Merge pull request #297290 from rolyon/rolyon-rbac-freshness-mar2025

[Azure RBAC] Freshness pass for March 2025

Author: v-ccolin

articles/role-based-access-control/best-practices.md

@@ -5,7 +5,7 @@ author: rolyon
 manager: femila
 ms.service: role-based-access-control
 ms.topic: conceptual
-ms.date: 01/30/2024
+ms.date: 03/30/2025
 ms.author: rolyon
 #Customer intent: As a dev, devops, or it admin, I want to learn how to best use Azure RBAC.
 ---
@@ -22,7 +22,7 @@ When planning your access control strategy, it's a best practice to grant users
 
 The following diagram shows a suggested pattern for using Azure RBAC.
 
-![Azure RBAC and least privilege](./media/best-practices/rbac-least-privilege.png)
+:::image type="content" source="./media/best-practices/rbac-least-privilege.png" alt-text="Diagram of suggested pattern for using Azure RBAC and least privilege." lightbox="./media/best-practices/rbac-least-privilege.png":::
 
 For information about how to assign roles, see [Assign Azure roles using the Azure portal](role-assignments-portal.yml).
 

articles/role-based-access-control/custom-roles-portal.md

@@ -5,13 +5,13 @@ author: rolyon
 manager: femila
 ms.service: role-based-access-control
 ms.topic: how-to
-ms.date: 04/05/2023
+ms.date: 03/30/2025
 ms.author: rolyon
 ---
 
 # Create or update Azure custom roles using the Azure portal
 
-If the [Azure built-in roles](built-in-roles.md) don't meet the specific needs of your organization, you can create your own Azure custom roles. Just like built-in roles, you can assign custom roles to users, groups, and service principals at management group, subscription and resource group scopes. Custom roles are stored in a Microsoft Entra directory and can be shared across subscriptions. Each directory can have up to 5000 custom roles. Custom roles can be created using the Azure portal, Azure PowerShell, Azure CLI, or the REST API. This article describes how to create custom roles using the Azure portal.
+If the [Azure built-in roles](built-in-roles.md) don't meet the specific needs of your organization, you can create your own Azure custom roles. Just like built-in roles, you can assign custom roles to users, groups, and service principals at management group, subscription, and resource group scopes. Custom roles are stored in a Microsoft Entra directory and can be shared across subscriptions. Each directory can have up to 5000 custom roles. Custom roles can be created using the Azure portal, Azure PowerShell, Azure CLI, or the REST API. This article describes how to create custom roles using the Azure portal.
 
 ## Prerequisites
 
@@ -40,15 +40,15 @@ If an existing role does not quite have the permissions you need, you can clone
 
     The following screenshot shows the Access control (IAM) page opened for a subscription.
 
-    ![Access control (IAM) page for a subscription](./media/shared/sub-access-control.png)
+    :::image type="content" source="./media/shared/sub-access-control.png" alt-text="Screenshot of Access control (IAM) page for a subscription." lightbox="./media/shared/sub-access-control.png":::
 
 1. Click the **Roles** tab to see a list of all the built-in and custom roles.
 
 1. Search for a role you want to clone such as the Billing Reader role.
 
 1. At the end of the row, click the ellipsis (**...**) and then click **Clone**.
 
-    ![Clone context menu](./media/custom-roles-portal/clone-menu.png)
+    :::image type="content" source="./media/custom-roles-portal/clone-menu.png" alt-text="Screenshot of Clone context menu." lightbox="./media/custom-roles-portal/clone-menu.png":::
 
     This opens the custom roles editor with the **Clone a role** option selected.
 
@@ -62,7 +62,7 @@ If you prefer, you can follow these steps to start a custom role from scratch.
 
 1. Click **Add** and then click **Add custom role**.
 
-    ![Screenshot showing Add custom role menu.](./media/custom-roles-portal/add-custom-role-menu.png)
+    :::image type="content" source="./media/custom-roles-portal/add-custom-role-menu.png" alt-text="Screenshot of Add custom role menu." lightbox="./media/custom-roles-portal/add-custom-role-menu.png":::
 
     This opens the custom roles editor with the **Start from scratch** option selected.
 
@@ -126,7 +126,7 @@ If you prefer, you can specify most of your custom role values in a JSON file. Y
 
 1. Click **Add** and then click **Add custom role**.
 
-    ![Screenshot showing Add custom role menu.](./media/custom-roles-portal/add-custom-role-menu.png)
+    :::image type="content" source="./media/custom-roles-portal/add-custom-role-menu.png" alt-text="Screenshot of Add custom role menu." lightbox="./media/custom-roles-portal/add-custom-role-menu.png":::
 
     This opens the custom roles editor.
 
@@ -148,13 +148,13 @@ On the **Basics** tab, you specify the name, description, and baseline permissio
 
     The **Baseline permissions** option should already be set based on the previous step, but you can change.
 
-    ![Basics tab with values specified](./media/custom-roles-portal/basics-values.png)
+    :::image type="content" source="./media/custom-roles-portal/basics-values.png" alt-text="Screenshot of Basics tab with values specified." lightbox="./media/custom-roles-portal/basics-values.png":::
 
 ## Step 4: Permissions
 
 On the **Permissions** tab, you specify the permissions for your custom role. Depending on whether you cloned a role or if you started with JSON, the Permissions tab might already list some permissions.
 
-![Permissions tab of create custom role](./media/custom-roles-portal/permissions.png)
+:::image type="content" source="./media/custom-roles-portal/permissions.png" alt-text="Screenshot of Permissions tab for create custom role." lightbox="./media/custom-roles-portal/permissions.png":::
 
 ### Add or remove permissions
 
@@ -168,13 +168,13 @@ Follow these steps to add or remove permissions for your custom role.
 
     A list of resource provider cards will be displayed based on your search string. For a list of how resource providers map to Azure services, see [Resource providers for Azure services](../azure-resource-manager/management/azure-services-resource-providers.md).
 
-    ![Add permissions pane with resource provider](./media/shared/add-permissions-provider.png)
+    :::image type="content" source="./media/shared/add-permissions-provider.png" alt-text="Screenshot of Add permissions pane with resource provider." lightbox="./media/shared/add-permissions-provider.png":::
 
 1. Click a resource provider card that might have the permissions you want to add to your custom role, such as **Microsoft Billing**.
 
     A list of the management permissions for that resource provider is displayed based on your search string.
 
-    ![Add permissions list](./media/shared/add-permissions-list.png)
+    :::image type="content" source="./media/shared/add-permissions-list.png" alt-text="Screenshot of Add permissions list." lightbox="./media/shared/add-permissions-list.png":::
 
 1. If you are looking for permissions that apply to the data plane, click **Data Actions**. Otherwise, leave the actions toggle set to **Actions** to list permissions that apply to the control plane. For more information, about the differences between the control plane and data plane, see [Control and data actions](role-definitions.md#control-and-data-actions).
 
@@ -186,7 +186,7 @@ Follow these steps to add or remove permissions for your custom role.
 
     The permission gets added as an `Actions` or a `DataActions`.
 
-    ![Permission added](./media/custom-roles-portal/permissions-list-add.png)
+    :::image type="content" source="./media/custom-roles-portal/permissions-list-add.png" alt-text="Screenshot of permission added." lightbox="./media/custom-roles-portal/permissions-list-add.png":::
 
 1. To remove permissions, click the delete icon at the end of the row. In this example, since a user will not need the ability to create support tickets, the `Microsoft.Support/*` permission can be deleted.
 
@@ -201,7 +201,7 @@ Microsoft.CostManagement/exports/*
 If you want to add a new wildcard permission, you can't add it using the **Add permissions** pane. To add a wildcard permission, you have to add it manually using the **JSON** tab. For more information, see [Step 6: JSON](#step-6-json).
 
 > [!NOTE]
-> It's recommended that you specify `Actions` and `DataActions` explicitly instead of using the wildcard (`*`) character. The additional access and permissions granted through future `Actions` or `DataActions` may be unwanted behavior using the wildcard.
+> It's recommended that you specify `Actions` and `DataActions` explicitly instead of using the wildcard (`*`) character. The additional access and permissions granted through future `Actions` or `DataActions` might be unwanted behavior using the wildcard.
 
 ### Exclude permissions
 
@@ -228,11 +228,11 @@ When you exclude a permission, it is added as a `NotActions` or `NotDataActions`
 
 1. Once you find one or more permissions that you want to exclude, add a check mark next to the permissions and then click the **Add** button.
 
-    ![Exclude permissions pane - permission selected](./media/custom-roles-portal/exclude-permissions-select.png)
+    :::image type="content" source="./media/custom-roles-portal/exclude-permissions-select.png" alt-text="Screenshot of Exclude permissions pane with permission selected." lightbox="./media/custom-roles-portal/exclude-permissions-select.png":::
 
     The permission gets added as a `NotActions` or `NotDataActions`.
 
-    ![Permission excluded](./media/custom-roles-portal/exclude-permissions-list-add.png)
+    :::image type="content" source="./media/custom-roles-portal/exclude-permissions-list-add.png" alt-text="Screenshot of permission excluded." lightbox="./media/custom-roles-portal/exclude-permissions-list-add.png":::
 
 ## Step 5: Assignable scopes
 
@@ -242,11 +242,11 @@ On the **Assignable scopes** tab, you specify where your custom role is availabl
 
 1. Click **Add assignable scopes** to open the Add assignable scopes pane.
 
-    ![Assignable scopes tab](./media/custom-roles-portal/assignable-scopes.png)
+    :::image type="content" source="./media/custom-roles-portal/assignable-scopes.png" alt-text="Screenshot of Assignable scopes tab." lightbox="./media/custom-roles-portal/assignable-scopes.png":::
 
 1. Click one or more scopes that you want to use, typically your subscription.
 
-    ![Add assignable scopes](./media/custom-roles-portal/add-assignable-scopes.png)
+    :::image type="content" source="./media/custom-roles-portal/add-assignable-scopes.png" alt-text="Screenshot of Add assignable scopes." lightbox="./media/custom-roles-portal/add-assignable-scopes.png":::
 
 1. Click the **Add** button to add your assignable scope.
 
@@ -256,7 +256,7 @@ On the **JSON** tab, you see your custom role formatted in JSON. If you want, yo
 
 1. To edit the JSON, click **Edit**.
 
-    ![JSON tab showing custom role](./media/custom-roles-portal/json.png)
+    :::image type="content" source="./media/custom-roles-portal/json.png" alt-text="Screenshot of JSON tab showing custom role." lightbox="./media/custom-roles-portal/json.png":::
 
 1. Make changes to the JSON.
 
@@ -270,17 +270,17 @@ On the **Review + create** tab, you can review your custom role settings.
 
 1. Review your custom role settings.
 
-    ![Review + create tab](./media/custom-roles-portal/review-create.png)
+    :::image type="content" source="./media/custom-roles-portal/review-create.png" alt-text="Screenshot of Review + create tab." lightbox="./media/custom-roles-portal/review-create.png":::
 
 1. Click **Create** to create your custom role.
 
     After a few moments, a message box appears indicating your custom role was successfully created.
 
-    ![Create custom role message](./media/custom-roles-portal/custom-role-success.png)
+    :::image type="content" source="./media/custom-roles-portal/custom-role-success.png" alt-text="Screenshot of create custom role message." lightbox="./media/custom-roles-portal/custom-role-success.png":::
 
     If any errors are detected, a message will be displayed.
 
-    ![Review + create error](./media/custom-roles-portal/review-create-error.png)
+    :::image type="content" source="./media/custom-roles-portal/review-create-error.png" alt-text="Screenshot of Review + create error." lightbox="./media/custom-roles-portal/review-create-error.png":::
 
 1. View your new custom role in the **Roles** list. If you don't see your custom role, click **Refresh**.
 
@@ -298,7 +298,7 @@ Follow these steps to view your custom roles.
 
     If you just created your custom role and you don't see it in the list, click **Refresh**.
 
-    ![Custom role list](./media/custom-roles-portal/custom-role-list.png)
+    :::image type="content" source="./media/custom-roles-portal/custom-role-list.png" alt-text="Screenshot of custom role list" lightbox="./media/custom-roles-portal/custom-role-list.png":::
 
 ## Update a custom role
 
@@ -308,7 +308,7 @@ Follow these steps to view your custom roles.
 
     The custom role is opened in the editor.
 
-    ![Custom role menu](./media/custom-roles-portal/edit-menu.png)
+    :::image type="content" source="./media/custom-roles-portal/edit-menu.png" alt-text="Screenshot of Custom role menu." lightbox="./media/custom-roles-portal/edit-menu.png":::
 
 1. Use the different tabs to update the custom role.
 
@@ -324,7 +324,7 @@ Follow these steps to view your custom roles.
 
 1. Click the ellipsis (**...**) for the custom role you want to delete and then click **Delete**.
 
-    ![Screenshot of a list of custom roles that can be selected for deletion.](./media/shared/custom-roles-delete-menu.png)
+    :::image type="content" source="./media/shared/custom-roles-delete-menu.png" alt-text="Screenshot of a list of custom roles that can be selected for deletion." lightbox="./media/shared/custom-roles-delete-menu.png":::
 
     It can take a few minutes for your custom role to be completely deleted.
 

articles/role-based-access-control/quickstart-assign-role-user-portal.md

@@ -6,7 +6,7 @@ author: rolyon
 manager: femila
 ms.service: role-based-access-control
 ms.topic: tutorial
-ms.date: 10/15/2021
+ms.date: 03/30/2025
 ms.author: rolyon
 ms.custom: subject-rbac-steps
 #Customer intent: As a new user, I want to see how to grant access to resources in the portal, so that I can start granting access to others.
@@ -30,19 +30,19 @@ Sign in to the [Azure portal](https://portal.azure.com).
 
 ## Create a resource group
 
-1. In the navigation list, click **Resource groups**.
+1. In the navigation list, select **Resource groups**.
 
-1. Click **New** to open the **Create a resource group** page.
+1. Select **New** to open the **Create a resource group** page.
 
-   ![Create a new resource group page.](./media/quickstart-assign-role-user-portal/resource-group.png)
+    :::image type="content" source="./media/quickstart-assign-role-user-portal/resource-group.png" alt-text="Screenshot of Create a new resource group page." lightbox="./media/quickstart-assign-role-user-portal/resource-group.png":::
 
 1. Select a subscription.
 
 1. For **Resource group** name, enter **example-group** or another name.
 
-1. Click **Review + create** and then click **Create** to create the resource group.
+1. Select **Review + create** and then select **Create** to create the resource group.
 
-1. Click **Refresh** to refresh the list of resource groups.
+1. Select **Refresh** to refresh the list of resource groups.
 
    The new resource group appears in your resource groups list.
 
@@ -52,54 +52,53 @@ In Azure RBAC, to grant access, you assign an Azure role.
 
 1. In the list of **Resource groups**, open the new **example-group** resource group.
 
-1. In the navigation menu, click **Access control (IAM)**.
+1. In the navigation menu, select **Access control (IAM)**.
 
-1. Click the **Role assignments** tab to see the current list of role assignments.
+1. Select the **Role assignments** tab to see the current list of role assignments.
 
-   ![Access control (IAM) page for resource group.](./media/shared/rg-role-assignments.png)
+    :::image type="content" source="./media/shared/rg-role-assignments.png" alt-text="Screenshot of Access control (IAM) page for resource group." lightbox="./media/shared/rg-role-assignments.png":::
 
-
-1. Click **Add** > **Add role assignment**.
+1. Select **Add** > **Add role assignment**.
 
    If you don't have permissions to assign roles, the Add role assignment option will be disabled.
 
-   ![Access control (IAM) page with Add role assignment menu open.](~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-menu-generic.png)
+    :::image type="content" source="~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-menu-generic.png" alt-text="Screenshot of Access control (IAM) page with Add role assignment menu open." lightbox="~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-menu-generic.png":::
 
 1. On the **Role** tab, select the **Virtual Machine Contributor** role.
 
-    ![Add role assignment page with Role tab selected.](~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-role-generic.png)
+    :::image type="content" source="~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-role-generic.png" alt-text="Screenshot of Add role assignment page with Role tab selected." lightbox="~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-role-generic.png":::
 
 1. On the **Members** tab, select yourself or another user.
 
 1. On the **Review + assign** tab, review the role assignment settings.
 
-1. Click **Review + assign** to assign the role.
+1. Select **Review + assign** to assign the role.
 
    After a few moments, the user is assigned the Virtual Machine Contributor role at the example-group resource group scope.
 
-   ![Virtual Machine Contributor role assignment.](./media/quickstart-assign-role-user-portal/vm-contributor-assignment.png)
+    :::image type="content" source="./media/quickstart-assign-role-user-portal/vm-contributor-assignment.png" alt-text="Screenshot of Virtual Machine Contributor role assignment." lightbox="./media/quickstart-assign-role-user-portal/vm-contributor-assignment.png":::
 
 ## Remove access
 
 In Azure RBAC, to remove access, you remove a role assignment.
 
 1. In the list of role assignments, add a checkmark next to the user with the Virtual Machine Contributor role.
 
-1. Click **Remove**.
+1. Select **Remove**.
 
-   ![Remove role assignments message.](./media/quickstart-assign-role-user-portal/remove-role-assignment.png)
+    :::image type="content" source="./media/quickstart-assign-role-user-portal/remove-role-assignment.png" alt-text="Screenshot of Remove role assignments message." lightbox="./media/quickstart-assign-role-user-portal/remove-role-assignment.png":::
 
-1. In the remove role assignment message that appears, click **Yes**.
+1. In the remove role assignment message that appears, select **Yes**.
 
 ## Clean up
 
-1. In the navigation list, click **Resource groups**.
+1. In the navigation list, select **Resource groups**.
 
-1. Click **example-group** to open the resource group.
+1. Select **example-group** to open the resource group.
 
-1. Click **Delete resource group** to delete the resource group.
+1. Select **Delete resource group** to delete the resource group.
 
-1. On the **Are you sure you want to delete** pane, type the resource group name and then click **Delete**.
+1. On the **Are you sure you want to delete** pane, type the resource group name and then select **Delete**.
 
 ## Next steps
 

articles/role-based-access-control/role-assignments-cli.md

@@ -5,7 +5,7 @@ author: rolyon
 manager: femila
 ms.service: role-based-access-control
 ms.topic: how-to
-ms.date: 01/02/2024
+ms.date: 03/30/2025
 ms.author: rolyon
 ms.custom: devx-track-azurecli
 ---

articles/role-based-access-control/role-assignments-external-users.md

@@ -5,7 +5,7 @@ author: rolyon
 manager: femila
 ms.service: role-based-access-control
 ms.topic: how-to
-ms.date: 02/28/2024
+ms.date: 03/30/2025
 ms.author: rolyon
 ms.custom: it-pro,subject-rbac-steps
 ---

articles/role-based-access-control/role-assignments-list-cli.yml

@@ -7,7 +7,7 @@ metadata:
   ms.author: rolyon
   manager: femila
   ms.reviewer: bagovind
-  ms.date: 01/02/2024
+  ms.date: 03/30/2025
   ms.service: role-based-access-control
   ms.topic: how-to
   ms.custom:

articles/role-based-access-control/role-assignments-list-powershell.yml

@@ -7,7 +7,7 @@ metadata:
   ms.author: rolyon
   manager: femila
   ms.reviewer: bagovind
-  ms.date: 07/28/2020
+  ms.date: 03/30/2025
   ms.service: role-based-access-control
   ms.topic: how-to
   ms.custom: