Merge pull request #252374 from rolyon/rolyon-abac-delegate-role-assignments-conditions-video

[Azure RBAC] Delegate role assignments with conditions updates

Author: prmerger-automator[bot]

articles/role-based-access-control/delegate-role-assignments-overview.md

@@ -60,6 +60,8 @@ Instead of assigning the Owner or User Access Administrator roles, a more secure
 
 Delegating role assignments with conditions is a way to restrict the role assignments a user can create. In the preceding example, Alice can allow Dara to create some role assignments on her behalf, but not all role assignments. For example, Alice can constrain the roles that Dara can assign and constrain the principals that Dara can assign roles to. This delegation with conditions is sometimes referred to as *constrained delegation* and is implemented with [Azure attribute-based access control (Azure ABAC) conditions](conditions-overview.md).
 
+To watch an overview video, see [Delegate Azure role assignments with conditions](https://youtu.be/3eDf2thqeO4?si=rBPW9BxRNtISkAGG).
+
 ## Why delegate role assignments with conditions?
 
 Here are some reasons why delegating the role assignment task to others with conditions is more secure:
@@ -136,12 +138,16 @@ To delegate role assignments with conditions, you assign roles as you currently
     # [Template](#tab/template)
 
     Choose from a list of condition templates. Select **Configure** to specify the roles, principal types, or principals.
+
+    For more information, see [Delegate the Azure role assignment task to others with conditions (preview)](delegate-role-assignments-portal.md).
 
     :::image type="content" source="./media/shared/condition-templates.png" alt-text="Screenshot of Add role assignment condition with a list of condition templates." lightbox="./media/shared/condition-templates.png":::
 
     # [Condition editor](#tab/condition-editor)
 
-    If the condition templates don't work for your scenario or if you want more control, you can use the condition editor. For examples, see [Examples to delegate Azure role assignments with conditions (preview)](delegate-role-assignments-examples.md).
+    If the condition templates don't work for your scenario or if you want more control, you can use the condition editor.
+
+    For examples, see [Examples to delegate Azure role assignments with conditions (preview)](delegate-role-assignments-examples.md).
 
     :::image type="content" source="./media/shared/delegate-role-assignments-expression.png" alt-text="Screenshot of condition editor in Azure portal showing a role assignment condition to delegate role assignments with conditions." lightbox="./media/shared/delegate-role-assignments-expression.png":::
 

articles/role-based-access-control/delegate-role-assignments-portal.md

@@ -65,6 +65,11 @@ There are two ways that you can add a condition. You can use a condition templat
 
 1. On the **Conditions** tab under **Delegation type**, select the **Constrained (recommended)** option.
 
+    | Option | Select this option to |
+    | --- | --- |
+    | **Constrained (recommended)** | Pick the roles or principals the user can use in role assignments |
+    | **Not constrained** | Allow the user to assign any role to any principal |
+
     :::image type="content" source="./media/shared/condition-constrained.png" alt-text="Screenshot of Add role assignment with the Constrained option selected." lightbox="./media/shared/condition-constrained.png":::
 
 1. Select **Add condition**.
@@ -75,7 +80,7 @@ There are two ways that you can add a condition. You can use a condition templat
 
 1. Select a condition template and then select **Configure**.
 
-    | Condition template | Description |
+    | Condition template | Select this template to |
     | --- | --- |
     | Constrain roles | Constrain the roles a user can assign |
     | Constrain roles and principal types | Constrain the roles a user can assign and the types of principals the user can assign roles to |
@@ -95,6 +100,11 @@ If the condition templates don't work for your scenario or if you want more cont
 
 1. On the **Conditions** tab under **Delegation type**, select the **Constrained (recommended)** option.
 
+    | Option | Select this option to |
+    | --- | --- |
+    | **Constrained (recommended)** | Pick the roles or principals the user can use in role assignments |
+    | **Not constrained** | Allow the user to assign any role to any principal |
+
     :::image type="content" source="./media/shared/condition-constrained.png" alt-text="Screenshot of Add role assignment with the Constrained option selected." lightbox="./media/shared/condition-constrained.png":::
 
 1. Select **Add condition**.
@@ -103,7 +113,7 @@ If the condition templates don't work for your scenario or if you want more cont
 
     :::image type="content" source="./media/shared/condition-templates.png" alt-text="Screenshot of Add role assignment condition with a list of condition templates." lightbox="./media/shared/condition-templates.png":::
 
-1. Select **Go to advanced condition builder**.
+1. Select **Open advanced condition editor**.
 
     The Add role assignment condition page appears.
 

articles/role-based-access-control/role-assignments-portal.md

@@ -129,7 +129,6 @@ The **Conditions** tab will look different depending on the role you selected.
 If you selected one of the following privileged roles, follow the steps in this section.
 
 - [Owner](built-in-roles.md#owner)
-- Access Review Operator Service Role
 - [Role Based Access Control Administrator (Preview)](built-in-roles.md#role-based-access-control-administrator-preview)
 - [User Access Administrator](built-in-roles.md#user-access-administrator)