard/read |
+| microsoft.directory/crossTenantAccessPolicy/partners/tenantRestrictions/update |
+
+## Protect cross-tenant access administrative actions
+Any actions that modify cross-tenant access settings are considered protected actions and can be additionally protected with Conditional Access policies. For more information and configuration steps see [protected actions](../roles/protected-actions-overview.md).
+
 ## Identify inbound and outbound sign-ins
 
 Several tools are available to help you identify the access your users and partners need before you set inbound and outbound access settings. To ensure you don’t remove access that your users and partners need, you should examine current sign-in behavior. Taking this preliminary step will help prevent loss of desired access for your end users and partner users. However, in some cases these logs are only retained for 30 days, so we strongly recommend you speak with your business stakeholders to ensure required access isn't lost.

articles/active-directory/external-identities/cross-tenant-access-settings-b2b-collaboration.md

@@ -37,7 +37,7 @@ Use External Identities cross-tenant access settings to manage how you collabora
 
  Default cross-tenant access settings apply to all external tenants for which you haven't created organization-specific customized settings.  If you want to modify the Azure AD-provided default settings, follow these steps.
 
-1. Sign in to the [Azure portal](https://portal.azure.com) using a Global administrator or Security administrator account. Then open the **Azure Active Directory** service.
+1. Sign in to the [Azure portal](https://portal.azure.com) using a Global administrator, Security administrator, or an account with a [custom role](cross-tenant-access-overview.md#custom-roles-for-managing-cross-tenant-access-settings) you've created. Then open the **Azure Active Directory** service.
 1. Select **External Identities**, and then select **Cross-tenant access settings**.
 1. Select the **Default settings** tab and review the summary page.
 

articles/active-directory/external-identities/cross-tenant-access-settings-b2b-direct-connect.md

@@ -42,7 +42,7 @@ Learn more about using cross-tenant access settings to [manage B2B direct connec
 
  Default cross-tenant access settings apply to all external tenants for which you haven't created organization-specific customized settings. If you want to modify the Azure AD-provided default settings, follow these steps.
 
-1. Sign in to the [Azure portal](https://portal.azure.com) using a Global administrator or Security administrator account. Then open the **Azure Active Directory** service.
+1. Sign in to the [Azure portal](https://portal.azure.com) using a Global administrator, Security administrator, or an account with a [custom role](cross-tenant-access-overview.md#custom-roles-for-managing-cross-tenant-access-settings) you've created. Then open the **Azure Active Directory** service.
 1. Select **External Identities**, and then select **Cross-tenant access settings**.
 1. Select the **Default settings** tab and review the summary page.
 

articles/active-directory/roles/protected-actions-overview.md

@@ -35,6 +35,7 @@ We recommend using multi-factor authentication on all accounts, especially accou
 Conditional Access policies can be applied to limited set of permissions. You can use protected actions in the following areas:
 
 - Conditional Access policy management
+- Cross-tenant access settings management
 - Custom rules that define network locations
 - Protected action management
 
@@ -46,6 +47,20 @@ Here's the initial set of permissions:
 > | microsoft.directory/conditionalAccessPolicies/basic/update | Update basic properties for Conditional Access policies |
 > | microsoft.directory/conditionalAccessPolicies/create | Create Conditional Access policies |
 > | microsoft.directory/conditionalAccessPolicies/delete | Delete Conditional Access policies |
+> | microsoft.directory/conditionalAccessPolicies/basic/update | Update basic properties for conditional access policies |
+> | microsoft.directory/conditionalAccessPolicies/create | Create conditional access policies |
+> | microsoft.directory/conditionalAccessPolicies/delete | Delete conditional access policies |
+> | microsoft.directory/crossTenantAccessPolicy/allowedCloudEndpoints/update | Update allowed cloud endpoints of the cross-tenant access policy|
+> | microsoft.directory/crossTenantAccessPolicy/default/b2bCollaboration/update | Update Azure AD B2B collaboration settings of the default cross-tenant access policy |
+> | microsoft.directory/crossTenantAccessPolicy/default/b2bDirectConnect/update | Update Azure AD B2B direct connect settings of the default cross-tenant access policy |
+> | microsoft.directory/crossTenantAccessPolicy/default/crossCloudMeetings/update | Update cross-cloud Teams meeting settings of the default cross-tenant access policy.
+> | microsoft.directory/crossTenantAccessPolicy/default/tenantRestrictions/update | Update tenant restrictions of the default cross-tenant access policy.
+> | microsoft.directory/crossTenantAccessPolicy/partners/b2bCollaboration/update | Update Azure AD B2B collaboration settings of cross-tenant access policy for partners. |
+> | microsoft.directory/crossTenantAccessPolicy/partners/b2bDirectConnect/update | Update Azure AD B2B direct connect settings of cross-tenant access policy for partners. |
+> | microsoft.directory/crossTenantAccessPolicy/partners/create | Create cross-tenant access policy for partners. |
+> | microsoft.directory/crossTenantAccessPolicy/partners/crossCloudMeetings/update | Update cross-cloud Teams meeting settings  of cross-tenant access policy for partners. |
+> | microsoft.directory/crossTenantAccessPolicy/partners/delete | Delete cross-tenant access policy for partners. |
+> | microsoft.directory/crossTenantAccessPolicy/partners/tenantRestrictions/update | Update tenant restrictions of cross-tenant access policy for partners. |
 > | microsoft.directory/namedLocations/basic/update | Update basic properties of custom rules that define network locations |
 > | microsoft.directory/namedLocations/create | Create custom rules that define network locations |
 > | microsoft.directory/namedLocations/delete | Delete custom rules that define network locations |