Merge pull request #1249 from MicrosoftDocs/deniseb-303141

Deniseb 303141

Author: denisebmsft

defender-endpoint/api/api-hello-world.md

@@ -16,7 +16,7 @@ ms.topic: reference
 ms.subservice: reference
 ms.custom: api
 search.appverid: met150
-ms.date: 06/24/2024
+ms.date: 08/29/2024
 ---
 
 # Microsoft Defender for Endpoint API - Hello World
@@ -47,7 +47,7 @@ It only takes 5 minutes done in two steps:
 
 ### Do I need a permission to connect?
 
-For the Application registration stage, you must have the **Global administrator** role assigned in your Microsoft Entra tenant.
+For the Application registration stage, you must have an appropriate role assigned in your Microsoft Entra tenant. For more details about roles, see [Permission options](../user-roles.md#permission-options).
 
 <a name='step-1---create-an-app-in-azure-active-directory'></a>
 

defender-endpoint/api/exposed-apis-create-app-partners.md

@@ -6,7 +6,7 @@ ms.service: defender-endpoint
 ms.author: siosulli
 author: siosulli
 ms.localizationpriority: medium
-ms.date: 06/28/2024
+ms.date: 08/29/2024
 manager: deniseb
 audience: ITPro
 ms.collection: 
@@ -61,7 +61,7 @@ The following steps guide you how to create a Microsoft Entra application, get a
 
 ## Create the multitenant app
 
-1. Sign in to your [Azure tenant](https://portal.azure.com) with user that has **Global Administrator** role.
+1. Sign in to your [Azure tenant](https://portal.azure.com).
 
 2. Navigate to **Microsoft Entra ID** \> **App registrations** \> **New registration**.
 
@@ -122,17 +122,17 @@ In the following example we use **Read all alerts** permission:
 
    You need your application to be approved in each customer tenant where you intend to use it. This approval is necessary because your application interacts with Microsoft Defender for Endpoint application on behalf of your customer.
 
-   A user with **Global Administrator** from your customer's tenant need to select the consent link and approve your application.
+   A user account with appropriate permissions for your customer's tenant must select the consent link and approve your application.
 
-   Consent link is of the form:
+   The consent link is of the form:
 
    ```http
    https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&client_id=00000000-0000-0000-0000-000000000000&response_type=code&sso_reload=true
    ```
 
    Where `00000000-0000-0000-0000-000000000000` should be replaced with your Application ID.
 
-   After selecting the consent link, sign in as the Global Administrator of the customer's tenant and consent the application.
+   After selecting the consent link, sign into the customer's tenant, and then grant consent for the application.
 
    :::image type="content" source="../media/app-consent-partner.png" alt-text="The Accept button" lightbox="../media/app-consent-partner.png":::
 

defender-endpoint/api/exposed-apis-create-app-webapp.md

@@ -6,7 +6,7 @@ ms.service: defender-endpoint
 ms.author: siosulli
 author: siosulli
 ms.localizationpriority: medium
-ms.date: 06/28/2024
+ms.date: 08/29/2024
 manager: deniseb
 audience: ITPro
 ms.collection: 
@@ -56,7 +56,7 @@ This article explains how to create a Microsoft Entra application, get an access
 
 ## Create an app
 
-1. Sign in to the [Azure portal](https://portal.azure.com) with a user that has the Global Administrator role.
+1. Sign in to the [Azure portal](https://portal.azure.com).
 
 2. Navigate to **Microsoft Entra ID** \> **App registrations** \> **New registration**. 
 

defender-endpoint/api/offboard-machine-api.md

@@ -15,7 +15,7 @@ ms.topic: reference
 ms.subservice: reference
 ms.custom: api
 search.appverid: met150
-ms.date: 06/28/2024
+ms.date: 08/29/2024
 ---
 
 # Offboard machine API
@@ -60,13 +60,13 @@ One of the following permissions is required to call this API. To learn more, in
 > [!IMPORTANT]
 > Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
 
-> [!NOTE]
-> When obtaining a token using user credentials:
->
-> - The user must have a Global Administrator role.
-> - The user must have access to the device, based on device group settings. For more information, see [Create and manage device groups](../machine-groups.md).
->
-> Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.  
+When obtaining a token using user credentials:
+
+- The user must have an appropriate role assigned (see [Permission options](../user-roles.md#permission-options)).
+
+- The user must have access to the device, based on device group settings. For more information, see [Create and manage device groups](../machine-groups.md).
+
+Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.  
 
 ## HTTP request
 

defender-endpoint/api/raw-data-export-storage.md

@@ -43,7 +43,7 @@ ms.date: 06/28/2024
 
 ## Enable raw data streaming
 
-1. Sign in to the [Microsoft Defender portal](https://security.microsoft.com) as a Security Administrator.
+1. Sign in to the [Microsoft Defender portal](https://security.microsoft.com).
 
 2. Go to [Data export settings page](https://security.microsoft.com/settings/mtp_settings/raw_data_export) in Microsoft Defender XDR.
 

defender-endpoint/configure-conditional-access.md

@@ -31,28 +31,26 @@ This section guides you through all the steps you need to take to properly imple
 ## Before you begin
 
 > [!WARNING]
-> It's important to note that Microsoft Entra registered devices aren't supported in this scenario.</br>
-> Only Intune enrolled devices are supported.
+> It's important to note that Microsoft Entra registered devices aren't supported in this scenario. Only Intune enrolled devices are supported.
 
 You need to make sure that all your devices are enrolled in Intune. You can use any of the following options to enroll devices in Intune:
 
 - IT Admin: For more information on how to enable auto-enrollment, see [Windows Enrollment](/intune/windows-enroll#enable-windows-10-automatic-enrollment)
-- End-user: For more information on how to enroll your Windows 10 and Windows 11 device in Intune, see [Enroll your Windows 10 device in Intune](/intune/quickstart-enroll-windows-device)
+- End user: For more information on how to enroll your Windows 10 and Windows 11 device in Intune, see [Enroll your Windows 10 device in Intune](/intune/quickstart-enroll-windows-device)
 - End-user alternative: For more information on joining a Microsoft Entra domain, see [How to: Plan your Microsoft Entra join implementation](/azure/active-directory/devices/azureadjoin-plan).
 
 There are steps you'll need to take in the Microsoft Defender portal, the Intune portal, and Microsoft Entra admin center.
 
 It's important to note the required roles to access these portals and implement Conditional access:
 
-- **Microsoft Defender portal** - You'll need to sign into the portal with a Global Administrator role to turn on the integration.
+- **Microsoft Defender portal** - You'll need to sign into the portal with an appropriate role to turn on integration. See [Permission options](user-roles.md#permission-options).
 - **Intune** - You'll need to sign in to the portal with Security Administrator rights with management permissions.
-- **Microsoft Entra admin center** - You'll need to sign in as a Global Administrator, Security Administrator, or Conditional Access administrator.
+- **Microsoft Entra admin center** - You'll need to sign in as a Security Administrator or Conditional Access administrator.
 
 > [!IMPORTANT]
 > Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
 
-> [!NOTE]
-> You'll need a Microsoft Intune environment, with Intune managed and Microsoft Entra joined Windows 10 and Windows 11 devices.
+You'll need a Microsoft Intune environment, with Intune managed and Microsoft Entra joined Windows 10 and Windows 11 devices.
 
 Take the following steps to enable Conditional Access: