Merge pull request #5419 from MicrosoftDocs/chrisda

Update tenant-allow-block-list-teams-domains-configure.md

Author: chrisda

defender-office-365/tenant-allow-block-list-teams-domains-configure.md

@@ -51,7 +51,9 @@ This article describes how security admins can manage entries for blocked domain
 - An entry should be active within 24 hours.
 
 - You need to be assigned permissions before you can do the procedures in this article. You have the following options:
-  - [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership in the **Global Administrator**<sup>\*</sup>, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions *and* permissions for other features in Microsoft 365.
+  - [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership in these roles gives users the required permissions _and_ permissions for other features in Microsoft 365:
+    - _Add, modify, and delete entries_: Membership in the **Global Administrator**<sup>\*</sup>, **Teams Administrator**, **Security Administrator**, or **Security Operator** roles.
+    - _Read-only access to entries_: **Global Reader**, or **Security Reader** roles.
 
     > [!IMPORTANT]
     > <sup>\*</sup> Microsoft strongly advocates for the principle of least privilege. Assigning accounts only the minimum permissions necessary to perform their tasks helps reduce security risks and strengthens your organization's overall protection. Global Administrator is a highly privileged role that you should limit to emergency scenarios or when you can't use a different role.