Merge pull request #28737 from MicrosoftDocs/deniseb-sfistuff

SFI -- Global Admin fixes

Author: denisebmsft

microsoft-365/enterprise/PortalLaunchScheduler.md

@@ -181,6 +181,9 @@ The SharePoint Portal launch scheduler tool was originally only available via [S
 
 1. Connect to SharePoint as a [global admin or SharePoint admin](/sharepoint/sharepoint-admin-role) in Microsoft 365. To learn how, see [Getting started with SharePoint Management Shell](/powershell/sharepoint/sharepoint-online/connect-sharepoint-online).
 
+   > [!IMPORTANT]
+   > Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
+
 ### View any existing portal launch setups
 
 To see if there are existing portal launch configurations:

microsoft-365/enterprise/cross-tenant-onedrive-migration-step6.md

@@ -29,8 +29,8 @@ This article is Step 6 in a solution designed to complete a Cross-tenant OneDriv
 - **Step 6: [Start a Cross-tenant OneDrive migration](cross-tenant-onedrive-migration-step6.md)**
 - Step 7: [Post migration steps](cross-tenant-onedrive-migration-step7.md)
 
->[!IMPORTANT]
->Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
+> [!IMPORTANT]
+> Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
 
 Now you're ready to start your OneDrive migration. Before starting any cross-tenant migration, do the following steps.
 
@@ -127,7 +127,7 @@ Example:
 Get-SPOUserAndContentMoveState -PartnerCrossTenantHostURL https://m365x946316-my.sharepoint.com -SourceUserPrincipalName [email protected]
 ```
 
-To get the status of the move based on a particular user’s UPN but with more information, use the *-Verbose* parameter.
+To get the status of the move based on a particular user's UPN but with more information, use the *-Verbose* parameter.
 
 Example:
 

microsoft-365/enterprise/cross-tenant-sharepoint-migration-step6.md

@@ -18,8 +18,8 @@ description: "Step 6 of the SharePoint site Cross-tenant migration feature"
 ---
 # Step 6: Start a SharePoint site cross-tenant migration (preview)
 
->[!Note]
->Cross-Tenant SharePoint migration is currently in a private preview stage of development. As an unfinished project, any information or availability is subject to change at any time. Support for private-preview customers will be handled via email. Cross-Tenant SharePoint migration is covered by the preview terms of the [Microsoft Universal License Terms for Online Services](https://www.microsoft.com/licensing/terms/product/ForOnlineServices/all).
+> [!NOTE]
+> Cross-Tenant SharePoint migration is currently in a private preview stage of development. As an unfinished project, any information or availability is subject to change at any time. Support for private-preview customers will be handled via email. Cross-Tenant SharePoint migration is covered by the preview terms of the [Microsoft Universal License Terms for Online Services](https://www.microsoft.com/licensing/terms/product/ForOnlineServices/all).
 
 This is Step 6 in a solution designed to complete a Cross-tenant SharePoint migration. To learn more, see [Cross-tenant SharePoint migration overview](cross-tenant-SharePoint-migration.md).
 

microsoft-365/enterprise/deploy-identity-solution-identity-model.md

@@ -58,7 +58,6 @@ Here are the two types of identity and their best fit and benefits.
 | **How Microsoft 365 authenticates user credentials** | The Microsoft Entra tenant for your Microsoft 365 subscription performs the authentication with the cloud identity account. | The Microsoft Entra tenant for your Microsoft 365 subscription either handles the authentication process or redirects the user to another identity provider. |
 | **Best for** | Organizations that do not have or need an on-premises AD DS. | Organizations using AD DS or another identity provider. |
 | **Greatest benefit** | Simple to use. No extra directory tools or servers required. | Users can use the same credentials when accessing on-premises or cloud-based resources. |
-||||
 
 ## Cloud-only identity
 

microsoft-365/enterprise/join-leave-multi-tenant-org.md

@@ -22,6 +22,9 @@ To join a multitenant organization, a global administrator in the owner organiza
 
 Once you've joined, you can leave a multitenant organization at any time.
 
+> [!IMPORTANT]
+> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
+
 <a name='related-settings-in-azure-ad'></a>
 
 ## Related settings in Microsoft Entra ID

microsoft-365/enterprise/m365-dr-workload-copilot.md

@@ -53,6 +53,9 @@ Required Conditions:
 1. For existing _Tenant_ that has data stored in a _Macro Region Geography_, the _Tenant_ Global Admin must opt in to move the _Tenant_ data into the _Local Region Geography_.
 1. The Microsoft 365 Copilot subscription customer data is provisioned in _Local Region Geography_.
 
+> [!IMPORTANT]
+> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
+
 **Commitment:**
 
 Refer to the [ADR Commitment page](m365-dr-commitments.md#microsoft-365-copilot) to understand the specific data at rest commitments for Microsoft 365 Copilot. Examples of the committed data include:

microsoft-365/enterprise/microsoft-365-secure-sign-in.md

@@ -59,6 +59,9 @@ MFA requires that user sign-ins be subject to an additional verification beyond
 
 Your first step in using MFA is to [require it for all administrator accounts](protect-your-global-administrator-accounts.md), also known as privileged accounts. Beyond this first step, Microsoft recommends MFA For all users.
 
+> [!IMPORTANT]
+> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
+
 There are three ways to require your users to use MFA based on your Microsoft 365 plan.
 
 | Plan | Recommendation |
@@ -107,8 +110,8 @@ This table shows the results of enabling MFA with security defaults and Conditio
 
 | Method | Enabled | Disabled | Additional authentication method |
 |:-------|:-----|:-------|:-------|
-| **Security defaults**  | Can’t use Conditional Access policies | Can use Conditional Access policies | Microsoft Authenticator app |
-| **Conditional Access policies** | If any are enabled, you can’t enable security defaults | If all are disabled, you can enable security defaults  | User specifies during MFA registration  |
+| **Security defaults**  | Can't use Conditional Access policies | Can use Conditional Access policies | Microsoft Authenticator app |
+| **Conditional Access policies** | If any are enabled, you can't enable security defaults | If all are disabled, you can enable security defaults  | User specifies during MFA registration  |
 ||||
 
 ## Zero Trust identity and device access configurations
@@ -133,14 +136,14 @@ Microsoft highly recommends configuring and rolling out Zero Trust identity and
 
 ## Microsoft Entra ID Protection
 
-In this section, you'll learn how to configure policies that protect against credential compromise, where an attacker determines a user’s account name and password to gain access to an organization’s cloud services and data. Microsoft Entra ID Protection provides a number of ways to help prevent an attacker from compromising a user account's credentials.
+In this section, you'll learn how to configure policies that protect against credential compromise, where an attacker determines a user's account name and password to gain access to an organization's cloud services and data. Microsoft Entra ID Protection provides a number of ways to help prevent an attacker from compromising a user account's credentials.
 
 With Microsoft Entra ID Protection, you can:
 
 |Capability|Description|
 |:---------|:---------|
-| Determine and address potential vulnerabilities in your organization’s identities | Microsoft Entra ID uses machine learning to detect anomalies and suspicious activity, such as sign-ins and post-sign-in activities. Using this data, Microsoft Entra ID Protection generates reports and alerts that help you evaluate the issues and take action.|
-|Detect suspicious actions that are related to your organization’s identities and respond to them automatically|You can configure risk-based policies that automatically respond to detected issues when a specified risk level has been reached. These policies, in addition to other Conditional Access controls provided by Microsoft Entra ID and Microsoft Intune, can either automatically block access or take corrective actions, including password resets and requiring Microsoft Entra multifactor authentication for subsequent sign-ins. |
+| Determine and address potential vulnerabilities in your organization's identities | Microsoft Entra ID uses machine learning to detect anomalies and suspicious activity, such as sign-ins and post-sign-in activities. Using this data, Microsoft Entra ID Protection generates reports and alerts that help you evaluate the issues and take action.|
+|Detect suspicious actions that are related to your organization's identities and respond to them automatically|You can configure risk-based policies that automatically respond to detected issues when a specified risk level has been reached. These policies, in addition to other Conditional Access controls provided by Microsoft Entra ID and Microsoft Intune, can either automatically block access or take corrective actions, including password resets and requiring Microsoft Entra multifactor authentication for subsequent sign-ins. |
 | Investigate suspicious incidents and resolve them with administrative actions | You can investigate risk events using information about the security incident. Basic workflows are available to track investigations and initiate remediation actions, such as password resets. |
 |||