diff --git a/docs/architecture/govern-service-accounts.md b/docs/architecture/govern-service-accounts.md index e3595e592f3..f34f874cf2d 100644 --- a/docs/architecture/govern-service-accounts.md +++ b/docs/architecture/govern-service-accounts.md @@ -52,7 +52,7 @@ We recommend the following practices for service account privileges. - Don't assign built-in roles to service accounts - See, [`oAuth2PermissionGrant` resource type](/graph/api/resources/oauth2permissiongrant) - The service principal is assigned a privileged role - - [Create and assign a custom role in Microsoft Entra ID](/entra/identity/role-based-access-control/custom-create) + - [Create a custom role in Microsoft Entra ID](../identity/role-based-access-control/custom-create.md) - Don't include service accounts as members of any groups with elevated permissions - See, [Get-MgDirectoryRoleMember](/powershell/module/microsoft.graph.identity.directorymanagement/get-mgdirectoryrolemember): diff --git a/docs/architecture/protect-m365-from-on-premises-attacks.md b/docs/architecture/protect-m365-from-on-premises-attacks.md index 0ddce9619f8..b2e9e79d9a9 100644 --- a/docs/architecture/protect-m365-from-on-premises-attacks.md +++ b/docs/architecture/protect-m365-from-on-premises-attacks.md 
@@ -88,7 +88,7 @@ In Microsoft Entra ID, users who have privileged roles, such as administrators, - To enable a rich role assignment experience that includes delegation and multiple roles at the same time, consider using Microsoft Entra security groups or Microsoft 365 Groups. These groups are collectively called *cloud groups*. - Also, enable role-based access control. See [Assign Microsoft Entra roles to groups](~/identity/role-based-access-control/groups-assign-role.md). You can use administrative units to restrict the scope of roles to a portion of the organization. See [Administrative units in Microsoft Entra ID](~/identity/role-based-access-control/administrative-units.md). + Also, enable role-based access control. See [Assign Microsoft Entra roles](../identity/role-based-access-control/manage-roles-portal.md). You can use administrative units to restrict the scope of roles to a portion of the organization. See [Administrative units in Microsoft Entra ID](~/identity/role-based-access-control/administrative-units.md). - Deploy emergency access accounts. Do *not* use on-premises password vaults to store credentials. See [Manage emergency access accounts in Microsoft Entra ID](~/identity/role-based-access-control/security-emergency-access.md). diff --git a/docs/external-id/reference-cross-tenant-custom-roles.md b/docs/external-id/reference-cross-tenant-custom-roles.md index a8140895217..dbe9c45b119 100644 --- a/docs/external-id/reference-cross-tenant-custom-roles.md +++ b/docs/external-id/reference-cross-tenant-custom-roles.md 
@@ -13,7 +13,7 @@ ms.custom: it-pro # Create custom roles for managing cross-tenant access settings -Your organization can [define custom roles](/entra/identity/role-based-access-control/custom-create) to manage cross-tenant access settings. These roles allow for precise control without relying on built-in management roles. This article provides guidance on creating recommended custom roles for managing cross-tenant access settings. +Your organization can [define custom roles](../identity/role-based-access-control/custom-create.md) to manage cross-tenant access settings. These roles allow for precise control without relying on built-in management roles. This article provides guidance on creating recommended custom roles for managing cross-tenant access settings. ## Cross-tenant access administrator diff --git a/docs/fundamentals/data-storage-japan.md b/docs/fundamentals/data-storage-japan.md index 7c5462d9bbf..d2f1eb4b957 100644 --- a/docs/fundamentals/data-storage-japan.md +++ b/docs/fundamentals/data-storage-japan.md @@ -8,7 +8,7 @@ ms.author: justinha ms.service: entra ms.subservice: fundamentals ms.topic: conceptual -ms.date: 11/25/2024 +ms.date: 01/03/2024 ms.custom: it-pro, references_regions ms.collection: M365-identity-device-management --- diff --git a/docs/id-governance/entitlement-management-overview.md b/docs/id-governance/entitlement-management-overview.md index 613203f13f6..f34af924ba8 100644 --- a/docs/id-governance/entitlement-management-overview.md +++ b/docs/id-governance/entitlement-management-overview.md 
@@ -69,7 +69,7 @@ You can also control access to other resources that rely upon Microsoft Entra se - You can give users licenses for Microsoft 365 by using a Microsoft Entra security group in an access package and configuring [group-based licensing](~/identity/users/licensing-groups-assign.md) for that group. - You can give users access to manage Azure resources by using a Microsoft Entra security group in an access package and creating an [Azure role assignment](/azure/role-based-access-control/role-assignments-portal) for that group. -- You can give users access to manage Microsoft Entra roles by using groups assignable to Microsoft Entra roles in an access package and [assigning a Microsoft Entra role to that group](~/identity/role-based-access-control/groups-assign-role.md). +- You can give users access to manage Microsoft Entra roles by using groups assignable to Microsoft Entra roles in an access package and [assigning a Microsoft Entra role to that group](../identity/role-based-access-control/manage-roles-portal.md). ## How do I control who gets access? diff --git a/docs/id-governance/privileged-identity-management/pim-how-to-add-role-to-user.md b/docs/id-governance/privileged-identity-management/pim-how-to-add-role-to-user.md index c27f0776ddc..6ab88184779 100644 --- a/docs/id-governance/privileged-identity-management/pim-how-to-add-role-to-user.md +++ b/docs/id-governance/privileged-identity-management/pim-how-to-add-role-to-user.md 
@@ -69,7 +69,7 @@ Follow these steps to make a user eligible for a Microsoft Entra admin role. ## Assign a role with restricted scope -For certain roles, the scope of the granted permissions can be restricted to a single admin unit, service principal, or application. This procedure is an example if assigning a role that has the scope of an administrative unit. For a list of roles that support scope via administrative unit, see [Assign scoped roles to an administrative unit](~/identity/role-based-access-control/admin-units-assign-roles.md). This feature is currently being rolled out to Microsoft Entra organizations. +For certain roles, the scope of the granted permissions can be restricted to a single admin unit, service principal, or application. This procedure is an example if assigning a role that has the scope of an administrative unit. For a list of roles that support scope via administrative unit, see [Assign roles with administrative unit scope](../../identity/role-based-access-control/manage-roles-portal.md). This feature is currently being rolled out to Microsoft Entra organizations. 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Privileged Role Administrator](~/identity/role-based-access-control/permissions-reference.md#privileged-role-administrator). diff --git a/docs/identity-platform/howto-add-app-roles-in-apps.md b/docs/identity-platform/howto-add-app-roles-in-apps.md index 92047871895..8bcb1676f37 100644 --- a/docs/identity-platform/howto-add-app-roles-in-apps.md +++ b/docs/identity-platform/howto-add-app-roles-in-apps.md 
@@ -73,7 +73,7 @@ Before you can assign app roles to applications, you need to assign yourself as ## Assign app roles to applications -After adding app roles in your application, you can assign an app role to a client app by using the Microsoft Entra admin center or programmatically by using [Microsoft Graph](/graph/api/user-post-approleassignments). Assigning an app role to an application shouldn't be confused with [assigning roles to users](/entra/identity/role-based-access-control/manage-roles-portal). +After adding app roles in your application, you can assign an app role to a client app by using the Microsoft Entra admin center or programmatically by using [Microsoft Graph](/graph/api/user-post-approleassignments). Assigning an app role to an application shouldn't be confused with [assigning roles to users](../identity/role-based-access-control/manage-roles-portal.md). When you assign app roles to an application, you create *application permissions*. Application permissions are typically used by daemon apps or back-end services that need to authenticate and make authorized API call as themselves, without the interaction of a user. diff --git a/docs/identity/authentication/accessibility/authentication-methods-accessibility.md b/docs/identity/authentication/accessibility/authentication-methods-accessibility.md index 17198acad8f..e80ec6b5247 100644 --- a/docs/identity/authentication/accessibility/authentication-methods-accessibility.md +++ b/docs/identity/authentication/accessibility/authentication-methods-accessibility.md 
@@ -5,12 +5,12 @@ author: gdaluz1 # GitHub alias ms.author: justinha ms.service: entra-id ms.topic: article -ms.date: 11/05/2024 +ms.date: 01/03/2024 ms.subservice: authentication --- # Improve accessibility with multifactor authentication in Microsoft Entra ID -As cybersecurity threats evolve, multifactor authentication (MFA) has become a cornerstone of secure digital identity. Microsoft Entra ID offers a range of MFA methods designed not only for robust security but also to cater to diverse user needs, including those with accessibility constraints. Here's a closer look at how these MFA options enhance accessibility and inclusivity. +As cybersecurity threats evolve, multifactor authentication (MFA) has become a cornerstone of secure digital identity. Microsoft Entra ID offers a range of MFA methods designed for robust security and diverse user needs, including those with accessibility constraints. Here's a closer look at how these MFA options enhance accessibility and inclusivity. ## Microsoft Authenticator @@ -20,7 +20,7 @@ The Microsoft Authenticator app provides either notifications for quick approval ## Text and voice calls -Text and voice call options cater to those who may not use a smartphone app. This can be particularly beneficial for individuals with certain accessibility needs: +Text and voice call options cater to those who may not use a smartphone app. This can be beneficial for individuals with certain accessibility needs: - **Text:** Allows users to receive a verification code via text message, which can be useful for those with hearing impairments or those who prefer text-based communication. 
@@ -30,7 +30,7 @@ For more information, see [Phone authentication methods](/entra/identity/authent ## FIDO2 security keys -FIDO2 security keys are physical devices that offer a highly accessible and secure MFA option. These hardware keys support biometric authentication (such as fingerprint scans) or PINs, making them ideal for users who may find traditional passwords or other authentication methods challenging. FIDO2 keys are particularly beneficial for users with physical disabilities who may have difficulty typing complex passwords. +FIDO2 security keys are physical devices that offer a highly accessible and secure MFA option. These hardware keys support biometric authentication (such as fingerprint scans) or PINs, making them ideal for users who may find traditional passwords or other authentication methods challenging. FIDO2 keys are beneficial for users with physical disabilities who may have difficulty typing complex passwords. For more information, see [How to register passkey (FIDO2)](/entra/identity/authentication/how-to-register-passkey-with-security-key). 
@@ -51,7 +51,7 @@ References: ## Conclusion -Microsoft Entra ID's range of MFA options enables individuals with diverse needs to access secure authentication without compromising on usability. By offering various options like the Authenticator app, SMS and voice calls, FIDO2 keys, Windows Hello, and email verification, Microsoft Entra ID ensures that security measures remain accessible and inclusive for all users. +Microsoft Entra ID's range of MFA options enables individuals with diverse needs to access secure authentication without compromising on usability. To ensure that security measures remain accessible and inclusive for all users, Microsoft Entra ID offers various options like the Authenticator app, SMS and voice calls, FIDO2 keys, Windows Hello, and email verification. Selecting the right MFA method depends on individual needs and constraints. Microsoft’s commitment to flexible and inclusive authentication helps everyone stay secure, regardless of their physical or technological limitations. For those with specific accessibility requirements, it’s worth exploring each MFA option to find the one that aligns best with personal preferences and usability needs. diff --git a/docs/identity/authentication/certificate-based-authentication-faq.yml b/docs/identity/authentication/certificate-based-authentication-faq.yml index ffea01d3e4c..1d7d61cea3c 100644 --- a/docs/identity/authentication/certificate-based-authentication-faq.yml +++ b/docs/identity/authentication/certificate-based-authentication-faq.yml @@ -6,7 +6,7 @@ metadata: ms.subservice: authentication ms.custom: has-azure-ad-ps-ref ms.topic: faq - ms.date: 11/26/2024 + ms.date: 01/03/2024 ms.author: justinha author: justinha manager: amycolannino diff --git a/docs/identity/authentication/certificate-based-authentication-federation-android.md b/docs/identity/authentication/certificate-based-authentication-federation-android.md index db1b05dca90..fd052d49971 100644 
--- a/docs/identity/authentication/certificate-based-authentication-federation-android.md +++ b/docs/identity/authentication/certificate-based-authentication-federation-android.md @@ -6,7 +6,7 @@ ms.service: entra-id ms.subservice: authentication ms.custom: has-azure-ad-ps-ref, azure-ad-ref-level-one-done ms.topic: how-to -ms.date: 11/26/2024 +ms.date: 01/03/2024 ms.author: justinha author: justinha diff --git a/docs/identity/authentication/certificate-based-authentication-federation-get-started.md b/docs/identity/authentication/certificate-based-authentication-federation-get-started.md index 246c3fa9364..3de25151098 100644 --- a/docs/identity/authentication/certificate-based-authentication-federation-get-started.md +++ b/docs/identity/authentication/certificate-based-authentication-federation-get-started.md @@ -6,7 +6,7 @@ ms.service: entra-id ms.subservice: authentication ms.custom: has-azure-ad-ps-ref ms.topic: how-to -ms.date: 11/26/2024 +ms.date: 01/03/2024 ms.author: justinha author: justinha diff --git a/docs/identity/authentication/certificate-based-authentication-federation-ios.md b/docs/identity/authentication/certificate-based-authentication-federation-ios.md index 6da155ba9e9..ff942671447 100644 --- a/docs/identity/authentication/certificate-based-authentication-federation-ios.md +++ b/docs/identity/authentication/certificate-based-authentication-federation-ios.md @@ -6,7 +6,7 @@ ms.service: entra-id ms.subservice: authentication ms.custom: has-azure-ad-ps-ref, azure-ad-ref-level-one-done ms.topic: conceptual -ms.date: 11/25/2024 +ms.date: 01/03/2024 ms.author: justinha author: justinha diff --git a/docs/identity/authentication/concept-authentication-authenticator-app.md b/docs/identity/authentication/concept-authentication-authenticator-app.md index 5d2ff8b8ed5..e4360be95ee 100644 --- a/docs/identity/authentication/concept-authentication-authenticator-app.md +++ b/docs/identity/authentication/concept-authentication-authenticator-app.md 
@@ -5,7 +5,7 @@ description: Learn about using the Microsoft Authenticator in Microsoft Entra ID ms.service: entra-id ms.subservice: authentication ms.topic: conceptual -ms.date: 10/29/2024 +ms.date: 01/03/2024 ms.author: justinha author: justinha diff --git a/docs/identity/authentication/concept-authentication-default-enablement.md b/docs/identity/authentication/concept-authentication-default-enablement.md index 9fd07cd14ee..9eb4498c91a 100644 --- a/docs/identity/authentication/concept-authentication-default-enablement.md +++ b/docs/identity/authentication/concept-authentication-default-enablement.md @@ -5,7 +5,7 @@ description: Learn about authentication features that can be enabled by default ms.service: entra-id ms.subservice: authentication ms.topic: conceptual -ms.date: 11/26/2024 +ms.date: 01/03/2024 ms.author: justinha author: ChristianCB83 diff --git a/docs/identity/authentication/concept-authentication-external-method-provider.md b/docs/identity/authentication/concept-authentication-external-method-provider.md index c18f27c85fc..e8564e3e5cb 100644 --- a/docs/identity/authentication/concept-authentication-external-method-provider.md +++ b/docs/identity/authentication/concept-authentication-external-method-provider.md @@ -6,7 +6,7 @@ description: Learn how to configure an external authentication method (EAM) prov ms.service: entra-id ms.subservice: authentication ms.topic: conceptual -ms.date: 05/03/2024 +ms.date: 01/03/2024 ms.author: justinha author: gregkmsft diff --git a/docs/identity/authentication/concept-authentication-methods-manage.md b/docs/identity/authentication/concept-authentication-methods-manage.md index cf981b4a817..df9606be809 100644 --- a/docs/identity/authentication/concept-authentication-methods-manage.md +++ b/docs/identity/authentication/concept-authentication-methods-manage.md 
@@ -5,7 +5,7 @@ description: Learn about the authentication methods policy and different ways to ms.service: entra-id ms.subservice: authentication ms.topic: conceptual -ms.date: 12/03/2024 +ms.date: 01/03/2024 ms.author: justinha author: justinha diff --git a/docs/identity/authentication/concept-authentication-methods.md b/docs/identity/authentication/concept-authentication-methods.md index fe76771c7ed..7edd844eb88 100644 --- a/docs/identity/authentication/concept-authentication-methods.md +++ b/docs/identity/authentication/concept-authentication-methods.md @@ -5,7 +5,7 @@ description: Learn about the different authentication methods and features avail ms.service: entra-id ms.subservice: authentication ms.topic: conceptual -ms.date: 11/11/2024 +ms.date: 01/03/2024 ms.author: justinha author: justinha diff --git a/docs/identity/authentication/concept-authentication-oath-tokens.md b/docs/identity/authentication/concept-authentication-oath-tokens.md index 06443e59a56..fba98257c61 100644 --- a/docs/identity/authentication/concept-authentication-oath-tokens.md +++ b/docs/identity/authentication/concept-authentication-oath-tokens.md @@ -6,7 +6,7 @@ services: active-directory ms.service: entra-id ms.subservice: authentication ms.topic: conceptual -ms.date: 11/15/2024 +ms.date: 01/03/2024 ms.author: justinha author: justinha diff --git a/docs/identity/authentication/concept-authentication-phone-options.md b/docs/identity/authentication/concept-authentication-phone-options.md index 1d88b90a582..2f5758c599f 100644 --- a/docs/identity/authentication/concept-authentication-phone-options.md +++ b/docs/identity/authentication/concept-authentication-phone-options.md @@ -5,7 +5,7 @@ description: Learn about using phone authentication methods in Microsoft Entra I ms.service: entra-id ms.subservice: authentication ms.topic: conceptual -ms.date: 11/06/2024 +ms.date: 01/03/2024 ms.author: justinha author: justinha 
diff --git a/docs/identity/authentication/concept-authentication-security-questions.md b/docs/identity/authentication/concept-authentication-security-questions.md index 2c37d992a2a..849f901509b 100644 --- a/docs/identity/authentication/concept-authentication-security-questions.md +++ b/docs/identity/authentication/concept-authentication-security-questions.md @@ -5,7 +5,7 @@ description: Learn about using security questions in Microsoft Entra ID to help ms.service: entra-id ms.subservice: authentication ms.topic: conceptual -ms.date: 11/26/2024 +ms.date: 01/03/2024 ms.author: justinha author: justinha @@ -24,7 +24,7 @@ When users register for SSPR, they're prompted to choose the authentication meth > [!NOTE] > Security questions are stored privately and securely on a user object in the directory and can only be answered by users during registration. There's no way for an administrator to read or modify a user's questions or answers. -Security questions can be less secure than other methods because some people might know the answers to another user's questions. If you use security questions with SSPR, it's recommended to use them in conjunction with another method. A user can be prompted to use the Microsoft Authenticator App or phone authentication to verify their identity during the SSPR process, and choose security questions only if they don't have their phone or registered device with them. +Security questions can be less secure than other methods because some people might know the answers to another user's questions. If you use security questions with SSPR, it's recommended to use them in along with another method. A user can be prompted to use the Microsoft Authenticator App or phone authentication to verify their identity during the SSPR process, and choose security questions only if they don't have their phone or registered device with them. ## Predefined questions 
diff --git a/docs/identity/authentication/concept-authentication-strength-advanced-options.md b/docs/identity/authentication/concept-authentication-strength-advanced-options.md index 7ebf926519b..2881795bac2 100644 --- a/docs/identity/authentication/concept-authentication-strength-advanced-options.md +++ b/docs/identity/authentication/concept-authentication-strength-advanced-options.md @@ -6,7 +6,7 @@ description: Learn how admins can create custom authentication strengths with ad ms.service: entra-id ms.subservice: authentication ms.topic: conceptual -ms.date: 03/25/2024 +ms.date: 01/03/2024 ms.author: justinha author: inbarckms diff --git a/docs/identity/authentication/concept-authentication-strength-external-users.md b/docs/identity/authentication/concept-authentication-strength-external-users.md index 4227ebbaaaa..5afdab874e1 100644 --- a/docs/identity/authentication/concept-authentication-strength-external-users.md +++ b/docs/identity/authentication/concept-authentication-strength-external-users.md @@ -6,7 +6,7 @@ description: Learn how admins can use authentication strength requirements for e ms.service: entra-id ms.subservice: authentication ms.topic: conceptual -ms.date: 01/12/2024 +ms.date: 01/03/2024 ms.author: justinha author: inbarckms diff --git a/docs/identity/authentication/concept-authentication-strength-how-it-works.md b/docs/identity/authentication/concept-authentication-strength-how-it-works.md index 3ce23b283af..4c6b8fd01f3 100644 --- a/docs/identity/authentication/concept-authentication-strength-how-it-works.md +++ b/docs/identity/authentication/concept-authentication-strength-how-it-works.md @@ -6,7 +6,7 @@ description: Learn how admins can use a Conditional Access Policy to require spe ms.service: entra-id ms.subservice: authentication ms.topic: conceptual -ms.date: 05/13/2024 +ms.date: 01/03/2024 ms.author: justinha author: inbarckms 
diff --git a/docs/identity/authentication/concept-authentication-strengths.md b/docs/identity/authentication/concept-authentication-strengths.md index 0baba613a91..109d61218b2 100644 --- a/docs/identity/authentication/concept-authentication-strengths.md +++ b/docs/identity/authentication/concept-authentication-strengths.md @@ -6,7 +6,7 @@ description: Learn how admins can use Microsoft Entra Conditional Access to dist ms.service: entra-id ms.subservice: authentication ms.topic: conceptual -ms.date: 11/18/2024 +ms.date: 01/03/2024 ms.author: justinha author: inbarckms diff --git a/docs/identity/authentication/concept-authentication-web-browser-cookies.md b/docs/identity/authentication/concept-authentication-web-browser-cookies.md index 12a63440c4d..a565a896289 100644 --- a/docs/identity/authentication/concept-authentication-web-browser-cookies.md +++ b/docs/identity/authentication/concept-authentication-web-browser-cookies.md @@ -5,7 +5,7 @@ description: Learn about Web browser cookies used in Microsoft Entra authenticat ms.service: entra-id ms.subservice: authentication ms.topic: overview -ms.date: 11/26/2024 +ms.date: 01/03/2024 ms.author: justinha author: custorod diff --git a/docs/identity/authentication/concept-certificate-based-authentication-certificateuserids.md b/docs/identity/authentication/concept-certificate-based-authentication-certificateuserids.md index 7f39c911ce1..5b23edfceaa 100644 --- a/docs/identity/authentication/concept-certificate-based-authentication-certificateuserids.md +++ b/docs/identity/authentication/concept-certificate-based-authentication-certificateuserids.md @@ -5,7 +5,7 @@ description: Learn about certificate user IDs for Microsoft Entra certificate-ba ms.service: entra-id ms.subservice: authentication ms.topic: how-to -ms.date: 11/26/2024 +ms.date: 01/03/2024 ms.author: justinha author: vimrang 
diff --git a/docs/identity/authentication/concept-certificate-based-authentication-limitations.md b/docs/identity/authentication/concept-certificate-based-authentication-limitations.md index 46e4bdf24c0..5b9a0d83d1c 100644 --- a/docs/identity/authentication/concept-certificate-based-authentication-limitations.md +++ b/docs/identity/authentication/concept-certificate-based-authentication-limitations.md @@ -5,7 +5,7 @@ description: Learn supported and unsupported scenarios for Microsoft Entra certi ms.service: entra-id ms.subservice: authentication ms.topic: how-to -ms.date: 11/26/2024 +ms.date: 01/03/2024 ms.author: justinha author: justinha diff --git a/docs/identity/authentication/concept-certificate-based-authentication-migration.md b/docs/identity/authentication/concept-certificate-based-authentication-migration.md index 9133cc05da0..c5154dc570b 100644 --- a/docs/identity/authentication/concept-certificate-based-authentication-migration.md +++ b/docs/identity/authentication/concept-certificate-based-authentication-migration.md @@ -5,7 +5,7 @@ description: Learn how to migrate from Federated server to Microsoft Entra ID ms.service: entra-id ms.subservice: authentication ms.topic: how-to -ms.date: 10/03/2024 +ms.date: 01/03/2024 ms.author: justinha 
@@ -21,15 +21,15 @@ This article explains how to migrate from running federated servers such as Acti ## Staged Rollout -A tenant admin could cut the federated domain fully over to Microsoft Entra CBA without pilot testing by enabling the CBA auth method in Microsoft Entra ID and converting the entire domain to managed authentication. However if customer wants to test a small batch of users authenticate against Microsoft Entra CBA before the full domain cutover to managed, they can make use of staged rollout feature. +A tenant admin could cut the federated domain fully over to Microsoft Entra CBA without pilot testing. This is done by enabling the CBA auth method in Microsoft Entra ID and converting the entire domain to managed authentication. However, if customer wants to test a small batch of users authenticate against Microsoft Entra CBA before the full domain cutover to managed, they can make use of staged rollout feature. -[Staged Rollout](~/identity/hybrid/connect/how-to-connect-staged-rollout.md) for Certificate-based Authentication (CBA) helps customers transition from performing CBA at a federated IdP to Microsoft Entra ID by selectively moving small set of users to use CBA at Microsoft Entra ID (no longer being redirected to the federated IdP) with selected groups of users before then converting the domain configuration in Microsoft Entra ID from federated to managed. Staged rollout is not designed for the domain to remain federated for long periods of time or for large amounts of users. +[Staged Rollout](~/identity/hybrid/connect/how-to-connect-staged-rollout.md) for Certificate-based Authentication (CBA) helps customers transition from performing CBA at a federated IdP to Microsoft Entra ID by selectively moving small set of users to use CBA at Microsoft Entra ID (no longer being redirected to the federated IdP) with selected groups of users before then converting the domain configuration in Microsoft Entra ID from federated to managed. 
Staged rollout isn't designed for the domain to remain federated for long periods of time or for large amounts of users. Watch this quick video demonstrating the migration from ADFS certificate-based authentication to Microsoft Entra CBA > [!VIDEO https://www.youtube.com/embed/jsKQxo-xGgA] >[!NOTE] -> When Staged rollout is enabled for a user, the user is considered a managed user and all authentication will happen at Microsoft Entra ID. For a federated Tenant, if CBA is enabled on Staged Rollout, password authentication only works if PHS is enabled too otherwise password authentication will fail. +> When Staged rollout is enabled for a user, the user is considered a managed user and all authentication happens at Microsoft Entra ID. For a federated Tenant, if CBA is enabled on Staged Rollout, password authentication only works if PHS is enabled too. Otherwise, password authentication fails. ## Enable Staged Rollout for certificate-based authentication on your tenant 
@@ -39,9 +39,9 @@ To configure Staged Rollout, follow these steps: 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [User Administrator](~/identity/role-based-access-control/permissions-reference.md#user-administrator). 1. Search for and select **Microsoft Entra Connect**. -1. On the Microsoft Entra Connect page, under the Staged Rollout of cloud authentication, click **Enable Staged Rollout for managed user sign-in**. -1. On the **Enable Staged Rollout** feature page, click **On** for the option [Certificate-based authentication](./certificate-based-authentication-federation-get-started.md) -1. Click **Manage groups** and add groups you want to be part of cloud authentication. To avoid a time-out, ensure that the security groups contain no more than 200 members initially. +1. On the Microsoft Entra Connect page, under the Staged Rollout of cloud authentication, select **Enable Staged Rollout for managed user sign-in**. +1. On the **Enable Staged Rollout** feature page, select **On** for the option [Certificate-based authentication](./certificate-based-authentication-federation-get-started.md) +1. Select **Manage groups** and add groups you want to be part of cloud authentication. To avoid a time-out, ensure that the security groups contain no more than 200 members initially. For more information, see [Staged Rollout](~/identity/hybrid/connect/how-to-connect-staged-rollout.md). 
@@ -54,7 +54,7 @@ An AD FS admin can use **Synchronization Rules Editor** to create rules to sync Microsoft Entra Connect requires a special role named **Hybrid Identity Administrator**, which grants the necessary permissions. You need this role for permission to write to the new cloud attribute. >[!NOTE] ->If a user is using synchronized attributes, such as the onPremisesUserPrincipalName attribute in the user object for username binding, be aware that any user that has administrative access to the Microsoft Entra Connect server can change the synchronized attribute mapping, and change the value of the synchronized attribute. The user does not need to be a cloud admin. The AD FS admin should make sure the administrative access to the Microsoft Entra Connect server should be limited, and privileged accounts should be cloud-only accounts. +>If a user is using synchronized attributes, such as the onPremisesUserPrincipalName attribute in the user object for username binding, then any user that has administrative access to the Microsoft Entra Connect server can change the synchronized attribute mapping, and change the value of the synchronized attribute. The user doesn't need to be a cloud admin. The AD FS admin should make sure the administrative access to the Microsoft Entra Connect server should be limited, and privileged accounts should be cloud-only accounts. 
@@ -66,7 +66,7 @@ Although it's possible, Microsoft recommends privileged accounts be cloud-only a ### If an organization is a hybrid running both AD FS and Azure CBA, are they still vulnerable to the AD FS compromise? -Microsoft recommends privileged accounts be cloud-only accounts. This practice will limit the exposure in Microsoft Entra ID from a compromised on-premises environment. Maintaining privileged accounts a cloud-only is foundational to this goal. +Microsoft recommends privileged accounts be cloud-only accounts. This practice limits the exposure in Microsoft Entra ID from a compromised on-premises environment. Maintaining privileged accounts a cloud-only is foundational to this goal. For synchronized accounts: @@ -89,7 +89,7 @@ Microsoft Entra CBA requires the user or application to supply the Microsoft Ent In the browser example, the user most often types in their Microsoft Entra UPN. The Microsoft Entra UPN is used for realm and user discovery. The certificate used then must match this user by using one of the configured username bindings in the policy. -In Windows sign-in, the match depends on if the device is hybrid or Microsoft Entra joined. But in both cases, if username hint is provided, Windows will send the hint as a Microsoft Entra UPN. The certificate used then must match this user by using one of the configured username bindings in the policy. +In Windows sign-in, the match depends on if the device is hybrid or Microsoft Entra joined. But in both cases, if username hint is provided, Windows sends the hint as a Microsoft Entra UPN. The certificate used then must match this user by using one of the configured username bindings in the policy. ## Next steps 
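Review bot: the first hunk's edited line still carries the grammatical error "Maintaining privileged accounts a cloud-only is foundational to this goal"; it should read "Maintaining privileged accounts as cloud-only is foundational to this goal". While you are in that line, the heading in the context above it says "Azure CBA" where the rest of the page says "Microsoft Entra CBA". The second hunk ("Windows sends the hint") is fine.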
@@ -99,6 +99,6 @@ In Windows sign-in, the match depends on if the device is hybrid or Microsoft En - [How to configure Microsoft Entra CBA](how-to-certificate-based-authentication.md) - [Microsoft Entra CBA on iOS devices](concept-certificate-based-authentication-mobile-ios.md) - [Microsoft Entra CBA on Android devices](concept-certificate-based-authentication-mobile-android.md) -- [Windows smart card logon using Microsoft Entra CBA](concept-certificate-based-authentication-smartcard.md) +- [Windows smart card sign-in using Microsoft Entra CBA](concept-certificate-based-authentication-smartcard.md) - [Certificate user IDs](concept-certificate-based-authentication-certificateuserids.md) - [FAQ](certificate-based-authentication-faq.yml) diff --git a/docs/identity/authentication/concept-certificate-based-authentication-mobile-android.md b/docs/identity/authentication/concept-certificate-based-authentication-mobile-android.md index b4016836e2f..fa84787bd35 100644 --- a/docs/identity/authentication/concept-certificate-based-authentication-mobile-android.md +++ b/docs/identity/authentication/concept-certificate-based-authentication-mobile-android.md @@ -5,7 +5,7 @@ description: Learn about Microsoft Entra certificate-based authentication on And ms.service: entra-id ms.subservice: authentication ms.topic: how-to -ms.date: 11/26/2024 +ms.date: 01/03/2024 ms.author: justinha author: vimrang diff --git a/docs/identity/authentication/concept-certificate-based-authentication-mobile-ios.md b/docs/identity/authentication/concept-certificate-based-authentication-mobile-ios.md index e552e99e3a3..133f191dcd0 100644 --- a/docs/identity/authentication/concept-certificate-based-authentication-mobile-ios.md +++ b/docs/identity/authentication/concept-certificate-based-authentication-mobile-ios.md 
@@ -5,7 +5,7 @@ description: Learn about Microsoft Entra certificate-based authentication on App ms.service: entra-id ms.subservice: authentication ms.topic: how-to -ms.date: 11/27/2024 +ms.date: 01/03/2024 ms.author: justinha author: justinha diff --git a/docs/identity/authentication/concept-certificate-based-authentication-smartcard.md b/docs/identity/authentication/concept-certificate-based-authentication-smartcard.md index bae700cda0c..a39b4992aee 100644 --- a/docs/identity/authentication/concept-certificate-based-authentication-smartcard.md +++ b/docs/identity/authentication/concept-certificate-based-authentication-smartcard.md @@ -5,7 +5,7 @@ description: Learn how to enable Windows smart card sign-in using Microsoft Entr ms.service: entra-id ms.subservice: authentication ms.topic: how-to -ms.date: 11/27/2024 +ms.date: 01/03/2024 ms.author: justinha author: justinha diff --git a/docs/identity/authentication/concept-certificate-based-authentication.md b/docs/identity/authentication/concept-certificate-based-authentication.md index 096c3e8a68c..b7242d2e939 100644 --- a/docs/identity/authentication/concept-certificate-based-authentication.md +++ b/docs/identity/authentication/concept-certificate-based-authentication.md @@ -5,7 +5,7 @@ description: Learn about Microsoft Entra certificate-based authentication withou ms.service: entra-id ms.subservice: authentication ms.topic: how-to -ms.date: 11/26/2024 +ms.date: 01/03/2024 ms.author: justinha author: vimrang diff --git a/docs/identity/conditional-access/concept-condition-filters-for-devices.md b/docs/identity/conditional-access/concept-condition-filters-for-devices.md index f796071c291..04d82466de6 100644 --- a/docs/identity/conditional-access/concept-condition-filters-for-devices.md +++ b/docs/identity/conditional-access/concept-condition-filters-for-devices.md 
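Review bot: the `ms.date` changes in the four certificate-based-authentication topics (mobile-android, mobile-ios, smartcard, and the concept page) all move the date backwards, from 11/26/2024 or 11/27/2024 to 01/03/2024. A metadata date that predates the previous edit is almost certainly a typo for 01/03/2025; please correct all four before merging, otherwise the pages will advertise a stale review date.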
@@ -55,7 +55,7 @@ Policy 1: All users with an administrator role, accessing the Windows Azure Serv 1. Under **Include**, select **Directory roles**, then all roles with administrator in the name. > [!WARNING] - > Conditional Access policies support built-in roles. Conditional Access policies are not enforced for other role types including [administrative unit-scoped](~/identity/role-based-access-control/admin-units-assign-roles.md) or [custom roles](/entra/identity/role-based-access-control/custom-create). + > Conditional Access policies support built-in roles. Conditional Access policies are not enforced for other role types including [administrative unit-scoped](../role-based-access-control/manage-roles-portal.md or [custom roles](../role-based-access-control/custom-create.md). 1. Under **Exclude**, select **Users and groups** and choose your organization's emergency access or break-glass accounts. 1. Select **Done**. @@ -72,7 +72,7 @@ Policy 2: All users with an administrator role, accessing the Windows Azure Serv 1. Under **Include**, select **Directory roles**, then all roles with administrator in the name > [!WARNING] - > Conditional Access policies support built-in roles. Conditional Access policies are not enforced for other role types including [administrative unit-scoped](~/identity/role-based-access-control/admin-units-assign-roles.md) or [custom roles](/entra/identity/role-based-access-control/custom-create). + > Conditional Access policies support built-in roles. Conditional Access policies are not enforced for other role types including [administrative unit-scoped](../role-based-access-control/manage-roles-portal.md) or [custom roles](../role-based-access-control/custom-create.md). 1. Under **Exclude**, select **Users and groups** and choose your organization's emergency access or break-glass accounts. 1. Select **Done**. 
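Review bot: the first hunk's replacement line has a broken markdown link: `[administrative unit-scoped](../role-based-access-control/manage-roles-portal.md or [custom roles](...)` is missing the closing parenthesis after `manage-roles-portal.md`, so the warning will render with raw link syntax. The second hunk in this file gets it right; copy that form. Separately, across this and the other Conditional Access pages in the patch, the link text "administrative unit-scoped" now points at the generic manage-roles-portal.md page; if that page has a section for administrative-unit scope (the `#assign-roles-with-tenant-scope` anchor used in concept-filter-for-applications.md suggests it has per-scope sections), link to that anchor so readers land on the relevant content.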
diff --git a/docs/identity/conditional-access/concept-conditional-access-users-groups.md b/docs/identity/conditional-access/concept-conditional-access-users-groups.md index 864c532dbff..625975c249d 100644 --- a/docs/identity/conditional-access/concept-conditional-access-users-groups.md +++ b/docs/identity/conditional-access/concept-conditional-access-users-groups.md @@ -50,7 +50,7 @@ The following options are available to include when creating a Conditional Acces > If users or groups are a member of over 2048 groups their access may be blocked. This limit applies to both direct and nested group membership. > [!WARNING] -> Conditional Access policies do not support users assigned a directory role [scoped to an administrative unit](~/identity/role-based-access-control/admin-units-assign-roles.md) or directory roles scoped directly to an object, like through [custom roles](/entra/identity/role-based-access-control/custom-create). +> Conditional Access policies do not support users assigned a directory role [scoped to an administrative unit](../role-based-access-control/manage-roles-portal.md) or directory roles scoped directly to an object, like through [custom roles](../role-based-access-control/custom-create.md). > [!NOTE] > When targeting policies to B2B direct connect external users, these policies will also be applied to B2B collaboration users accessing Teams or SharePoint Online who are also eligible for B2B direct connect. The same applies for policies targeted to B2B collaboration external users, meaning users accessing Teams shared channels will have B2B collaboration policies apply if they also have a guest user presence in the tenant. diff --git a/docs/identity/conditional-access/concept-filter-for-applications.md b/docs/identity/conditional-access/concept-filter-for-applications.md index b8ecb567677..6196b3ed049 100644 --- a/docs/identity/conditional-access/concept-filter-for-applications.md 
+++ b/docs/identity/conditional-access/concept-filter-for-applications.md @@ -32,7 +32,7 @@ Custom security attributes are security sensitive and can only be managed by del | [Attribute Definition Administrator](../role-based-access-control/permissions-reference.md#attribute-definition-administrator) | Define and manage the definition of custom security attributes. | | [Attribute Definition Reader](../role-based-access-control/permissions-reference.md#attribute-definition-reader) | Read the definition of custom security attributes. | -Assign the appropriate role to the users who manage or report on these attributes at the directory scope. For detailed steps, see [Assign a role](/entra/identity/role-based-access-control/manage-roles-portal#assign-a-role). +Assign the appropriate role to the users who manage or report on these attributes at the directory scope. For detailed steps, see [Assign Microsoft Entra roles](../role-based-access-control/manage-roles-portal.md#assign-roles-with-tenant-scope). [!INCLUDE [security-attributes-roles](../../includes/security-attributes-roles.md)] diff --git a/docs/identity/conditional-access/policy-admin-phish-resistant-mfa.md b/docs/identity/conditional-access/policy-admin-phish-resistant-mfa.md index 4d497b495cc..c0a3469722f 100644 --- a/docs/identity/conditional-access/policy-admin-phish-resistant-mfa.md +++ b/docs/identity/conditional-access/policy-admin-phish-resistant-mfa.md 
@@ -57,7 +57,7 @@ For external user scenarios, the MFA authentication methods that a resource tena 1. Under **Include**, select **Directory roles** and choose at least the previously listed roles. > [!WARNING] - > Conditional Access policies support built-in roles. Conditional Access policies are not enforced for other role types including [administrative unit-scoped](~/identity/role-based-access-control/admin-units-assign-roles.md) or [custom roles](/entra/identity/role-based-access-control/custom-create). + > Conditional Access policies support built-in roles. Conditional Access policies are not enforced for other role types including [administrative unit-scoped](../role-based-access-control/manage-roles-portal.md) or [custom roles](../role-based-access-control/custom-create.md). 1. Under **Exclude**, select **Users and groups** and choose your organization's emergency access or break-glass accounts. 1. Under **Target resources** > **Resources (formerly cloud apps)** > **Include**, select **All resources (formerly 'All cloud apps')**. diff --git a/docs/identity/conditional-access/policy-alt-admin-device-compliand-hybrid.md b/docs/identity/conditional-access/policy-alt-admin-device-compliand-hybrid.md index dd27c73005d..b40f64e0062 100644 --- a/docs/identity/conditional-access/policy-alt-admin-device-compliand-hybrid.md +++ b/docs/identity/conditional-access/policy-alt-admin-device-compliand-hybrid.md 
@@ -43,7 +43,7 @@ The following steps help create a Conditional Access policy to require multifact 1. Under **Include**, select **Directory roles** and choose at least the previously listed roles. > [!WARNING] - > Conditional Access policies support built-in roles. Conditional Access policies are not enforced for other role types including [administrative unit-scoped](~/identity/role-based-access-control/admin-units-assign-roles.md) or [custom roles](/entra/identity/role-based-access-control/custom-create). + > Conditional Access policies support built-in roles. Conditional Access policies are not enforced for other role types including [administrative unit-scoped](../role-based-access-control/manage-roles-portal.md) or [custom roles](../role-based-access-control/custom-create.md). 1. Under **Exclude**, select **Users and groups** and choose your organization's emergency access or break-glass accounts. 1. Under **Target resources** > **Resources (formerly cloud apps)** > **Include**, select **All resources (formerly 'All cloud apps')**. diff --git a/docs/identity/conditional-access/policy-old-require-mfa-admin-portals.md b/docs/identity/conditional-access/policy-old-require-mfa-admin-portals.md index 6380aa82388..fd7455702fa 100644 --- a/docs/identity/conditional-access/policy-old-require-mfa-admin-portals.md +++ b/docs/identity/conditional-access/policy-old-require-mfa-admin-portals.md 
@@ -35,7 +35,7 @@ Microsoft recommends you require phishing-resistant multifactor authentication o 1. Under **Include**, select **Directory roles** and choose at least the previously listed roles. > [!WARNING] - > Conditional Access policies support built-in roles. Conditional Access policies are not enforced for other role types including [administrative unit-scoped](~/identity/role-based-access-control/admin-units-assign-roles.md) or [custom roles](/entra/identity/role-based-access-control/custom-create). + > Conditional Access policies support built-in roles. Conditional Access policies are not enforced for other role types including [administrative unit-scoped](../role-based-access-control/manage-roles-portal.md) or [custom roles](../role-based-access-control/custom-create.md). 1. Under **Exclude**, select **Users and groups** and choose your organization's emergency access or break-glass accounts. 1. Under **Target resources** > **Resources (formerly cloud apps)** > **Include**, **Select resources**, select **Microsoft Admin Portals**. diff --git a/docs/identity/conditional-access/policy-old-require-mfa-admin.md b/docs/identity/conditional-access/policy-old-require-mfa-admin.md index 1050725c0aa..7ed0a2dc129 100644 --- a/docs/identity/conditional-access/policy-old-require-mfa-admin.md +++ b/docs/identity/conditional-access/policy-old-require-mfa-admin.md 
@@ -39,7 +39,7 @@ The following steps help create a Conditional Access policy to require those ass 1. Under **Include**, select **Directory roles** and choose at least the previously listed roles. > [!WARNING] - > Conditional Access policies support built-in roles. Conditional Access policies are not enforced for other role types including [administrative unit-scoped](~/identity/role-based-access-control/admin-units-assign-roles.md) or [custom roles](/entra/identity/role-based-access-control/custom-create). + > Conditional Access policies support built-in roles. Conditional Access policies are not enforced for other role types including [administrative unit-scoped](../role-based-access-control/manage-roles-portal.md) or [custom roles](../role-based-access-control/custom-create.md). 1. Under **Exclude**, select **Users and groups** and choose your organization's emergency access or break-glass accounts. 1. Under **Target resources** > **Resources (formerly cloud apps)** > **Include**, select **All resources (formerly 'All cloud apps')**. diff --git a/docs/identity/devices/assign-local-admin.md b/docs/identity/devices/assign-local-admin.md index a5d95b7ca8f..b3135a54d35 100644 --- a/docs/identity/devices/assign-local-admin.md +++ b/docs/identity/devices/assign-local-admin.md 
@@ -34,10 +34,10 @@ By adding users to the Microsoft Entra Joined Device Local Administrator role, y ## Manage administrator roles -To view and update the membership of an [administrator role](~/identity/role-based-access-control/permissions-reference.md) role, see: +To view and update the membership of an [administrator role](../role-based-access-control/permissions-reference.md) role, see: -- [View all members of an administrator role in Microsoft Entra ID](/entra/identity/role-based-access-control/manage-roles-portal) -- [Assign a user to administrator roles in Microsoft Entra ID](~/fundamentals/how-subscriptions-associated-directory.yml) +- [View all members of an administrator role in Microsoft Entra ID](../role-based-access-control/view-assignments.md) +- [Assign a user to administrator roles in Microsoft Entra ID](../role-based-access-control/manage-roles-portal.md) ## Manage the Microsoft Entra Joined Device Local Administrator role diff --git a/docs/identity/devices/howto-manage-local-admin-passwords.md b/docs/identity/devices/howto-manage-local-admin-passwords.md index ba32e0c91aa..8b4317e3df1 100644 --- a/docs/identity/devices/howto-manage-local-admin-passwords.md +++ b/docs/identity/devices/howto-manage-local-admin-passwords.md 
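Review bot: the rewritten sentence keeps the duplicated noun, "membership of an [administrator role](...) role, see:"; drop the trailing "role". Replacing the `how-subscriptions-associated-directory.yml` target with `manage-roles-portal.md` for the "Assign a user to administrator roles" link is a good correction, since the old target was unrelated to role assignment.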
@@ -68,9 +68,9 @@ LAPS is available to all customers with Microsoft Entra ID Free or higher licens ### Required roles or permission -Other than the built-in Microsoft Entra roles like [Cloud Device Administrator](../role-based-access-control/permissions-reference.md#cloud-device-administrator) and [Intune Administrator](../role-based-access-control/permissions-reference.md#intune-administrator) that are granted *device.LocalCredentials.Read.All*, you can use [Microsoft Entra custom roles](/entra/identity/role-based-access-control/custom-create) or administrative units to authorize local administrator password recovery. For example: +Other than the built-in Microsoft Entra roles like [Cloud Device Administrator](../role-based-access-control/permissions-reference.md#cloud-device-administrator) and [Intune Administrator](../role-based-access-control/permissions-reference.md#intune-administrator) that are granted *device.LocalCredentials.Read.All*, you can use [Microsoft Entra custom roles](../role-based-access-control/custom-create.md) or administrative units to authorize local administrator password recovery. For example: -- Custom roles must be assigned the *microsoft.directory/deviceLocalCredentials/password/read* permission to authorize local administrator password recovery. You can create a custom role and grant permissions using the [Microsoft Entra admin center](https://entra.microsoft.com), [Microsoft Graph API](/entra/identity/role-based-access-control/custom-create#create-a-role-with-the-microsoft-graph-api) or [PowerShell](/entra/identity/role-based-access-control/custom-create#create-a-role-using-powershell). Once you create a custom role, you can assign it to users. +- Custom roles must be assigned the *microsoft.directory/deviceLocalCredentials/password/read* permission to authorize local administrator password recovery. 
You can [create a custom role](../role-based-access-control/custom-create.md) and grant permissions using the [Microsoft Entra admin center](https://entra.microsoft.com), Microsoft Graph API, or PowerShell. Once you create a custom role, you can assign it to users. - You can also create a Microsoft Entra ID [administrative unit](../role-based-access-control/administrative-units.md), add devices, and assign the Cloud Device Administrator role scoped to the administrative unit to authorize local administrator password recovery. diff --git a/docs/identity/enterprise-apps/migrate-applications-from-secrets.md b/docs/identity/enterprise-apps/migrate-applications-from-secrets.md index 46b8e773bb9..d2e696397fe 100644 --- a/docs/identity/enterprise-apps/migrate-applications-from-secrets.md +++ b/docs/identity/enterprise-apps/migrate-applications-from-secrets.md @@ -68,7 +68,7 @@ Identity federation allows you to access Microsoft Entra protected resources wit ### Create a least-privileged custom role to rotate application credentials -Microsoft Entra roles allow you to grant granular permissions to your admins, abiding by the principle of least privilege. A custom role can be created to rotate application credentials, ensuring that only the necessary permissions are granted to complete the task. To learn more, see [Create a custom role in Microsoft Entra ID](/entra/identity/role-based-access-control/custom-create). +Microsoft Entra roles allow you to grant granular permissions to your admins, abiding by the principle of least privilege. A custom role can be created to rotate application credentials, ensuring that only the necessary permissions are granted to complete the task. To learn more, see [Create a custom role in Microsoft Entra ID](../role-based-access-control/custom-create.md). ### Ensure you have a process to triage and monitor applications 
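Review bot: the LAPS hunk drops the deep links to the Microsoft Graph API and PowerShell sections of custom-create.md (`#create-a-role-with-the-microsoft-graph-api`, `#create-a-role-using-powershell`) and leaves "Microsoft Graph API, or PowerShell" as plain text, so a reader looking for the non-portal path now has to hunt for it. If those sections still exist in custom-create.md, keep the anchors; if they were removed, say so in the PR description. The same loss of specificity occurs later in the patch in the custom-consent-permissions.md NOTE, where the page requires PowerShell but the link now lands at the top of custom-create.md.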
diff --git a/docs/identity/managed-identities-azure-resources/includes/qs-configure-portal-windows-vm.md b/docs/identity/managed-identities-azure-resources/includes/qs-configure-portal-windows-vm.md index 834b9c8752e..4036bfdc6d5 100644 --- a/docs/identity/managed-identities-azure-resources/includes/qs-configure-portal-windows-vm.md +++ b/docs/identity/managed-identities-azure-resources/includes/qs-configure-portal-windows-vm.md @@ -95,4 +95,4 @@ To remove a user-assigned identity from a VM, your account needs the [Virtual Ma ## Next steps -- Using the Azure portal, give an Azure VM's managed identity [access to another Azure resource](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/how-to-assign-access-azure-resource?pivots=identity-mi-access-portal). +- Using the Azure portal, give an Azure VM's managed identity [access to another Azure resource](../how-to-assign-access-azure-resource.md?pivots=identity-mi-access-portal). \ No newline at end of file diff --git a/docs/identity/role-based-access-control/admin-units-manage.md b/docs/identity/role-based-access-control/admin-units-manage.md index 2297e30d034..897c5e705f2 100644 --- a/docs/identity/role-based-access-control/admin-units-manage.md +++ b/docs/identity/role-based-access-control/admin-units-manage.md @@ -181,5 +181,5 @@ DELETE https://graph.microsoft.com/v1.0/directory/administrativeUnits/{admin-uni ## Next steps - [Add users, groups, or devices to an administrative unit](admin-units-members-add.md) -- [Assign Microsoft Entra roles with administrative unit scope](admin-units-assign-roles.md) +- [Assign Microsoft Entra roles with administrative unit scope](manage-roles-portal.md) - [Microsoft Entra administrative units: Troubleshooting and FAQ](admin-units-faq-troubleshoot.yml) diff --git a/docs/identity/role-based-access-control/admin-units-members-add.md b/docs/identity/role-based-access-control/admin-units-members-add.md index 568a28e0b9b..b2c0022784e 100644 
--- a/docs/identity/role-based-access-control/admin-units-members-add.md +++ b/docs/identity/role-based-access-control/admin-units-members-add.md @@ -263,6 +263,6 @@ Body ## Next steps - [Administrative units in Microsoft Entra ID](administrative-units.md) -- [Assign Microsoft Entra roles with administrative unit scope](admin-units-assign-roles.md) +- [Assign Microsoft Entra roles with administrative unit scope](manage-roles-portal.md) - [Manage users or devices for an administrative unit with rules for dynamic membership groups](admin-units-members-dynamic.md) - [Remove users, groups, or devices from an administrative unit](admin-units-members-remove.md) diff --git a/docs/identity/role-based-access-control/admin-units-members-dynamic.md b/docs/identity/role-based-access-control/admin-units-members-dynamic.md index 22fd6d68f6b..da3c2442098 100644 --- a/docs/identity/role-based-access-control/admin-units-members-dynamic.md +++ b/docs/identity/role-based-access-control/admin-units-members-dynamic.md @@ -248,6 +248,6 @@ Body ## Next steps -- [Assign Microsoft Entra roles with administrative unit scope](admin-units-assign-roles.md) +- [Assign Microsoft Entra roles with administrative unit scope](manage-roles-portal.md) - [Add users or groups to an administrative unit](admin-units-members-add.md) - [Microsoft Entra administrative units: Troubleshooting and FAQ](admin-units-faq-troubleshoot.yml) diff --git a/docs/identity/role-based-access-control/admin-units-members-list.md b/docs/identity/role-based-access-control/admin-units-members-list.md index 0c230a2f5a9..19c24b1396e 100644 --- a/docs/identity/role-based-access-control/admin-units-members-list.md +++ b/docs/identity/role-based-access-control/admin-units-members-list.md 
@@ -221,4 +221,4 @@ Response ## Next steps - [Add users, groups, or devices to an administrative unit](admin-units-members-add.md) -- [Assign Microsoft Entra roles with administrative unit scope](admin-units-assign-roles.md) +- [Assign Microsoft Entra roles with administrative unit scope](manage-roles-portal.md) diff --git a/docs/identity/role-based-access-control/admin-units-members-remove.md b/docs/identity/role-based-access-control/admin-units-members-remove.md index 426162f9352..baf06c7879e 100644 --- a/docs/identity/role-based-access-control/admin-units-members-remove.md +++ b/docs/identity/role-based-access-control/admin-units-members-remove.md @@ -136,4 +136,4 @@ DELETE https://graph.microsoft.com/v1.0/directory/administrativeUnits/{admin-uni ## Next steps - [Add users, groups, or devices to an administrative unit](admin-units-members-add.md) -- [Assign Microsoft Entra roles with administrative unit scope](admin-units-assign-roles.md) +- [Assign Microsoft Entra roles with administrative unit scope](manage-roles-portal.md) diff --git a/docs/identity/role-based-access-control/admin-units-restricted-management.md b/docs/identity/role-based-access-control/admin-units-restricted-management.md index 59798920c50..a319ba69758 100644 --- a/docs/identity/role-based-access-control/admin-units-restricted-management.md +++ b/docs/identity/role-based-access-control/admin-units-restricted-management.md @@ -96,4 +96,4 @@ Restricted management administrative units require a Microsoft Entra ID P1 licen - [Create, update, or delete administrative units](admin-units-manage.md) - [Add users or groups to an administrative unit](admin-units-members-add.md) -- [Assign Microsoft Entra roles with administrative unit scope](admin-units-assign-roles.md) +- [Assign Microsoft Entra roles with administrative unit scope](manage-roles-portal.md) 
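Review bot: the Next steps hunks in admin-units-manage.md, admin-units-members-add.md, admin-units-members-dynamic.md, admin-units-members-list.md, admin-units-members-remove.md and admin-units-restricted-management.md (and administrative-units.md later in the patch) retarget the link text "Assign Microsoft Entra roles with administrative unit scope" to manage-roles-portal.md without changing the text. Either point at the administrative-unit-scope section of that page, if one exists, or adjust the link text to "Assign Microsoft Entra roles" so it does not promise content the target may not open on.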
diff --git a/docs/identity/role-based-access-control/administrative-units.md b/docs/identity/role-based-access-control/administrative-units.md index c9e9a87942d..a51a724113e 100644 --- a/docs/identity/role-based-access-control/administrative-units.md +++ b/docs/identity/role-based-access-control/administrative-units.md @@ -68,7 +68,7 @@ You can manage administrative units by using the Microsoft Entra admin center, P - [Create or delete administrative units](admin-units-manage.md) - [Add users, groups, or devices to an administrative unit](admin-units-members-add.md) - [Manage users or devices for an administrative unit with rules for dynamic membership groups](admin-units-members-dynamic.md) -- [Assign Microsoft Entra roles with administrative unit scope](admin-units-assign-roles.md) +- [Assign Microsoft Entra roles with administrative unit scope](manage-roles-portal.md) - [Work with administrative units](/powershell/azure/active-directory/working-with-administrative-units): Covers how to work with administrative units by using PowerShell. - [Administrative unit Graph support](/graph/api/resources/administrativeunit): Provides detailed documentation on Microsoft Graph for administrative units. diff --git a/docs/identity/role-based-access-control/best-practices.md b/docs/identity/role-based-access-control/best-practices.md index dcc61a2766b..ea926bf39ae 100644 --- a/docs/identity/role-based-access-control/best-practices.md +++ b/docs/identity/role-based-access-control/best-practices.md 
@@ -20,7 +20,7 @@ This article describes some of the best practices for using Microsoft Entra role ## 1. Apply principle of least privilege -When planning your access control strategy, it's a best practice to manage to least privilege. Least privilege means you grant your administrators exactly the permission they need to do their job. There are three aspects to consider when you assign a role to your administrators: a specific set of permissions, over a specific scope, for a specific period of time. Avoid assigning broader roles at broader scopes even if it initially seems more convenient to do so. By limiting roles and scopes, you limit what resources are at risk if the security principal is ever compromised. Microsoft Entra RBAC supports over 65 [built-in roles](permissions-reference.md). There are Microsoft Entra roles to manage directory objects like users, groups, and applications, and also to manage Microsoft 365 services like Exchange, SharePoint, and Intune. To better understand Microsoft Entra built-in roles, see [Understand roles in Microsoft Entra ID](concept-understand-roles.md). If there isn't a built-in role that meets your need, you can create your own [custom roles](/entra/identity/role-based-access-control/custom-create). +When planning your access control strategy, it's a best practice to manage to least privilege. Least privilege means you grant your administrators exactly the permission they need to do their job. There are three aspects to consider when you assign a role to your administrators: a specific set of permissions, over a specific scope, for a specific period of time. Avoid assigning broader roles at broader scopes even if it initially seems more convenient to do so. By limiting roles and scopes, you limit what resources are at risk if the security principal is ever compromised. Microsoft Entra RBAC supports over 65 [built-in roles](permissions-reference.md). 
There are Microsoft Entra roles to manage directory objects like users, groups, and applications, and also to manage Microsoft 365 services like Exchange, SharePoint, and Intune. To better understand Microsoft Entra built-in roles, see [Understand roles in Microsoft Entra ID](concept-understand-roles.md). If there isn't a built-in role that meets your need, you can create your own [custom roles](custom-create.md). ### Finding the right roles diff --git a/docs/identity/role-based-access-control/concept-understand-roles.md b/docs/identity/role-based-access-control/concept-understand-roles.md index 41fc92af822..3f8c33b1d64 100644 --- a/docs/identity/role-based-access-control/concept-understand-roles.md +++ b/docs/identity/role-based-access-control/concept-understand-roles.md @@ -70,5 +70,5 @@ The following table is offered as an aid to understanding these role categories. ## Next steps - [Overview of Microsoft Entra role-based access control](custom-overview.md) -- [Create and assign a custom role in Microsoft Entra ID](/entra/identity/role-based-access-control/custom-create) +- [Create a custom role in Microsoft Entra ID](custom-create.md) - [List role assignments](view-assignments.md) diff --git a/docs/identity/role-based-access-control/custom-available-permissions.md b/docs/identity/role-based-access-control/custom-available-permissions.md index 773aa97459d..da3a435c65f 100644 --- a/docs/identity/role-based-access-control/custom-available-permissions.md +++ b/docs/identity/role-based-access-control/custom-available-permissions.md @@ -167,5 +167,5 @@ Grants the same permissions as microsoft.directory/applications/permissions/upda ## Next steps -- [Create and assign a custom role in Microsoft Entra ID](/entra/identity/role-based-access-control/custom-create) +- [Create a custom role in Microsoft Entra ID](custom-create.md) - [List role assignments](view-assignments.md) \ No newline at end of file 
diff --git a/docs/identity/role-based-access-control/custom-consent-permissions.md b/docs/identity/role-based-access-control/custom-consent-permissions.md index 57dbe8f2092..96b3f4cf1fe 100644 --- a/docs/identity/role-based-access-control/custom-consent-permissions.md +++ b/docs/identity/role-based-access-control/custom-consent-permissions.md @@ -26,7 +26,7 @@ This article contains the currently available app consent permissions for custom Use the permissions listed in this article to manage app consent policies, as well as the permission to grant consent to apps. > [!NOTE] -> The Microsoft Entra admin center does not yet support adding the permissions listed in this article to a custom directory role definition. You must [use Microsoft Graph PowerShell to create a custom directory role](/entra/identity/role-based-access-control/custom-create#create-a-role-using-powershell) with the permissions listed in this article. +> The Microsoft Entra admin center does not yet support adding the permissions listed in this article to a custom role definition. You must [use Microsoft Graph PowerShell to create a custom role](custom-create.md) with the permissions listed in this article. #### Granting delegated permissions to apps on behalf of self (user consent) @@ -71,5 +71,5 @@ To delegate the creation, update and deletion of [app consent policies](~/identi ## Next steps -- [Create and assign a custom role in Microsoft Entra ID](/entra/identity/role-based-access-control/custom-create) -- [View the assignments for a custom role](~/identity/role-based-access-control/view-assignments.md) +- [Create a custom role in Microsoft Entra ID](custom-create.md) +- [List Microsoft Entra role assignments](view-assignments.md) diff --git a/docs/identity/role-based-access-control/custom-create.md b/docs/identity/role-based-access-control/custom-create.md index 538a8e990cc..3ede9cb7f34 100644 --- a/docs/identity/role-based-access-control/custom-create.md 
+++ b/docs/identity/role-based-access-control/custom-create.md @@ -166,6 +166,6 @@ Follow these steps: ## Related content -- [Microsoft Entra administrative roles forum](https://feedback.azure.com/d365community/forum/22920db1-ad25-ec11-b6e6-000d3a4f0789) +- [Assign Microsoft Entra roles](manage-roles-portal.md) - [Microsoft Entra built-in roles](permissions-reference.md) - [Comparison of default guest and member user permissions](~/fundamentals/users-default-permissions.md?context=azure/active-directory/roles/context/ugr-context) diff --git a/docs/identity/role-based-access-control/custom-device-permissions.md b/docs/identity/role-based-access-control/custom-device-permissions.md index ccfbe7625e6..c54fabd9aae 100644 --- a/docs/identity/role-based-access-control/custom-device-permissions.md +++ b/docs/identity/role-based-access-control/custom-device-permissions.md @@ -23,7 +23,7 @@ Device management permissions can be used in custom role definitions in Microsof - Read device registration policies - Update device registration policies -This article lists the permissions you can use in your custom roles for different device management scenarios. For information about how to create custom roles, see [Create and assign a custom role in Microsoft Entra ID](/entra/identity/role-based-access-control/custom-create). +This article lists the permissions you can use in your custom roles for different device management scenarios. For information about how to create custom roles, see [Create a custom role in Microsoft Entra ID](custom-create.md). ## Enable or disable devices @@ -106,5 +106,5 @@ The following permission is available to update tenant-wide device registration ## Next steps -- [Create and assign a custom role in Microsoft Entra ID](/entra/identity/role-based-access-control/custom-create) +- [Create a custom role in Microsoft Entra ID](custom-create.md) - [List Microsoft Entra role assignments](view-assignments.md) 
diff --git a/docs/identity/role-based-access-control/custom-enterprise-app-permissions.md b/docs/identity/role-based-access-control/custom-enterprise-app-permissions.md index 090db9f22ce..6c83b7a5d0a 100644 --- a/docs/identity/role-based-access-control/custom-enterprise-app-permissions.md +++ b/docs/identity/role-based-access-control/custom-enterprise-app-permissions.md @@ -224,5 +224,5 @@ To delegate create, read, update, and delete (CRUD) permissions for updating the ## Next steps -- [Create and assign a custom role in Microsoft Entra ID](/entra/identity/role-based-access-control/custom-create) -- [List role assignments](view-assignments.md) +- [Create a custom role in Microsoft Entra ID](custom-create.md) +- [List Microsoft Entra role assignments](view-assignments.md) diff --git a/docs/identity/role-based-access-control/custom-enterprise-apps.md b/docs/identity/role-based-access-control/custom-enterprise-apps.md index 1ed7780529d..f23a23754d3 100644 --- a/docs/identity/role-based-access-control/custom-enterprise-apps.md +++ b/docs/identity/role-based-access-control/custom-enterprise-apps.md @@ -96,7 +96,7 @@ In the Microsoft Entra Admin Center, you can create and manage custom roles to c # [PowerShell](#tab/ms-powershell) -For more detail, see [Create and assign a custom role in Microsoft Entra ID](/entra/identity/role-based-access-control/custom-create) and [Assign custom roles with resource scope using PowerShell](custom-assign-powershell.md). +For more detail, see [Create a custom role in Microsoft Entra ID](custom-create.md) and [Assign Microsoft Entra roles](manage-roles-portal.md). ### Create a custom role 
@@ -138,7 +138,7 @@ $roleAssignment = New-MgRoleManagementDirectoryRoleAssignment -DirectoryScopeId # [Graph API](#tab/ms-graph) -Use the [Create unifiedRoleDefinition](/graph/api/rbacapplication-post-roledefinitions) API to create a custom role. For more information, see [Create and assign a custom role in Microsoft Entra ID](/entra/identity/role-based-access-control/custom-create) and [Assign custom admin roles using the Microsoft Graph API](custom-assign-graph.md). +Use the [Create unifiedRoleDefinition](/graph/api/rbacapplication-post-roledefinitions) API to create a custom role. For more information, see [Create a custom role in Microsoft Entra ID](custom-create.md) and [Assign Microsoft Entra roles](manage-roles-portal.md). ```http POST https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions diff --git a/docs/identity/role-based-access-control/custom-group-permissions.md b/docs/identity/role-based-access-control/custom-group-permissions.md index 15c516ad4aa..2de27c8e381 100644 --- a/docs/identity/role-based-access-control/custom-group-permissions.md +++ b/docs/identity/role-based-access-control/custom-group-permissions.md @@ -22,7 +22,7 @@ Group management permissions can be used in custom role definitions in Microsoft - Read audit logs - Manage a specific type of group -This article lists the permissions you can use in your custom roles for different group management scenarios. For information about how to create custom roles, see [Create and assign a custom role in Microsoft Entra ID](/entra/identity/role-based-access-control/custom-create). +This article lists the permissions you can use in your custom roles for different group management scenarios. For information about how to create custom roles, see [Create a custom role in Microsoft Entra ID](custom-create.md). ## License requirements 
@@ -142,5 +142,5 @@ The following permissions are available to delete groups. ## Next steps -- [Create and assign a custom role in Microsoft Entra ID](/entra/identity/role-based-access-control/custom-create) +- [Create a custom role in Microsoft Entra ID](custom-create.md) - [List Microsoft Entra role assignments](view-assignments.md) diff --git a/docs/identity/role-based-access-control/custom-overview.md b/docs/identity/role-based-access-control/custom-overview.md index 96da4cc0a4f..ff08b78f731 100644 --- a/docs/identity/role-based-access-control/custom-overview.md +++ b/docs/identity/role-based-access-control/custom-overview.md 
@@ -31,9 +31,9 @@ Both systems contain similarly used role definitions and role assignments. Howev Microsoft Entra ID supports two types of roles definitions: * [Built-in roles](./permissions-reference.md) -* [Custom roles](/entra/identity/role-based-access-control/custom-create) +* [Custom roles](custom-create.md) -Built-in roles are out of box roles that have a fixed set of permissions. These role definitions cannot be modified. There are many [built-in roles](./permissions-reference.md) that Microsoft Entra ID supports, and the list is growing. To round off the edges and meet your sophisticated requirements, Microsoft Entra ID also supports [custom roles](/entra/identity/role-based-access-control/custom-create). Granting permission using custom Microsoft Entra roles is a two-step process that involves creating a custom role definition and then assigning it using a role assignment. A custom role definition is a collection of permissions that you add from a preset list. These permissions are the same permissions used in the built-in roles. +Built-in roles are out of box roles that have a fixed set of permissions. These role definitions cannot be modified. There are many [built-in roles](./permissions-reference.md) that Microsoft Entra ID supports, and the list is growing. To round off the edges and meet your sophisticated requirements, Microsoft Entra ID also supports [custom roles](custom-create.md). Granting permission using custom Microsoft Entra roles is a two-step process that involves creating a custom role definition and then assigning it using a role assignment. A custom role definition is a collection of permissions that you add from a preset list. These permissions are the same permissions used in the built-in roles. Once you’ve created your custom role definition (or using a built-in role), you can assign it to a user by creating a role assignment. A role assignment grants the user the permissions in a role definition at a specified scope. 
This two-step process allows you to create a single role definition and assign it many times at different scopes. A scope defines the set of Microsoft Entra resources the role member has access to. The most common scope is organization-wide (org-wide) scope. A custom role can be assigned at org-wide scope, meaning the role member has the role permissions over all resources in the organization. A custom role can also be assigned at an object scope. An example of an object scope would be a single application. The same role can be assigned to one user over all applications in the organization and then to another user with a scope of only the Contoso Expense Reports app. @@ -59,7 +59,7 @@ A role assignment is a Microsoft Entra resource that attaches a *role definition - Role definition - A collection of permissions. - Scope - A way to constrain where those permissions are applicable. -You can [create role assignments](/entra/identity/role-based-access-control/manage-roles-portal) and [list the role assignments](view-assignments.md) using the Microsoft Entra admin center, [Microsoft Graph PowerShell](/powershell/microsoftgraph/overview), or Microsoft Graph API. Azure CLI is not supported for Microsoft Entra role assignments. +You can [create role assignments](manage-roles-portal.md) and [list the role assignments](view-assignments.md) using the Microsoft Entra admin center, [Microsoft Graph PowerShell](/powershell/microsoftgraph/overview), or Microsoft Graph API. Azure CLI is not supported for Microsoft Entra role assignments. The following diagram shows an example of a role assignment. In this example, Chris has been assigned the App Registration Administrator custom role at the scope of the Contoso Widget Builder app registration. The assignment grants Chris the permissions of the App Registration Administrator role for only this specific app registration. 
@@ -94,14 +94,14 @@ If you specify a Microsoft Entra resource as a scope, it can be one of the follo When a role is assigned over a container scope, such as the Tenant or an Administrative Unit, it grants permissions over the objects they contain but not on the container itself. On the contrary, when a role is assigned over a resource scope, it grants permissions over the resource itself but it does not extend beyond (in particular, it does not extend to the members of a Microsoft Entra group). -For more information, see [Assign Microsoft Entra roles at different scopes](assign-roles-different-scopes.md). +For more information, see [Assign Microsoft Entra roles](manage-roles-portal.md). ## Role assignment options Microsoft Entra ID provides multiple options for assigning roles: -- You can assign roles to users directly, which is the default way to assign roles. Both built-in and custom Microsoft Entra roles can be assigned to users, based on access requirements. For more information, see [Assign Microsoft Entra roles to users](/entra/identity/role-based-access-control/manage-roles-portal). -- With Microsoft Entra ID P1, you can create role-assignable groups and assign roles to these groups. Assigning roles to a group instead of individuals allows for easy addition or removal of users from a role and creates consistent permissions for all members of the group. For more information, see [Assign Microsoft Entra roles to groups](groups-assign-role.md). +- You can assign roles to users directly, which is the default way to assign roles. Both built-in and custom Microsoft Entra roles can be assigned to users, based on access requirements. For more information, see [Assign Microsoft Entra roles](manage-roles-portal.md). +- With Microsoft Entra ID P1, you can create role-assignable groups and assign roles to these groups. 
Assigning roles to a group instead of individuals allows for easy addition or removal of users from a role and creates consistent permissions for all members of the group. For more information, see [Assign Microsoft Entra roles](manage-roles-portal.md). - With Microsoft Entra ID P2, you can use Microsoft Entra Privileged Identity Management (Microsoft Entra PIM) to provide just-in-time access to roles. This feature allows you to grant time-limited access to a role to users who require it, rather than granting permanent access. It also provides detailed reporting and auditing capabilities. For more information, see [Assign Microsoft Entra roles in Privileged Identity Management](~/id-governance/privileged-identity-management/pim-how-to-add-role-to-user.md). ## License requirements @@ -111,5 +111,5 @@ Using built-in roles in Microsoft Entra ID is free. Using custom roles require a ## Next steps - [Understand Microsoft Entra roles](concept-understand-roles.md) -- [Assign Microsoft Entra roles to users](/entra/identity/role-based-access-control/manage-roles-portal) -- [Create and assign a custom role in Microsoft Entra ID](/entra/identity/role-based-access-control/custom-create) +- [Assign Microsoft Entra roles](manage-roles-portal.md) +- [Microsoft Entra forum](https://feedback.azure.com/d365community/forum/22920db1-ad25-ec11-b6e6-000d3a4f0789) diff --git a/docs/identity/role-based-access-control/custom-user-permissions.md b/docs/identity/role-based-access-control/custom-user-permissions.md index 996c28fa32a..d6379dafe27 100644 --- a/docs/identity/role-based-access-control/custom-user-permissions.md +++ b/docs/identity/role-based-access-control/custom-user-permissions.md 
@@ -29,7 +29,7 @@ User management permissions can be used in custom role definitions in Microsoft - Update password policies of users - Read assignments and memberships of users -This article lists the permissions you can use in your custom roles for different user management scenarios. For information about how to create custom roles, see [Create and assign a custom role in Microsoft Entra ID](/entra/identity/role-based-access-control/custom-create). +This article lists the permissions you can use in your custom roles for different user management scenarios. For information about how to create custom roles, see [Create a custom role in Microsoft Entra ID](custom-create.md). ## License requirements @@ -181,5 +181,5 @@ The following permissions are available to read assignments and memberships of u ## Next steps -- [Create and assign a custom role in Microsoft Entra ID](/entra/identity/role-based-access-control/custom-create) +- [Create a custom role in Microsoft Entra ID](custom-create.md) - [List Microsoft Entra role assignments](view-assignments.md) diff --git a/docs/identity/role-based-access-control/delegate-app-roles.md b/docs/identity/role-based-access-control/delegate-app-roles.md index 5924fdc7dcd..82622f756b5 100644 --- a/docs/identity/role-based-access-control/delegate-app-roles.md +++ b/docs/identity/role-based-access-control/delegate-app-roles.md 
@@ -75,8 +75,8 @@ Follow the instructions in the [Assign roles to users with Microsoft Entra ID](~ Creating custom roles and assigning custom roles are separate steps: -- [Create a custom *role definition*](/entra/identity/role-based-access-control/custom-create) and [add permissions to it from a preset list](custom-available-permissions.md). These are the same permissions used in the built-in roles. -- [Create a *role assignment*](custom-assign-powershell.md) to assign the custom role. +- [Create a custom *role definition*](custom-create.md) and [add permissions to it from a preset list](custom-available-permissions.md). These are the same permissions used in the built-in roles. +- [Create a *role assignment*](manage-roles-portal.md) to assign the custom role. This separation allows you to create a single role definition and then assign it many times at different *scopes*. A custom role can be assigned at organization-wide scope, or it can be assigned at the scope of a single Microsoft Entra object. An example of an object scope is a single app registration. Using different scopes, the same role definition can be assigned to Sally over all app registrations in the organization and then to Naveen over only the Contoso Expense Reports app registration. 
@@ -85,7 +85,7 @@ Tips when creating and using custom roles for delegating application management: - Custom roles do not grant access to the Microsoft Entra admin center when the [Restrict access to Microsoft Entra administration portal](~/fundamentals/users-default-permissions.md) user setting is set to **Yes**. - App registrations the user has access to using role assignments only show up in the ‘All applications’ tab on the App registration page. They do not show up in the ‘Owned applications’ tab. -For more information on the basics of custom roles, see the [custom roles overview](custom-overview.md), as well as how to [create a custom role](/entra/identity/role-based-access-control/custom-create) and how to [assign a role](custom-assign-powershell.md). +For more information on the basics of custom roles, see the [custom roles overview](custom-overview.md), as well as how to [create a custom role](custom-create.md) and how to [assign a role](manage-roles-portal.md). ## Troubleshoot diff --git a/docs/identity/role-based-access-control/delegate-by-task.md b/docs/identity/role-based-access-control/delegate-by-task.md index 27303c367a9..4d054ad6522 100644 --- a/docs/identity/role-based-access-control/delegate-by-task.md +++ b/docs/identity/role-based-access-control/delegate-by-task.md 
@@ -17,7 +17,7 @@ ms.custom: it-pro In this article, you can find the information needed to restrict a user's administrator permissions by assigning least privileged roles in Microsoft Entra ID. You will find tasks organized by feature area and the least privileged role required to perform each task, along with additional non-Global Administrator roles that can perform the task. -You can further restrict permissions by assigning roles at smaller scopes or by creating your own custom roles. For more information, see [Assign Microsoft Entra roles at different scopes](assign-roles-different-scopes.md) or [Create and assign a custom role in Microsoft Entra ID](/entra/identity/role-based-access-control/custom-create). +You can further restrict permissions by assigning roles at smaller scopes or by creating your own custom roles. For more information, see [Assign Microsoft Entra roles](manage-roles-portal.md) or [Create a custom role in Microsoft Entra ID](custom-create.md). ## Application proxy @@ -450,7 +450,6 @@ You can further restrict permissions by assigning roles at smaller scopes or by ## Next steps -- [Assign Microsoft Entra roles to users](/entra/identity/role-based-access-control/manage-roles-portal) -- [Assign Microsoft Entra roles at different scopes](assign-roles-different-scopes.md) -- [Create and assign a custom role in Microsoft Entra ID](/entra/identity/role-based-access-control/custom-create) +- [Assign Microsoft Entra roles](manage-roles-portal.md) +- [Create a custom role in Microsoft Entra ID](custom-create.md) - [Microsoft Entra built-in roles](permissions-reference.md) diff --git a/docs/identity/role-based-access-control/groups-create-eligible.md b/docs/identity/role-based-access-control/groups-create-eligible.md index 40b70a7118c..10cf42f0334 100644 --- a/docs/identity/role-based-access-control/groups-create-eligible.md +++ b/docs/identity/role-based-access-control/groups-create-eligible.md 
@@ -130,6 +130,6 @@ For this type of group, `isPublic` is always false and `isSecurityEnabled` is al ## Next steps -- [Assign Microsoft Entra roles to groups](groups-assign-role.md) +- [Assign Microsoft Entra roles](manage-roles-portal.md) - [Use Microsoft Entra groups to manage role assignments](groups-concept.md) - [Troubleshoot Microsoft Entra roles assigned to groups](groups-faq-troubleshooting.yml) diff --git a/docs/identity/role-based-access-control/m365-workload-docs.md b/docs/identity/role-based-access-control/m365-workload-docs.md index b2b56580aab..4c92a07200a 100644 --- a/docs/identity/role-based-access-control/m365-workload-docs.md +++ b/docs/identity/role-based-access-control/m365-workload-docs.md @@ -282,5 +282,5 @@ In addition to the previously mentioned RBAC systems, elevated permissions can b ## Next steps -* [How to assign or remove Microsoft Entra administrator roles](/entra/identity/role-based-access-control/manage-roles-portal) +* [Assign Microsoft Entra roles](manage-roles-portal.md) * [Microsoft Entra built-in roles](permissions-reference.md) diff --git a/docs/identity/role-based-access-control/permissions-reference.md b/docs/identity/role-based-access-control/permissions-reference.md index 57be9e289ca..d33ea40c0c0 100644 --- a/docs/identity/role-based-access-control/permissions-reference.md +++ b/docs/identity/role-based-access-control/permissions-reference.md 
@@ -17,7 +17,7 @@ ms.custom: generated, it-pro, fasttrack-edit, has-azure-ad-ps-ref, azure-ad-ref- In Microsoft Entra ID, if another administrator or non-administrator needs to manage Microsoft Entra resources, you assign them a Microsoft Entra role that provides the permissions they need. For example, you can assign roles to allow adding or changing users, resetting user passwords, managing user licenses, or managing domain names. -This article lists the Microsoft Entra built-in roles you can assign to allow management of Microsoft Entra resources. For information about how to assign roles, see [Assign Microsoft Entra roles to users](/entra/identity/role-based-access-control/manage-roles-portal). If you are looking for roles to manage Azure resources, see [Azure built-in roles](/azure/role-based-access-control/built-in-roles). +This article lists the Microsoft Entra built-in roles you can assign to allow management of Microsoft Entra resources. For information about how to assign roles, see [Assign Microsoft Entra roles](manage-roles-portal.md). If you are looking for roles to manage Azure resources, see [Azure built-in roles](/azure/role-based-access-control/built-in-roles). ## All roles @@ -3062,6 +3062,6 @@ Not every role returned by PowerShell or MS Graph API is visible in Azure portal ## Next steps -- [Assign Microsoft Entra roles to groups](groups-assign-role.md) +- [Assign Microsoft Entra roles](manage-roles-portal.md) - [Understand the different roles](/azure/role-based-access-control/rbac-and-directory-admin-roles) - [Assign a user as an administrator of an Azure subscription](/azure/role-based-access-control/role-assignments-portal-subscription-admin) diff --git a/docs/identity/role-based-access-control/privileged-roles-permissions.md b/docs/identity/role-based-access-control/privileged-roles-permissions.md index 1d27cfb2a0f..60d05d60e32 100644 --- a/docs/identity/role-based-access-control/privileged-roles-permissions.md 
+++ b/docs/identity/role-based-access-control/privileged-roles-permissions.md @@ -455,7 +455,7 @@ For example: In the following table, the columns list the roles that can reset passwords and invalidate refresh tokens. The rows list the roles for which their password can be reset. For example, a Password Administrator can reset the password for Directory Readers, Guest Inviter, Password Administrator, and users with no administrator role. If a user is assigned any other role, the Password Administrator cannot reset their password. -The following table is for roles assigned at the scope of a tenant. For roles assigned at the scope of an administrative unit, [further restrictions apply](admin-units-assign-roles.md#roles-that-can-be-assigned-with-administrative-unit-scope). +The following table is for roles assigned at the scope of a tenant. For roles assigned at the scope of an administrative unit, [further restrictions apply](manage-roles-portal.md#roles-that-can-be-assigned-with-administrative-unit-scope). | Role that password can be reset | Password Admin | Helpdesk Admin | Auth Admin | User Admin | Privileged Auth Admin | Global Admin | | ------ | ------ | ------ | ------ | ------ | ------ | ------ | 
@@ -503,7 +503,7 @@ Some administrators can perform the following sensitive actions for some users. In the following table, the columns list the roles that can perform sensitive actions. The rows list the roles for which the sensitive action can be performed upon. -The following table is for roles assigned at the scope of a tenant. For roles assigned at the scope of an administrative unit, [further restrictions apply](admin-units-assign-roles.md#roles-that-can-be-assigned-with-administrative-unit-scope). +The following table is for roles assigned at the scope of a tenant. For roles assigned at the scope of an administrative unit, [further restrictions apply](manage-roles-portal.md#roles-that-can-be-assigned-with-administrative-unit-scope). | Role that sensitive action can be performed upon | Auth Admin | User Admin | Privileged Auth Admin | Global Admin | | ------ | ------ | ------ | ------ | ------ | diff --git a/docs/identity/role-based-access-control/role-definitions-list.md b/docs/identity/role-based-access-control/role-definitions-list.md index 27f05745458..0551c188651 100644 --- a/docs/identity/role-based-access-control/role-definitions-list.md +++ b/docs/identity/role-based-access-control/role-definitions-list.md @@ -145,5 +145,5 @@ Follow these instructions to list Microsoft Entra roles using the Microsoft Grap ## Next steps * [List Microsoft Entra role assignments](view-assignments.md) -* [Assign Microsoft Entra roles to users](/entra/identity/role-based-access-control/manage-roles-portal) +* [Assign Microsoft Entra roles](manage-roles-portal.md) * [Microsoft Entra built-in roles](permissions-reference.md) diff --git a/docs/includes/entra-service-limits-include.md b/docs/includes/entra-service-limits-include.md index a9d05476aca..301b7f7b023 100644 --- a/docs/includes/entra-service-limits-include.md +++ b/docs/includes/entra-service-limits-include.md 
@@ -24,7 +24,7 @@ Here are the usage constraints and other service limits for the Microsoft Entra | Access Panel |There's no limit to the number of applications per user that can be displayed in the Access Panel, regardless of the number of assigned licenses. | | Reports | A maximum of 1,000 rows can be viewed or downloaded in any report. Any additional data is truncated. | | Administrative units |
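Review bot: The note hunk in custom-consent-permissions.md (`@@ -26,7`) drops the section fragment from the PowerShell link: `custom-create#create-a-role-using-powershell` becomes plain `custom-create.md`. The note tells readers they must use Microsoft Graph PowerShell, so the link should still land on the PowerShell procedure rather than the top of the page; if that section still exists in custom-create.md, keep it as `[use Microsoft Graph PowerShell to create a custom role](custom-create.md#create-a-role-using-powershell)`.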
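Review bot: In both custom-enterprise-apps.md hunks (`@@ -96,7` for the PowerShell tab and `@@ -138,7` for the Graph API tab), the tool-specific assignment pages (`custom-assign-powershell.md` and `custom-assign-graph.md`) are replaced by `manage-roles-portal.md`, whose filename suggests admin center steps. Each tab is meant to be self-contained for its tool, so confirm that manage-roles-portal.md contains PowerShell and Graph API sections for assigning a custom role at a resource scope; if it does, link to those sections with a fragment, otherwise keep the tool-specific pages for these two tabs.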
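Review bot: In the custom-overview.md `@@ -94,14` hunk, the sentence that explains container versus resource scopes now points at `manage-roles-portal.md` instead of `assign-roles-different-scopes.md`, and the role-assignable-groups bullet points at the same page instead of `groups-assign-role.md`. Both links sit directly under text that promises scope-specific and group-specific guidance, so verify that manage-roles-portal.md covers assignment at administrative-unit and object scopes and assignment to groups, and link to the relevant headings. If the two old pages are being retired, the redirect entries belong in this PR; none appear in the visible diff.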
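Review bot: Both privileged-roles-permissions.md hunks (`@@ -455,7` and `@@ -503,7`) keep the fragment `#roles-that-can-be-assigned-with-administrative-unit-scope` while moving the link from admin-units-assign-roles.md to manage-roles-portal.md. A fragment that does not match a heading on the target page degrades silently to a top-of-page link and is usually not caught by link validation, so check that manage-roles-portal.md has a heading that renders to exactly this id; if the section was merged under a different title, update the fragment in both places.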
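Review bot: Link text to custom-create.md is changed throughout the patch from "Create and assign a custom role in Microsoft Entra ID" to "Create a custom role in Microsoft Entra ID", but the only custom-create.md hunk shown (`@@ -166,6`) edits Related content, not the page title or H1. Make sure the page's own title is changed in the same PR so the link text and the rendered title agree. In the same hunk the forum link is removed and reappears in custom-overview.md Next steps relabelled "Microsoft Entra forum"; the original label "Microsoft Entra administrative roles forum" tells readers which forum it is, so consider keeping it.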