Merge pull request #1957 from MicrosoftDocs/main
Publish main to live, Wednesday 3:30PM PDT, 07/31
Stacyrch140 committed Jul 31, 2024
2 parents c56141a + 3f6984c commit 3755250
Showing 12 changed files with 91 additions and 74 deletions.
11 changes: 5 additions & 6 deletions surface-hub/admin-group-management-for-surface-hub.md
@@ -57,14 +57,12 @@ Surface Hub doesn't support applying Group Policy or certificates from the domai

You can use Microsoft Entra ID to join the Surface Hub to allow IT pros from your Microsoft Entra tenant to configure settings. During first run, choose to use [Microsoft Entra ID](first-run-program-surface-hub.md#microsoft-azure-active-directory). You need to provide credentials that are capable of joining the Microsoft Entra tenant of your choice. After you successfully Microsoft Entra join, the appropriate people will be granted admin rights on the device.

By default, all **global administrators** are given admin rights on a Microsoft Entra joined Surface Hub. With **Microsoft Entra ID P1 or P2** or **Enterprise Mobility Suite (EMS)**, you can add additional administrators:
By default, all **Global administrators** are given admin rights on a Microsoft Entra joined Surface Hub.

1. In the [Azure classic portal](https://portal.azure.com/), select **Active Directory**, and then select the name of your organization's directory.
2. On the **Configure** page, under **Devices** > **Additional administrators on Microsoft Entra joined devices**, select **Selected**.
3. Select **Add**, and select the users you want to add as administrators on your Surface Hub and other Microsoft Entra joined devices.
4. When you finish, select the checkmark button to save your change.
> [!IMPORTANT]
> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role. To learn more, see the recommended guidance in [Configure non-Global Admin accounts on Surface Hub](surface-hub-2s-nonglobal-admin.md).
<a name='what-happens-when-you-azure-ad-join-your-surface-hub'></a>
You can add additional administrators as [detailed on this page](#configure-non-global-admin-accounts-on-microsoft-entra-joined-devices).

#### What happens when you Microsoft Entra join your Surface Hub?

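Review bot: the new `> [!IMPORTANT]` alert needs a blank line after it. As added, the `<a name='what-happens-when-you-azure-ad-join-your-surface-hub'></a>` anchor and the new "You can add additional administrators as detailed on this page" sentence follow the quoted line directly, and Markdown treats a non-blank line after a blockquote paragraph as lazy continuation, so both will render inside the IMPORTANT box. The new sentence also now sits between that anchor and the `#### What happens when you Microsoft Entra join your Surface Hub?` heading the anchor is meant to mark; move the sentence above the anchor, with a blank line on each side, so the anchor stays adjacent to its heading. Replacing the stale Azure classic portal steps with a link to the in-page "Configure non-Global Admin accounts" section is the right call.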
@@ -92,6 +90,7 @@ If your organization is using Active Directory or Microsoft Entra ID, we recomme
| Microsoft Entra join the device | Your organization uses Microsoft Entra Basic | Global administrators only |
| &nbsp; | Your organization uses Microsoft Entra ID P1 or P2 or Enterprise Mobility Suite (EMS) | Global administrators and additional administrators |


<a name='configure-non-global-admin-accounts-on-azure-ad-joined-devices'></a>

### Configure non-Global Admin accounts on Microsoft Entra joined devices
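Review bot: the only change in this hunk is a second consecutive blank line between the table and the `<a name='configure-non-global-admin-accounts-on-azure-ad-joined-devices'></a>` anchor. It changes nothing in the rendered page and trips the usual no-multiple-blank-lines markdown lint rule, so it looks accidental and should be dropped.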
3 changes: 3 additions & 0 deletions surface-hub/first-run-program-surface-hub.md
@@ -109,6 +109,9 @@ You can only set up device admins during first-time Setup. For more information,

:::image type="content" source="images/hub-setup-signin.png" alt-text="The screenshot shows the dialog to sign in with a work or school account.":::

> [!IMPORTANT]
> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role. To learn more, see the recommended guidance in [Configure non-Global Admin accounts on Surface Hub](surface-hub-2s-nonglobal-admin.md).
> [!TIP]
> To configure who can use the Settings app to manage Surface Hubs, ensure that automatic Intune enrollment is enabled in your tenant before joining the device to Microsoft Entra ID. Intune policies can then be used to [configure non-Global admins](surface-hub-2s-nonglobal-admin.md) on Surface Hubs.
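Review bot: `> [!IMPORTANT]` is inserted immediately above `> [!TIP]` with no blank line between them, so the two become a single blockquote and the tip's text renders as the tail of the IMPORTANT alert instead of as its own callout; add a blank line between the two alerts. The two callouts also overlap: both link to surface-hub-2s-nonglobal-admin.md, and the tip already tells the reader how to avoid relying on Global Administrator accounts, so folding the least-privilege sentence into the tip would read better than stacking two alerts.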
3 changes: 3 additions & 0 deletions surface-hub/prepare-your-environment-for-surface-hub.md
@@ -62,6 +62,9 @@ You can still enroll the device with Intune to centrally manage settings on your

When you choose to affiliate your Surface Hub with Microsoft Entra ID, any user with the Global Administrator role can sign in to the Settings app on Surface Hub. You can also configure non-Global Admin accounts that limit permissions to management of the Settings app on Surface Hub. This enables you to scope admin permissions for Surface Hubs only and prevent potentially unwanted admin access across an entire Microsoft Entra domain.

> [!IMPORTANT]
> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role. To learn more, see the recommended guidance in [Configure non-Global Admin accounts on Surface Hub](surface-hub-2s-nonglobal-admin.md).
> [!NOTE]
> Surface Hub administrator accounts can only sign in to the Settings app when [authenticating via Microsoft Entra ID](/azure/active-directory/hybrid/choose-ad-authn#cloud-authentication). Third-party federated Identity Providers (IdPs) are not supported.
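Review bot: same blank-line problem as in first-run-program-surface-hub.md: `> [!IMPORTANT]` runs straight into `> [!NOTE]`, merging the two alerts into one blockquote; add a blank line between them. The new alert also largely repeats the paragraph directly above it, which already explains that non-Global Admin accounts scope permissions to the Settings app; a shorter alert that states the recommendation and links the guidance would avoid saying the same thing twice in three lines.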
5 changes: 4 additions & 1 deletion surface-hub/provisioning-packages-for-surface-hub.md
@@ -72,7 +72,10 @@ For advanced provisioning options, refer to the section below [Add a certificate
> [!div class="mx-imgBorder"]
> ![Join Active Directory, Microsoft Entra ID, or create a local admin account.](images/sh2-wcd.png)
You can enroll the device in Active Directory and specify a security group to use the Settings app, enroll in Microsoft Entra ID to allow global admins to use the Settings app, or create a local administrator account on the device.
You can enroll the device in Active Directory and specify a security group to use the Settings app, enroll in Microsoft Entra ID to allow Global admins to use the Settings app, or create a local administrator account on the device.

> [!IMPORTANT]
> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role. To learn more, see the recommended guidance in [Configure non-Global Admin accounts on Surface Hub](surface-hub-2s-nonglobal-admin.md).
1. To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain. Then, specify the security group to have admin credentials on Surface Hub. If applying the package to a Surface Hub that was reset, you can use the same domain account as long as it's the same account that set up the Surface Hub initially. Otherwise, a different domain account must be used in the provisioning package.
2. Before you use Windows Configuration Designer to configure bulk Microsoft Entra enrollment, [Plan your Microsoft Entra join implementation](/azure/active-directory/devices/azureadjoin-plan). The **maximum number of devices per user** setting in your Microsoft Entra tenant determines how often the bulk token you get in the wizard can be used.
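Review bot: the alert is inserted between the sentence that introduces the three enrollment options and the numbered list that walks through them, splitting the intro from its steps; placing it after the list (or above the image) keeps the procedure intact. Separately, `1. To enroll the device in Active Directory...` follows the quoted line with no blank line; add one so the list is unambiguously outside the blockquote and passes the blanks-around-lists lint rule. The `global admins` to `Global admins` capitalization fix matches the role name used elsewhere in this PR.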
3 changes: 3 additions & 0 deletions surface-hub/setup-worksheet-surface-hub.md
@@ -55,6 +55,9 @@ Use Device affiliation to manage user access to the Settings app on Surface Hub.
| Microsoft Entra tenant user credentials (username and password) | If you decide to have people in your Microsoft Entra organization become admins on the device, then you'll need to join the Surface Hub to Microsoft Entra ID. To join it to Microsoft Entra ID, you'll need valid credentials for an account in the tenant. | admin1@contoso.com, #MyPassw0rd | [Admin group management](admin-group-management-for-surface-hub.md) |
| Non Global Admin accounts | For Surface Hub devices joined to Microsoft Entra ID, you can limit admin permissions to management of the Settings app on Surface Hub. This permission confinement enables you to scope admin permissions for Surface Hub only and prevent potentially unwanted admin access an entire Microsoft Entra domain. | | [Configure non-Global Admin accounts on Surface Hub](surface-hub-2s-nonglobal-admin.md) |

> [!IMPORTANT]
> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role. To learn more, see the recommended guidance in [Configure non-Global Admin accounts on Surface Hub](surface-hub-2s-nonglobal-admin.md).
### If you’re joining a domain

| Property | What this property is used for | Example |
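Review bot: this is the fifth verbatim copy of the same alert in this PR; a DocFX `[!INCLUDE ...]` reference to one shared file would let the wording be maintained in a single place. In this hunk the alert is also followed directly by the `### If you're joining a domain` heading with no blank line; the heading still parses, but the file's convention (and the blanks-around-headings lint rule) is a blank line before headings. Drive-by in the unchanged context line above: "prevent potentially unwanted admin access an entire Microsoft Entra domain" is missing "across".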