Live publish

Author: buck1ey

powerapps-docs/maker/TOC.yml

@@ -1331,6 +1331,8 @@
           href: ./portals/admin/portal-details.md
         - name: Portal administration from Power Platform admin center
           href: ./portals/admin/power-platform-admin-center.md
+        - name: Roles required for portal administration
+          href: ./portals/admin/portal-admin-roles.md
         - name: Download public key of portal
           href: ./portals/admin/get-public-key.md
         - name: View portal error logs

powerapps-docs/maker/portals/admin/add-custom-___domain.md

@@ -17,6 +17,8 @@ A custom ___domain can help your customers find your support resources more easily
 > [!IMPORTANT]
 > You can add a custom ___domain name to a portal only when the portal is in production state. For more information about portal stages, go to [portal lifecycle](portal-lifecycle.md).
 
+To learn about the roles required to perform this task, read [Admin roles required for portal administrative tasks](portal-admin-roles.md).
+
 1. Open [Power Apps Portals admin center](admin-overview.md).
 
 2. Go to **Portal Actions** > **Add a Custom Domain Name**. A wizard opens to choose the SSL certificate.
@@ -28,7 +30,7 @@ A custom ___domain can help your customers find your support resources more easily
      > [!NOTE]
      > The SSL certificate must meet all the following requirements:
      > - Signed by a trusted certificate authority.
-     > - [Exported](https://docs.microsoft.com/powershell/module/pkiclient/export-pfxcertificate?view=win10-ps) as a password-protected PFX file.
+     > - [Exported](https://docs.microsoft.com/powershell/module/pkiclient/export-pfxcertificate?view=win10-ps&preserve-view=true) as a password-protected PFX file.
      > - Contains private key at least 2048 bits long.
      > - Contains all intermediate certificates in the certificate chain.
      > - Must be SHA2 enabled; SHA1 support is being removed from popular browsers.

powerapps-docs/maker/portals/admin/change-dynamics-instance.md

@@ -17,6 +17,8 @@ After your portal is created and provisioned, you can change the details of your
 > [!IMPORTANT]
 > When changing Dynamics 365 Instance for your portal, ensure the new instance is from the same [region](https://docs.microsoft.com/power-platform/admin/regions-overview) as the current instance. Changing the Dynamics 365 Instance for Power Apps portals across regions isn't supported.
 
+To learn about the roles required to perform this task, read [Admin roles required for portal administrative tasks](portal-admin-roles.md).
+
 1. Go to the **Dynamics 365 Administration Center** page, and then select the **Applications** tab.
 
 2. Select the name of the portal you want to edit, and then select **Manage**.

powerapps-docs/maker/portals/admin/get-public-key.md

@@ -14,6 +14,9 @@ ms.reviewer: tapanm
 
 The public key of a portal is used to configure Live Assist for customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation) to work with authenticated visitors for a portal. [Live Assist](https://www.cafex.com/en/products/live-assist-dynamics-365/), by CafeX, provides a chat solution through which users can embed live chat assistance in their portal. More information on how to use the public key to embed a chat on a portal: [Authenticated Visitors in the Dynamics Customer Portal](https://www.liveassistfor365.com/en/support/authenticated-visitors-in-the-dynamics-customer-portal/)
 
+> [!TIP]
+> To learn about the roles required to perform this task, read [Admin roles required for portal administrative tasks](portal-admin-roles.md).
+
 1. Open [Power Apps Portals admin center](admin-overview.md).
 
 2.	Go to **Portal Actions** > **Get Public Key**. The key is displayed.

powerapps-docs/maker/portals/admin/import-metadata-translation.md

@@ -16,6 +16,9 @@ When you provision a portal, the portal-related solutions are installed on the o
 
 ## To import metadata translation
 
+> [!TIP]
+> To learn about the roles required to perform this task, read [Admin roles required for portal administrative tasks](portal-admin-roles.md).
+
 1.	Open [Power Apps Portals admin center](admin-overview.md).
 
 2.	Go to **Portal Actions** > **Get latest metadata translations**. A confirmation window is displayed asking whether to update the portal solutions.

powerapps-docs/maker/portals/admin/manage-auth-key.md

@@ -29,6 +29,9 @@ For a portal to connect to Common Data Service using an Azure Active Directory a
 
 ### Authentication key details
 
+> [!TIP]
+> To learn about the roles required to perform this task, read [Admin roles required for portal administrative tasks](portal-admin-roles.md).
+
 The details of an authentication key are displayed on Power Apps Portals admin center and portal.
 
 **Power Apps Portals admin center**

powerapps-docs/maker/portals/admin/portal-admin-roles.md

@@ -0,0 +1,106 @@
+---
+title: "Details about different security roles required to administer Power Apps portals with specific actions. | MicrosoftDocs"
+description: "Learn about the available security roles, admin roles, and other permissions that are required to administer Power Apps portals."
+author: neerajnandwana-msft
+ms.service: powerapps
+ms.topic: conceptual
+ms.custom: 
+ms.date: 11/03/2020
+ms.author: nenandw
+ms.reviewer: tapanm
+---
+
+# Roles required for portal administration
+
+Power Apps portals has different kinds of administrative tasks that can be done by the members of different roles. The admin and security roles required to do these tasks vary depending on the impact area.
+
+For example, some tasks may require the user to be a member of admin roles in [Microsoft 365](https://docs.microsoft.com/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide&preserve-view=true), and others may need membership to security roles in [Power Platform environment](https://docs.microsoft.com/power-platform/admin/database-security).
+
+In this article, you'll learn about the roles and permissions required to do different administrative tasks for portals.
+
+## Required roles and permissions
+
+The following table lists different administrative tasks for portals, and the roles required to do that task. The listed tasks can be done through the membership of the roles listed as required.
+
+| Task | Required roles |
+| - | - |
+| [Create portal](..\create-portal.md) | Any one of the following roles and permissions: <ul> <li> [Permissions to register an app](https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal#permissions-required-for-registering-an-app) in the Azure Active Directory, and any one of the following roles with **Access Mode** set to **Read-Write** under **Client Access License (CAL) Information** for the [user record](https://docs.microsoft.com/power-platform/admin/create-users-assign-online-security-roles#create-a-read-write-user-account) in Power Platform environment: <ul> <li> [System customizer](#system-customizer) </li> <li> [System administrator](#system-administrator) </li> </ul> **Note**: Creating a portal is allowed with these roles only if Global administrator hasn't [disabled portal creation](../create-portal.md#disable-portal-creation-in-a-tenant) in a tenant.</li> <li> [Global administrator](#global-administrator) </li> </ul> |
+| [Download public key of a portal](get-public-key.md) | Any one of the following roles: <ul> <li> [Portal owner](#portal-owner) </li> <li> [System customizer](#system-customizer) </li> <li> [System administrator](#system-administrator) </li> <li> [Dynamics 365 administrator](#dynamics-365-administrator) </li> <li> [Power Platform administrator](#power-platform-administrator) </li> <li> [Global administrator](#global-administrator) </li> </ul> |
+| [Import metadata translation](import-metadata-translation.md) | Any one of the following roles: <ul> <li> [Portal owner](#portal-owner) </li> <li> [System customizer](#system-customizer) </li> <li> [System administrator](#system-administrator) </li> <li> [Dynamics 365 administrator](#dynamics-365-administrator) </li> <li> [Power Platform administrator](#power-platform-administrator) </li> <li> [Global administrator](#global-administrator) </li> </ul> |
+| [View portal error logs](view-portal-error-log.md) | Any one of the following roles: <ul> <li> [Portal owner](#portal-owner) </li> <li> [System administrator](#system-administrator) </li> <li> [Dynamics 365 administrator](#dynamics-365-administrator) </li> <li> [Power Platform administrator](#power-platform-administrator) </li> <li> [Global administrator](#global-administrator) </li> </ul> |
+| [Reset a portal](reset-portal.md) | [Portal app owner](#portal-app-owner) and any one of the following roles: <ul> <li> [Portal owner](#portal-owner) </li> <li> [System customizer](#system-customizer) </li> <li> [System administrator](#system-administrator) </li> <li> [Dynamics 365 administrator](#dynamics-365-administrator) </li> <li> [Power Platform administrator](#power-platform-administrator) </li> <li> [Global administrator](#global-administrator) </li> </ul> |
+| [Convert a portal from trial to production](portal-lifecycle.md#convert-a-portal-from-trial-to-production) | [Portal app owner](#portal-app-owner) and any one of the following roles: <ul> <li> [Portal owner](#portal-owner) </li> <li> [System customizer](#system-customizer) </li> <li> [System administrator](#system-administrator) </li> <li> [Dynamics 365 administrator](#dynamics-365-administrator) </li> <li> [Power Platform administrator](#power-platform-administrator) </li> <li> [Global administrator](#global-administrator) </li> </ul> |
+| [Convert an existing portal to a capacity-based model](portal-lifecycle.md#convert-an-existing-portal-to-a-capacity-based-model) |  [Portal app owner](#portal-app-owner) and any one of the following roles: <ul> <li> [Portal owner](#portal-owner) </li> <li> [System customizer](#system-customizer) </li> <li> [System administrator](#system-administrator) </li> <li> [Dynamics 365 administrator](#dynamics-365-administrator) </li> <li> [Power Platform administrator](#power-platform-administrator) </li> <li> [Global administrator](#global-administrator) </li> </ul> |
+| [Add a custom ___domain name](add-custom-___domain.md) | Any one of the following roles: <ul> <li> [Portal owner](#portal-owner) </li> <li> [System customizer](#system-customizer) </li> <li> [System administrator](#system-administrator) </li> <li> [Dynamics 365 administrator](#dynamics-365-administrator) </li> <li> [Power Platform administrator](#power-platform-administrator) </li> <li> [Global administrator](#global-administrator) </li> </ul>   |
+| [Connect to a Common Data Service environment using a portal](manage-auth-key.md) | Any one of the following roles: <ul> <li> [Portal owner](#portal-owner) </li> <li> [System customizer](#system-customizer) </li> <li> [System administrator](#system-administrator) </li> <li> [Dynamics 365 administrator](#dynamics-365-administrator) </li> <li> [Power Platform administrator](#power-platform-administrator) </li> <li> [Global administrator](#global-administrator) </li> </ul> |
+| [Change the Dynamics 365 instance of a portal](change-dynamics-instance.md) | Any one of the following roles: <ul> <li> [Portal owner](#portal-owner) </li> <li> [System customizer](#system-customizer) </li> <li> [System administrator](#system-administrator) </li> <li> [Dynamics 365 administrator](#dynamics-365-administrator) </li> <li> [Power Platform administrator](#power-platform-administrator) </li> <li> [Global administrator](#global-administrator) </li> </ul> |
+
+## Manage membership of the required roles
+
+This section explains about managing the membership of the required roles listed above for different kinds of administrative tasks in Power Apps portals.
+
+### Portal app owner
+
+Portal app owner is a user who owns [portal application registration](https://docs.microsoft.com/azure/active-directory/develop/quickstart-register-ap) in the [Azure portal](https://portal.azure.com)
+
+To add an app owner for the portal app in Azure portal:
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
+
+1. Search for and select **Azure Active Directory**.
+
+1. Under **Manage**, select **App registrations**.
+
+1. Select the Power Apps portals app from the list of available applications.
+
+1. Under **Manage**, select **Owners**.
+
+1. Select **Add owners**.
+
+1. Select a user.
+
+1. Select **Select**.
+
+The user is added as an owner of the portal app.
+
+### Portal owner
+
+Portal owner is the user that created the Power Apps portal. This role can't be managed, and can't be changed.
+
+### System customizer
+
+System customizer is a Power Platform security role. This role has full permissions to customize Power Platform environment.
+
+To assign a user the System administrator Power Platform role, read [Configure user security to resources in an environment](https://docs.microsoft.com/power-platform/admin/database-security).
+
+### System administrator
+
+System administrator is a Power Platform security role. This role has full permissions to customize and administrator Power Platform environment.
+
+To assign a user the System administrator Power Platform role, read [Configure user security to resources in an environment](https://docs.microsoft.com/power-platform/admin/database-security).
+
+### Dynamics 365 administrator
+
+Dynamics 365 administrator is a Power Platform service admin role. This role can do admin functions on Power Platform because they have the system admin role.
+
+To assign a user the Dynamics 365 administrator role, read [Assign a service admin role to a user](https://docs.microsoft.com/power-platform/admin/use-service-admin-role-manage-tenant#assign-a-service-admin-role-to-a-user).
+
+### Power Platform administrator
+
+Power Platform administrator is a Power Platform service admin role. This role can do admin functions on Power Platform because they have the system admin role.
+
+To assign a user the Power Platform administrator role, read [Assign a service admin role to a user](https://docs.microsoft.com/power-platform/admin/use-service-admin-role-manage-tenant#assign-a-service-admin-role-to-a-user).
+
+### Global administrator
+
+Global administrator is a Microsoft 365 admin role. A person who purchases the Microsoft business subscription is a global administrator. A global administrator has unlimited control over products in the subscription and access to most data.
+
+To assign a user the global administrator role, read [Assign admin roles in Microsoft 365](https://docs.microsoft.com/microsoft-365/admin/add-users/assign-admin-roles?view=o365-worldwide&preserve-view=true).
+
+More information: [About admin roles in Microsoft 365](https://docs.microsoft.com/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide&preserve-view=true)
+
+### See also
+
+- [Portal admin center](admin-overview.md)
+- [Portal Management app](../configure/configure-portal.md)
+- [Portal site settings](../configure/configure-site-settings.md)

powerapps-docs/maker/portals/admin/portal-lifecycle.md

@@ -46,6 +46,7 @@ You can convert a trial portal to a production portal from the notifications dis
 > You must be assigned one of the following roles to convert a portal from trial to production:
 > - Global administrator
 > - System administrator
+> <br> More information: [Admin roles required for portal administrative tasks](portal-admin-roles.md)
 
 When you open the [Power Apps Portals admin center](admin-overview.md) and go to the **[Portal Details](portal-details.md)** tab, you'll see the notification about the trial expiration displayed below the **Type** field.
 
@@ -70,6 +71,9 @@ To convert your portal from trial to production:
 
 You can convert your existing portal license to [capacity-based licensing model](https://docs.microsoft.com/power-platform/admin/powerapps-flow-licensing-faq#can-you-share-more-details-regarding-the-new-power-apps-portals-licensing). To change your portal license to capacity-based model:
 
+> [!TIP]
+> To learn about the roles required to perform this task, read [Admin roles required for portal administrative tasks](portal-admin-roles.md).
+
 1. Go to [Portal details](portal-details.md).
 1. Select **Change License**.
 

powerapps-docs/maker/portals/admin/reset-portal.md

@@ -20,6 +20,9 @@ It is important to note that resetting your portal doesn't remove portal configu
 
 You can reset a completely configured portal, or a portal for which provisioning or updating of an instance has failed.
 
+> [!TIP]
+> To learn about the roles required to perform this task, read [Admin roles required for portal administrative tasks](portal-admin-roles.md).
+
 To reset a configured portal:
 
 1.    Open [Power Apps Portals admin center](admin-overview.md).

powerapps-docs/maker/portals/admin/view-portal-error-log.md

@@ -14,6 +14,9 @@ ms.reviewer: tapanm
 
 As a portal administrator or developer, you can use Power Apps portals to create a website for your customers. One common task for a developer is to debug issues while developing the portal. To help debug, you can access detailed error logs for any issues on your portal. There are multiple ways that you can get error logs for your portals.
 
+> [!TIP]
+> To learn about the roles required to perform tasks in this article, read [Admin roles required for portal administrative tasks](portal-admin-roles.md).
+
 ## Custom error
 
 If any server-side exception occurs in your portal, a customized error page with a user-friendly error message is shown by default. To configure the error message, see [Display a custom error message](#display-a-custom-error-message).