Merge pull request #286038 from davidsmatlak/ds-amg-ga-remediation-20240903

Management groups edits for SFI global admin

Author: prmerger-automator[bot]

articles/governance/management-groups/create-management-group-azure-cli.md

@@ -33,11 +33,9 @@ directory. You receive a notification when the process is complete. For more inf
   [hierarchy protection](./how-to/protect-resource-hierarchy.md#setting-require-authorization)
   isn't enabled. This new management group becomes a child of the Root Management Group or the
   [default management group](./how-to/protect-resource-hierarchy.md#setting-define-the-default-management-group)
-  and the creator is given an "Owner" role assignment. Management group service allows this ability
-  so that role assignments aren't needed at the root level. No users have access to the Root
-  Management Group when it's created. To avoid the hurdle of finding the Microsoft Entra ID Global Admins to
-  start using management groups, we allow the creation of the initial management groups at the root
-  level.
+  and the creator is given an Owner role assignment. Management group service allows this ability
+  so that role assignments aren't needed at the root level. When the Root
+  Management Group when is created, users don't have access to it. To start using management groups, the service allows the creation of the initial management groups at the root level. For more information, see [Root management group for each directory](./overview.md#root-management-group-for-each-directory).
 
 [!INCLUDE [cloud-shell-try-it.md](~/reusable-content/ce-skilling/azure/includes/cloud-shell-try-it.md)]
 

articles/governance/management-groups/create-management-group-dotnet.md

@@ -33,11 +33,9 @@ directory. You receive a notification when the process is complete. For more inf
   [hierarchy protection](./how-to/protect-resource-hierarchy.md#setting-require-authorization)
   isn't enabled. This new management group becomes a child of the Root Management Group or the
   [default management group](./how-to/protect-resource-hierarchy.md#setting-define-the-default-management-group)
-  and the creator is given an "Owner" role assignment. Management group service allows this ability
-  so that role assignments aren't needed at the root level. No users have access to the Root
-  Management Group when it's created. To avoid the hurdle of finding the Microsoft Entra ID Global Admins to
-  start using management groups, we allow the creation of the initial management groups at the root
-  level.
+  and the creator is given an Owner role assignment. Management group service allows this ability
+  so that role assignments aren't needed at the root level. When the Root
+    Management Group when is created, users don't have access to it. To start using management groups, the service allows the creation of the initial management groups at the root level. For more information, see [Root management group for each directory](./overview.md#root-management-group-for-each-directory).
 
 [!INCLUDE [cloud-shell-try-it.md](~/reusable-content/ce-skilling/azure/includes/cloud-shell-try-it.md)]
 

articles/governance/management-groups/create-management-group-go.md

@@ -34,11 +34,9 @@ directory. You receive a notification when the process is complete. For more inf
   [hierarchy protection](./how-to/protect-resource-hierarchy.md#setting-require-authorization)
   isn't enabled. This new management group becomes a child of the Root Management Group or the
   [default management group](./how-to/protect-resource-hierarchy.md#setting-define-the-default-management-group)
-  and the creator is given an "Owner" role assignment. Management group service allows this ability
-  so that role assignments aren't needed at the root level. No users have access to the Root
-  Management Group when it's created. To avoid the hurdle of finding the Microsoft Entra ID Global Admins to
-  start using management groups, we allow the creation of the initial management groups at the root
-  level.
+  and the creator is given an Owner role assignment. Management group service allows this ability
+  so that role assignments aren't needed at the root level. When the Root
+    Management Group when is created, users don't have access to it. To start using management groups, the service allows the creation of the initial management groups at the root level. For more information, see [Root management group for each directory](./overview.md#root-management-group-for-each-directory).
 
 [!INCLUDE [cloud-shell-try-it.md](~/reusable-content/ce-skilling/azure/includes/cloud-shell-try-it.md)]
 

articles/governance/management-groups/create-management-group-javascript.md

@@ -31,11 +31,9 @@ directory. You receive a notification when the process is complete. For more inf
   [hierarchy protection](./how-to/protect-resource-hierarchy.md#setting-require-authorization)
   isn't enabled. This new management group becomes a child of the Root Management Group or the
   [default management group](./how-to/protect-resource-hierarchy.md#setting-define-the-default-management-group)
-  and the creator is given an "Owner" role assignment. Management group service allows this ability
-  so that role assignments aren't needed at the root level. No users have access to the Root
-  Management Group when it's created. To avoid the hurdle of finding the Microsoft Entra ID Global Admins to
-  start using management groups, we allow the creation of the initial management groups at the root
-  level.
+  and the creator is given an Owner role assignment. Management group service allows this ability
+  so that role assignments aren't needed at the root level. When the Root
+    Management Group when is created, users don't have access to it. To start using management groups, the service allows the creation of the initial management groups at the root level. For more information, see [Root management group for each directory](./overview.md#root-management-group-for-each-directory).
 
 [!INCLUDE [cloud-shell-try-it.md](~/reusable-content/ce-skilling/azure/includes/cloud-shell-try-it.md)]
 

articles/governance/management-groups/create-management-group-portal.md

@@ -28,11 +28,9 @@ directory. You receive a notification when the process is complete. For more inf
   [hierarchy protection](./how-to/protect-resource-hierarchy.md#setting-require-authorization)
   isn't enabled. This new management group becomes a child of the Root Management Group or the
   [default management group](./how-to/protect-resource-hierarchy.md#setting-define-the-default-management-group)
-  and the creator is given an "Owner" role assignment. Management group service allows this ability
-  so that role assignments aren't needed at the root level. No users have access to the Root
-  Management Group when it's created. To avoid the hurdle of finding the Microsoft Entra ID Global Admins to
-  start using management groups, we allow the creation of the initial management groups at the root
-  level.
+  and the creator is given an Owner role assignment. Management group service allows this ability
+  so that role assignments aren't needed at the root level. When the Root
+    Management Group when is created, users don't have access to it. To start using management groups, the service allows the creation of the initial management groups at the root level. For more information, see [Root management group for each directory](./overview.md#root-management-group-for-each-directory).
 
 ### Create in portal
 

articles/governance/management-groups/create-management-group-powershell.md

@@ -31,11 +31,9 @@ directory. You receive a notification when the process is complete. For more inf
   [hierarchy protection](./how-to/protect-resource-hierarchy.md#setting-require-authorization)
   isn't enabled. This new management group becomes a child of the Root Management Group or the
   [default management group](./how-to/protect-resource-hierarchy.md#setting-define-the-default-management-group)
-  and the creator is given an "Owner" role assignment. Management group service allows this ability
-  so that role assignments aren't needed at the root level. No users have access to the Root
-  Management Group when it's created. To avoid the hurdle of finding the Microsoft Entra ID Global Admins to
-  start using management groups, we allow the creation of the initial management groups at the root
-  level.
+  and the creator is given an Owner role assignment. Management group service allows this ability
+  so that role assignments aren't needed at the root level. When the Root
+    Management Group when is created, users don't have access to it. To start using management groups, the service allows the creation of the initial management groups at the root level. For more information, see [Root management group for each directory](./overview.md#root-management-group-for-each-directory).
 
 [!INCLUDE [cloud-shell-try-it.md](~/reusable-content/ce-skilling/azure/includes/cloud-shell-try-it.md)]
 

articles/governance/management-groups/create-management-group-python.md

@@ -28,11 +28,9 @@ directory. You receive a notification when the process is complete. For more inf
   [hierarchy protection](./how-to/protect-resource-hierarchy.md#setting-require-authorization)
   isn't enabled. This new management group becomes a child of the Root Management Group or the
   [default management group](./how-to/protect-resource-hierarchy.md#setting-define-the-default-management-group)
-  and the creator is given an "Owner" role assignment. Management group service allows this ability
-  so that role assignments aren't needed at the root level. No users have access to the Root
-  Management Group when it's created. To avoid the hurdle of finding the Microsoft Entra ID Global Admins to
-  start using management groups, we allow the creation of the initial management groups at the root
-  level.
+  and the creator is given an Owner role assignment. Management group service allows this ability
+  so that role assignments aren't needed at the root level. When the Root
+    Management Group when is created, users don't have access to it. To start using management groups, the service allows the creation of the initial management groups at the root level. For more information, see [Root management group for each directory](./overview.md#root-management-group-for-each-directory).
 
 [!INCLUDE [cloud-shell-try-it.md](~/reusable-content/ce-skilling/azure/includes/cloud-shell-try-it.md)]
 

articles/governance/management-groups/create-management-group-rest-api.md

@@ -31,11 +31,9 @@ directory. You receive a notification when the process is complete. For more inf
   [hierarchy protection](./how-to/protect-resource-hierarchy.md#setting-require-authorization)
   isn't enabled. This new management group becomes a child of the Root Management Group or the
   [default management group](./how-to/protect-resource-hierarchy.md#setting-define-the-default-management-group)
-  and the creator is given an "Owner" role assignment. Management group service allows this ability
-  so that role assignments aren't needed at the root level. No users have access to the Root
-  Management Group when it's created. To avoid the hurdle of finding the Microsoft Entra ID Global Admins to
-  start using management groups, we allow the creation of the initial management groups at the root
-  level.
+  and the creator is given an Owner role assignment. Management group service allows this ability
+  so that role assignments aren't needed at the root level. When the Root
+    Management Group when is created, users don't have access to it. To start using management groups, the service allows the creation of the initial management groups at the root level. For more information, see [Root management group for each directory](./overview.md#root-management-group-for-each-directory).
 
 [!INCLUDE [cloud-shell-try-it.md](~/reusable-content/ce-skilling/azure/includes/cloud-shell-try-it.md)]
 

articles/governance/management-groups/overview.md

@@ -58,8 +58,7 @@ root management group is built into the hierarchy to have all management groups
 fold up to it.
 
 The root management group allows for the application of global policies and Azure role assignments
-at the directory level. Initially, the [Microsoft Entra Global Administrator needs to elevate
-themselves](../../role-based-access-control/elevate-access-global-admin.md) to the User Access
+at the directory level. Initially, the [Elevate access to manage all Azure subscriptions and management groups](../../role-based-access-control/elevate-access-global-admin.md) to the User Access
 Administrator role of this root group. After elevating access, the administrator can
 assign any Azure role to other directory users or groups to manage the hierarchy. As an administrator,
 you can assign your account as the owner of the root management group.