Merge pull request #101248 from JnHs/jh-azurelighthouse-rbacnote

PRMerger18 · web-flow · commit c7b4978fc615 · 2020-01-15T11:49:12.000-08:00
Add note about viewing role assignments
diff --git a/articles/lighthouse/how-to/view-manage-service-providers.md b/articles/lighthouse/how-to/view-manage-service-providers.md
@@ -1,7 +1,7 @@
 ---
 title: View and manage service providers
 description: Customers can use the Service providers page in the Azure portal to view info about service providers, service provider offers, and delegated resources.
-ms.date: 11/15/2019
+ms.date: 01/15/2020
 ms.topic: conceptual
 ---
 # View and manage service providers
@@ -55,6 +55,9 @@ Delegations represent the role assignments that grant permissions to the service
 
 Filters at the top of the page let you sort and group your delegation info or filter by specific customers, offers, or keywords.
 
+> [!NOTE]
+> Customers will not see these role assignments, or any users from the service provider tenant who have been granted these roles, when [viewing role assignment info for the delegated scope in the Azure portal](../../role-based-access-control/role-assignments-list-portal.md#list-role-assignments-at-a-scope) or via APIs.
+
 ## Next steps
 
 - Learn more about [Azure Lighthouse](../overview.md).
diff --git a/articles/lighthouse/how-to/view-service-provider-activity.md b/articles/lighthouse/how-to/view-service-provider-activity.md
@@ -1,7 +1,7 @@
 ---
 title: View service provider activity
 description: Customers can view logged activity to see actions performed by service providers through Azure delegated resource management.
-ms.date: 12/6/2019
+ms.date: 01/15/2020
 ms.topic: conceptual
 ---
 
@@ -20,6 +20,9 @@ In the activity log, you'll see the name of the operation and its status, along
 
 Logged activity is available in the Azure portal for the past 90 days. To learn how to store this data for longer than 90 days, see [Collect and analyze Azure activity logs in Log Analytics workspace in Azure Monitor](../../azure-monitor/platform/activity-log-collect.md)
 
+> [!NOTE]
+> Users from the service provider appear in the activity log, but these users and their role assignments are not shown in **Access Control (IAM)** or when retrieving role assignment info via APIs.
+
 ## Set alerts for critical operations
 
 To stay aware of critical operations that service providers (or users in your own tenant) are performing, we recommend creating [activity log alerts](../../azure-monitor/platform/activity-log-alerts.md). For example, you may want to track all administrative actions for a subscription, or be notified when any virtual machine in a particular resource group is deleted. When you create alerts, they will include actions taken by users in the customer's own tenant as well as in any managing tenants.
