
Commit fbdfcd7

Authored by Jill Grant
Merge pull request #224443 from rolyon/rolyon-rbac-directory-activity-logs
[Azure RBAC] View elevate access log entries
2 parents 9549a6c + 7a8c312 commit fbdfcd7


2 files changed

+11
-23
lines changed


articles/active-directory/roles/permissions-reference.md

Lines changed: 3 additions & 3 deletions
@@ -931,7 +931,7 @@ This administrator manages federation between Azure AD organizations and externa
931931
932932
## Global Administrator
933933

934-
Users with this role have access to all administrative features in Azure Active Directory, as well as services that use Azure Active Directory identities like the Microsoft 365 Defender portal, the Microsoft Purview compliance portal, Exchange Online, SharePoint Online, and Skype for Business Online. Furthermore, Global Administrators can [elevate their access](../../role-based-access-control/elevate-access-global-admin.md) to manage all Azure subscriptions and management groups. This allows Global Administrators to get full access to all Azure resources using the respective Azure AD Tenant. The person who signs up for the Azure AD organization becomes a Global Administrator. There can be more than one Global Administrator at your company. Global Administrators can reset the password for any user and all other administrators. A Global Administrator cannot remove their own Global Administrator assignment. This is to prevent a situation where an organization has zero Global Administrators.
934+
Users with this role have access to all administrative features in Azure Active Directory, as well as services that use Azure Active Directory identities like the Microsoft 365 Defender portal, the Microsoft Purview compliance portal, Exchange Online, SharePoint Online, and Skype for Business Online. Global Administrators can view Directory Activity logs. Furthermore, Global Administrators can [elevate their access](../../role-based-access-control/elevate-access-global-admin.md) to manage all Azure subscriptions and management groups. This allows Global Administrators to get full access to all Azure resources using the respective Azure AD Tenant. The person who signs up for the Azure AD organization becomes a Global Administrator. There can be more than one Global Administrator at your company. Global Administrators can reset the password for any user and all other administrators. A Global Administrator cannot remove their own Global Administrator assignment. This is to prevent a situation where an organization has zero Global Administrators.
935935

936936
> [!NOTE]
937937
> As a best practice, Microsoft recommends that you assign the Global Administrator role to fewer than five people in your organization. For more information, see [Best practices for Azure AD roles](best-practices.md).
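Review bot: the new sentence "Global Administrators can view Directory Activity logs." at line 934 is dropped in between the services list and the "Furthermore, Global Administrators can [elevate their access]..." sentence without saying why it matters; the reason is the one this PR documents in elevate-access-global-admin.md, namely that elevate access entries land in the Directory Activity logs and not in the standard activity logs. Consider linking the sentence to the new "View elevate access log entries in the Directory Activity logs" section of that article so a reader of the role reference learns where elevation is audited.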
@@ -1465,7 +1465,7 @@ Users with this role have global permissions to manage settings within Microsoft
14651465
14661466
## Knowledge Administrator
14671467

1468-
Users in this role have full access to all knowledge, learning and intelligent features settings in the Microsoft 365 admin center. They have a general understanding of the suite of products, licensing details and has responsibility to control access. Knowledge Administrator can create and manage content, like topics, acronyms and learning resources. Additionally, these users can create content centers, monitor service health, and create service requests.
1468+
Users in this role have full access to all knowledge, learning and intelligent features settings in the Microsoft 365 admin center. They have a general understanding of the suite of products, licensing details and have responsibility to control access. Knowledge Administrator can create and manage content, like topics, acronyms and learning resources. Additionally, these users can create content centers, monitor service health, and create service requests.
14691469

14701470
> [!div class="mx-tableFixed"]
14711471
> | Actions | Description |
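Review bot: the "has" to "have" fix at line 1468 is correct, but the following sentence on the same line, "Knowledge Administrator can create and manage content", still lacks an article or plural; suggest "Knowledge Administrators can create and manage content" to match the plural "Users in this role" used earlier in the paragraph.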
@@ -2403,7 +2403,7 @@ Users with this role **cannot** do the following:
24032403
Users with this role can do the following tasks:
24042404

24052405
- Manage and configure all aspects of Virtual Visits in Bookings in the Microsoft 365 admin center, and in the Teams EHR connector
2406-
- View usage reports for Virtual Visits in the Teams admin center, Microsoft 365 admin center, and PowerBI
2406+
- View usage reports for Virtual Visits in the Teams admin center, Microsoft 365 admin center, and Power BI
24072407
- View features and settings in the Microsoft 365 admin center, but can't edit any settings
24082408

24092409
Virtual Visits are a simple way to schedule and manage online and video appointments for staff and attendees. For example, usage reporting can show how sending SMS text messages before appointments can reduce the number of people who don't show up for appointments.

articles/role-based-access-control/elevate-access-global-admin.md

Lines changed: 8 additions & 20 deletions
@@ -7,7 +7,7 @@ manager: amycolannino
77
ms.service: role-based-access-control
88
ms.topic: how-to
99
ms.workload: identity
10-
ms.date: 10/19/2022
10+
ms.date: 03/21/2023
1111
ms.author: rolyon
1212
ms.custom: devx-track-azurepowershell, devx-track-azurecli
1313
---
@@ -333,13 +333,11 @@ When you call `elevateAccess`, you create a role assignment for yourself, so to
333333
DELETE https://management.azure.com/providers/Microsoft.Authorization/roleAssignments/11111111-1111-1111-1111-111111111111?api-version=2022-04-01
334334
```
335335
336-
## View elevate access logs
336+
## View elevate access log entries in the Directory Activity logs
337337
338-
When access is elevated, an entry is added to the logs. As a Global Administrator in Azure AD, you might want to check when access was elevated and who did it. Elevate access log entries do not appear in the standard activity logs, but instead appear in the directory activity logs. This section describes different ways that you can view the elevate access logs.
338+
When access is elevated, an entry is added to the logs. As a Global Administrator in Azure AD, you might want to check when access was elevated and who did it. Elevate access log entries do not appear in the standard activity logs, but instead appear in the Directory Activity logs. This section describes different ways that you can view the elevate access log entries.
339339
340-
### View elevate access logs using the Azure portal
341-
342-
1. Follow the steps earlier in this article to elevate your access.
340+
### View elevate access log entries using the Azure portal
343341
344342
1. Sign in to the [Azure portal](https://portal.azure.com) as a Global Administrator.
345343
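Review bot: removing "Follow the steps earlier in this article to elevate your access" from the portal procedure (old line 342) is consistent with the renamed heading, since viewing existing entries should not require creating a fresh elevation. The intro sentence at line 338 is still vague, though: "an entry is added to the logs" does not say which logs, while the very next sentence's point is that the entry is not in the standard activity logs. Suggest "an entry is added to the Directory Activity logs" so the first sentence agrees with the heading.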
@@ -353,11 +351,7 @@ When access is elevated, an entry is added to the logs. As a Global Administrato
353351
354352
![Screenshot showing directory activity logs in Monitor.](./media/elevate-access-global-admin/monitor-directory-activity.png)
355353
356-
1. Follow the steps earlier in this article to remove elevated access.
357-
358-
### View elevate access logs using Azure CLI
359-
360-
1. Follow the steps earlier in this article to elevate your access.
354+
### View elevate access log entries using Azure CLI
361355
362356
1. Use the [az login](/cli/azure/reference-index#az-login) command to sign in as Global Administrator.
363357
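Review bot: this hunk drops the "Follow the steps earlier in this article to remove elevated access" step (old line 356) as well as the elevate step from the CLI procedure, so the article no longer reminds readers who did elevate to clean up afterwards. The removal is consistent with the new framing, but because elevated access is a root-scope User Access Administrator role assignment that persists until it is explicitly deleted (see the `DELETE .../roleAssignments/...` call at line 333), consider keeping a one-line pointer to the "remove elevated access" section in the intro so that the cleanup reminder is not lost with the renumbered steps.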
@@ -390,18 +384,14 @@ When access is elevated, an entry is added to the logs. As a Global Administrato
390384
},
391385
```
392386
393-
1. Follow the steps earlier in this article to remove elevated access.
387+
### Delegate access to a group to view elevate access log entries using Azure CLI
394388
395-
### Delegate access to a group to view elevate access logs using Azure CLI
396-
397-
If you want to be able to periodically get the elevate access logs, you can delegate access to a group and then use Azure CLI.
389+
If you want to be able to periodically get the elevate access log entries, you can delegate access to a group and then use Azure CLI.
398390
399391
1. Open **Azure Active Directory** > **Groups**.
400392
401393
1. Create a new security group and note the group object ID.
402394
403-
1. Follow the steps earlier in this article to elevate your access.
404-
405395
1. Use the [az login](/cli/azure/reference-index#az-login) command to sign in as Global Administrator.
406396
407397
1. Use the [az role assignment create](/cli/azure/role/assignment#az-role-assignment-create) command to assign the [Reader](built-in-roles.md#reader) role to the group who can only read logs at the directory level, which are found at `Microsoft/Insights`.
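Review bot: deleting "Follow the steps earlier in this article to elevate your access" (old line 403) from this procedure removes a prerequisite rather than a demonstration step: a Global Administrator has no Azure RBAC permission at the tenant root until access is elevated, so the `az role assignment create` at line 397, which assigns Reader at the directory level, will fail with an authorization error unless the signed-in admin has already elevated. Suggest replacing the removed step with an explicit prerequisite ("You must have elevated access to create this role assignment") instead of dropping it. Also, "assign the Reader role to the group who can only read logs at the directory level" reads oddly; "so that the group can only read logs at the directory level" is clearer.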
@@ -412,9 +402,7 @@ If you want to be able to periodically get the elevate access logs, you can dele
412402
413403
1. Add a user who will read logs to the previously created group.
414404
415-
1. Follow the steps earlier in this article to remove elevated access.
416-
417-
A user in the group can now periodically run the [az rest](/cli/azure/reference-index#az-rest) command to view elevate access logs.
405+
A user in the group can now periodically run the [az rest](/cli/azure/reference-index#az-rest) command to view elevate access log entries.
418406
419407
```azurecli
420408
az rest --url "https://management.azure.com/providers/Microsoft.Insights/eventtypes/management/values?api-version=2015-04-01&$filter=eventTimestamp ge '2021-09-10T20:00:00Z'" > output.txt
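Review bot: the `az rest` command at line 408 is shown as unchanged context, but it has a quoting bug worth fixing while the section is being touched: `$filter` sits inside a double-quoted string, so bash, zsh and PowerShell all expand it as an (empty) variable and the request goes out as `...&=eventTimestamp ge '2021-09-10T20:00:00Z'`, which does not filter by time. Escape it as `\$filter` in bash, or use a single-quoted URL and switch the inner timestamp quotes to double quotes, and consider replacing the hard-coded 2021 timestamp with a placeholder such as `<start-time>` so the example is not silently out of date.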
