Merge pull request #9906 from MicrosoftDocs/main

publish main to live 10:30 AM 6/4/24

education/windows/configure-aad-google-trust.md

@@ -18,7 +18,7 @@ To configure Google Workspace as an IdP for Microsoft Entra ID, the following pr
 1. A Microsoft Entra tenant, with one or multiple custom DNS domains (that is, domains that aren't in the format \**.onmicrosoft.com*)
     - If the federated domain hasn't yet been added to Microsoft Entra ID, you must have access to the DNS domain to create a DNS record. This is required to verify the ownership of the DNS namespace
     - Learn how to [Add your custom domain name using the Microsoft Entra admin center](/azure/active-directory/fundamentals/add-custom-domain)
-1. Access to Microsoft Entra ID with an account with the *Global Administrator* role
+1. Access to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [External Identity Provider Administrator](/entra/identity/role-based-access-control/permissions-reference#external-identity-provider-administrator)
 1. Access to Google Workspace with an account with *super admin* privileges
 
 To test federation, the following prerequisites must be met:
@@ -56,7 +56,7 @@ To test federation, the following prerequisites must be met:
     |Basic Information: Primary Email|App attributes: IDPEmail|
 
     > [!IMPORTANT]
-    > You must ensure that your the Microsoft Entra user accounts email match those in your Google Workspace.
+    > You must ensure that your Microsoft Entra user account's email matches that in your Google Workspace.
 
 1. Select **Finish**
 
@@ -73,7 +73,7 @@ Now that the app is configured, you must enable it for the users in Google Works
 ## Configure Microsoft Entra ID as a Service Provider (SP) for Google Workspace
 
 The configuration of Microsoft Entra ID consists of changing the authentication method for the custom DNS domains. This configuration can be done using PowerShell.\
-Using the **IdP metadata** XML file downloaded from Google Workspace, modify the *$DomainName* variable of the following script to match your environment, and then run it in a PowerShell session. When prompted to authenticate to Microsoft Entra ID, use the credentials of an account with the *Global Administrator* role.
+Using the **IdP metadata** XML file downloaded from Google Workspace, modify the *$DomainName* variable of the following script to match your environment, and then run it in a PowerShell session. When prompted to authenticate to Microsoft Entra ID, sign in as at least a [External Identity Provider Administrator](/entra/identity/role-based-access-control/permissions-reference#external-identity-provider-administrator)
 
 ```powershell
 Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force

education/windows/use-set-up-school-pcs-app.md

@@ -110,7 +110,7 @@ A package expiration date is also attached to the end of each package. For examp
 
 After you select **Next**, you can no longer change the name in the app. To create a package with a different name, reopen the Set up School PCs app.
 
-To change an existing package's name, right-click the package folder on your device and select **Rename**. This action doesn't change the name in Microsoft Entra ID. If you have Global Admin permissions, you can go to Microsoft Entra ID in the Azure portal, and rename the package there.  
+To change an existing package's name, right-click the package folder on your device and select **Rename**. This action doesn't change the name in Microsoft Entra ID. You can access to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](/entra/identity/role-based-access-control/permissions-reference#user-administrator), and rename the package there.
 
 ### Sign in
 

store-for-business/prerequisites-microsoft-store-for-business.md

@@ -65,11 +65,10 @@ If your organization restricts computers on your network from connecting to the
 - `account.live.com`
 - `clientconfig.passport.net`
 - `windowsphone.com`
-- `\*.wns.windows.com`
+- `*.wns.windows.com`
-- `\*.microsoft.com`
+- `*.microsoft.com`
-- `\*.s-microsoft.com`
+- `*.s-microsoft.com`
 - `www.msftncsi.com` (prior to Windows 10, version 1607)
-- `www.msftconnecttest.com/connecttest.txt` (replaces `www.msftncsi.com`
+- `www.msftconnecttest.com/connecttest.txt` (replaces `www.msftncsi.com` starting with Windows 10, version 1607)
-  starting with Windows 10, version 1607)
  
 Store for Business requires Microsoft Windows HTTP Services (WinHTTP) to install, or update apps.

windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md

@@ -495,7 +495,7 @@ Connector group automatically round-robin, load balance the Microsoft Entra appl
 
 Sign-in a workstation with access equivalent to a *domain user*.
 
-1. Sign-in to the [Azure portal](https://portal.azure.com/) with access equivalent to **Global Administrator**
+1. Access to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Administrator](/entra/identity/role-based-access-control/permissions-reference#application-administrator)
 1. Select **All Services**. Type **Microsoft Entra ID** to filter the list of services. Under **SERVICES**, select **Microsoft Entra ID**
 1. Under **MANAGE**, select **Application proxy**
 1. Select **Download connector service**. Select **Accept terms & Download**. Save the file (AADApplicationProxyConnectorInstaller.exe) in a location accessible by others on the domain
@@ -506,7 +506,7 @@ Sign-in a workstation with access equivalent to a *domain user*.
 1. Start **AADApplicationProxyConnectorInstaller.exe**
 1. Read the license terms and then select **I agree to the license terms and conditions**. Select **Install**
    ![Azure Application Proxy Connector: license terms](images/aadjcert/azureappproxyconnectorinstall-01.png)
-1. Sign-in to Microsoft Azure with access equivalent to **Global Administrator**
+1. Sign-in as at least an [Application Administrator](/entra/identity/role-based-access-control/permissions-reference#application-administrator)
    ![Azure Application Proxy Connector: sign-in](images/aadjcert/azureappproxyconnectorinstall-02.png)
 1. When the installation completes. Read the information regarding outbound proxy servers. Select **Close**
    ![Azure Application Proxy Connector: read](images/aadjcert/azureappproxyconnectorinstall-03.png)
@@ -516,7 +516,7 @@ Sign-in a workstation with access equivalent to a *domain user*.
 
 Sign-in a workstation with access equivalent to a *domain user*.
 
-1. Sign-in to the [Azure portal](https://portal.azure.com/) with access equivalent to **Global Administrator**
+1. Access to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Administrator](/entra/identity/role-based-access-control/permissions-reference#application-administrator)
 1. Select **All Services**. Type **Microsoft Entra ID** to filter the list of services. Under **SERVICES**, select **Microsoft Entra ID**
 1. Under **MANAGE**, select **Application proxy**.
 
@@ -533,7 +533,7 @@ Sign-in a workstation with access equivalent to a *domain user*.
 
 Sign-in a workstation with access equivalent to a *domain user*.
 
-1. Sign-in to the [Azure portal](https://portal.azure.com/) with access equivalent to **Global Administrator**
+1. Access to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Administrator](/entra/identity/role-based-access-control/permissions-reference#application-administrator)
 1. Select **All Services**. Type **Microsoft Entra ID** to filter the list of services. Under **SERVICES**, select **Microsoft Entra ID**
 1. Under **MANAGE**, select **Application proxy**
 1. Select **Configure an app**
@@ -692,7 +692,7 @@ Optionally (not required), you can configure the Intune connector for certificat
 
 Sign-in a workstation with access equivalent to a *domain user*.
 
-1. Sign-in to the [Azure portal](https://portal.azure.com/) with access equivalent to **Global Administrator**
+1. Access to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Administrator](/entra/identity/role-based-access-control/permissions-reference#application-administrator)
 1. Select **All Services**. Type **Microsoft Entra ID** to filter the list of services. Under **SERVICES**, select **Microsoft Entra ID**
 1. Select **Groups**. Select **New group**
 1. Select **Security** from the **Group type** list

windows/security/identity-protection/hello-for-business/pin-reset.md

@@ -49,7 +49,7 @@ To register the applications, follow these steps:
 
 :::row:::
   :::column span="3":::
-  1. Go to the [Microsoft PIN Reset Service Production website][APP-1], and sign in using a *Global Administrator* account you use to manage your Microsoft Entra tenant. Review the permissions requested by the *Microsoft Pin Reset Service Production* application and select **Accept** to give consent to the application to access your organization
+  1. Go to the [Microsoft PIN Reset Service Production website][APP-1], and sign in as at least an [Application Administrator](/entra/identity/role-based-access-control/permissions-reference#application-administrator). Review the permissions requested by the *Microsoft Pin Reset Service Production* application and select **Accept** to give consent to the application to access your organization
   :::column-end:::
   :::column span="1":::
     :::image type="content" alt-text="Screenshot showing the PIN reset service permissions page." source="images/pin-reset/pin-reset-service-prompt.png" lightbox="images/pin-reset/pin-reset-service-prompt.png" border="true":::
@@ -57,7 +57,7 @@ To register the applications, follow these steps:
 :::row-end:::
 :::row:::
   :::column span="3":::
-  2. Go to the [Microsoft PIN Reset Client Production website][APP-2], and sign in using a *Global Administrator* account you use to manage your Microsoft Entra tenant. Review the permissions requested by the *Microsoft Pin Reset Client Production* application, and select **Next**.
+  2. Go to the [Microsoft PIN Reset Client Production website][APP-2], and sign as at least an [Application Administrator](/entra/identity/role-based-access-control/permissions-reference#application-administrator). Review the permissions requested by the *Microsoft Pin Reset Client Production* application, and select **Next**.
   :::column-end:::
   :::column span="1":::
     :::image type="content" alt-text="Screenshot showing the PIN reset client permissions page." source="images/pin-reset/pin-reset-client-prompt.png" lightbox="images/pin-reset/pin-reset-client-prompt.png" border="true":::