Commit e2bd6d6

Jill Grant authored
Merge pull request #267506 from rolyon/rolyon-rbac-role-assignments-external-users
[Azure RBAC] Assign Azure roles to external users
2 parents 86e7450 + 65ab23d commit e2bd6d6

8 files changed: +96 -93 lines changed

articles/defender-for-iot/device-builders/defender-iot-firmware-analysis-rbac.md

Lines changed: 1 addition & 1 deletion
@@ -75,7 +75,7 @@ To upload firmware images:
7575
## Invite third parties to interact with your firmware analysis results
7676
You might want to invite someone to interact solely with your firmware analysis results, without allowing access to other parts of your organization (like other resource groups within your subscription). To allow this type of access, invite the user as a Firmware Analysis Admin at the FirmwareAnalysisRG Resource Group level.
7777

78-
To invite a third party, follow the [Assign Azure roles to external guest users using the Azure portal](../../../articles/role-based-access-control/role-assignments-external-users.md#add-a-guest-user-to-your-directory) tutorial.
78+
To invite a third party, follow the [Assign Azure roles to external users using the Azure portal](../../../articles/role-based-access-control/role-assignments-external-users.md#invite-an-external-user-to-your-directory) tutorial.
7979

8080
* In step 3, navigate to the **FirmwareAnalysisRG** Resource Group.
8181
* In step 7, select the **Firmware Analysis Admin** role.
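Review bot: The context bullets at lines 80-81 ("In step 3, navigate to the **FirmwareAnalysisRG** Resource Group" and "In step 7, select the **Firmware Analysis Admin** role") are positional references into the tutorial whose link is retargeted on line 78, so they need to be rechecked against the tutorial if this pull request restructured it. If the steps were renumbered, a reader following them could choose the scope or the role at the wrong step, and the resource-group scope is what keeps the third party out of the rest of the subscription. Also confirm that the new fragment `#invite-an-external-user-to-your-directory` matches a heading in role-assignments-external-users.md, since that file's hunk is not shown here. As a smaller style point, `../../../articles/role-based-access-control/` can be shortened to `../../role-based-access-control/`.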

articles/lab-services/how-to-attach-detach-shared-image-gallery.md

Lines changed: 1 addition & 1 deletion
@@ -85,7 +85,7 @@ The Azure Lab Services service principal needs to have the [Owner](/azure/role-b
8585

8686
To attach a compute gallery to a lab plan, assign the [Owner](/azure/role-based-access-control/built-in-roles#owner) role to the service principal with application ID `c7bb12bf-0b39-4f7f-9171-f418ff39b76a`.
8787

88-
If your Azure account is a guest user, your Azure account needs to have the [Directory Readers](/azure/active-directory/roles/permissions-reference#directory-readers) role to perform the role assignment. Learn about [role assignments for guest users](/azure/role-based-access-control/role-assignments-external-users#guest-user-cannot-browse-users-groups-or-service-principals-to-assign-roles).
88+
If your Azure account is a guest user, your Azure account needs to have the [Directory Readers](/azure/active-directory/roles/permissions-reference#directory-readers) role to perform the role assignment. Learn about [role assignments for external users](/azure/role-based-access-control/role-assignments-external-users#external-user-cannot-browse-users-groups-or-service-principals-to-assign-roles).
8989

9090
# [Azure CLI](#tab/azure-cli)
9191
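Review bot: Line 88 now mixes two terms in one sentence: the condition still reads "If your Azure account is a guest user" while the link text says "role assignments for external users". Either keep "guest user" where the text means the account's user type and say so, or align the sentence with the new term. The new fragment `#external-user-cannot-browse-users-groups-or-service-principals-to-assign-roles` is derived from a heading, so confirm the heading in the target article was renamed to match; otherwise the link lands at the top of the page instead of on the troubleshooting entry that explains why the Directory Readers role is needed.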

articles/role-based-access-control/TOC.yml

Lines changed: 1 addition & 1 deletion
@@ -86,7 +86,7 @@
8686
href: role-assignments-portal.md
8787
- name: Managed identity
8888
href: role-assignments-portal-managed-identity.md
89-
- name: External guest users
89+
- name: External users
9090
href: role-assignments-external-users.md
9191
- name: PowerShell
9292
href: role-assignments-powershell.md

articles/role-based-access-control/classic-administrators.md

Lines changed: 2 additions & 2 deletions
@@ -148,7 +148,7 @@ To add a guest user as a Co-Administrator, follow the same steps as in the previ
148148

149149
For more information, about how to add a guest user to your directory, see [Add Microsoft Entra B2B collaboration users in the Azure portal](../active-directory/external-identities/add-users-administrator.md).
150150

151-
Before you remove a guest user from your directory, you should first remove any role assignments for that guest user. For more information, see [Remove a guest user from your directory](./role-assignments-external-users.md#remove-a-guest-user-from-your-directory).
151+
Before you remove a guest user from your directory, you should first remove any role assignments for that guest user. For more information, see [Remove an external user from your directory](./role-assignments-external-users.md#remove-an-external-user-from-your-directory).
152152

153153
### Differences for guest users
154154
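Review bot: On line 151 only the link text and fragment were updated, so the sentence says "guest user" twice and then links to "Remove an external user from your directory", directly above the unchanged heading "### Differences for guest users" at line 153. Decide whether this article keeps "guest user" throughout and treats the new link text as the target article's title, or switches the surrounding prose as well; a reader should not have to guess whether the two terms mean different accounts when the instruction is to remove role assignments before removing the user. While this paragraph is being touched, the stray comma in "For more information, about how to add a guest user" at line 149 could be dropped.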

@@ -161,7 +161,7 @@ Guest users that have been assigned the Co-Administrator role might see some dif
161161

162162
You would expect that user B could manage everything. The reason for this difference is that the Microsoft account is added to the subscription as a guest user instead of a member user. Guest users have different default permissions in Microsoft Entra ID as compared to member users. For example, member users can read other users in Microsoft Entra ID and guest users cannot. Member users can register new service principals in Microsoft Entra ID and guest users cannot.
163163

164-
If a guest user needs to be able to perform these tasks, a possible solution is to assign the specific Microsoft Entra roles the guest user needs. For example, in the previous scenario, you could assign the [Directory Readers](../active-directory/roles/permissions-reference.md#directory-readers) role to read other users and assign the [Application Developer](../active-directory/roles/permissions-reference.md#application-developer) role to be able to create service principals. For more information about member and guest users and their permissions, see [What are the default user permissions in Microsoft Entra ID?](../active-directory/fundamentals/users-default-permissions.md). For more information about granting access for guest users, see [Assign Azure roles to external guest users using the Azure portal](role-assignments-external-users.md).
164+
If a guest user needs to be able to perform these tasks, a possible solution is to assign the specific Microsoft Entra roles the guest user needs. For example, in the previous scenario, you could assign the [Directory Readers](../active-directory/roles/permissions-reference.md#directory-readers) role to read other users and assign the [Application Developer](../active-directory/roles/permissions-reference.md#application-developer) role to be able to create service principals. For more information about member and guest users and their permissions, see [What are the default user permissions in Microsoft Entra ID?](../active-directory/fundamentals/users-default-permissions.md). For more information about granting access for guest users, see [Assign Azure roles to external users using the Azure portal](role-assignments-external-users.md).
165165

166166
Note that the [Azure built-in roles](../role-based-access-control/built-in-roles.md) are different than the [Microsoft Entra roles](../active-directory/roles/permissions-reference.md). The built-in roles don't grant any access to Microsoft Entra ID. For more information, see [Understand the different roles](../role-based-access-control/rbac-and-directory-admin-roles.md).
167167
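Review bot: The link on line 164 uses the bare relative path `role-assignments-external-users.md`, while line 151 of the same file uses `./role-assignments-external-users.md` and line 166 reaches the same folder through `../role-based-access-control/built-in-roles.md`. Pick one form for same-folder links so that link validation and future renames have a single pattern to handle. It would also help to reword the last sentence of line 164 to make clear that the linked article covers Azure role assignments, because the sentences before it recommend Microsoft Entra roles (Directory Readers, Application Developer) and line 166 stresses that the two sets of roles are different.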
