Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into ddos

Author: dlepow

articles/active-directory/conditional-access/media/concept-conditional-access-cloud-apps/conditional-access-authentication-context-in-policy.png

@@ -1,73 +1,93 @@
 ---
-title: Assign Azure AD roles to users - Azure Active Directory | Microsoft Docs
-description: Instructions about how to assign administrator and non-administrator roles to users with Azure Active Directory.
+title: Manage Azure AD user roles - Azure Active Directory | Microsoft Docs
+description: Instructions about how to assign and update user roles with Azure Active Directory.
 services: active-directory
-author: barclayn
+author: shlipsey3
 manager: amycolannino
 
 ms.service: active-directory
 ms.workload: identity
 ms.subservice: fundamentals
 ms.topic: how-to
-ms.date: 08/17/2022
-ms.author: barclayn
+ms.date: 10/17/2022
+ms.author: sarahlipsey
 ms.reviewer: jeffsta
 ms.custom: "it-pro, seodec18"
 ms.collection: M365-identity-device-management
 ---
 
-# Assign administrator and non-administrator roles to users with Azure Active Directory
+# Assign user roles with Azure Active Directory
 
-In Azure Active Directory (Azure AD), if one of your users needs permission to manage Azure AD resources, you must assign them to a role that provides the permissions they need. For info on which roles manage Azure resources and which roles manage Azure AD resources, see [Classic subscription administrator roles, Azure roles, and Azure AD roles](../../role-based-access-control/rbac-and-directory-admin-roles.md).
+The ability to manage Azure resources is granted by assigning roles that provide the required permissions. Roles can be assigned to individual users or groups. To align with the [Zero Trust guiding principles](/azure/security/fundamentals/zero-trust), use Just-In-Time and Just-Enough-Access policies when assigning roles.
 
-For more information about the available Azure AD roles, see [Assigning administrator roles in Azure Active Directory](../roles/permissions-reference.md). To add users, see [Add new users to Azure Active Directory](add-users-azure-active-directory.md).
+Before assigning roles to users, review the following Microsoft Learn articles:
+
+- [Learn about Azure AD roles](../roles/concept-understand-roles.md)
+- [Learn about role based access control](../../role-based-access-control/rbac-and-directory-admin-roles.md)
+- [Explore the Azure built-in roles](../roles/permissions-reference.md)
 
 ## Assign roles
 
-A common way to assign Azure AD roles to a user is on the **Assigned roles** page for a user. You can also configure the user eligibility to be elevated just-in-time into a role using Privileged Identity Management (PIM). For more information about how to use PIM, see [Privileged Identity Management](../privileged-identity-management/index.yml).
+There are two main steps to the role assignment process. First you'll select the role to assign. Then you'll adjust the role settings and duration.
+
+### Select the role to assign
+
+1. Sign in to the [Azure portal](https://portal.azure.com/) using the Privileged Role Administrator role for the directory.
+
+1. Go to **Azure Active Directory** > **Users**.
+
+1. Search for and select the user getting the role assignment.
+
+      ![Screenshot of the Users - All users list with Alain Charon highlighted.](media/active-directory-users-assign-role-azure-portal/select-existing-user.png)
+
+1. Select **Assigned roles** from the side menu, then select **Add assignments**. 
+
+    ![Screenshot of the user's overview page with Assigned roles option highlighted.](media/active-directory-users-assign-role-azure-portal/user-profile-assign-roles.png)
+
+1. Select a role to assign from the dropdown list and select the **Next** button.
+
+### Adjust the role settings
+
+You can assign roles as either _eligible_ or _active_. Eligible roles are assigned to a user but must be elevated Just-In-Time by the user through Privileged Identity Management (PIM). For more information about how to use PIM, see [Privileged Identity Management](../privileged-identity-management/index.yml).
 
-> [!Note]
-> If you have an Azure AD Premium P2 license plan and already use PIM, all role management tasks are performed in the [Privileged Identity Management experience](../roles/manage-roles-portal.md). This feature is currently limited to assigning only one role at a time. You can't currently select multiple roles and assign them to a user all at once.
->
-> ![Azure AD roles managed in PIM for users who already use PIM and have a Premium P2 license](./media/active-directory-users-assign-role-azure-portal/pim-manages-roles-for-p2.png)
+![Screenshot of the assigned roles page with the assignment types highlighted.](media/active-directory-users-assign-role-azure-portal/role-assignment-types.png)
 
-## Assign a role to a user
+1. From the Setting section of the **Add assignments** page, select an **Assignment type** option.
 
-1. Go to the [Azure portal](https://portal.azure.com/) and sign in using a Global administrator account for the directory.
+1. Leave the **Permanently eligible** option selected if the role should always be available to elevate for the user.
 
-2. Search for and select **Azure Active Directory**.
+    If you uncheck this option, you can specify a date range for the role eligibility.
 
-      ![Azure portal search for Azure Active Directory](media/active-directory-users-assign-role-azure-portal/search-azure-active-directory.png)
+1. Select the **Assign** button.
 
-3. Select **Users**.
+    Assigned roles appear in the associated section for the user, so eligible and active roles are listed separately. 
 
-4. Search for and select the user getting the role assignment. For example, _Alain Charon_.
+    ![Screenshot of the role assignment settings.](media/active-directory-users-assign-role-azure-portal/role-assignment-settings.png)
 
-      ![All users page - select the user](media/active-directory-users-assign-role-azure-portal/directory-role-select-user.png)
+## Update roles
 
-5. On the **Alain Charon - Profile** page, select **Assigned roles**.
+You can change the settings of a role assignment, for example to change an active role to eligible.
 
-    The **Alain Charon - Administrative roles** page appears.
+1. Go to **Azure Active Directory** > **Users**.
 
-6. Select **Add assignments**, select the role to assign to Alain (for example, _Application administrator_), and then choose **Select**.
+1. Search for and select the user getting their role updated.
 
-    ![Assigned roles page - showing the selected role](media/active-directory-users-assign-role-azure-portal/directory-role-select-role.png)
+1. Go to the **Assigned roles** page and select the **Update** link for the role that needs to be changed.
 
-    The Application administrator role is assigned to Alain Charon and it appears on the **Alain Charon - Administrative roles** page.
+1. Change the settings as needed and select the **Save** button.
 
-## Remove a role assignment
+    ![Screenshot of assigned roles page with the Remove and Update options highlighted.](media/active-directory-users-assign-role-azure-portal/remove-update-role-assignment.png)
 
-If you need to remove the role assignment from a user, you can also do that from the **Alain Charon - Administrative roles** page.
+## Remove roles
 
-### To remove a role assignment from a user
+You can remove role assignments from the **Administrative roles** page for a selected user.
 
-1. Select **Azure Active Directory**, select **Users**, and then search for and select the user getting the role assignment removed. For example, _Alain Charon_.
+1. Go to **Azure Active Directory** > **Users**.
 
-2. Select **Assigned roles**, select **Application administrator**, and then select **Remove assignment**.
+1. Search for and select the user getting the role assignment removed.
 
-    ![Assigned roles page, showing the selected role and the remove option](media/active-directory-users-assign-role-azure-portal/directory-role-remove-role.png)
+1. Go to the **Assigned roles** page and select the **Remove** link for the role that needs to be removed. Confirm the change in the pop-up message.
 
-    The Application administrator role is removed from Alain Charon and it no longer appears on the **Alain Charon - Administrative roles** page.
 
 ## Next steps
 
@@ -77,5 +97,4 @@ If you need to remove the role assignment from a user, you can also do that from
 
 - [Add guest users from another directory](../external-identities/what-is-b2b.md)
 
-Other user management tasks you can check out
-are available in [Azure Active Directory user management documentation](../enterprise-users/index.yml).
+- [Explore other user management tasks](../enterprise-users/index.yml)

articles/active-directory/conditional-access/media/concept-conditional-access-cloud-apps/conditional-access-cloud-apps-or-actions.png

@@ -1,69 +1,88 @@
 ---
 title: Add or update user profile information - Azure AD
-description: Instructions about how to add information to a user's profile in Azure Active Directory, including a picture and job details.
+description: Instructions about how to manage a user's profile and settings in Azure Active Directory.
 services: active-directory
-author: barclayn
+author: shlipsey3
 manager: amycolannino
 
 ms.service: active-directory
 ms.workload: identity
 ms.subservice: fundamentals
 ms.topic: how-to
-ms.date: 08/17/2022
-ms.author: barclayn
+ms.date: 10/17/2022
+ms.author: sarahlipsey
 ms.reviewer: jeffsta
 ms.collection: M365-identity-device-management
 ---
 
-# Add or update a user's profile information using Azure Active Directory
-Add user profile information, including a profile picture, job-specific information, and some settings using Azure Active Directory (Azure AD). For more information about adding new users, see [How to add or delete users in Azure Active Directory](add-users-azure-active-directory.md).
+# Add or update a user's profile information and settings
+A user's profile information and settings can be managed on an individual basis and for all users in your directory. When you look at these settings together, you can see how permissions, restrictions, and other connections work together.
 
-## Add or change profile information
-As you'll see, there's more information available in a user's profile than what you're able to add during the user's creation. All this additional information is optional and can be added as needed by your organization.
-
-## To add or change profile information
+This article covers how to add user profile information, such as a profile picture and job-specific information. You can also choose to allow users to connect their LinkedIn accounts or restrict access to the Azure AD administration portal. Some settings may be managed in more than one area of Azure AD. For more information about adding new users, see [How to add or delete users in Azure Active Directory](add-users-azure-active-directory.md). 
 
->[!Note]
->The user name and email address properties can't contain accent characters.
+## Add or change profile information
+When new users are created, only some details are added to their user profile. If your organization needs more details, they can be added after the user is created. 
 
 1. Sign in to the [Azure portal](https://portal.azure.com/) in the User Administrator role for the organization.
 
-2. Select **Azure Active Directory**, select **Users**, and then select a user. For example, _Alain Charon_.
-
-    The **Alain Charon - Profile** page appears.
+1. Go to **Azure Active Directory** > **Users** and select a user.
+   
+1. There are two ways to edit user profile details. Either select **Edit properties** from the top of the page or select **Properties**.
 
-    ![User's profile page, including editable information](media/active-directory-users-profile-azure-portal/user-profile-all-blade.png)
+    ![Screenshot of the overview page for a selected user, with the edit options highlighted.](media/active-directory-users-profile-azure-portal/user-profile-overview.png)
 
-3. Select **Edit** to optionally add or update the information included in each of the editable sections.
+1. After making any changes, select the **Save** button. 
 
-    - **Profile picture.** Select a thumbnail image for the user's account. This picture appears in Azure Active Directory and on the user's personal pages, such as the myapps.microsoft.com page.
+If you selected the **Edit properties option**:
+   - The full list of properties appears in edit mode on the **All** category.
+   - To edit properties based on the category, select a category from the top of the page.
+   - Select the **Save** button at the bottom of the page to save any changes.
+    
+   ![Screenshot a selected user's details, with the detail categories and save button highlighted.](media/active-directory-users-profile-azure-portal/user-profile-properties-tabbed-view.png)
+    
+If you selected the **Properties tab option**:
+   - The full list of properties appears for you to review.
+   - To edit a property, select the pencil icon next to the category heading.
+   - Select the **Save** button at the bottom of the page to save any changes.
+    
+   ![Screenshot the Properties tab, with the edit options highlighted.](media/active-directory-users-profile-azure-portal/user-profile-properties-single-page-view.png)
 
-    - **Identity.** Add or update an additional identity value for the user, such as a married last name. You can set this name independently from the values of First name and Last name. For example, you could use it to include initials, a company name, or to change the sequence of names shown. In another example, for two users whose names are ‘Chris Green’ you could use the Identity string to set their names to 'Chris B. Green' 'Chris R. Green (Contoso).'
+### Profile categories
+There are six categories of profile details you may be able to edit. 
 
-    - **Job info.** Add any job-related information, such as the user's job title, department, or manager.
+- **Identity:** Add or update other identity values for the user, such as a married last name. You can set this name independently from the values of First name and Last name. For example, you could use it to include initials, a company name, or to change the sequence of names shown. If you have two users with the same name, such as ‘Chris Green,’ you could use the Identity string to set their names to 'Chris B. Green' and 'Chris R. Green.'
 
-    - **Settings.** Decide whether the user can sign in to Azure Active Directory tenant. You can also specify the user's global location.
+- **Job information:** Add any job-related information, such as the user's job title, department, or manager.
 
-    - **Contact info.** Add any relevant contact information for the user, except for some user's phone or mobile contact info (only a global administrator can update for users in administrator roles).
+- **Contact info:** Add any relevant contact information for the user.
 
-    - **Authentication contact info.** Verify this information to make sure there's an active phone number and email address for the user. This information is used by Azure Active Directory to make sure the user is really the user during sign-in. Authentication contact info can be updated only by a global administrator.
+- **Parental controls:** For organizations like K-12 school districts, the user's age group may need to be provided. *Minors* are 12 and under, *Not adult* are 13-18 years old, and *Adults* are 18 and over. The combination of age group and consent provided by parent options determine the Legal age group classification. The Legal age group classification may limit the user's access and authority.
 
-4. Select **Save**.
+- **Settings:** Decide whether the user can sign in to the Azure Active Directory tenant. You can also specify the user's global location.
 
-    All your changes are saved for the user.
+- **On-premises:** Accounts synced from Windows Server Active Directory include additional values not applicable to Azure AD accounts.
 
     >[!Note]
     >You must use Windows Server Active Directory to update the identity, contact info, or job info for users whose source of authority is Windows Server Active Directory. After you complete your update, you must wait for the next synchronization cycle to complete before you'll see the changes.
-    >
-    > If you're having issues updating a user's Profile picture, please ensure that your Office 365 Exchange Online Enterprise App is Enabled for users to sign-in.
 
-## Next steps
-After you've updated your users' profiles, you can perform the following basic processes:
+### Add or edit the profile picture
+On the user's overview page, select the camera icon in the lower-right corner of the user's thumbnail. If no image has been added, the user's initials appear here. This picture appears in Azure Active Directory and on the user's personal pages, such as the myapps.microsoft.com page. 
 
+All your changes are saved for the user.
+
+>[!Note]
+> If you're having issues updating a user's profile picture, please ensure that your Office 365 Exchange Online Enterprise App is Enabled for users to sign in.
+
+## Manage settings for all users
+In the **User settings** area of Azure AD, you can adjust several settings that affect all users, such as restricting access to the Azure AD administration portal, how external collaboration is managed, and providing users the option to connect their LinkedIn account. Some settings are managed in a separate area of Azure AD and linked from this page.
+
+Go to **Azure AD** > **User settings**.
+
+## Next steps
 - [Add or delete users](add-users-azure-active-directory.md)
 
 - [Assign roles to users](active-directory-users-assign-role-azure-portal.md)
 
 - [Create a basic group and add members](active-directory-groups-create-azure-portal.md)
 
-Or you can perform other user management tasks, such as assigning delegates, using policies, and sharing user accounts. For more information about other available actions, see [Azure Active Directory user management documentation](../enterprise-users/index.yml).
+- [View Azure AD enterprise user management documentation](../enterprise-users/index.yml).