Merge pull request #286073 from dlepow/grp

[APIM] Administrators group

Author: prmerger-automator[bot]

articles/api-management/api-management-howto-add-products.md

@@ -50,7 +50,7 @@ In this tutorial, you learn how to:
     |--------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
     | Display name             | The name as you want it to be shown in the [developer portal](api-management-howto-developer-portal.md).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
     | Description              | Provide information about the product such as its purpose, the APIs it provides access to, and other details.                                                                                                                                               |
-    | State                    | Select **Published** if you want to publish the product. Before the APIs in a product can be called, the product must be published. By default, new products are unpublished, and are visible only to the  **Administrators** group.                                                                                      |
+    | State                    | Select **Published** if you want to publish the product to the developer portal. Before the APIs in a product can be discovered by developers, the product must be published. By default, new products are unpublished.                                                                                      |
     | Requires subscription    | Select if a user is required to subscribe to use the product (the product is *protected*) and a subscription key must be used to access the product's APIs. If a subscription isn't required (the product is *open*), a subscription key isn't required to access the product's APIs. See [Access to product APIs](#access-to-product-apis) later in this article.                                                                                                                                                                                                   |
     | Requires approval        | Select if you want an administrator to review and accept or reject subscription attempts to this product. If not selected, subscription attempts are auto-approved.                                                                                                                         |
     | Subscription count limit | Optionally limit the count of multiple simultaneous subscriptions.                                                                                                                                                                                                                                |
@@ -83,7 +83,7 @@ You can specify various values for your product:
    |-----------|-------------|
    | `--product-name` | The name as you want it to be shown in the [developer portal](api-management-howto-developer-portal.md). |
    | `--description`  | Provide information about the product such as its purpose, the APIs it provides access to, and other details. |
-   | `--state`        | Select **published** if you want to publish the product. Before the APIs in a product can be called, the product must be published. By default, new products are unpublished, and are visible only to the  **Administrators** group. |
+   | `--state`        | Select **published** if you want to publish the product to the developer portal. Before the APIs in a product can be discovered by developers, the product must be published. By default, new products are unpublished. |
    | `--subscription-required` | Select if a user is required to subscribe to use the product (the product is *protected*) or a subscription isn't required (the product is *open*). See [Access to product APIs](#access-to-product-apis) later in this article. |
    | `--approval-required` | Select if you want an administrator to review and accept or reject subscription attempts to this product. If not selected, subscription attempts are auto-approved. |
    | `--subscriptions-limit` | Optionally, limit the count of multiple simultaneous subscriptions.|

articles/api-management/api-management-howto-create-groups.md

@@ -1,27 +1,27 @@
 ---
-title: Manage developer accounts using groups in Azure API Management
+title: Manage developer accounts using groups - Azure API Management
 titleSuffix: Azure API Management
 description: Learn how to manage developer accounts using groups in Azure API Management. Create groups, and then associate them with products or developers.
 
 author: dlepow
 ms.service: azure-api-management
-ms.topic: article
-ms.date: 03/17/2023
+ms.topic: concept-article
+ms.date: 09/03/2024
 ms.author: danlep
 ms.custom: engagement-fy23
 ---
 # How to create and use groups to manage developer accounts in Azure API Management
 
 [!INCLUDE [api-management-availability-premium-dev-standard-basic-standardv2-basicv2](../../includes/api-management-availability-premium-dev-standard-basic-standardv2-basicv2.md)]
 
-In API Management, groups are used to manage the visibility of products to developers. Products are first made visible to groups, and then developers in those groups can view and subscribe to the products that are associated with the groups. 
+In API Management, groups are used to manage the visibility of products to developers in the developer portal. Products are first made visible to groups, and then developers in those groups can view and subscribe to the products that are associated with the groups. 
 
-API Management has the following immutable system groups:
+API Management has the following immutable groups:
 
-* **Administrators** - Azure subscription administrators are members of this group. Administrators manage API Management service instances, creating the APIs, operations, and products that are used by developers. You can't add users to this group.
+* **Administrators** - Built-in group containing only the administrator email account provided at the time of service creation. Its membership is managed by the system; users can't be added to or removed from the group. The primary purpose of the administrator account is to access the developer portal's administrative interface to [customize and publish](api-management-howto-developer-portal-customize.md) the portal content. Any user that has [Azure RBAC permissions](/azure/api-management/developer-portal-faq#what-permissions-do-i-need-to-edit-the-developer-portal) to customize the developer portal can authenticate as the administrator to customize the portal.
 
     > [!NOTE]
-    > You can change the administrator [email settings](api-management-howto-configure-notifications.md#configure-email-settings) that are used in notifications sent to developers from your API Management instance.
+    > At any time, a service owner can update the administrator [email settings](api-management-howto-configure-notifications.md#configure-email-settings) that are used in notifications from your API Management instance.
 
 * **Developers** - Authenticated developer portal users fall into this group. Developers are the customers that build applications using your APIs. Developers are granted access to the developer portal and build applications that call the operations of an API.
 * **Guests** - Unauthenticated developer portal users, such as prospective customers visiting the developer portal of an API Management instance fall into this group. They can be granted certain read-only access, such as the ability to view APIs but not call them.
@@ -51,7 +51,7 @@ This section shows how to add a new group to your API Management account.
 Once the group is created, it's added to the **Groups** list. 
     * To edit the **Name** or **Description** of the group, click the name of the group and select **Settings**
 
-    * To delete the group, click the name of the group and press **Delete**.
+    * To delete the group, select the name of the group and press **Delete**.
 
 Now that the group is created, it can be associated with products and developers.
 
@@ -89,7 +89,7 @@ This section shows how to associate groups with members.
 
 Once the association is added between the developer and the group, you can view it in the **Users** tab.
 
-## <a name="next-steps"> </a>Next steps
+## <a name="next-steps"> </a>Related content
 
 * Once a developer is added to a group, they can view and subscribe to the products associated with that group. For more information, see [How to create and publish a product in Azure API Management][How create and publish a product in Azure API Management].
 * You can control how the developer portal content appears to different users and groups you've configured. Learn more about [visibility and access controls in the developer portal](developer-portal-overview.md#content-visibility-and-access). 

articles/api-management/api-management-key-concepts.md

@@ -157,20 +157,17 @@ When a product is ready for use by developers, it can be published. Once publish
 
 ### Groups
 
-Groups are used to manage the visibility of products to developers. API Management has the following built-in groups:
-
-* **Administrators** -  Manage API Management service instances and create the APIs, operations, and products that are used by developers.
-
-    Azure subscription administrators are members of this group. 
+Groups are used to manage the visibility of products to developers. API Management has the following built-in groups for developers: 
 
 * **Developers** - Authenticated developer portal users that build applications using your APIs. Developers are granted access to the developer portal and build applications that call the operations of an API. 
 
 * **Guests** - Unauthenticated developer portal users, such as prospective customers visiting the developer portal. They can be granted certain read-only access, such as the ability to view APIs but not call them.
 
-Administrators can also create custom groups or use external groups in an [associated Microsoft Entra tenant](api-management-howto-aad.md) to give developers visibility and access to API products. For example, create a custom group for developers in a partner organization to access a specific subset of APIs in a product. A user can belong to more than one group.
+API Management service owners can also create custom groups or use external groups in an [associated Microsoft Entra tenant](api-management-howto-aad.md) to give developers visibility and access to API products. For example, create a custom group for developers in a partner organization to access a specific subset of APIs in a product. A user can belong to more than one group.
 
 **More information**: 
 * [How to create and use groups][How to create and use groups]
+* [How to manage user accounts](api-management-howto-create-or-invite-developers.md)
 
 ### Developers
 
@@ -184,7 +181,7 @@ When developers subscribe to a product, they're granted the primary and secondar
 
 ### Workspaces
 
-Workspaces allow decentralized API development teams to manage and productize their own APIs, while a central API platform team maintains the API Management infrastructure. Each workspace contains APIs, products, subscriptions, and related entities that are accessible only to the workspace collaborators. Access is controlled through Azure role-based access control (RBAC).
+Workspaces allow decentralized API development teams to manage and productize their own APIs, while a central API platform team maintains the API Management infrastructure. Each workspace contains APIs, products, subscriptions, and related entities that are accessible only to the workspace collaborators. Access is controlled through Azure role-based access control (RBAC). Each workspace is associated with a workspace gateway that routes API traffic to its backend services.
 
 **More information**:
 

articles/api-management/get-started-create-service-instance.md

@@ -45,7 +45,7 @@ Sign in to the [Azure portal](https://portal.azure.com).
    | **Region**          | Select a geographic region near you from the available API Management service locations. | 
    | **Resource name**                | A unique name for your API Management instance. The name can't be changed later. The service name refers to both the service and the corresponding Azure resource. <br/><br/> The service name is used to generate a default domain name: *\<name\>.azure-api.net.* If you would like to configure a custom domain name later, see [Configure a custom domain](configure-custom-domain.md). |
    | **Organization name**   | The name of your organization. This name is used in many places, including the title of the developer portal and sender of notification emails. |                                                         
-   | **Administrator email** | The email address to which all the notifications from **API Management** will be sent.   |  
+   | **Administrator email** | The email address to which all system notifications from **API Management** will be sent.   |  
    | **Pricing tier**        | Select **Developer** tier to evaluate the service. This tier isn't for production use. For more information about scaling the API Management tiers, see [upgrade and scale](upgrade-and-scale.md). |
 
 1. Select **Review + create**.