Commit 779d835

Merge pull request #307918 from Molishv/whats-new-rbac-clean
RBAC changes are included in what's new, discover VMware and discover…
2 parents 51e38b8 + 72c15d7 commit 779d835

3 files changed

Lines changed: 28 additions & 0 deletions

Lines changed: 17 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,17 @@
1+
---
2+
author: molish
3+
ms.author: molir
4+
ms.topic: include
5+
ms.date: 11/6/2025
6+
# Customer intent: As a cloud admin I can use Azure Migrate built in roles to distribute access to Migration teams.
7+
---
8+
## Prepare Azure accounts
9+
Assign the following built-in roles to prepare Azure accounts. To create an Azure Migrate project, the user **must have the Azure Migrate Owner role** or a higher privileged role.
10+
11+
| S.no. | Built-in role | Description | ID | Scope |
12+
|-------|---------------|-------------|-----|-------|
13+
| 1 | Azure Migrate Owner | Grants **full access** to **create** and manage **Azure Migrate projects**, including appliance-based or import-based discovery, business case & assessment creation, and migration execution; also grants permission to assign Azure Migrate-specific roles in Azure Role-Based Access Control (RBAC).. | fd8ea4d5-6509-4db0-bada-356ab233b4fa | Scope is resource group or subscription where **Azure Migrate project is created**. |
14+
| 2 | Azure Migrate Decide and Plan Expert | Grants **restricted access on an Azure Migrate project** to only **perform planning operations** including discovery using an appliance or import, updating and managing inventory, identifying server dependencies, defining applications, and creating business cases and assessments. | 7859c0b0-0bb9-4994-bd12-cd529af7d646 | Scope is resource group or subscription where **Azure Migrate project is created**. |
15+
| 3 | Azure Migrate Execute Expert | Grants **restricted access on an Azure Migrate project** to only perform **migration related operations**, including replication, executing test migrations, tracking and monitoring migration progress, and performing agentless and agent-based migrations. | 1cfa4eac-9a23-481c-a793-bfb6958e836b | Source resource group or subscription where **Azure Migrate project is created**; **Target resource group or subscription** where servers and workloads are migrated to. |
16+
17+
To register an Azure Migrate appliance or an Azure Site Recovery replication appliance, users must have additional Application Developer role at Microsoft Entra ID level.
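
Review bot: In the Scope column, row 3 (Azure Migrate Execute Expert) begins "Source resource group or subscription" while rows 1 and 2 begin "Scope is resource group or subscription". If "Source" is a typo, fix it; if it is meant to contrast with the target scope in the same cell, say so explicitly, because this cell is what an admin reads when deciding where to create the role assignment. Two smaller points in the same table: the row 1 description ends with a doubled period ("(RBAC).."), and row 2 is named "Azure Migrate Decide and Plan Expert" here but "Azure Migrate Decide & Plan Expert" in the whats-new.md hunk, so one spelling should be used in both places. The closing sentence requires the Application Developer role "at Microsoft Entra ID level" without saying which of the three roles' holders need it. That assignment sits outside the resource group or subscription scopes listed in the table, so name the roles it applies to and link to the role definition so it is not handed out more widely than appliance registration requires.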

articles/migrate/tutorial-discover-hyper-v.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -48,6 +48,8 @@ Before you start this tutorial, check you have these prerequisites in place.
4848
**Servers** | All Windows and Linux OS versions are supported for discovery of configuration and performance metadata. <br /><br /> For application discovery on servers, all Windows and Linux OS versions are supported. Check the [OS versions supported for agentless dependency analysis](migrate-support-matrix-hyper-v.md#dependency-analysis-requirements-agentless).<br /><br /> To discover ASP.NET web apps running on IIS web server, check [supported Windows OS and IIS versions](migrate-support-matrix-vmware.md#web-apps-discovery-requirements). For discovery of installed applications and for agentless dependency analysis, Windows servers must have PowerShell version 2.0 or later installed.<br /><br /> To discover Java web apps running on Apache Tomcat web server, check [supported Linux OS and Tomcat versions](migrate-support-matrix-vmware.md#web-apps-discovery-requirements).
4949
**SQL Server access** | To discover SQL Server instances and databases, the Windows or SQL Server account [requires these permissions](migrate-support-matrix-hyper-v.md#configure-the-custom-login-for-sql-server-discovery) for each SQL Server instance. You can use the [account provisioning utility](least-privilege-credentials.md) to create custom accounts or use any existing account that is a member of the sysadmin server role for simplicity.
5050

51+
[!INCLUDE [migrate-rbac-permissions](includes/migrate-rbac-permissions.md)]
52+
5153
## Prepare an Azure user account
5254

5355
To create a project and register the Azure Migrate appliance, you need an account with:
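
Review bot: The include is inserted at new lines 51-52, directly above the existing "## Prepare an Azure user account" section, and the include itself opens with its own "## Prepare Azure accounts" heading, so the rendered tutorial will show two near-identical account sections back to back. The existing section is left unchanged by this hunk and still opens with "To create a project and register the Azure Migrate appliance, you need an account with:", which now competes with the include's statement that the user "must have the Azure Migrate Owner role" to create a project. Either fold the old section into the include or update it in this same change so the tutorial gives one set of account prerequisites.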

articles/migrate/whats-new.md

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -18,6 +18,15 @@ ms.custom: mvc, engagement-fy25
1818

1919
## Update (November 2025)
2020

21+
- Azure Migrate now offers three built-in roles for role-based access control (RBAC), enabling you to implement least privilege access for your Azure Migrate projects. These new roles replace the previous requirement for Contributor or Owner permissions at the subscription level and allow you to grant only the necessary permissions for each migration phase.
22+
23+
The three new built-in roles are:
24+
- **[Azure Migrate Owner](prepare-azure-accounts.md#azure-migrate-owner)**: Permissions to perform end-to-end operations across all migration phases (Decide, Plan, and Execute). A user must be assigned the Azure Migrate Owner role or a higher privileged role to create an Azure Migrate project.
25+
- **[Azure Migrate Decide & Plan Expert](prepare-azure-accounts.md#azure-migrate-decide-and-plan-expert)**: Provides limited permissions to perform scoped operations in the Decide and Plan phases of migration.
26+
- **[Azure Migrate Execute Expert](prepare-azure-accounts.md#azure-migrate-execute-expert)**: Permissions for executing migrations and monitoring progress during the Execute phase.
27+
28+
This enhanced security model follows Azure security best practices and enables organizations to implement granular access control for their migration teams.
29+
- Public preview: Azure Migrate now supports adding code insights using GitHub Copilot assessment to enhance web app assessments. This capability helps you evaluate migration readiness more accurately and get recommend migration strategy for Azure Kubernetes Service (AKS) or Azure App Service. You can add code insights by either uploading a ZIP file of reports or requesting a report through a GitHub connection. [Learn more](add-copilot-code-insights.md).
2130
- Public preview: Azure Migrate now enables **Windows Server redeployment to Azure using Infrastructure as Code (IaC)**. Generate IaC templates for assessed workloads, deploy application landing zones, and integrate disk configurations for complete, repeatable migrations—reducing manual effort and improving consistency. [Learn more](server-redeploy.md).
2231

2332
- Public preview: Azure Migrate now supports adding code insights using GitHub Copilot assessment to enhance web app assessments. This capability helps you evaluate migration readiness more accurately and get the recommended migration strategy for Azure Kubernetes Service (AKS) or Azure App Service. You can add code insights by either uploading a ZIP file of reports or requesting a report through a GitHub connection. [Learn more](add-copilot-code-insights.md).
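
Review bot: Added line 29 re-adds the "Public preview: Azure Migrate now supports adding code insights using GitHub Copilot assessment" bullet, which already exists as unchanged context at new line 32, so the November 2025 section will list the same item twice. The added copy also reads "get recommend migration strategy" where the existing one reads "get the recommended migration strategy", which suggests it is a leftover from a merge rather than an intended entry; drop line 29. Separately, the three role bullets link to anchors such as "prepare-azure-accounts.md#azure-migrate-owner", but the include added in this commit presents the roles as table rows under a single "## Prepare Azure accounts" heading, so confirm that per-role headings exist in the link target. The role name "Decide & Plan Expert" at line 25 should match the "Decide and Plan Expert" spelling used in the include's table.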
