Commit cb23601

committed
Update howto-use-break-glass-access.md
1 parent 5196ac1 commit cb23601

1 file changed: +36 −0 lines changed

articles/operator-nexus/howto-use-break-glass-access.md

Lines changed: 36 additions & 0 deletions
@@ -13,6 +13,8 @@ ms.custom: template-how-to, devx-track-azurecli
1313

1414
Break glass access using Method D v2.0 is a streamlined approach for administrators to grant secure, emergency access to critical network fabric devices. This guide walks you through setting up and using break glass access, including generating SSH keys, granting permissions, and accessing network fabric devices.
1515

16+
Method D v2.0 also supports assigning roles to Entra Groups, streamlining the management of break glass access by leveraging group-based role assignments.
17+
1618
## Generating SSH Keys using the Nexusidentity Azure CLI
1719

1820
To start with break glass Identity and Access Management (IAM) configuration, you need to set up SSH keys using the Nexusidentity extension. Make sure you have the following prerequisites installed and updated.
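Review bot: the added sentence "Method D v2.0 also supports assigning roles to Entra Groups" does not say which kind of group or which membership counts, while the prerequisites added later in this same change ask specifically for "Entra security groups" and the note under "Scope for group based role assignments" says nested groups are not supported and only direct memberships are considered. A user whose only path into the group is through a nested group will silently get no device account, so state both constraints in the intro, for example "assigning roles to Entra security groups (direct membership only; nested groups are not supported)", rather than leaving them for a note near the end of the file. "leveraging group-based role assignments" also just restates the first half of the sentence and can be dropped.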
@@ -31,6 +33,11 @@ To start with break glass Identity and Access Management (IAM) configuration, yo
3133
- **Microsoft Authentication Library (MSAL) version**: 1.31.2b1
3234
- **azure-mgmt-resource**: 23.1.1
3335

36+
### Prerequisites and Setup for Group-based role assignments
37+
38+
**Create Security Groups**: Define Entra security groups that include users requiring BreakGlass access.
39+
**Assign Roles to Groups**: Assign BreakGlass roles to security groups instead of individual users.
40+
3441
### Steps to install Nexusidentity extension and generate SSH keys
3542

3643
1. **Enabling long paths** (Windows OS only)
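Review bot: the new "### Prerequisites and Setup for Group-based role assignments" subsection is placed under "## Generating SSH Keys using the Nexusidentity Azure CLI", between the tooling version list and "### Steps to install Nexusidentity extension and generate SSH keys", but neither of its two items has anything to do with SSH keys; both describe role assignment, which this document covers further down ("Once these roles are assigned, the corresponding username and public SSH key are ..."). Move the subsection next to that role-assignment content so a reader following the SSH-key steps in order is not interrupted, and render the two bold items as a list (the version list just above uses `- ` bullets) or as numbered steps, since as written they are two orphan paragraphs. "Assign BreakGlass roles to security groups instead of individual users" should name the roles (the later hunk mentions Nexus Network Fabric Service Reader or Writer) and, given the `devx-track-azurecli` tag on this page, show the `az role assignment create` invocation with the group's object ID and `--assignee-principal-type Group`, which is where group assignments most often go wrong. Spelling is also inconsistent: this hunk writes "BreakGlass" while the rest of the file writes "break glass"; pick one.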
@@ -125,6 +132,19 @@ Once these roles are assigned, the corresponding username and public SSH key are
125132
> [!Note]
126133
> break glass user accounts are reconciled every 4 hours. For immediate reconciliation, open a support ticket with the network fabric support team.
127134
135+
## Scope for group based role assignments
136+
137+
Role assignments can be made at either the subscription or fabric scope. But these role assignments have been validated at the fabric level. Each user must have rights for the specific fabric instance, which may be inherited from higher-level grants (e.g., subscription-level assignments).
138+
139+
Multiple groups can be assigned the same NNF built-in role (e.g., Nexus Network Fabric Service Reader or Writer) for a given fabric instance.
140+
141+
### User Limitations
142+
A maximum of 200 user accounts (across all groups and individual assignments) can be granted BreakGlass access. This limit is subject to review in future releases.
143+
Multiple groups may be assigned the same role for a fabric instance, but the 200-user limit still applies.
144+
145+
> [!Note]
146+
> Nested groups are not supported. Only direct group memberships are considered.
147+
128148
## Break-glass access to Network Fabric device
129149
130150
Once permissions are granted, users can access network fabric devices with their FIDO-2 hardware token (for example, YubiKey). Follow these steps to use break glass access.
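Review bot: the first paragraph under "## Scope for group based role assignments" contradicts itself. It says assignments "can be made at either the subscription or fabric scope", then that they "have been validated at the fabric level", then that fabric rights "may be inherited from higher-level grants (e.g., subscription-level assignments)". A reader cannot tell whether a subscription-scope group assignment is supported, supported but untested, or unsupported for break glass provisioning; state one position, for example "Assign the role at the fabric resource scope; assignments at subscription scope are inherited by the fabric but have not been validated for break glass provisioning", or whichever is actually true. "NNF built-in role" uses an abbreviation the visible text never expands; spell out Nexus Network Fabric on first use. Under "### User Limitations", "Multiple groups may be assigned the same role for a fabric instance, but the 200-user limit still applies" repeats the sentence immediately above it; keep one copy. More importantly, the section never says what happens when the 200-account cap is exceeded (no accounts provisioned, the first 200 in some order, or an error surfaced) or where an operator can see the current count, so a cap hit and an offboarding failure would look identical from the device. Finally, the "Nested groups are not supported" note is the fact most likely to cause silent loss of emergency access; repeat it in the prerequisites and say whether a user who is both a direct member and a nested member is provisioned.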
@@ -145,3 +165,19 @@ Once permissions are granted, users can access network fabric devices with their
145165

146166
> [!Note]
147167
> This command establishes a secure connection, using the jump server as an intermediary for authentication.
168+
169+
## Group based role assignment synchronization
170+
Upon assigning an Entra Group to a BreakGlass role, all users in that group will have the appropriate device access provisioned during the next synchronization cycle.
171+
172+
### Reconciliation Process
173+
174+
BreakGlass account reconciliation occurs every four hours and ensures alignment between Entra role assignments and device access:
175+
176+
- **User Removed from Group**: Device access will be revoked.
177+
178+
- **User Added to Group**: Appropriate device access will be provisioned.
179+
180+
- **Group Role Assignment Removed**: All users in the group will have their access revoked.
181+
182+
- **Failure to Resolve Group Membership**: If group membership cannot be verified (e.g., due to Entra API failures or connectivity issues), no changes will be made to existing device accounts.
183+
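Review bot: the last bullet, "Failure to Resolve Group Membership ... no changes will be made to existing device accounts", describes a fail-open revocation path and should say so plainly: a user removed from a group, or a group whose role assignment was removed, keeps SSH access to fabric devices for as long as the Entra lookup keeps failing, and no upper bound on that window is given. State the security consequence, whether repeated resolution failures are surfaced anywhere (alert, activity log, support ticket guidance), and whether the existing "For immediate reconciliation, open a support ticket with the network fabric support team" path applies to forcing a revocation as well as a grant. "BreakGlass account reconciliation occurs every four hours" duplicates the earlier "break glass user accounts are reconciled every 4 hours" note; cross-reference it rather than restating, and say whether group-based and individual assignments share a single cycle. "during the next synchronization cycle" under "## Group based role assignment synchronization" should give the worst-case delay (up to four hours by the interval stated two lines later) so that expectations for emergency access are set before an incident. Last, this section lands after the "## Break-glass access to Network Fabric device" procedure and its closing note about the jump server; it belongs with the "Scope for group based role assignments" section earlier in the file rather than after the device-login steps.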
