Commit ba1f6f5

billing info roles
1 parent 81a7ce4 commit ba1f6f5

1 file changed

+2
-1
lines changed

articles/lighthouse/concepts/tenants-users-roles.md

Lines changed: 2 additions & 1 deletion
@@ -1,7 +1,7 @@
11
---
22
title: Tenants, roles, and users in Azure Lighthouse scenarios
33
description: Understand the concepts of Azure Active Directory tenants, users, and roles, as well as how they can be used in Azure Lighthouse scenarios.
4-
ms.date: 03/24/2020
4+
ms.date: 04/03/2020
55
ms.topic: conceptual
66
---
77

@@ -36,6 +36,7 @@ When creating your authorizations, we recommend the following best practices:
3636
- Be sure to follow the principle of least privilege so that users only have the permissions needed to complete their job, helping to reduce the chance of inadvertent errors. For more info, see [Recommended security practices](../concepts/recommended-security-practices.md).
3737
- Include a user with the [Managed Services Registration Assignment Delete Role](../../role-based-access-control/built-in-roles.md#managed-services-registration-assignment-delete-role) so that you can [remove access to the delegation](../how-to/onboard-customer.md#remove-access-to-a-delegation) later if needed. If this role is not assigned, delegated resources can only be removed by a user in the customer's tenant.
3838
- Be sure that any user who needs to [view the My customers page in the Azure portal](../how-to/view-manage-customers.md) has the [Reader](../../role-based-access-control/built-in-roles.md#reader) role (or another built-in role which includes Reader access).
39+
- Users in the managing tenant will not have access to view billing info for a delegated customer subscription, even if they have a built-in role that would typically allow access. This is because access to billing information requires additional steps that are currently only supported for users within the same tenant.
3940

4041
> [!IMPORTANT]
4142
> In order to add permissions for an Azure AD group, the **Group type** must be **Security** and not **Office 365**. This option is selected when the group is created. For more information, see [Create a basic group and add members using Azure Active Directory](../../active-directory/fundamentals/active-directory-groups-create-azure-portal.md).
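
Review bot: The bullet added at new line 39 states a limitation, but it sits in the list introduced by "we recommend the following best practices", where every other item is an action the reader takes ("Be sure to follow the principle of least privilege", "Include a user with the ... Delete Role"). Consider moving it out of the list into its own note after the bullets, or rewording it as guidance, so it is not read as a recommendation. It also refers to "additional steps" without naming them or linking anywhere, while each of the other bullets links to the relevant page; say what those steps are or state directly what the reader should do instead (for example, that billing information has to be viewed by a user in the customer's tenant, if that is the intent). Spelling that out matters next to the least-privilege bullet above it: without it, someone may grant a broader built-in role in the managing tenant expecting it to unlock billing data, which this line says will not work.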
