Commit b829e0e

role info + other details
1 parent 84f7e62 commit b829e0e

6 files changed: +34 -25 lines changed

articles/lighthouse/concepts/managed-services-offers.md

Lines changed: 3 additions & 3 deletions
@@ -13,7 +13,7 @@ This article describes the **Managed Service** offer type in [Azure Marketplace]
1313

1414
Managed service offers streamline the process of onboarding customers for Azure delegated resource management. When a customer purchases an offer in Azure Marketplace, they'll be able to specify which subscriptions and/or resource groups should be onboarded.
1515

16-
After that, users in your organization will be able to work on those resources from within your organization's tenant, according to the access you defined when creating the offer in the [Cloud Partner Portal](https://cloudpartner.azure.com/). This is done through a manifest that specifies the Azure AD users, groups, and service principals that will have access to customer resources using Azure delegated resource management, along with roles that define their level of access. By assigning permissions to an Azure AD group rather than a series of individual user or application accounts, you can add or remove individual users when your access requirements change.
16+
After that, users in your organization will be able to work on those resources from within your organization's tenant, according to the access you defined when creating the offer. This is done through a manifest that specifies the Azure AD users, groups, and service principals that will have access to customer resources using Azure delegated resource management, along with roles that define their level of access. By assigning permissions to an Azure AD group rather than a series of individual user or application accounts, you can add or remove individual users when your access requirements change.
1717

1818
## Public and private offers
1919

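Review bot: dropping the Cloud Partner Portal link in line 16 leaves "the access you defined when creating the offer" with no pointer to where that definition actually happens, and the next hunk also removes the general publishing guide link; rather than deleting the reference outright, link the publish how-to (`../how-to/publish-managed-services-offers.md`, already referenced later in this file) here. The retained advice to assign permissions to an Azure AD group instead of individual user or application accounts is the right least-privilege lifecycle point and should stay prominent.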
@@ -26,11 +26,11 @@ Public plans let you promote your services to new customers. These are usually m
2626
If appropriate, you can include both public and private plans in the same offer.
2727

2828
> [!IMPORTANT]
29-
> Once a plan has been published as public, you can't change it to private. To control which customers can accept your offer and delegate resources, use a private plan. With a public plan, you can't restrict availability to certain customers or even to a certain number of customers (although you can stop selling the plan completely if you choose to do so). You can [remove access to a delegation](../how-to/onboard-customer.md#remove-access-to-a-delegation) after a customer accepts an offer only if you included an **Authorization** with the **Role Definition** set to [Managed Services Registration Assignment Delete Role](../../role-based-access-control/built-in-roles.md#managed-services-registration-assignment-delete-role) when you published the offer. You can also reach out to the customer and ask them to [remove your access](../how-to/view-manage-service-providers.md#add-or-remove-service-provider-offers).
29+
> Once a plan has been published as public, you can't change it to private. To control which customers can accept your offer and delegate resources, use a private plan. With a public plan, you can't restrict availability to certain customers or even to a certain number of customers (although you can stop selling the plan completely if you choose to do so). You can [remove access to a delegation](../how-to/remove-delegation.md) after a customer accepts an offer only if you included an **Authorization** with the **Role Definition** set to [Managed Services Registration Assignment Delete Role](../../role-based-access-control/built-in-roles.md#managed-services-registration-assignment-delete-role) when you published the offer. You can also reach out to the customer and ask them to [remove your access](../how-to/view-manage-service-providers.md#add-or-remove-service-provider-offers).
3030
3131
## Publish managed service offers
3232

33-
To learn how to publish a managed services offer, see [Publish a Managed Services offer to Azure Marketplace](../how-to/publish-managed-services-offers.md). For general info about publishing to Azure Marketplace using the Cloud Partner Portal, see [Azure Marketplace and AppSource Publishing Guide](../../marketplace/marketplace-publishers-guide.md).
33+
To learn how to publish a managed services offer, see [Publish a Managed Services offer to Azure Marketplace](../how-to/publish-managed-services-offers.md).
3434

3535
## Next steps
3636

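Review bot: line 33 removes the Azure Marketplace and AppSource Publishing Guide link without a replacement, so this article no longer points readers to any general publishing documentation; if the Cloud Partner Portal reference is being retired, swap in the current equivalent rather than deleting the sentence. The retarget in line 29 to `../how-to/remove-delegation.md` is fine, but the callout buries its actionable point in the middle of a long paragraph: lead with "include an Authorization with the Role Definition set to Managed Services Registration Assignment Delete Role when you publish, or you will not be able to remove your own access", since a provider who omits it has no self-service way to revoke access and must rely on the customer doing so.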
articles/lighthouse/concepts/tenants-users-roles.md

Lines changed: 1 addition & 1 deletion
@@ -34,7 +34,7 @@ When creating your authorizations, we recommend the following best practices:
3434

3535
- In most cases, you'll want to assign permissions to an Azure AD user group or service principal, rather than to a series of individual user accounts. This lets you add or remove access for individual users without having to update and republish the plan when your access requirements change.
3636
- Be sure to follow the principle of least privilege so that users only have the permissions needed to complete their job, helping to reduce the chance of inadvertent errors. For more info, see [Recommended security practices](../concepts/recommended-security-practices.md).
37-
- Include a user with the [Managed Services Registration Assignment Delete Role](../../role-based-access-control/built-in-roles.md#managed-services-registration-assignment-delete-role) so that you can [remove access to the delegation](../how-to/onboard-customer.md#remove-access-to-a-delegation) later if needed. If this role is not assigned, delegated resources can only be removed by a user in the customer's tenant.
37+
- Include a user with the [Managed Services Registration Assignment Delete Role](../../role-based-access-control/built-in-roles.md#managed-services-registration-assignment-delete-role) so that you can [remove access to the delegation](../how-to/remove-delegation.md) later if needed. If this role is not assigned, delegated resources can only be removed by a user in the customer's tenant.
3838
- Be sure that any user who needs to [view the My customers page in the Azure portal](../how-to/view-manage-customers.md) has the [Reader](../../role-based-access-control/built-in-roles.md#reader) role (or another built-in role which includes Reader access).
3939

4040
> [!IMPORTANT]

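Review bot: line 37 still says "Include a user with the Managed Services Registration Assignment Delete Role", which contradicts the bullet two lines above recommending an Azure AD user group or service principal over individual user accounts; rephrase as "Include an authorization (preferably an Azure AD group or service principal) with the ..." so the ability to remove the delegation does not depend on one person's account remaining in the tenant. The link retarget to `../how-to/remove-delegation.md` matches the other files in this commit.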
articles/lighthouse/how-to/onboard-customer.md

Lines changed: 1 addition & 1 deletion
@@ -1,7 +1,7 @@
11
---
22
title: Onboard a customer to Azure delegated resource management
33
description: Learn how to onboard a customer to Azure delegated resource management, allowing their resources to be accessed and managed through your own tenant.
4-
ms.date: 04/16/2020
4+
ms.date: 04/24/2020
55
ms.topic: conceptual
66
---
77

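Review bot: this hunk only bumps `ms.date` (line 4) with no content change visible in the file, while the other files in this commit retarget their links away from `onboard-customer.md#remove-access-to-a-delegation` to the new `remove-delegation.md`; if the "Remove access to a delegation" section was moved out of this article, that removal (or a short pointer to the new page) belongs in this diff, otherwise the date bump is unexplained and the old section may remain as duplicated content.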
articles/lighthouse/how-to/publish-managed-services-offers.md

Lines changed: 1 addition & 1 deletion
@@ -95,7 +95,7 @@ For each **Authorization**, you'll need to provide the following. You can then s
9595
- **Assignable Roles**: This is required only if you have selected User Access Administrator in the **Role Definition** for this authorization. If so, you must add one or more assignable roles here. The user in the **Azure AD Object ID** field will be able to assign these **Assignable Roles** to [managed identities](../../active-directory/managed-identities-azure-resources/overview.md), which is required in order to [deploy policies that can be remediated](deploy-policy-remediation.md). Note that no other permissions normally associated with the User Access Administrator role will apply to this user. If you do not select one or more roles here, your submission will not pass certification. (If you did not select User Access Administrator for this user's Role Definition, this field has no effect.)
9696

9797
> [!TIP]
98-
> To ensure you can [remove access to a delegation](onboard-customer.md#remove-access-to-a-delegation) if needed, include an **Authorization** with the **Role Definition** set to [Managed Services Registration Assignment Delete Role](../../role-based-access-control/built-in-roles.md#managed-services-registration-assignment-delete-role). If this role is not assigned, delegated resources can only be removed by a user in the customer's tenant.
98+
> To ensure you can [remove access to a delegation](remove-delegation.md) if needed, include an **Authorization** with the **Role Definition** set to [Managed Services Registration Assignment Delete Role](../../role-based-access-control/built-in-roles.md#managed-services-registration-assignment-delete-role). If this role is not assigned, delegated resources can only be removed by a user in the customer's tenant.
9999
100100
Once you've completed the info, you can select **New plan** as many times as you need to create additional plans. When you're done, select **Save**, and then continue to the **Marketplace** section.
101101

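Review bot: the callout at lines 97-98 is tagged `[!TIP]` while the same guidance in `managed-services-offers.md` uses `[!IMPORTANT]`; the consequence is identical in both (without the Delete Role authorization the provider cannot remove its own access), so use `[!IMPORTANT]` here as well. As in `tenants-users-roles.md`, it would help to say that this authorization should target a group or service principal rather than a single user, consistent with the group recommendation made elsewhere in these docs.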
articles/lighthouse/how-to/remove-delegation.md

Lines changed: 10 additions & 6 deletions
@@ -1,23 +1,27 @@
11
---
22
title: Remove access to a delegation
3-
description: Learn how to onboard a customer to Azure delegated resource management, allowing their resources to be accessed and managed through your own tenant.
4-
ms.date: 04/23/2020
3+
description: Learn how to remove access to resources that had been delegated to a service provider for Azure delegated resource management.
4+
ms.date: 04/24/2020
55
ms.topic: conceptual
66
---
77

88
# Remove access to a delegation
99

10-
This article explains how to remove access to a subscription or resource group that was previously delegated to Azure delegated resource management.
10+
After a customer's subscription or resource group has been delegated to a service provider for [Azure delegated resource management](../concepts/azure-delegated-resource-management.md), the delegation can be removed if needed. When a delegation is removed, all of the permissions previously granted to users in the service provider tenant will no longer apply.
11+
12+
Removing a delegation can be done by a user in either the customer tenant or the service provider tenant, as long as the user has the appropriate permissions.
1113

1214
## Customers
1315

14-
By default, users in the customer's tenant who have the appropriate permissions can remove service provider access to delegated resources. To do so, a customer can go to the [Service providers page](view-manage-service-providers.md#add-or-remove-service-provider-offers) of the Azure portal, find the offer on the **Provider offers** screen, and select the trash can icon in the row for that offer. After confirming the deletion, no users in the service provider's tenant will be able to access the resources that had been previously delegated.
16+
Users in the customer's tenant who have the [Owner built-in role](../../role-based-access-control/built-in-roles.md#owner) for a subscription can remove service provider access to that subscription (or to resource groups in that subscription). To do so, a user in the customer's tenant can go to the [Service providers page](view-manage-service-providers.md#add-or-remove-service-provider-offers) of the Azure portal, find the offer on the **Service provider offers** screen, and select the trash can icon in the row for that offer.
17+
18+
After confirming the deletion, no users in the service provider's tenant will be able to access the resources that had been previously delegated.
1519

1620
## Service providers
1721

18-
Users in a management tenant can remove access to delegated resources only if they were granted the [Managed Services Registration Assignment Delete Role](../../role-based-access-control/built-in-roles.md#managed-services-registration-assignment-delete-role) when the customer's resources were onboarded for Azure delegated resource management. If this role was not assigned, the delegation can only be removed by a user in the customer's tenant.
22+
Users in a management tenant can remove access to delegated resources if they were granted the [Managed Services Registration Assignment Delete Role](../../role-based-access-control/built-in-roles.md#managed-services-registration-assignment-delete-role) when the customer's resources were onboarded for Azure delegated resource management. If this role was not assigned, the delegation can only be removed by a user in the customer's tenant.
1923

20-
The example below shows an assignment granting the **Managed Services Registration Assignment Delete Role** that can be included in a parameter file:
24+
The example below shows an assignment granting the **Managed Services Registration Assignment Delete Role** that can be included in a parameter file during the [onboarding process](onboard-customer.md):
2125

2226
```json
2327
"authorizations": [

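Review bot: line 22 changes "only if they were granted" to "if they were granted", which loses precision; the following sentence still spells out the exclusivity, so keep "only if". The new introduction at lines 10-12 reads well, and the `description` fix at line 3 corrects a copy-paste error (it previously duplicated the onboarding article's description). One remaining gap: line 12 says "appropriate permissions" but the two concrete roles are stated only further down (Owner built-in role on the subscription for customers at line 16, Managed Services Registration Assignment Delete Role for providers at line 22); naming both in the intro would make the page self-describing for a reader who stops at the top.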
articles/lighthouse/how-to/view-manage-service-providers.md

Lines changed: 18 additions & 13 deletions
@@ -1,14 +1,19 @@
11
---
22
title: View and manage service providers
33
description: Customers can use the Service providers page in the Azure portal to view info about service providers, service provider offers, and delegated resources.
4-
ms.date: 02/25/2020
4+
ms.date: 04/24/2020
55
ms.topic: conceptual
66
---
77
# View and manage service providers
88

99
Customers can use the **Service providers** page in the [Azure portal](https://portal.azure.com) to view info about service providers and service provider offers, delegate specific resources through [Azure delegated resource management](../concepts/azure-delegated-resource-management.md), and shop for new service provider offers. While we'll refer to service providers and customers here, enterprises managing multiple tenants can use the same process to consolidate their management experience.
1010

11-
To access the **Service providers** page in the Azure portal, the customer can select **All services**, then search for **Service providers** and select it. They can also find it by entering “Service providers” in the search box near the top of the Azure portal.
11+
To access the **Service providers** page in the Azure portal, the customer can select **All services**, then search for **Service providers** and select it. They can also find it by entering "Service providers" or "Azure Lighthouse" in the search box near the top of the Azure portal.
12+
13+
> [!NOTE]
14+
> To view the **Service providers** page, a user in the customer's tenant must have the [Reader built-in role](../../role-based-access-control/built-in-roles.md#reader) (or another built-in role which includes Reader access).
15+
>
16+
> To add offers, delegate resources, and remove offers, the user must have the [Owner built-in role](../../role-based-access-control/built-in-roles.md#owner) for the subscription.
1217
1318
Keep in mind that the **Service providers** page only shows info about the service providers that have access to the customer's subscriptions or resource groups through Azure delegated resource management. If a customer works with additional service providers who don't use Azure delegated resource management to access the customer's resources, info about those service providers is not shown here.
1419

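Review bot: the new NOTE at lines 13-16 says Owner "for the subscription" without saying which subscription; align it with `remove-delegation.md` in this same commit (Owner on the subscription that contains the resources being delegated or removed) and consider linking that page from here. Adding "Azure Lighthouse" as a search term in line 11 is useful; that line also changes curly quotes to straight quotes, which is fine but worth noting in the commit message.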
@@ -17,15 +22,21 @@ Keep in mind that the **Service providers** page only shows info about the servi
1722
1823
## View service provider details
1924

20-
To view info about service providers, the customer can select **Provider offers** on the left side of the **Service providers** page.
25+
To view info about service providers, the customer can select **Service provider offers** on the left side of the **Service providers** page.
2126

2227
For each service provider offer, the customer will see the service provider's name and the offer associated with it, along with the name that the customer entered during the onboarding process.
2328

2429
In the **Delegations** column, the customer sees how many subscriptions and/or resource groups have been delegated to the service provider for that offer. The service provider will be able to access and manage these subscriptions and/or resource groups according to the access levels specified in the offer.
2530

31+
## Add or remove service provider offers
32+
33+
A customer can add a new service provider offer from the **Service provider offers** page by selecting **Add offer**. The service provider must have published an offer for this customer. The customer can then select that offer from the **Private offers** screen and then select **Create**.
34+
35+
If the customer wants to remove a service provider offer, they can select the trash can icon in the row for that offer. After confirming the deletion, that service provider will no longer have access to the customer resources that were formerly delegated for that offer.
36+
2637
## Delegate resources
2738

28-
Before a service provider can access and manage a customer's resources, they must be delegated. If a customer has accepted an offer but has not yet delegated any resources, they'll see a note at the top of the **Provider offers** section. This lets the customer know that they need to take action before the service provider can access any of the customer's resources.
39+
Before a service provider can access and manage a customer's resources, they must be delegated. If a customer has accepted an offer but has not yet delegated any resources, they'll see a note at the top of the **Service provider offers** section. This lets the customer know that they need to take action before the service provider can access any of the customer's resources.
2940

3041
To delegate subscriptions or resource groups:
3142

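Review bot: the moved "Add or remove service provider offers" section (lines 31-35) describes adding an offer only via the **Private offers** screen and requires that "the service provider must have published an offer for this customer", but `managed-services-offers.md` in this same commit says plans can be public; either state here that **Add offer** covers private offers and say how public plans are accepted, or drop the qualifier. The removal paragraph (line 35) should also cross-reference the Owner requirement in the new NOTE above, since that is the permission the trash can action depends on. Keeping the heading text unchanged preserves the `#add-or-remove-service-provider-offers` anchor that `remove-delegation.md` and `managed-services-offers.md` link to.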
@@ -35,15 +46,9 @@ To delegate subscriptions or resource groups:
3546
1. Choose the subscriptions and/or resource groups you'd like to delegate for this offer, then select **Add**.
3647
1. Select the checkbox at the bottom of the page to confirm that you want to grant this service provider access to the resources that you've selected, then select **Delegate**.
3748

38-
## Add or remove service provider offers
39-
40-
A customer can add a new service provider offer from the **Provider offers** page by selecting **Add offer**. The service provider must have published an offer for this customer. The customer can then select that offer from the **Private offers** screen and then select **Create**.
41-
42-
If the customer wants to remove a service provider offer, they can select the trash can icon in the row for that offer. After confirming the deletion, that service provider will no longer have access to the customer resources that were formerly delegated for that offer.
43-
4449
## Update service provider offers
4550

46-
After a customer has added an offer, a service provider may publish an updated version of the same offer to Azure Marketplace. For example, they may want to add a new role definition. If a new version of the offer has been published, the **Provider offers** page will show an "update" icon in the row for that offer. The customer can select this icon to see the differences between the current version of the offer and the new one.
51+
After a customer has added an offer, a service provider may publish an updated version of the same offer to Azure Marketplace. For example, they may want to add a new role definition. If a new version of the offer has been published, the **Service provider offers** page will show an "update" icon in the row for that offer. The customer can select this icon to see the differences between the current version of the offer and the new one.
4752

4853
![Update offer icon](../media/update-offer.jpg)
4954

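Review bot: lines 38-43 are the old location of the section moved up in the previous hunk, so this is a pure move plus the "Provider offers" to "Service provider offers" rename and nothing is lost; one remaining point is that the update paragraph (line 51) gives "add a new role definition" as an example update but does not tell the customer what to do with the differences view, so add a sentence advising them to review any added role definitions before accepting, since those broaden the provider's access to the delegated resources.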
@@ -67,6 +72,6 @@ We provide an [Azure Policy built-in policy definition](../../governance/policy/
6772
For more info about how to assign a policy and view compliance state results, see [Quickstart: Create a policy assignment](../../governance/policy/assign-policy-portal.md).
6873

6974
## Next steps
70-
75+
7176
- Learn more about [Azure Lighthouse](../overview.md).
72-
- Learn how service providers can [view and manage customers](view-manage-customers.md) by going to **My customers** in the Azure portal.
77+
- Learn how service providers can [view and manage customers](view-manage-customers.md) by going to **My customers** in the Azure portal.
