Merge pull request #19454 from MandiOhlinger/ado36397339

v-shils · web-flow · commit 34e22881d749 · 2026-01-27T12:32:17.000-08:00
ADO 36397339 - SFI: Global admin
diff --git a/intune/intune-service/apps/app-protection-policies-monitor.md b/intune/intune-service/apps/app-protection-policies-monitor.md
@@ -9,17 +9,18 @@ ms.collection:
 ---
 
 # How to Monitor App Protection Policies
-[!INCLUDE [azure_portal](../includes/azure_portal.md)]
 
 You can monitor the status of the app protection policies that you applied to users from the Intune app protection pane in Intune. Additionally, you can find information about the users affected by app protection policies, policy compliance status, and any issues that your users might be experiencing.
 
 App protection data is retained for a minimum of 90 days. Any app instances that checked in to the Intune service within the past 90 days is included in the app protection status report.
 
-> [!NOTE]
-> When you delete an app protection policy, scoped admins no longer see app instances associated with that policy. Global admins continue to see the policy name listed as "not available."
+## Before you begin
 
-> [!NOTE]
-> For iOS 16 and later devices, the **Device Name** value in all app protection reports is a generic device name. For more information, see [Apple Developer documentation](https://developer.apple.com/documentation/uikit/uidevice/1620015-name).
+- When you delete an app protection policy, scoped admins no longer see app instances associated with that policy. Global Administrators continue to see the policy name listed as "not available."
+
+  [!INCLUDE [global-admin](../includes/global-admin.md)]
+
+- For iOS 16 and later devices, the **Device Name** value in all app protection reports is a generic device name. For more information, see [Apple Developer documentation](https://developer.apple.com/documentation/uikit/uidevice/1620015-name).
 
 ## View the **App protection status** report
 
diff --git a/intune/intune-service/apps/tutorial-configure-slack-enterprise-grid.md b/intune/intune-service/apps/tutorial-configure-slack-enterprise-grid.md
@@ -38,11 +38,6 @@ Turn on EMM for your Slack Enterprise Grid plan by following [Slack's instructio
 
 Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) as the built-in **[Intune Administrator](/entra/identity/role-based-access-control/permissions-reference#intune-administrator)** Microsoft Entra role.
 
-If you created an Intune Trial subscription, the account that created the subscription is a Microsoft Entra [Global Administrator](/entra/identity/role-based-access-control/permissions-reference#global-administrator).
-
-> [!CAUTION]
-> [!INCLUDE [global-admin](../includes/global-admin.md)]
-
 ## Set up Slack for EMM on iOS devices
 
 Add the iOS/iPadOS app Slack for EMM to your Intune tenant and create an app configuration policy to enable your organizations' iOS/iPadOS users to access Slack with Intune as an EMM provider.
diff --git a/intune/intune-service/fundamentals/deployment-plan-setup.md b/intune/intune-service/fundamentals/deployment-plan-setup.md
@@ -21,7 +21,7 @@ The first step when deploying Microsoft Intune is to set up your Intune environm
 
 This article takes you through each step in the process of setting up Microsoft Intune. This article also provides the choices and considerations you need to make when setting up an endpoint-management solution such as Intune.
 
-The purpose of this article is to help you get a better understanding of Intune's supported configurations. After reviewing the article, you should be able to sign up for the Microsoft Intune's free trial, add end users, define user groups, assign licenses to users, and set up the other needed settings to begin using Microsoft Intune. All the steps provided in the article help you to add and manage devices and apps using Intune.
+The purpose of this article is to help you get a better understanding of Intune's supported configurations. After reviewing the article, you should be able to sign up for the [Microsoft Intune's free trial](try-intune-overview.md), add end users, define user groups, assign licenses to users, and set up the other needed settings to begin using Microsoft Intune. All the steps provided in the article help you to add and manage devices and apps using Intune.
 
 ## Prerequisites
 
@@ -95,10 +95,7 @@ The people in your organization each need a user account before they can sign in
 
 As an administrator, you can add users individually or in bulk to Intune.
 
-You must be a Microsoft Entra [License Administrator](/entra/identity/role-based-access-control/permissions-reference#license-administrator) or [User Administrator](/entra/identity/role-based-access-control/permissions-reference#user-administrator) to add users to Intune. If you created an Intune Trial subscription, the account that created the subscription is a Microsoft Entra [Global Administrator](/entra/identity/role-based-access-control/permissions-reference#global-administrator).
-
-> [!CAUTION]
-> [!INCLUDE [global-admin](../includes/global-admin.md)]
+You must be a Microsoft Entra [License Administrator](/entra/identity/role-based-access-control/permissions-reference#license-administrator) or [User Administrator](/entra/identity/role-based-access-control/permissions-reference#user-administrator) to add users to Intune.
 
 ## 5 - Create groups in Intune
 
@@ -120,7 +117,7 @@ For guidance, go to [Microsoft Intune licensing](licenses.md).
 
 ✔️ **Get started with assigning licenses to users**
 
-Whether you added users one at a time or all at once, you must assign each user an Intune license before users can enroll their devices in Intune. The Microsoft Intune free trial provides 25 Intune licenses. For a list of licenses, see Licenses that include Intune.
+Whether you added users one at a time or all at once, you must assign each user an Intune license before users can enroll their devices in Intune. The [Microsoft Intune's free trial](try-intune-overview.md) provides 25 Intune licenses. For a list of licenses, see Licenses that include Intune.
 Give users permission to use Intune. Each user or userless device requires an Intune license to access the service.
 
 For guidance, go to [Assign licenses](licenses-assign.md).
diff --git a/intune/intune-service/fundamentals/microsoft-intune-service-description.md b/intune/intune-service/fundamentals/microsoft-intune-service-description.md
@@ -1,9 +1,9 @@
 ---
 title: Microsoft Intune Service Description
 description: Microsoft Intune is a cloud-based service that helps you manage Windows, iOS/iPadOS, macOS, and Android devices.
-author: dougeby
-ms.author: dougeby
-ms.date: 12/12/2023
+author: MandiOhlinger
+ms.author: mandia
+ms.date: 01/27/2026
 ms.topic: article
 ms.reviewer: cacamp
 ms.collection:
@@ -13,7 +13,7 @@ ms.collection:
 
 # Microsoft Intune service description
 
-Intune is a cloud-based enterprise mobility management (EMM) service that helps enable your workforce to be productive while keeping your corporate data protected. With Intune, you can:
+Intune is a cloud-based enterprise mobility management (EMM) service that helps enable your workforce to be productive while keeping your corporate data protected. By using Intune, you can:
 
 * Manage the mobile devices your workforce uses to access company data.
 * Manage the client apps your workforce uses.
@@ -22,66 +22,61 @@ Intune is a cloud-based enterprise mobility management (EMM) service that helps
 
 Intune integrates closely with Microsoft Entra ID for identity and access control, and Azure Information Protection for data protection. You can also integrate it with Configuration Manager to extend your management capabilities.
 
-To learn more about how you can manage devices, apps, and protect corporate data with Intune, see the [Intune documentation](../index.yml).
+To learn more about how you can manage devices, apps, and protect corporate data with Intune, see [Microsoft Intune securely manages identities, apps, and devices](what-is-intune.md).
 
 ## 30-day free trial
 
 You can start to use Intune with a 30-day free trial that includes 100 user licenses. To start your free trial, [go to the Intune Sign up page](https://admin.microsoft.com/Signup/Signup.aspx?OfferId=40BE278A-DFD1-470a-9EF7-9F2596EA7FF9&dl=INTUNE_A&ali=1#0%20). If your organization has an Enterprise Agreement or equivalent volume licensing agreement, contact your Microsoft representative to set up your free trial.
 
-> [!NOTE]
-> If your organization has a Microsoft Online Services work or school account, and you might continue with this Intune subscription in production after the trial period ends, then choose the **Sign in** option on that page and authenticate by using the Global Administrator account for your organization. This action ensures that your Intune trial links to your existing work or school account.
-
-Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to the initial set up or emergency scenarios when you can't use an existing role.
-
-<!--- For a list of settings that you can set up on mobile devices, see:
+If your organization has a Microsoft Online Services work or school account, and you might continue with this Intune subscription in production after the trial period ends, select the **Sign in** option on that page and authenticate by using the Microsoft Entra Global Administrator account for your organization. This action ensures that your Intune trial links to your existing work or school account.
 
-- [Enrolled device management capabilities of Microsoft Intune](introduction-intune.md)
+> [!IMPORTANT]
+> [!INCLUDE [global-admin](../includes/global-admin.md)]
 
---->
 ## Intune Onboarding benefit
 
-Microsoft offers the Intune Onboarding benefit for eligible services in eligible plans. The Onboarding benefit lets you work remotely with Microsoft specialists to get your Intune environment ready for use. For more about the Onboarding benefit, see [Microsoft Intune Onboarding Benefit Description](/fasttrack/introduction).
+Microsoft offers the Intune Onboarding benefit for eligible services in eligible plans. The Onboarding benefit lets you work remotely with Microsoft specialists to get your Intune environment ready for use. For more about the Onboarding benefit, see [Microsoft Intune Onboarding Benefit Description](/microsoft-365/fasttrack/introduction).
 
 ## Learn how Intune service updates affect you
 
-Because the mobile device management ecosystem changes frequently with operating system updates and mobile app releases, Microsoft updates Intune regularly. There are three ways you can learn about changes in the Intune service:
+Because the mobile device management ecosystem changes frequently with operating system updates and mobile app releases, Microsoft regularly updates Intune. You can learn about changes in the Intune service through three main sources:
 
-* [What's new in Microsoft Intune](whats-new.md). This topic is updated with the monthly service update and weekly when, for example, apps such as the Company Portal app are released.
+* [What's new in Microsoft Intune](whats-new.md). This article is updated monthly and can be updated weekly when, for example, apps such as the Company Portal app are released.
 
-* Important service updates are also announced in the [Microsoft 365 admin center](https://admin.microsoft.com/) Message Center. If you install the companion [Microsoft 365 Admin mobile app](https://support.office.com/article/Office-365-Admin-Mobile-App-e16f6421-2a1a-4142-bf9d-9846600a060a), you can receive notifications on your mobile device. Learn more about how to work with the [Microsoft 365 Message Center](/microsoft-365/admin/manage/message-center).
+* The [Microsoft 365 admin center](https://admin.microsoft.com/) Message Center announces important service updates. If you install the companion [Microsoft 365 Admin mobile app](/microsoft-365/admin/admin-overview/admin-mobile-app), you can receive notifications on your mobile device. Learn more about how to work with the [Microsoft 365 Message Center](/microsoft-365/admin/manage/message-center).
 
   A few helpful hints:
 
-  * The messages in the Microsoft 365 Message Center are targeted. This means that if your company doesn't have an Intune for Education offer, we won't message you about Intune for Education.
+  * The messages in the Microsoft 365 Message Center are targeted. So, if your company doesn't have an Intune for Education offer, you won't receive messages about Intune for Education.
 
-  * Messages expire. For example, the notification that your service has been updated with a link to the What's new page will likely expire prior to the next service update notification. Otherwise, you'd have a large backlog of posts that may no longer be relevant.
+  * Messages expire. For example, the notification that your service is updated with a link to the What's new page likely expires prior to the next service update notification. Otherwise, you'd have a large backlog of posts that might no longer be relevant.
 
-  * The Microsoft 365 admin mobile app allows you to search through all the messages and to forward the notification if you wanted to share it with peers in your organization.
+  * The Microsoft 365 admin mobile app allows you to search through all the messages. You can also forward the notification to share it with others in your organization.
 
-  * Under Edit message center preferences, we'll eventually have a toggle for **Intune** so you can look at those messages posted to an Intune subscription. If you see Mobile Device Management for Microsoft 365, that is a different service, not Intune.
+    * Under **Edit message center preferences**, you might see an **Intune** toggle so you can look at those messages posted to an Intune subscription. If you see **Mobile Device Management for Microsoft 365**, that is a different service, not Intune.
 
-* We also use two blogs to share new features and capabilities and best practices with Microsoft Intune:
+* Two blogs share new features, capabilities, and best practices for Microsoft Intune:
 
   * [Microsoft Intune Blog](https://aka.ms/IntuneBlog)
 
   * [Intune Customer Success Blog](https://aka.ms/IntuneCustomerSuccess)
 
 > [!NOTE]
-> You can monitor Intune service health in the [Microsoft 365 admin center](https://admin.microsoft.com). Choose **Service Health** in the left pane. You can also use the [Microsoft 365 Admin mobile app](https://support.office.com/article/Office-365-Admin-Mobile-App-e16f6421-2a1a-4142-bf9d-9846600a060a) to view service health.
+> You can monitor Intune service health in the [Microsoft 365 admin center](https://admin.microsoft.com). Choose **Service Health** in the left pane. You can also use the [Microsoft 365 Admin mobile app](/microsoft-365/admin/admin-overview/admin-mobile-app) to view service health.
 
 ## Types of notices Microsoft provides about the Intune service
 
-To help you plan for service changes, we notify you at least 7-90 days prior to the service change, depending on the impact of the change. These changes might include any of the following types of change:
+To help you plan for service changes, Microsoft notifies you at least 7-90 days prior to the service change, depending on the impact of the change. These changes might include any of the following types of change:
 
-- Changes to the end-user experience that you may want to share with your helpdesk staff or your end users. We provide typically 7 to 30 days notice of those changes and document them on the [What's new in Intune App UI](whats-new-app-ui.md). For something like a spelling error fix, we won't typically call out in documentation. But a change in the end-user enrollment experience is significant enough in the UI that we'll both post a message to customers in the Microsoft 365 Message center and link to the What's new in the Intune App UI so you are notified of what's changing and have time to evaluate and update your end-user guidance before the changes rolling out in production.
+- Changes to the end-user experience that you might want to share with your helpdesk staff or your end users. Microsoft typically provides 7 to 30 days' notice of those changes and documents them on the [What's new in Intune App UI](whats-new-app-ui.md). For something like a spelling error fix, Microsoft typically doesn't call out the change in documentation. But a change in the end-user enrollment experience is significant enough in the UI that Microsoft posts a message to customers in the Microsoft 365 Message center and links to the What's new in the Intune App UI. So, you're notified of what's changing and have time to evaluate and update your end-user guidance before the changes roll out in production.
 
-- Changes that require you to take action are called **Plan for Change** and typically provide about 30 days notice. In the Microsoft 365 Message Center the Category specifically says Plan for Change, and if we have an exact date for when the change is in production, we also put in an **Act By** date and that gives you a visual queue and an explanation mark.
+- Changes that require you to take action are called **Plan for Change** and typically provide about 30 days' notice. In the Microsoft 365 Message Center, the category specifically says Plan for Change. If Microsoft has an exact date for when the change is in production, there's an **Act By** date. That date gives you a visual queue and an explanation mark.
 
-- For most deprecations, we prefer to provide 90 days notice of that deprecation. For example, if we're no longer going to support a specific version of IE, our goal is to provide 90 days notice. However, deprecations do get complicated when it's another company announcing the deprecation. For example, a browser company provided notice that they would no longer support Silverlight with their latest build, so we let customers know we were dropping support of that browser, but our notification to customers under the 90-day period.
+- For most deprecations, Microsoft prefers to provide 90 days' notice of that deprecation. For example, if Microsoft is no longer going to support a specific version of IE, the goal is to provide 90 days' notice. However, deprecations get complicated when it's another company announcing the deprecation. For example, a browser company provided notice that they won't support Silverlight with their latest build. So, Microsoft lets customers know we're dropping support of that browser, but the Microsoft notification to customers might be under the 90-day period.
 
 - In the event of Intune service retirement, you would be notified 12 months in advance.
 
-Finally, in the rare event there's any post-incident action needed to get your service back to normal or a large change that we deem potentially disruptive based on customer feedback, we will email the service administrators based on how your [Microsoft 365 communication preferences](https://support.office.com/article/Change-your-contact-preferences-for-communications-from-Microsoft-6f70de1b-a64d-4498-bfbd-be8c83a9c0fc) are set and whether you include a valid (and preferably work) email address.
+Finally, in the rare event there's any post-incident action needed to get your service back to normal or a large change that Microsoft deems potentially disruptive based on customer feedback, Microsoft emails the service administrators based on how your [Microsoft 365 communication preferences](/microsoft-365/admin/manage/change-address-contact-and-more) are set. Be sure to include a valid work email address.
 
 ## Language support
 
diff --git a/intune/intune-service/includes/global-admin.md b/intune/intune-service/includes/global-admin.md
@@ -1,12 +1,12 @@
 ---
 author: MandiOhlinger
 ms.topic: include
-ms.date: 08/04/2025
+ms.date: 01/27/2026
 ms.author: mandia
 ---
 
 <!-- This include file is used in articles that mention global admin. -->
 
 The Global Administrator built-in role is a [privileged Microsoft Entra role](/entra/identity/role-based-access-control/privileged-roles-permissions), and has more permissions than needed for Intune. To reduce risk, don't use the Global Administrator role to manage Intune.
 
-Assign the least-privileged role that can complete the task. For more information on the built-in roles and what they can do, see [Role-based access control (RBAC) with Intune](../fundamentals/role-based-access-control.md) and [Built-in role permissions for Intune](../fundamentals/role-based-access-control-reference.md).
+Assign the least-privileged role that can complete the task. For more information on the built-in Intune roles and what they can do, see [Role-based access control (RBAC) with Intune](../fundamentals/role-based-access-control.md) and [Built-in role permissions for Intune](../fundamentals/role-based-access-control-reference.md).
