fix: make RBAC include generic (shared across 6 MTO endpoints)

srinivaspadala-msft · Copilot · srinivaspadala-msft · commit d229c836637a · 2026-05-14T15:59:54.000-07:00
The rbac-multitenantorganization-apis-read.md include is consumed by
6 different endpoints returning different resource types. Remove
member-specific property names (displayName, tenantId, role, state,
etc.) that are incorrect for the non-member endpoints (MTO object,
join request, sync policy template, partner config template).

Property-specific details remain in the individual API docs where
they are correct and scoped to the right resource type.

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/api-reference/beta/includes/rbac-for-apis/rbac-multitenantorganization-apis-read.md b/api-reference/beta/includes/rbac-for-apis/rbac-multitenantorganization-apis-read.md
@@ -5,7 +5,7 @@ ms.topic: include
 
 > [!IMPORTANT]
 > For delegated access using work or school accounts, the signed-in user must be assigned a supported [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) or a custom role that grants the permissions required for this operation. This operation supports the following built-in roles, which provide only the least privilege necessary:
-> - **Security Reader** — Can read basic tenant information (**displayName** and **tenantId** only).
-> - **Global Reader** — Can read basic tenant information (**displayName** and **tenantId** only).
+> - Security Reader
+> - Global Reader
 >
-> To read all properties (including **role**, **state**, **addedByTenantId**, **addedDateTime**, **joinedDateTime**, and **transitionDetails**), the signed-in user must be assigned a role that grants the `MultiTenantOrganization.Read.All` or `MultiTenantOrganization.ReadWrite.All` permission, such as the **Global Administrator** role.
+> These roles grant limited read access. To read all properties, the signed-in user must be assigned a role with the `MultiTenantOrganization.Read.All` or `MultiTenantOrganization.ReadWrite.All` permission.
diff --git a/api-reference/v1.0/includes/rbac-for-apis/rbac-multitenantorganization-apis-read.md b/api-reference/v1.0/includes/rbac-for-apis/rbac-multitenantorganization-apis-read.md
@@ -5,7 +5,7 @@ ms.topic: include
 
 > [!IMPORTANT]
 > For delegated access using work or school accounts, the signed-in user must be assigned a supported [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) or a custom role that grants the permissions required for this operation. This operation supports the following built-in roles, which provide only the least privilege necessary:
-> - **Security Reader** — Can read basic tenant information (**displayName** and **tenantId** only).
-> - **Global Reader** — Can read basic tenant information (**displayName** and **tenantId** only).
+> - Security Reader
+> - Global Reader
 >
-> To read all properties (including **role**, **state**, **addedByTenantId**, **addedDateTime**, **joinedDateTime**, and **transitionDetails**), the signed-in user must be assigned a role that grants the `MultiTenantOrganization.Read.All` or `MultiTenantOrganization.ReadWrite.All` permission, such as the **Global Administrator** role.
+> These roles grant limited read access. To read all properties, the signed-in user must be assigned a role with the `MultiTenantOrganization.Read.All` or `MultiTenantOrganization.ReadWrite.All` permission.
