Merge pull request #15696 from sethmanheim/globaladmin8-19

Security initiative: remove global admin

Author: sethmanheim

azure-stack/asdk/asdk-admin-basics.md

@@ -4,10 +4,8 @@ description: Learn how to do basic admin tasks for the Azure Stack Development K
 author: sethmanheim
 
 ms.topic: article
-ms.date: 10/29/2021
+ms.date: 08/19/2024
 ms.author: sethm
-ms.reviewer: misainat
-ms.lastreviewed: 10/15/2019
 
 # Intent: As an ASDK user, I want to familiarize myself with the admin basics so my users can become productive as quickly as possible.
 # Keyword: asdk admin basics
@@ -16,22 +14,22 @@ ms.lastreviewed: 10/15/2019
 
 
 # ASDK admin basics
+
 There are several things you need to know if you're new to Azure Stack Development Kit (ASDK) administration. This guidance provides an overview of your role as an Azure Stack operator in the evaluation environment. Familiarizing yourself with this info ensures your test users will become productive as quickly as possible.
 
 First, you should review the [What is Azure Stack Development Kit?](asdk-what-is.md) article to make sure you understand the purpose of the ASDK and its limitations. You should use the development kit as a "sandbox," where you can evaluate Azure Stack to develop and test your apps in a non-production environment. 
 
 Like Azure, Azure Stack innovates rapidly so we'll regularly release new builds of the ASDK. However, you can't upgrade the ASDK like you can Azure Stack integrated systems deployments. So, if you want to move to the latest build, you must completely [redeploy the ASDK](asdk-redeploy.md). You can't apply update packages. This process takes time, but the benefit is that you can try out the latest features as soon as they become available. 
 
 ## What account should I use?
+
 There are a few account considerations you should be aware of when managing Azure Stack. This is especially true in deployments using Windows Server Active Directory Federation Services (AD FS) as the identity provider instead of Microsoft Entra ID. The following account considerations apply to both Azure Stack integrated systems and ASDK deployments:
 
 |Account|Microsoft Entra ID|AD FS|
 |-----|-----|-----|
 |Local Admin (.\Administrator)|ASDK host admin|ASDK host admin|
 |AzureStack\AzureStackAdmin|ASDK host admin<br><br>Can be used to sign in to the Azure Stack administrator portal<br><br>Access to view and administer Service Fabric rings|ASDK host admin<br><br>No access to the Azure Stack administrator portal<br><br>Access to view and administer Service Fabric rings<br><br>No longer owner of the Default Provider Subscription (DPS)|
 |AzureStack\CloudAdmin|Can access and run permitted commands within the Privileged Endpoint|Can access and run permitted commands within the Privileged Endpoint<br><br>Can't sign in to the ASDK host<br><br>Owner of the Default Provider Subscription (DPS)|
-|Microsoft Entra Global Administrator|Used during installation<br><br>Owner of the Default Provider Subscription (DPS)|Not applicable|
-|
 
 ## What tools do I use to manage?
 You can use the Azure Stack administrator portal `https://adminportal.local.azurestack.external` or PowerShell to manage Azure Stack. The easiest way to learn the basic concepts is through the portal. If you want to use PowerShell, you need to install [PowerShell for Azure Stack](asdk-post-deploy.md#install-azure-stack-powershell) and [download the Azure Stack tools from GitHub](asdk-post-deploy.md#download-the-azure-stack-tools).

azure-stack/asdk/asdk-deploy-considerations.md

@@ -4,10 +4,8 @@ description: Learn about the hardware, software, and environment requirements fo
 author: sethmanheim
 
 ms.topic: article
-ms.date: 09/23/2020
+ms.date: 08/19/2024
 ms.author: sethm
-ms.reviewer: misainat
-ms.lastreviewed: 09/23/2020
 
 # Intent: As an ASDK user, I want to know the requirements for properly deploying the ASDK.
 # Keyword: asdk requirements
@@ -91,7 +89,7 @@ If your environment isn't connected to the internet, or you don't want to use Mi
 <a name='azure-active-directory-accounts'></a>
 
 ### Microsoft Entra accounts
-To deploy Azure Stack by using a Microsoft Entra account, you must prepare a Microsoft Entra account before you run the deployment PowerShell script. This account becomes the Global Admin for the Microsoft Entra tenant. It's used to provision and delegate apps and service principals for all Azure Stack services that interact with Microsoft Entra ID and Graph API. It's also used as the owner of the default provider subscription (which you can later change). You can sign in to your Azure Stack system's administrator portal by using this account.
+To deploy Azure Stack by using a Microsoft Entra account, you must prepare a Microsoft Entra account before you run the deployment PowerShell script. This account becomes the administrator for the Microsoft Entra tenant. It's used to provision and delegate apps and service principals for all Azure Stack services that interact with Microsoft Entra ID and Graph API. It's also used as the owner of the default provider subscription (which you can later change). You can sign in to your Azure Stack system's administrator portal by using this account.
 
 1. Create a Microsoft Entra account that is the directory admin for at least one Microsoft Entra ID. If you already have one, you can use that. Otherwise, you can create one for free at [https://azure.microsoft.com/free/](https://azure.microsoft.com/free/) (in China, visit <https://go.microsoft.com/fwlink/?LinkID=717821> instead). If you plan to later [register Azure Stack with Azure](asdk-register.md), you must also have a subscription in this newly created account.
 
@@ -100,13 +98,11 @@ To deploy Azure Stack by using a Microsoft Entra account, you must prepare a Mic
 
    | **Microsoft Entra account** | **Supported?** |
    | --- | --- |
-   | Work or school account with valid global Azure subscription |Yes |
-   | Microsoft Account with valid global Azure subscription |Yes |
+   | Work or school account with valid Azure subscription |Yes |
+   | Microsoft Account with valid Azure subscription |Yes |
    | Work or school account with valid China Azure subscription |Yes |
    | Work or school account with valid US Government Azure subscription |Yes |
 
-After deployment, Microsoft Entra global admin permission isn't required. However, some operations may require the global admin credential. Examples of such operations include a resource provider installer script or a new feature requiring a permission to be granted. You can either temporarily reinstate the account's global admin permissions or use a separate global admin account that's an owner of the *default provider subscription*.
-
 ## Network
 ### Switch
 One available port on a switch for the ASDK machine.  

azure-stack/asdk/asdk-deploy-powershell.md

@@ -4,10 +4,8 @@ description: Learn how to deploy the ASDK from the command line using PowerShell
 author: sethmanheim
 
 ms.topic: article
-ms.date: 10/14/2020
+ms.date: 08/19/2024
 ms.author: sethm
-ms.reviewer: misainat
-ms.lastreviewed: 10/14/2020
 
 # Intent: As an ASDK user, I want to deploy the ASDK using the command line in Powershell so I can evaluate Azure Stack features.
 # Keyword: deploy asdk command line
@@ -84,9 +82,7 @@ Run the following PowerShell commands to deploy the ASDK using Microsoft Entra I
   .\InstallAzureStackPOC.ps1 -AdminPassword $adminpass.Password
   ```
 
-A few minutes into ASDK installation you'll be prompted for Microsoft Entra credentials. Provide the global admin credentials for your Microsoft Entra tenant.
-
-After deployment, Microsoft Entra global admin permission isn't required. However, some operations may require the global admin credential. Examples of such operations include a resource provider installer script or a new feature requiring a permission to be granted. You can either temporarily reinstate the account's global admin permissions or use a separate global admin account that's an owner of the *default provider subscription*.
+A few minutes into ASDK installation you'll be prompted for Microsoft Entra credentials. Provide the Microsoft Entra admin credentials for your tenant.
 
 ### Deploy Azure Stack using AD FS 
 To deploy the ASDK  **using AD FS as the identity provider**, run the following PowerShell commands (you just need to add the -UseADFS parameter):
@@ -115,15 +111,15 @@ If your Microsoft Entra identity is only associated with **one** Microsoft Entra
 ```powershell
 cd C:\CloudDeployment\Setup 
 $adminpass = Get-Credential Administrator 
-$aadcred = Get-Credential "<Azure AD global administrator account name>" 
+$aadcred = Get-Credential "<Microsoft Entra administrator account name>" 
 .\InstallAzureStackPOC.ps1 -AdminPassword $adminpass.Password -InfraAzureDirectoryTenantAdminCredential $aadcred -TimeServer 52.168.138.145 #Example time server IP address.
 ```
 
 If your Microsoft Entra identity is associated with **greater than one** Microsoft Entra directory:
 ```powershell
 cd C:\CloudDeployment\Setup 
 $adminpass = Get-Credential Administrator 
-$aadcred = Get-Credential "<Azure AD global administrator account name>" #Example: [email protected] 
+$aadcred = Get-Credential "<Microsoft Entra administrator account name>" #Example: [email protected] 
 .\InstallAzureStackPOC.ps1 -AdminPassword $adminpass.Password -InfraAzureDirectoryTenantAdminCredential $aadcred -InfraAzureDirectoryTenantName "<Azure AD directory in the form of domainname.onmicrosoft.com or an Azure AD verified custom domain name>" -TimeServer 52.168.138.145 #Example time server IP address.
 ```
 

azure-stack/asdk/asdk-install.md

@@ -4,10 +4,8 @@ description: Learn how to install the Azure Stack Development Kit (ASDK).
 author: sethmanheim
 
 ms.topic: article
-ms.date: 05/06/2019
+ms.date: 08/19/2024
 ms.author: sethm
-ms.reviewer: misainat
-ms.lastreviewed: 02/08/2019
 
 # Intent: As an ASDK user, I want to install the ASDK so I can start using it. 
 # Keyword: install asdk
@@ -34,9 +32,7 @@ The steps in this article show you how to deploy the ASDK using a graphical user
 
     ![Identity provider type drop-down in ASDK](media/asdk-install/2.PNG) 
 
-    If you choose an Azure subscription identity provider, you need an internet connection, the full name of a Microsoft Entra directory tenant in the form of *domainname*.onmicrosoft.com, or a Microsoft Entra ID verified custom domain name. You also need global admin credentials for the specified directory.
-
-    After deployment, Microsoft Entra global admin permission isn't required. However, some operations may require the global admin credential. For example, a resource provider installer script or a new feature requiring a permission to be granted. You can either temporarily reinstate the account's global admin permissions or use a separate global admin account that's an owner of the *default provider subscription*.
+    If you choose an Azure subscription identity provider, you need an internet connection, the full name of a Microsoft Entra directory tenant in the form of *domainname*.onmicrosoft.com, or a Microsoft Entra ID verified custom domain name. You also need admin credentials for the specified directory.
 
     When using AD FS as the identity provider, the default stamp directory service is used. The default account to sign in with is [email protected], and the password to use is the one you provided as part of setup.
 
@@ -67,7 +63,7 @@ The steps in this article show you how to deploy the ASDK using a graphical user
     > [!TIP]
     > Here you can also copy the PowerShell setup commands that'll be used to install the ASDK. This is helpful if you ever need to [redeploy the ASDK on the host computer using PowerShell](asdk-deploy-powershell.md).
 
-8. If you're doing a Microsoft Entra deployment, you'll be prompted to enter your Microsoft Entra global admin account credentials a few minutes after setup starts.
+8. If you're doing a Microsoft Entra deployment, you'll be prompted to enter your Microsoft Entra admin account credentials a few minutes after setup starts.
 
 9. The deployment process will take a few hours, during which time the host computer will automatically reboot once. If you want to monitor the deployment progress, sign in as azurestack\AzureStackAdmin after the ASDK host restarts. When the deployment succeeds, the PowerShell console displays: **COMPLETE: Action 'Deployment'**. 
     > [!IMPORTANT]
@@ -85,4 +81,5 @@ If the deployment fails for some reason, you can [redeploy](asdk-redeploy.md) fr
   ```
 
 ## Next steps
+
 [Post deployment configuration](asdk-post-deploy.md)

azure-stack/asdk/asdk-register.md

@@ -2,16 +2,13 @@
 title: Register the ASDK with Azure 
 description: Learn how to register the Azure Stack Development Kit (ASDK) with Azure to enable marketplace syndication and usage reporting.
 author: sethmanheim
-
 ms.topic: article
 ms.custom:
   - devx-track-azurepowershell
-ms.date: 1/20/2021
+ms.date: 08/19/2024
 ms.author: sethm
-ms.reviewer: misainat
-ms.lastreviewed: 1/20/2021
 
-# Intent: As an ASDK user, I want to register my ASDK with Azure so I can download marketplace items and report data back to global Azure.
+# Intent: As an ASDK user, I want to register my ASDK with Azure so I can download marketplace items and report data back to Azure.
 # Keyword: register asdk azure
 ---
 
@@ -34,7 +31,7 @@ $ExecutionContext.SessionState.LanguageMode
 
 Ensure the output returns **FullLanguage**. If any other language mode is returned, registration needs to be run on another computer or the language mode set to **FullLanguage** before continuing.
 
-The Microsoft Entra account used for registration needs to have access to the Azure subscription and have permissions to create identity apps and service principals in the directory associated with that subscription. We recommend you register Azure Stack Hub with Azure by [creating a service account to use for registration](../operator/azure-stack-registration-role.md) rather than using global admin credentials.
+The Microsoft Entra account used for registration needs to have access to the Azure subscription and have permissions to create identity apps and service principals in the directory associated with that subscription. We recommend you register Azure Stack Hub with Azure by [creating a service account to use for registration](../operator/azure-stack-registration-role.md).
 
 ## Register the ASDK
 

azure-stack/mdc/azure-stack-version-profiles-azurecli-2-tzl.md

@@ -6,10 +6,8 @@ author: sethmanheim
 manager: femila
 ms.service: azure-stack
 ms.topic: article
-ms.date: 12/2/2020
+ms.date: 08/19/2024
 ms.author: sethm
-ms.reviewer: raymondl
-ms.lastreviewed: 12/2/2020 
 ms.custom: devx-track-azurecli, linux-related-content
 ---
 # Manage and deploy resources to Azure Stack Hub with Azure CLI - Modular Data Center (MDC)
@@ -94,7 +92,7 @@ This section walks you through setting up CLI if you're using Microsoft Entra ID
      You can either specify the username and password directly within the `az login` command, or authenticate by using a browser. You must do the latter if your account has multi-factor authentication enabled:
 
      ```azurecli
-     az login -u <Active directory global administrator or user account. For example: username@<aadtenant>.onmicrosoft.com> --tenant <Azure Active Directory Tenant name. For example: myazurestack.onmicrosoft.com>
+     az login -u <Microsoft Entra administrator or user account. For example: username@<aadtenant>.onmicrosoft.com> --tenant <Azure Active Directory Tenant name. For example: myazurestack.onmicrosoft.com>
      ```
 
      > [!NOTE]

azure-stack/mdc/operator/azure-stack-manage-basics-tzl.md

@@ -60,7 +60,7 @@ There are a few account considerations to be aware of when managing Azure Stack
 | **Account** | **Azure** | **AD FS** |
 |---|---|---|
 | Local administrator (.\Administrator) |   |
-| Microsoft Entra Global Administrator | Used during installation. <br> Owner of the default provider | Not applicable. |
+| Microsoft Entra Application Administrator | Used during installation. <br> Owner of the default provider | Not applicable. |
 | Account for Extended Storage|   |   |
 ||
 
@@ -141,7 +141,7 @@ There's information your users must understand before they use services and buil
 - [Azure Stack Hub VM features](../../user/azure-stack-vm-considerations.md)
 - [Azure Stack Hub storage: Differences and considerations](../../user/azure-stack-acs-differences.md)
 
-The information in these articles summarizes the differences between a service in Azure and Azure Stack Hub. It supplements the information that's available for an Azure service in the global Azure documentation.
+The information in these articles summarizes the differences between a service in Azure and Azure Stack Hub. It supplements the information that's available for an Azure service in the Azure documentation.
 
 ### Connect to Azure Stack Hub as a user
 

azure-stack/mdc/operator/registration-tzl.md

@@ -5,10 +5,8 @@ author: sethmanheim
 ms.topic: article
 ms.custom:
   - devx-track-azurepowershell
-ms.date: 10/13/2021
+ms.date: 08/19/2024
 ms.author: sethm
-ms.reviewer: unknown
-ms.lastreviewed: 10/26/2020
 ---
 
 # Register Azure Stack Hub with Azure - Modular Data Center (MDC)
@@ -54,8 +52,6 @@ Before registering Azure Stack Hub with Azure, you must have:
 - The user account needs to have access to the Azure subscription and have permissions to create identity apps and service principals in the directory associated with that subscription. We recommend that you register Azure Stack Hub with Azure using least-privilege administration. For more information about how to create a custom role definition that limits access to your subscription for registration, see [Create a registration role for Azure Stack Hub](../../operator/azure-stack-registration-role.md).
 - Register the Azure Stack Hub resource provider (see the following sections for details).
 
-After registration, Microsoft Entra Global Administrator permission is not required. However, some operations might require the global admin credential (for example, a resource provider installer script or a new feature requiring a permission to be granted). You can either temporarily reinstate the account's global admin permissions, or use a separate global admin account that is an owner of the *default provider subscription*.
-
 The user who registers Azure Stack Hub is the owner of the service principal in Microsoft Entra ID. Only the user who registered Azure Stack Hub can modify the Azure Stack Hub registration. If a non-admin user that's not an owner of the registration service principal attempts to register or re-register Azure Stack Hub, they might see a 403 response. A 403 response indicates that the user has insufficient permissions to complete the operation.
 
 Registering Azure Stack Hub incurs no cost on your Azure subscription.

azure-stack/operator/app-service-rotate-certificates.md

@@ -3,7 +3,7 @@ title: Rotate App Service on Azure Stack Hub secrets and certificates
 description: Learn how to rotate secrets and certificates used by Azure App Service on Azure Stack Hub.
 author: sethmanheim
 ms.topic: article
-ms.date: 08/12/2024
+ms.date: 08/19/2024
 ms.author: sethm
 ms.reviewer: anwestg
 ms.lastreviewed: 04/09/2020
@@ -90,7 +90,7 @@ The identity application is created by the operator before deployment of Azure A
 
 To rotate the certificate for the application in Microsoft Entra ID, follow these steps:
 
-1. Go to the **Azure portal** and sign in using the Global Admin used to deploy Azure Stack Hub.
+1. Go to the **Azure portal** and sign in using the admin used to deploy Azure Stack Hub.
 
 1. Go to **Microsoft Entra ID** and browse to **App Registrations**.