updated RBAC

Justinha · Justinha · commit ad41c06115c1 · 2022-03-07T10:09:20.000-08:00
diff --git a/articles/active-directory-domain-services/create-resource-forest-powershell.md b/articles/active-directory-domain-services/create-resource-forest-powershell.md
@@ -8,7 +8,7 @@ ms.service: active-directory
 ms.subservice: domain-services
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 07/27/2020
+ms.date: 03/07/2022
 ms.author: justinha 
 ms.custom: devx-track-azurepowershell
 
@@ -51,8 +51,8 @@ To complete this article, you need the following resources and privileges:
 * Install and configure Azure AD PowerShell.
     * If needed, follow the instructions to [install the Azure AD PowerShell module and connect to Azure AD](/powershell/azure/active-directory/install-adv2).
     * Make sure that you sign in to your Azure AD tenant using the [Connect-AzureAD][Connect-AzureAD] cmdlet.
-* You need *global administrator* privileges in your Azure AD tenant to enable Azure AD DS.
-* You need *Contributor* privileges in your Azure subscription to create the required Azure AD DS resources.
+* You need [Application Administrator](/azure/active-directory/roles/permissions-reference#application-administrator) and [Groups Administrator](/azure/active-directory/roles/permissions-reference#groups-administrator) Azure AD roles in your tenant to enable Azure AD DS.
+* You need [Contributor](/azure/role-based-access-control/built-in-roles#contributor) Azure role to create the required Azure AD DS resources.
 
 ## Sign in to the Azure portal
 
diff --git a/articles/active-directory-domain-services/csp.md b/articles/active-directory-domain-services/csp.md
@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.subservice: domain-services
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 07/09/2020
+ms.date: 03/07/2022
 ms.author: justinha
 
 ---
@@ -49,7 +49,7 @@ There are two ways in which you can use Azure AD DS with an Azure CSP subscripti
 
 In this deployment model, Azure AD DS is enabled within a virtual network that belongs to the Azure CSP subscription. The CSP partner's admin agents have the following privileges:
 
-* *Global administrator* privileges in the customer's Azure AD tenant.
+* You need [Application Administrator](/azure/active-directory/roles/permissions-reference#application-administrator) and [Groups Administrator](/azure/active-directory/roles/permissions-reference#groups-administrator) Azure AD roles in your tenant to enable Azure AD DS.
 * *Subscription owner* privileges on the Azure CSP subscription.
 
 ![Direct deployment model](./media/csp/csp_direct_deployment_model.png)
diff --git a/articles/active-directory-domain-services/deploy-azure-app-proxy.md b/articles/active-directory-domain-services/deploy-azure-app-proxy.md
@@ -10,7 +10,7 @@ ms.service: active-directory
 ms.subservice: domain-services
 ms.workload: identity
 ms.topic: how-to
-ms.date: 07/09/2020
+ms.date: 03/07/2022
 ms.author: justinha
 
 ---
diff --git a/articles/active-directory-domain-services/migrate-from-classic-vnet.md b/articles/active-directory-domain-services/migrate-from-classic-vnet.md
@@ -8,7 +8,7 @@ ms.service: active-directory
 ms.subservice: domain-services
 ms.workload: identity
 ms.topic: how-to
-ms.date: 08/11/2021
+ms.date: 03/07/2022
 ms.author: justinha 
 ms.custom: devx-track-azurepowershell
 
@@ -198,7 +198,7 @@ To prepare the managed domain for migration, complete the following steps:
 
 1. Create a variable to hold the credentials for by the migration script using the [Get-Credential][get-credential] cmdlet.
 
-    The user account you specify needs *global administrator* privileges in your Azure AD tenant to enable Azure AD DS and then *Contributor* privileges in your Azure subscription to create the required Azure AD DS resources.
+    The user account you specify needs [Application Administrator](/azure/active-directory/roles/permissions-reference#application-administrator) and [Groups Administrator](/azure/active-directory/roles/permissions-reference#groups-administrator) Azure AD roles in your tenant to enable Azure AD DS and [Contributor](/azure/role-based-access-control/built-in-roles#contributor) Azure role to create the required Azure AD DS resources.
 
     When prompted, enter an appropriate user account and password:
 
diff --git a/articles/active-directory-domain-services/powershell-scoped-synchronization.md b/articles/active-directory-domain-services/powershell-scoped-synchronization.md
@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.subservice: domain-services
 ms.workload: identity
 ms.topic: how-to
-ms.date: 03/08/2021
+ms.date: 03/07/2022
 ms.author: justinha 
 ms.custom: devx-track-azurepowershell
 
@@ -32,7 +32,7 @@ To complete this article, you need the following resources and privileges:
     * If needed, [create an Azure Active Directory tenant][create-azure-ad-tenant] or [associate an Azure subscription with your account][associate-azure-ad-tenant].
 * An Azure Active Directory Domain Services managed domain enabled and configured in your Azure AD tenant.
     * If needed, complete the tutorial to [create and configure an Azure Active Directory Domain Services managed domain][tutorial-create-instance].
-* You need *global administrator* privileges in your Azure AD tenant to change the Azure AD DS synchronization scope.
+* You need [Application Administrator](/azure/active-directory/roles/permissions-reference#application-administrator) and [Groups Administrator](/azure/active-directory/roles/permissions-reference#groups-administrator) Azure AD roles in your tenant to change the Azure AD DS synchronization scope.
 
 ## Scoped synchronization overview
 
