Merging changes synced from https://github.com/MicrosoftDocs/azure-docs-pr (branch live)

Author: Banani-Rath

.openpublishing.redirection.json

@@ -10248,6 +10248,11 @@
       "redirect_url": "/azure/azure-portal/azure-portal-supported-browsers-devices",
       "redirect_document_id": true
     },
+    {
+      "source_path_from_root": "/articles/azure-portal/original-preferences.md",
+      "redirect_url": "/azure/azure-portal/set-preferences",
+      "redirect_document_id": true
+    },
     {
       "source_path_from_root": "/articles/azure-portal/admin-timeout.md",
       "redirect_url": "/azure/azure-portal/set-preferences#change-the-directory-timeout-setting-admin",

articles/active-directory/enterprise-users/groups-self-service-management.md

@@ -10,7 +10,7 @@ ms.service: active-directory
 ms.subservice: enterprise-users
 ms.workload: identity
 ms.topic: how-to
-ms.date: 07/27/2021
+ms.date: 03/22/2022
 ms.author: curtand
 ms.reviewer: krbain
 ms.custom: "it-pro;seo-update-azuread-jan"
@@ -40,7 +40,7 @@ Groups created in | Security group default behavior | Microsoft 365 group defaul
 
 ## Make a group available for user self-service
 
-1. Sign in to the [Azure AD admin center](https://aad.portal.azure.com) with an account that's been assigned the Global Administrator or Privileged Role Administrator role for the directory.
+1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com) with an account that's been assigned the Global Administrator or Privileged Role Administrator role for the directory.
 
 1. Select **Groups**, and then select **General** settings.
 
@@ -71,9 +71,6 @@ The group settings enable to control who can create security and Microsoft 365 g
 
 ![Azure Active Directory security groups setting change.](./media/groups-self-service-management/security-groups-setting.png)
 
-> [!NOTE]
-> The behavior of these settings recently changed. Make sure these settings are configured for your organization. For more information, see [Why were the group settings changed?](#why-were-the-group-settings-changed).
-
  The following table helps you decide which values to choose.
 
 | Setting | Value | Effect on your tenant |
@@ -89,12 +86,6 @@ Here are some additional details about these group settings.
 - If you want to enable some, but not all, of your users to create groups, you can assign those users a role that can create groups, such as [Groups Administrator](../roles/permissions-reference.md#groups-administrator).
 - These settings are for users and don't impact service principals. For example, if you have a service principal with permissions to create groups, even if you set these settings to **No**, the service principal will still be able to create groups. 
 
-### Why were the group settings changed?
-
-The previous implementation of the group settings were named **Users can create security groups in Azure portals** and **Users can create Microsoft 365 groups in Azure portals**. The previous settings only controlled group creation in Azure portals and did not apply to API or PowerShell. The new settings control group creation in Azure portals, as well as, API and PowerShell. The new settings are more secure.
-
-The default values for the new settings have been set to your previous API or PowerShell values. There is a possibility that the default values for the new settings are different than your previous values that controlled only the Azure portal behavior. Starting in May 2021, there was a transition period of a few weeks where you could select your preferred default value before the new settings took effect. Now that the new settings have taken effect, you are required to verify the new settings are configured for your organization.
-
 ## Next steps
 
 These articles provide additional information on Azure Active Directory.

articles/active-directory/roles/TOC.yml

@@ -114,6 +114,8 @@
       href: custom-enterprise-app-permissions.md
     - name: App consent permissions
       href: custom-consent-permissions.md
+    - name: Device management permissions
+      href: custom-device-permissions.md
     - name: Group management permissions
       href: custom-group-permissions.md
   - name: Azure AD service limits

articles/active-directory/roles/admin-units-assign-roles.md

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.topic: how-to
 ms.subservice: roles
 ms.workload: identity
-ms.date: 03/07/2022
+ms.date: 03/22/2022
 ms.author: rolyon
 ms.reviewer: anandy
 ms.custom: oldportal;it-pro;
@@ -41,6 +41,7 @@ The following Azure AD roles can be assigned with administrative unit scope:
 | Role | Description |
 | -----| ----------- |
 | [Authentication Administrator](permissions-reference.md#authentication-administrator) | Has access to view, set, and reset authentication method information for any non-admin user in the assigned administrative unit only. |
+| [Cloud Device Administrator](permissions-reference.md#cloud-device-administrator) | Limited access to manage devices in Azure AD. |
 | [Groups Administrator](permissions-reference.md#groups-administrator) | Can manage all aspects of groups in the assigned administrative unit only. |
 | [Helpdesk Administrator](permissions-reference.md#helpdesk-administrator) | Can reset passwords for non-administrators in the assigned administrative unit only. |
 | [License Administrator](permissions-reference.md#license-administrator) | Can assign, remove, and update license assignments within the administrative unit only. |

articles/active-directory/roles/admin-units-faq-troubleshoot.yml

@@ -10,7 +10,7 @@ metadata:
   ms.topic: faq
   ms.subservice: roles
   ms.workload: identity
-  ms.date: 11/04/2020
+  ms.date: 03/22/2022
   ms.author: rolyon
   ms.reviewer: anandy
   ms.custom: oldportal;it-pro;
@@ -35,7 +35,7 @@ sections:
       - question: |
           I just added (or removed) a member of the administrative unit. Why is the member not showing up (or still showing up) on the user interface?
         answer: |
-          Sometimes, the addition or removal of one or more members of an administrative unit might take a few minutes to be reflected on the **Administrative units** pane. Alternatively, you can go directly to the associated resource's properties and see whether the action has been completed. For more information about users and groups in administrative units, see [List users or groups in an administrative unit](admin-units-members-list.md).
+          Sometimes, the addition or removal of one or more members of an administrative unit might take a few minutes to be reflected on the **Administrative units** pane. Alternatively, you can go directly to the associated resource's properties and see whether the action has been completed. For more information about members in administrative units, see [List users, groups, or devices in an administrative unit](admin-units-members-list.md).
           
       - question: |
           I am a delegated Password Administrator on an administrative unit. Why am I unable to reset a specific user's password?
@@ -57,7 +57,7 @@ sections:
           Adding a group to an administrative unit brings the group itself into the management scope of any *User Administrator* who is also scoped to that administrative unit. User administrators for the administrative unit can manage the name and membership of the group itself. It does not grant the *User Administrator* permissions to manage the users of the group (for example, to reset their passwords). To grant the *User Administrator* the ability to manage users, the users have to be direct members of the administrative unit.
 
       - question: |
-          Can a resource (user or group) be a member of more than one administrative unit?
+          Can a resource (user, group, or device) be a member of more than one administrative unit?
         answer: |
           Yes, a resource can be a member of more than one administrative unit. The resource can be managed by all organization-wide and administrative unit-scoped administrators who have permissions over the resource.
 

articles/active-directory/roles/admin-units-manage.md

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.topic: how-to
 ms.subservice: roles
 ms.workload: identity
-ms.date: 03/03/2022
+ms.date: 03/22/2022
 ms.author: rolyon
 ms.reviewer: anandy
 ms.custom: oldportal;it-pro;
@@ -128,5 +128,5 @@ DELETE https://graph.microsoft.com/v1.0/directory/administrativeUnits/{admin-uni
 
 ## Next steps
 
-- [Add users or groups to an administrative unit](admin-units-members-add.md)
+- [Add users, groups, or devices to an administrative unit](admin-units-members-add.md)
 - [Assign Azure AD roles with administrative unit scope](admin-units-assign-roles.md)

articles/active-directory/roles/admin-units-members-add.md

@@ -1,6 +1,6 @@
 ---
-title: Add users or groups to an administrative unit - Azure Active Directory
-description: Add users or groups to an administrative unit in Azure Active Directory
+title: Add users, groups, or devices to an administrative unit - Azure Active Directory
+description: Add users, groups, or devices to an administrative unit in Azure Active Directory
 services: active-directory
 documentationcenter: ''
 author: rolyon
@@ -9,62 +9,77 @@ ms.service: active-directory
 ms.topic: how-to
 ms.subservice: roles
 ms.workload: identity
-ms.date: 01/14/2022
+ms.date: 03/22/2022
 ms.author: rolyon
 ms.reviewer: anandy
 ms.custom: oldportal;it-pro;
 ms.collection: M365-identity-device-management
 ---
 
-# Add users or groups to an administrative unit
+# Add users, groups, or devices to an administrative unit
 
-In Azure Active Directory (Azure AD), you can add users or groups to an administrative unit to restrict the scope of role permissions. For additional details on what scoped administrators can do, see [Administrative units in Azure Active Directory](administrative-units.md).
+> [!IMPORTANT]
+> Administrative units support for devices is currently in PREVIEW.
+> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
+
+In Azure Active Directory (Azure AD), you can add users, groups, or devices to an administrative unit to restrict the scope of role permissions. For additional details on what scoped administrators can do, see [Administrative units in Azure Active Directory](administrative-units.md).
 
 ## Prerequisites
 
 - Azure AD Premium P1 or P2 license for each administrative unit administrator
 - Azure AD Free licenses for administrative unit members
 - Privileged Role Administrator or Global Administrator
 - AzureAD module when using PowerShell
+- AzureADPreview module when using PowerShell for devices
 - Admin consent when using Graph explorer for Microsoft Graph API
 
 For more information, see [Prerequisites to use PowerShell or Graph Explorer](prerequisites.md).
 
 ## Azure portal
 
-You can add users or groups to administrative units using the Azure portal. You can also add users in a bulk operation.
+You can add users, groups, or devices to administrative units using the Azure portal. You can also add users in a bulk operation.
 
-### Add a single user or group to administrative units
+### Add a single user, group, or device to administrative units
 
 1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com).
 
 1. Select **Azure Active Directory**.
 
-1. Select **Users** or **Groups** and then select the user or group you want to add to an administrative unit.
+1. Select one of the following:
+
+    - **Users**
+    - **Groups**
+    - **Devices** > **All devices**
+  
+1. Select the user, group, or device you want to add to administrative units.
 
 1. Select **Administrative units**. 
 
 1. Select **Assign to administrative unit**.
 
 1. In the **Select** pane, select the administrative units and then select **Select**.
 
-    ![Screenshot of the "Administrative units" pane for assigning a user to an administrative unit.](./media/admin-units-members-add/assign-users-individually.png)
+    ![Screenshot of the Administrative units page for adding a user to an administrative unit.](./media/admin-units-members-add/assign-users-individually.png)
 
-### Add users or groups to a single administrative unit
+### Add users, groups, or devices to a single administrative unit
 
 1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com).
 
 1. Select **Azure Active Directory**.
 
-1. Select **Administrative units** and then select the administrative unit that you want to add users or groups to.
+1. Select **Administrative units** and then select the administrative unit that you want to add users, groups, or devices to.
+
+1. Select one of the following:
 
-1. Select **Users** or **Groups**.
+    - **Users**
+    - **Groups**
+    - **Devices**
 
-1. Select **Add member** or **Add**.
+1. Select **Add member**, **Add**, or **Add device**.
 
-1. In the **Select** pane, select the users or groups you want to add to the administrative unit and then select **Select**.
+1. In the **Select** pane, select the users, groups, or devices you want to add to the administrative unit and then select **Select**.
 
-    ![Screenshot of the administrative unit "Users" pane for assigning a user to an administrative unit.](./media/admin-units-members-add/assign-to-admin-unit.png)
+    ![Screenshot of adding multiple devices to an administrative unit.](./media/admin-units-members-add/admin-unit-members-add.png)
 
 ### Add users to an administrative unit in a bulk operation
 
@@ -78,7 +93,7 @@ You can add users or groups to administrative units using the Azure portal. You
 
 1. Select **Users** > **Bulk operations** > **Bulk add members**.
 
-   ![Screenshot of the "Users" pane for assigning users to an administrative unit as a bulk operation.](./media/admin-units-members-add/bulk-assign-to-admin-unit.png)
+   ![Screenshot of the Users page for assigning users to an administrative unit as a bulk operation.](./media/admin-units-members-add/bulk-assign-to-admin-unit.png)
 
 1. In the **Bulk add members** pane, download the comma-separated values (CSV) template.
 
@@ -96,6 +111,8 @@ You can add users or groups to administrative units using the Azure portal. You
 
 Use the [Add-AzureADMSAdministrativeUnitMember](/powershell/module/azuread/add-azureadmsadministrativeunitmember) command to add users or groups to an administrative unit.
 
+Use the [Add-AzureADMSAdministrativeUnitMember (Preview)](/powershell/module/azuread/add-azureadmsadministrativeunitmember?view=azureadps-2.0-preview&preserve-view=true) command to add devices to an administrative unit.
+
 ### Add users to an administrative unit
 
 ```powershell
@@ -112,10 +129,21 @@ $groupObj = Get-AzureADGroup -Filter "displayname eq 'TestGroup'"
 Add-AzureADMSAdministrativeUnitMember -Id $adminUnitObj.Id -RefObjectId $groupObj.ObjectId
 ```
 
+### Add devices to an administrative unit
+
+```powershell
+$adminUnitObj = Get-AzureADMSAdministrativeUnit -Filter "displayname eq 'Test administrative unit 2'"
+$deviceObj = Get-AzureADDevice -Filter "displayname eq 'TestDevice'"
+Add-AzureADMSAdministrativeUnitMember -Id $adminUnitObj.Id -RefObjectId $deviceObj.ObjectId
+```
+
 ## Microsoft Graph API
 
 Use the [Add a member](/graph/api/administrativeunit-post-members) API to add users or groups to an administrative unit.
 
+Use the [Add a member (Beta)](/graph/api/administrativeunit-post-members?view=graph-rest-beta&preserve-view=true) API to add devices to an administrative unit.
+
+
 ### Add users to an administrative unit
 
 Request
@@ -128,15 +156,15 @@ Body
 
 ```http
 {
-  "@odata.id":"https://graph.microsoft.com/v1.0/users/{user-id}"
+    "@odata.id":"https://graph.microsoft.com/v1.0/users/{user-id}"
 }
 ```
 
 Example
 
 ```http
 {
-  "@odata.id":"https://graph.microsoft.com/v1.0/users/[email protected]"
+    "@odata.id":"https://graph.microsoft.com/v1.0/users/[email protected]"
 }
 ```
 
@@ -152,20 +180,36 @@ Body
 
 ```http
 {
-"@odata.id":"https://graph.microsoft.com/v1.0/groups/{group-id}"
+    "@odata.id":"https://graph.microsoft.com/v1.0/groups/{group-id}"
 }
 ```
 
 Example
 
 ```http
 {
-"@odata.id":"https://graph.microsoft.com/v1.0/groups/871d21ab-6b4e-4d56-b257-ba27827628f3"
+    "@odata.id":"https://graph.microsoft.com/v1.0/groups/871d21ab-6b4e-4d56-b257-ba27827628f3"
+}
+```
+
+### Add devices to an administrative unit
+
+Request
+
+```http
+POST https://graph.microsoft.com/beta/administrativeUnits/{admin-unit-id}/members/$ref
+```
+
+Body
+
+```http
+{
+    "@odata.id":"https://graph.microsoft.com/beta/devices/{device-id}"
 }
 ```
 
 ## Next steps
 
 - [Administrative units in Azure Active Directory](administrative-units.md)
 - [Assign Azure AD roles with administrative unit scope](admin-units-assign-roles.md)
-- [Remove users or groups from an administrative unit](admin-units-members-remove.md)
+- [Remove users, groups, or devices from an administrative unit](admin-units-members-remove.md)