diff --git a/docs/architecture/gsa-deployment-guide-internet-access.md b/docs/architecture/gsa-deployment-guide-internet-access.md index dd6f538f3a2..c8136a09ad2 100644 --- a/docs/architecture/gsa-deployment-guide-internet-access.md +++ b/docs/architecture/gsa-deployment-guide-internet-access.md @@ -29,6 +29,9 @@ Before you enable Microsoft Entra Internet Access, plan for what you want it to - Prevent specific users and groups from using managed devices to access websites by category (such as Alcohol and Tobacco or Social Media). Microsoft Entra Internet Access provides more than 60 categories from which you can choose. - Prevent users and groups from using managed devices to access specific fully qualified domain names (FQDN). - Configure override policies to allow groups of users to access sites that your web filtering rules would otherwise block. +- Extend the capabilities of Microsoft Entra Internet Access to entire networks, including devices that are not running the Global Secure Access client + - [Simulate remote network connectivity using a remote virtual wide-area network (vWAN)](../global-secure-access/how-to-create-remote-network-vwan.md) + - [Simulate remote network connectivity using an Azure virtual network gateway (VNG)](../global-secure-access/how-to-simulate-remote-network.md) After you understand the capabilities you require in your use cases, create an inventory to associate your users and groups with these capabilities. Understand which users and groups to block or allow access to which web categories and FQDNs. Include rule prioritization for each user group. 
@@ -47,6 +50,7 @@ At this point, you completed initiate and plan stages of your Secure Access Serv 1. Create a roll-back plan that defines the circumstances and procedures for when you remove Global Secure Access client from a user device or disable the traffic forwarding profile. 1. Send end user communications. 1. Deploy the [Global Secure Access client for Windows](../global-secure-access/how-to-install-windows-client.md) on devices for your pilot group to test. +1. Configure remote networks using [vWAN](../global-secure-access/how-to-create-remote-network-vwan.md) or [VNG](../global-secure-access/how-to-simulate-remote-network.md) if in scope. 1. Configure [web content filtering policies](../global-secure-access/how-to-configure-web-content-filtering.md#create-a-web-content-filtering-policy) to allow or block categories or FQDNs based on the use cases that you defined during planning. diff --git a/docs/architecture/gsa-deployment-guide-intro.md b/docs/architecture/gsa-deployment-guide-intro.md index 9d94c9e29ed..c7c48d38261 100644 --- a/docs/architecture/gsa-deployment-guide-intro.md +++ b/docs/architecture/gsa-deployment-guide-intro.md @@ -23,7 +23,7 @@ This Deployment Guide helps you to plan and deploy Microsoft Global Secure Acces ## Perform a Proof of Concept -Perform a Proof of Concept (PoC) to ensure that the solution you choose provides the features and connectivity that you require. +Perform a [Proof of Concept](https://aka.ms/globalsecureaccesscommunity) (PoC) to ensure that the solution you choose provides the features and connectivity that you require. Depending on which capabilities you plan to deploy in a PoC for Microsoft Global Secure Access, you need up to seven hours. diff --git a/docs/external-id/customers/toc.yml b/docs/external-id/customers/toc.yml index 06021a75d99..e071c2e104b 100644 --- a/docs/external-id/customers/toc.yml +++ b/docs/external-id/customers/toc.yml 
@@ -449,6 +449,8 @@ items: href: how-to-use-app-roles-customers.md - name: Web Application Firewall partners items: + - name: Azure Web Application Firewall + href: tutorial-configure-external-id-web-app-firewall.md - name: Cloudflare href: tutorial-configure-cloudflare-integration.md - name: Manage users diff --git a/docs/external-id/customers/tutorial-configure-external-id-web-app-firewall.md b/docs/external-id/customers/tutorial-configure-external-id-web-app-firewall.md new file mode 100644 index 00000000000..9b3b5d6d5e8 --- /dev/null +++ b/docs/external-id/customers/tutorial-configure-external-id-web-app-firewall.md 
@@ -0,0 +1,117 @@ +--- +title: Configure Microsoft Entra External ID with Azure Web Application Firewall +description: Learn how to configure Microsoft Entra External ID with Azure Web Application Firewall. +author: gargi-sinha +manager: martinco +ms.author: gasinh +ms.reviewer: kengaderdus +ms.service: entra-external-id +ms.subservice: external +ms.topic: how-to +ms.custom: it-pro +ms.date: 01/09/2025 + +#CustomerIntent: As an IT administrator, I want to learn how to enable the Azure Web Application Firewall (WAF) service for a Microsoft Entra External ID tenant with an Azure WAF so that I can protects web applications from common exploits and vulnerabilities. +--- +# Configure Microsoft Entra External ID with Azure Web Application Firewall + +In this article, you learn how to enable the [Azure Web Application Firewall](/azure/web-application-firewall/ag/ag-overview) (WAF) service for a Microsoft Entra External ID tenant. Azure WAF protects web applications from common exploits and vulnerabilities such as cross-site scripting, Distributed Denial-of-Service (DDoS) attacks, and malicious bot activity. + +## Prerequisites + +- **An Azure subscription**. If you don’t have one, [get an Azure account](https://azure.microsoft.com/free/) for free. +- **A Microsoft Entra External ID tenant**. Authorization server that verifies user credentials with user flows in the tenant, also known as the identity provider (IdP). Learn how to [create an external tenant](how-to-create-external-tenant-portal.md). +- **Azure Front Door Premium**. [Azure Front Door](/azure/frontdoor/) enables custom domains for the Microsoft Entra External ID tenant with security optimization and access to WAF managed rule sets. +- **Azure Web Application Firewall** (requires Premium SKU). [Azure WAF](https://azure.microsoft.com/services/web-application-firewall/) manages traffic that the authorization server receives. +- **A custom domain**. Use with the custom domain features in Azure Front Door. 
Learn how to [enable custom URL domains for apps in external tenants](how-to-custom-url-domain.md). + +> [!IMPORTANT] +> After you configure the custom domain, [test your custom domain](how-to-custom-url-domain.md#test-your-custom-url-domains) before you use it. + +## Enable Azure Web Application Firewall + +To enable WAF for protection, configure a WAF policy and associate it with Azure Front Door Premium. Microsoft optimizes Azure Front Door premium for security and manages the rule sets provided by the WAF to protect against common vulnerabilities including cross-site scripting and Java exploits. Additionally, Azure WAF provides rule sets that help protect against malicious bot activity and provide layer 7 DDoS protection for your application. + +### Create Azure Web Application Firewall policy + +Use the following steps to create the WAF policy. + +1. Sign in to the [Azure portal](https://portal.azure.com). +1. Under **Azure services**, select **Create a resource**. +1. In the search bar, type **Azure WAF**, then select **Azure Service Web Application Firewall (WAF) from Microsoft**. +1. Select **Create**. +1. Go to **Create a WAF policy**. +1. Select **Basics**. + - For **Policy for**, select **Global WAF (Front Door)**. + - For **Front Door SKU**, select the Premium SKU. + - For **Subscription**, select your Front Door subscription name. + - For **Resource group**, select your Front Door resource group name. + - For **Policy name**, enter a unique name for your WAF policy. + - For **Policy state**, select **Enabled**. + - For **Policy mode**, select **Detection**. +1. Go to **Create a WAF policy** > **Association**. +1. Select **+ Associate a Front Door profile**. +1. **Front Door**: Select the Front Door name that you associated with your Microsoft Entra External ID custom domain. +1. **Domains**: Select the Microsoft Entra External ID custom domains to which to associate the WAF policy. +1. Select **Add**. +1. Select **Review + create**. +1. 
Select **Create**. + +## Configure default rule set + +After you create a new WAF policy, Azure Front Door automatically deploys with the latest version of the [Azure-managed default rule set](/azure/web-application-firewall/afds/waf-front-door-drs) (DRS). This rule set protects web applications from common vulnerabilities and exploits. Azure-managed rule sets protect against common security threats. Azure manages and updates these rule sets as needed to protect against new attack signatures. The DRS includes the [Microsoft Threat Intelligence Collection rules](/azure/web-application-firewall/afds/waf-front-door-drs#microsoft-threat-intelligence-collection-rules) that provide increased coverage, patches for specific vulnerabilities, and better false positive reduction. + +## Configure bot manager rule set + +By default, the Azure Front Door WAF deploys with the latest version of the Azure-managed [bot manager rule set](/azure/web-application-firewall/afds/afds-overview#bot-protection-rule-set). This rule set categorizes bot traffic into good, bad, and unknown bots. The WAF platform manages and dynamically updates the bot signatures behind this rule set. + +## Configure rate limiting + +[Rate limiting for Azure Front Door](/azure/web-application-firewall/afds/waf-front-door-rate-limit) enables you to detect and block abnormally high traffic from any socket IP address. Use Azure WAF in Azure Front Door to mitigate some types of denial-of-service attacks. Rate limiting protects clients accidentally misconfigured to send large volumes of requests in a short time. You must use custom rules to [manually configure rate limiting on the WAF](/azure/web-application-firewall/afds/waf-front-door-rate-limit-configure). + +## Configure detection and prevention modes + +After you create a WAF policy, Azure starts the policy in **Detection mode**. Leave the WAF policy in **Detection mode** while you tune the WAF for your traffic. 
In **Detection mode**, the WAF doesn’t block requests. Instead, the WAF logs requests that match the WAF rules after you [enable logging](/azure/web-application-firewall/afds/waf-front-door-monitor#logs-and-diagnostics). + +After you enable logging and your WAF receives request traffic, look through your logs and [tune your WAF](/azure/web-application-firewall/afds/waf-front-door-tuning). + +The following query shows the requests that an example WAF policy blocked in the previous 24 hours. The details include rule name, request data, action that the policy took, and policy mode. + +```kusto +AzureDiagnostics +| where TimeGenerated >= ago(24h) +| where Category == "FrontdoorWebApplicationFirewallLog" +| where action_s == "Block" +| project RuleID=ruleName_s, DetailMsg=details_msg_s, Action=action_s, Mode=policyMode_s, DetailData=details_data_s +``` + +|RuleID|DetailMsg|Action|Mode|DetailData| +|---|---|---|---|---| +|DefaultRuleSet-1.0-SQLI-942430|Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)|Block|Detection|Matched Data: CfDJ8KQ8bY6D| + +Review the WAF logs to determine if your WAF's rules caused any false positives. Then use exclusions to mitigate those WAF false positives. [Configure web application firewall exclusion lists](/azure/web-application-firewall/afds/waf-front-door-exclusion-configure). Configure [Web Application Firewall with Azure Front Door exclusion lists](/azure/web-application-firewall/afds/waf-front-door-exclusion). + +After you set up logging and your WAF receives traffic, you can assess the effectiveness of your bot manager rules in handling bot traffic. The following query shows the actions that the example bot manager rule set took categorized by bot type. While in **Detection mode**, the WAF only logs bot traffic actions. After you switch to **Prevention mode**, the WAF begins actively blocking unwanted bot traffic. 
+ +```kusto +AzureDiagnostics +| where Category == "FrontDoorWebApplicationFirewallLog" +| where action_s in ("Log", "Allow", "Block", "JSChallenge", "Redirect") and ruleName_s contains "BotManager" +| extend RuleGroup = extract("Microsoft_BotManagerRuleSet-[\\d\\.]+-(.*?)-Bot\\d+", 1, ruleName_s) +| extend RuleGroupAction = strcat(RuleGroup, " - ", action_s) +| summarize Hits = count() by RuleGroupAction, bin(TimeGenerated, 30m) +| project TimeGenerated, RuleGroupAction, Hits +| render columnchart kind=stacked +``` + +## Switch from Detection mode to Prevention mode + +To observe activity on requested traffic, select **Switch to Prevention mode** from your WAF policy's **Overview** page in the Azure portal. This selection changes the mode from **Detection mode** to **Prevention mode**. The WAF blocks requests that match the rules in WAF policy and logs them in the WAF logs. The WAF takes the prescribed action when a request matches one or more rules and logs the results. By default, the DRS sets to [anomaly scoring mode](/azure/web-application-firewall/afds/waf-front-door-drs#anomaly-scoring-mode); the WAF doesn’t take action on a request unless it meets the anomaly score threshold. + +To revert to **Detection mode**, select **Switch to Detection mode** from the **Overview** page. + +## Related content + +- [Best practices for Azure Web Application Firewall in Azure Front Door](/azure//web-application-firewall/afds/waf-front-door-best-practices) +- [Manage Web Application Firewall policies](/azure/firewall-manager/manage-web-application-firewall-policies) +- [Tune Azure Web Application Firewall for Azure Front Door](/azure/web-application-firewall/afds/waf-front-door-tuning) diff --git a/docs/id-governance/custom-entitlement-report-with-adx-and-entra-id.md b/docs/id-governance/custom-entitlement-report-with-adx-and-entra-id.md index 1e4d7e9f7f2..70f99382a40 100644 --- a/docs/id-governance/custom-entitlement-report-with-adx-and-entra-id.md 
+++ b/docs/id-governance/custom-entitlement-report-with-adx-and-entra-id.md @@ -1,6 +1,6 @@ --- title: 'Custom reports using Microsoft Entra and application data' -description: Tutorial that describes how to create customized reports in Azure Data Explorer using data from Microsoft Entra ID. +description: Tutorial that describes how to create customized reports in Azure Data Explorer using data from Microsoft Entra. author: billmath manager: amycolannino ms.service: entra-id-governance @@ -9,7 +9,7 @@ ms.date: 12/30/2024 ms.author: billmath --- -# Tutorial: Customized reports in Azure Data Explorer using data from Microsoft Entra ID +# Tutorial: Customized reports in Azure Data Explorer using data from Microsoft Entra In this tutorial, you learn how to create customized reports in [Azure Data Explorer (ADX)](/azure/data-explorer/data-explorer-overview) using data from Microsoft Entra ID and Microsoft Entra ID Governance services. This tutorial complements other reporting options such as [Archive & report with Azure Monitor and entitlement management](entitlement-management-logs-and-reporting.md), which focuses on exporting the audit log into Azure Monitor for retention and analysis. By comparison, exporting Microsoft Entra ID data to Azure Data Explorer provides flexibility for creating custom reports on Microsoft Entra objects, including historical and deleted objects. In addition, use of Azure Data Explorer enables data aggregation from additional sources, with massive scalability, flexible schema, and retention policies. Azure Data Explorer is especially helpful when you need to retain access data for years, perform ad-hoc investigations, or need to run custom queries on user access data. 
@@ -17,10 +17,12 @@ This article illustrates how to show configuration, users, and access rights exp Use the following steps to create these reports: - 1. [Set up Azure Data Explorer](#1-setup-azure-data-explorer) in an Azure subscription, or create a free cluster. - 2. [Extract data from Microsoft Entra](#2-connect-to-microsoft-graph-and-extract-entra-data-with-powershell) using PowerShell scripts and Microsoft Graph. - 3. [Import the data into Azure Data Explorer](#3-import-json-file-data-into-azure-data-explorer), a fast and scalable data analytics service. - 4. [Build a custom query](#4-use-azure-data-explorer-to-build-custom-reports) using Kusto Query Language. + 1. [Set up Azure Data Explorer](#1-setup-azure-data-explorer) in an Azure subscription, or create a free cluster. + 2. [Extract data from Microsoft Entra ID](#2-extract-microsoft-entra-id-data-with-powershell) using PowerShell scripts and Microsoft Graph. + 3. [Import that data from Microsoft Entra ID into Azure Data Explorer](#3-import-json-files-with-data-from-microsoft-entra-id-into-azure-data-explorer). + 1. [Extract data from Microsoft Entra ID Governance](#4-extract-microsoft-entra-id-governance-data-with-powershell). + 1. [Import that data from Microsoft Entra ID Governance into Azure Data Explorer](#5-import-json-files-with-data-from-microsoft-entra-id-governance-into-azure-data-explorer). + 1. [Build a custom query](#6-use-azure-data-explorer-to-build-custom-reports) using Kusto Query Language. By the end of this tutorial, you'll be able to develop customized views of the access rights and permissions of users. These views span across different applications using Microsoft supported tools. You can also bring in data from third-party databases or applications to report on those as well. 
@@ -37,20 +39,20 @@ Determine what data you want to include in your reports. The scripts in this art - Microsoft Graph PowerShell must be consented to allow for retrieval of Microsoft Entra objects via Microsoft Graph. The examples in this tutorial require the delegated User.Read.All, Group.Read.All, Application.Read.All, and Directory.Read.All permissions. If you're planning on retrieving data using automation without a signed-in user, then consent to the corresponding application permissions instead. See [Microsoft Graph permissions reference](/graph/permissions-reference) for additional information. If you haven't already consented Microsoft Graph PowerShell to those permissions, you need to be a Global Administrator to perform this consent operation. - This tutorial does not illustrate custom security attributes. By default, Global Administrator and other administrator roles don't include permissions to read custom security attributes from Microsoft Entra users. If you're planning on retrieving custom security attributes, then more roles and permissions may be required. - On the computer where Microsoft Graph PowerShell is installed, ensure you have write access to the file system directory. This is where you install the required Microsoft Graph PowerShell modules and where the exported Microsoft Entra data is saved. -- Ensure you have permissions to retrieve data from other data sources beyond Microsoft Entra. +- Ensure you have permissions to retrieve data from other data sources beyond Microsoft Entra, if you wish to incorporate that data into Azure Data Explorer as well. ## 1: Setup Azure Data Explorer If you haven’t previously used Azure Data Explorer, you need to set this up first. You can create a [free cluster without an Azure subscription or credit card](/azure/data-explorer/start-for-free) or a full cluster which requires an Azure subscription. 
See [Quickstart: Create an Azure Data Explorer cluster and database](/azure/data-explorer/create-cluster-and-database) to get started. -## 2: Connect to Microsoft Graph and Extract Entra data with PowerShell +## 2: Extract Microsoft Entra ID data with PowerShell -In this section, you [install Microsoft Graph PowerShell modules](/powershell/microsoftgraph/installation) and [Connect to Microsoft Graph](/powershell/module/microsoft.graph.authentication/connect-mggraph). +In this section, you [install Microsoft Graph PowerShell modules](/powershell/microsoftgraph/installation) and, in PowerShell, [connect to Microsoft Graph](/powershell/module/microsoft.graph.authentication/connect-mggraph) to extract Microsoft Entra ID data. The first time your organization uses these modules for this scenario, you need to be in a Global Administrator role to allow Microsoft Graph PowerShell to grant consent for use in your tenant. Subsequent interactions can use a lower-privileged role. 1. Open PowerShell. - 1. If you don't have all the [Microsoft Graph PowerShell modules](https://www.powershellgallery.com/packages/Microsoft.Graph) already installed, install the required Microsoft Graph modules. The following modules are required for this tutorial: `Microsoft.Graph.Authentication`, `Microsoft.Graph.Users`, `Microsoft.Graph.Groups`, `Microsoft.Graph.Applications`, `Microsoft.Graph.DirectoryObjects`. + 1. If you don't have all the [Microsoft Graph PowerShell modules](https://www.powershellgallery.com/packages/Microsoft.Graph) already installed, install the required Microsoft Graph modules. The following modules are required for this section of the tutorial: `Microsoft.Graph.Authentication`, `Microsoft.Graph.Users`, `Microsoft.Graph.Groups`, `Microsoft.Graph.Applications`, `Microsoft.Graph.DirectoryObjects`. If you already have these modules installed, then continue at the next step. 
```powershell $modules = @('Microsoft.Graph.Users', 'Microsoft.Graph.Groups', 'Microsoft.Graph.Applications', 'Microsoft.Graph.DirectoryObjects') 
@@ -66,18 +68,18 @@ The first time your organization uses these modules for this scenario, you need Import-Module -Name $module } ``` - 3. Connect to Microsoft Graph. + 3. Connect to Microsoft Graph. This section of the tutorial illustrates reading users, groups, and applications, so requires the `User.Read.All`, `Group.Read.All`, `Application.Read.All`, and `Directory.Read.All` permission scopes. For more information on permissions, see [Microsoft Graph permissions reference](/graph/permissions-reference). ```powershell - Connect-MgGraph -Scopes "User.Read.All", "Group.Read.All", "Application.Read.All", "Directory.Read.All" -ContextScope Process + Connect-MgGraph -Scopes "User.Read.All", "Group.Read.All", "Application.Read.All", "Directory.Read.All" -ContextScope Process -NoWelcome ``` This command prompts you to sign in with your Microsoft Entra credentials. After signing in, you may need to consent to the required permissions if it's your first time connecting, or if new permissions are required. -### PowerShell Queries to extract data needed to build custom reports in Azure Data Explorer +### PowerShell Queries to extract Microsoft Entra ID data needed to build custom reports in Azure Data Explorer -The following queries extract Microsoft Entra data from Microsoft Graph using PowerShell and export the data to JSON files which are imported into Azure Data Explorer in the subsequent section 3. There may be multiple scenarios for generating reports with this type of data: +The following queries extract Microsoft Entra ID data from Microsoft Graph using PowerShell and export the data to JSON files which are imported into Azure Data Explorer in the subsequent section 3. There may be multiple scenarios for generating reports with this type of data, including: - An auditor would like to see a report that lists the group members for 10 groups, organized by the members’ department. 
- An auditor would like to see a report of all users who had access to an application between two dates. @@ -86,15 +88,15 @@ You can also bring in data to Azure Data Explorer from other sources beyond Micr - An admin would like to view all users added to an application from Microsoft Entra ID and their access rights in the application's own repository, such as SQL databases. -These types of reports aren't built in to Microsoft Entra ID. However, you can create these reports yourself by extracting data from Entra and combining them using custom queries in Azure Data Explorer. +These types of reports aren't built in to Microsoft Entra ID. However, you can create these reports yourself by extracting data from Entra and combining them using custom queries in Azure Data Explorer. This will be addressed later in the tutorial in [bring in data from other sources](#bring-in-data-from-other-sources) section. -For this tutorial, we extract Microsoft Entra data from several areas: +For this tutorial, we extract Microsoft Entra ID data from several areas: - User information such as display name, UPN, and job details - - Group information - - Application and role assignments + - Group information including their memberships + - Application and application role assignments -This data set enables us to perform a broad set of queries around who was given access to an application, role information, and the associated timeframe. Note that these are sample queries, and your data and specific requirements may vary from what is shown here. +This data set enables us to perform a broad set of queries around who was given access to an application, with their application role information, and the associated timeframe. Note that these are sample queries, and your data and specific requirements may vary from what is shown here. >[!NOTE] > Larger tenants may experience throttling / 429 errors that are handled by the Microsoft Graph module. Azure Data Explorer may also limit file upload sizes. 
@@ -106,12 +108,12 @@ In these PowerShell scripts, we export selected properties from the Microsoft En We included a hard-coded **snapshot date** which identifies the data in the JSON file with a specific date and allows us to keep track of similar data sets over time in Azure Data Explorer. The snapshot date is also useful for comparing changes in data between two snapshot dates. ```powershell -$SnapshotDate = "2024-01-11" +$SnapshotDate = Get-Date -AsUTC -Format "yyyy-MM-dd" ``` ### Get Entra user data -This script exports selected properties from the Entra user object to a JSON file. We'll import this data into Azure Data Explorer in a [subsequent section of this tutorial](#3-import-json-file-data-into-azure-data-explorer). +This script exports selected properties from the Entra user object to a JSON file. We'll import this and additional data from other JSON files into Azure Data Explorer in a [subsequent section of this tutorial](#3-import-json-files-with-data-from-microsoft-entra-id-into-azure-data-explorer). ```powershell 
@@ -192,7 +194,7 @@ Generate a JSON file with group membership which is used to create custom views ### Get Application and Service Principal data -Generates JSON file with all applications and the corresponding service principals in the tenant. We'll import this data into Azure Data Explorer in [a subsequent section of this tutorial](#3-import-json-file-data-into-azure-data-explorer) which allows us to generate custom reports related to applications based on this data. +Generates JSON file with all applications and the corresponding service principals in the tenant. We'll import this data into Azure Data Explorer in [a subsequent section of this tutorial](#3-import-json-files-with-data-from-microsoft-entra-id-into-azure-data-explorer) which allows us to generate custom reports related to applications based on this data. ```powershell # Fetch applications and their corresponding service principals, then export to JSON Get-MgApplication -All | ForEach-Object { 
@@ -259,28 +261,124 @@ Generate a JSON file of all app role assignments in the tenant. $result | ConvertTo-Json -Depth 10 | Out-File "AppRoleAssignments.json" ``` -## 3: Import JSON file data into Azure Data Explorer +## 3: Import JSON files with data from Microsoft Entra ID into Azure Data Explorer -In this section, we import the newly created JSON files for further analysis. +In this section, we import the newly created JSON files for the Microsoft Entra ID services into Azure Data Explorer for further analysis. -Once you have setup a database in your Azure Data Explorer cluster or free cluster, as described in the first section of this document, navigate to that database. +Once you have setup a database in your Azure Data Explorer cluster or free cluster, as described in the first section of this article, navigate to that database. 1. Sign-in to the [Azure Data Explorer web UI](https://dataexplorer.azure.com/home). 1. From the left menu, select **Query**. Next, follow these steps for each exported JSON file, to get your exported data into that Azure Data Explorer database. - 1. Right-select on the database name of the database where you want to ingest the data. Select **Get Data**. + 1. Right-select on the database name of the database where you want to ingest the data. Select **Get data**. :::image type="content" source="/azure/data-explorer/media/get-data-file/get-data.png" alt-text="Screenshot of query tab, with right-select on a database and the get options dialog open." lightbox="/azure/data-explorer/media/get-data-file/get-data.png"::: 2. Select the data source from the available list. In this tutorial, you're ingesting data from a **Local file**. 1. Select **+ New table** and enter a table name, based on the name of the JSON file you're importing, For example, if you're importing EntraUsers.json, name the table **EntraUsers**. After the first import, the table already exists, and you can select it as the target table for a subsequent import. 1. 
Select **Browse for files**, select the JSON file, and select **Next**. - 1. Azure Data Explorer automatically detects the schema and provides a preview in the **Inspect** tab. Select **Finish** to create the table and import the data from that file. - 1. Repeat each of the preceding steps for each of the JSON files that you generated in the first section. + 1. Azure Data Explorer automatically detects the schema and provides a preview in the **Inspect** tab. Select **Finish** to create the table and import the data from that file. Once the data is ingested, click **Close**. + 1. Repeat each of the preceding steps for each of the JSON files that you generated in the previous section. -## 4: Use Azure Data Explorer to build custom reports +## 4: Extract Microsoft Entra ID Governance data with PowerShell + +In this section, you'll use PowerShell to extract data from Microsoft Entra ID Governance services. If you do not have Microsoft Entra ID Governance, Microsoft Entra ID P2 or Microsoft Entra Suite, then continue in section [use Azure Data Explorer to build custom reports](#6-use-azure-data-explorer-to-build-custom-reports). + +For this you may need to [install Microsoft Graph PowerShell modules](/powershell/microsoftgraph/installation) to extract Microsoft Entra ID Governance data. The first time your organization uses these modules for this scenario, you need to be in a Global Administrator role to allow Microsoft Graph PowerShell to grant consent for use in your tenant. Subsequent interactions can use a lower-privileged role. + + 1. Open PowerShell. + 1. If you don't have all the [Microsoft Graph PowerShell modules](https://www.powershellgallery.com/packages/Microsoft.Graph) already installed, install the required Microsoft Graph modules. The following modules are required for this section of the tutorial: `Microsoft.Graph.Identity.Governance`. If you already have these modules installed, then continue at the next step. 
+ +```powershell + $modules = @('Microsoft.Graph.Identity.Governance') + foreach ($module in $modules) { + Install-Module -Name $module -Scope CurrentUser -AllowClobber -Force + } +``` + 2. Import the modules into the current PowerShell session. + + ```powershell + $modules = @('Microsoft.Graph.Identity.Governance') + foreach ($module in $modules) { + Import-Module -Name $module + } +``` + + 3. Connect to Microsoft Graph. This section of the tutorial illustrates retrieving data from entitlement management and access reviews, so requires the `AccessReview.Read.All` and `EntitlementManagement.Read.All` permission scopes. For other reporting use cases such as for PIM or lifecycle workflows, then update the `Scopes` parameter with the necessary permissions. For more information on permissions, see [Microsoft Graph permissions reference](/graph/permissions-reference). + +```powershell + Connect-MgGraph -Scopes "AccessReview.Read.All, EntitlementManagement.Read.All" -ContextScope Process -NoWelcome +``` + + This command prompts you to sign in with your Microsoft Entra credentials. After signing in, you may need to consent to the required permissions if it's your first time connecting, or if new permissions are required. + +### PowerShell queries to extract Microsoft Entra ID Governance data needed to build custom reports in Azure Data Explorer + +You can use queries to extract Microsoft Entra ID Governance data from Microsoft Graph using PowerShell and export the data to JSON files, which are imported into Azure Data Explorer in the subsequent section. There may be multiple scenarios for generating reports with this type of data, including: + + * reporting on historical access reviews + * reporting on assignments via entitlement management + +### Get Access review schedule definition data + +Generate a JSON file with access review definition names and IDs that are used to create custom views in Azure Data Explorer. 
The sample includes all access reviews, but additional filtering can be included if needed. For more information, see [use the filter query parameter](/graph/api/accessreviewset-list-definitions?view=graph-rest-1.0&tabs=http#use-the-filter-query-parameter). + +```powershell + $allsched = Get-MgIdentityGovernanceAccessReviewDefinition -All + $definitions = @() + # Iterate over each definition + foreach ($definition in $allsched) { + $definitions += [PSCustomObject]@{ + Id = $definition.Id + DisplayName = $definition.DisplayName + SnapshotDate = $SnapshotDate + } + } + $definitions | ConvertTo-Json -Depth 10 | Set-Content "EntraAccessReviewDefinition.json" +``` + +### Get entitlement management access package data + +Generate a JSON file with access package names and IDs that are used to create custom views in Azure Data Explorer. The sample includes all access packages, but additional filtering can be included if needed. + +```powershell + $accesspackages1 = Get-MgEntitlementManagementAccessPackage -All + $accesspackages2 = @() + # Iterate over each access package + foreach ($accesspackage in $accesspackages1) { + $accesspackages2 += [PSCustomObject]@{ + Id = $accesspackage.Id + DisplayName = $accesspackage.DisplayName + SnapshotDate = $SnapshotDate + } + } + $accesspackages2 | ConvertTo-Json -Depth 10 | Set-Content "EntraAccessPackage.json" +``` + +## 5: Import JSON files with data from Microsoft Entra ID Governance into Azure Data Explorer + +In this section, we import the newly created JSON files for the Microsoft Entra ID Governance services into Azure Data Explorer, alongside the data already imported for the Microsoft Entra ID services, for further analysis. + +In your Azure Data Explorer cluster or free cluster, navigate to the database which holds your Microsoft Entra ID data. + + 1. Sign-in to the [Azure Data Explorer web UI](https://dataexplorer.azure.com/home). + 1. From the left menu, select **Query**. 
+ +Next, follow these steps for each exported JSON file from the previous section, to get your exported data into that Azure Data Explorer database. + + 1. Right-select on the database name of the database where you want to ingest the data. Select **Get data**. + + :::image type="content" source="/azure/data-explorer/media/get-data-file/get-data.png" alt-text="Screenshot of query tab, with right-select on a database and the get options dialog open." lightbox="/azure/data-explorer/media/get-data-file/get-data.png"::: + + 2. Select the data source from the available list. In this tutorial, you're ingesting data from a **Local file**. + 1. Select **+ New table** and enter a table name, based on the name of the JSON file you're importing, After the first import, the table already exists, and you can select it as the target table for a subsequent import. + 1. Select **Browse for files**, select the JSON file, and select **Next**. + 1. Azure Data Explorer automatically detects the schema and provides a preview in the **Inspect** tab. Select **Finish** to create the table and import the data from that file. Once the data is ingested, click **Close**. + 1. Repeat each of the preceding steps for each of the JSON files that you generated in the previous section. + +## 6: Use Azure Data Explorer to build custom reports With the data now available in Azure Data Explorer, you're ready to begin creating customized reports based on your business requirements. 
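Review bot: `$SnapshotDate` is read in both export scripts of this hunk (`SnapshotDate = $SnapshotDate`) but is never assigned anywhere in the new section 4, so anyone who opens a fresh PowerShell session for this step will write `SnapshotDate: null` into `EntraAccessReviewDefinition.json` and `EntraAccessPackage.json`, and the date-keyed queries later on the page (the ones that compare against `targetSnapshotDate`) will not match those rows. Either set it here, for example `$SnapshotDate = Get-Date -Format 'yyyy-MM-dd'` or whatever form the earlier Microsoft Entra ID extract uses, or state explicitly that it must be the same value assigned in that earlier section. Two smaller points in the same hunk: `Connect-MgGraph -Scopes "AccessReview.Read.All, EntitlementManagement.Read.All"` passes both permissions as one comma-and-space-joined string although `Scopes` is a string array; `-Scopes "AccessReview.Read.All","EntitlementManagement.Read.All"` is the unambiguous form. And in the install/import/connect list the fences under steps 1 and 3 sit at column 0 while the one under step 2 is indented, and the list mixes `1.` with explicit `2.` and `3.`; indent all three fences under their list items and use `1.` throughout, as the rest of the page does. In the section 5 step list, "based on the name of the JSON file you're importing, After the first import" needs a period before "After".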
@@ -292,7 +390,7 @@ The following queries provide examples of common reports, but you can customize This report provides a view of who had what access and when to the target app and can be used for security audits, compliance verification, and understanding access patterns within the organization. -This query targets a specific application within Microsoft Entra AD and analyzes the role assignments as of a certain date. The query retrieves both direct and group-based role assignments, merging this data with user details from the EntraUsers table and role information from the AppRoles table. +This query targets a specific application within Microsoft Entra AD and analyzes the role assignments as of a certain date. The query retrieves both direct and group-based role assignments, merging this data with user details from the EntraUsers table and role information from the AppRoles table. In the query below, set the `targetSnapshotDate` to the `snapshotDate` value that was used when loading the data. ```kusto /// Define constants 
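Review bot: the added sentence tells the reader to set `targetSnapshotDate` to "the `snapshotDate` value", but the PowerShell exports on this page emit the property as `SnapshotDate`; Kusto column names are case-sensitive, so name the column exactly as it is ingested and say what form the value takes (date-only string or datetime) so the comparison in the query below actually matches. The same line still reads "Microsoft Entra AD"; since it is being rewritten anyway, change it to "Microsoft Entra ID".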
@@ -400,6 +498,12 @@ AppRoleAssignments | project UserPrincipalName, DisplayName, RoleDisplayName, CreatedDateTime, PrincipalId, Change = "Added" ``` +## Set up ongoing imports + +This tutorial illustrates a one-time data extract, transform and load (ETL) process to populate Azure Data Explorer with a single snapshot for reporting purposes. For ongoing reporting or to compare changes over time, you can automate the process of populating Azure Data Explorer from Microsoft Entra, so that your database continues to have current data. + +You can use [Azure Automation](/azure/automation/overview), an Azure cloud service, to host the PowerShell scripts needed to extract data from Microsoft Entra ID and Microsoft Entra ID Governance and import it into Azure Data Explorer. For more information, see [Automate Microsoft Entra ID Governance tasks with Azure Automation](identity-governance-automation.md). + ## Bring in data from other sources You can also [create additional tables](/azure/data-explorer/create-table-wizard) in Azure Data Explorer to ingest data from other sources. If the data is in a JSON file, similar to the examples above, or a CSV file, then you can create the table at the time you first [get data from the file](/azure/data-explorer/get-data-file). diff --git a/docs/workload-id/workload-identity-federation-create-trust-user-assigned-managed-identity.md b/docs/workload-id/workload-identity-federation-create-trust-user-assigned-managed-identity.md index d0744081013..1f6c4a00179 100644 --- a/docs/workload-id/workload-identity-federation-create-trust-user-assigned-managed-identity.md +++ b/docs/workload-id/workload-identity-federation-create-trust-user-assigned-managed-identity.md 
@@ -43,7 +43,7 @@ To learn more about supported regions, time to propagate federated credential up ## Configure a federated identity credential on a user-assigned managed identity -In the [Microsoft Entra admin center](https://entra.microsoft.com), navigate to the user-assigned managed identity you created. Under **Settings** in the left nav bar, select **Federated credentials** and then **Add Credential**. +In the [Microsoft Azure portal](https://portal.azure.com), navigate to the user-assigned managed identity you created. Under **Settings** in the left nav bar, select **Federated credentials** and then **Add Credential**. In the **Federated credential scenario** dropdown box, select your scenario. @@ -157,13 +157,13 @@ Select **Add** to configure the federated credential. ## List federated identity credentials on a user-assigned managed identity -In the [Microsoft Entra admin center](https://entra.microsoft.com), navigate to the user-assigned managed identity you created. Under **Settings** in the left nav bar and select **Federated credentials**. +In the [Microsoft Azure portal](https://portal.azure.com), navigate to the user-assigned managed identity you created. Under **Settings** in the left nav bar and select **Federated credentials**. The federated identity credentials configured on that user-assigned managed identity are listed. ## Delete a federated identity credential from a user-assigned managed identity -In the [Microsoft Entra admin center](https://entra.microsoft.com), navigate to the user-assigned managed identity you created. Under **Settings** in the left nav bar and select **Federated credentials**. +In the [Microsoft Azure portal](https://portal.azure.com), navigate to the user-assigned managed identity you created. Under **Settings** in the left nav bar and select **Federated credentials**. The federated identity credentials configured on that user-assigned managed identity are listed.
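Review bot: in the `@@ -400,6 +498,12 @@` hunk, the new "Set up ongoing imports" section points readers at Azure Automation for unattended runs, but the extraction steps on this page authenticate interactively (`Connect-MgGraph -Scopes ...` followed by a sign-in prompt), which cannot run inside a runbook. Add a sentence saying that the hosted script must sign in as the Automation account's managed identity (`Connect-MgGraph -Identity`) or as an app registration granted the equivalent application permissions, and that each scheduled run must assign a fresh `$SnapshotDate` before exporting; otherwise every import lands under the same snapshot and the change-over-time reports have nothing to compare.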
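Review bot: in the `@@ -43,7 +43,7 @@` hunk of workload-identity-federation-create-trust-user-assigned-managed-identity.md, the link text becomes "Microsoft Azure portal"; the product name is "Azure portal", so drop "Microsoft". A short clause explaining the switch would also help (a user-assigned managed identity is an Azure resource, so it is managed from the Azure portal rather than the Microsoft Entra admin center), since readers following the old path will otherwise not know why the location moved.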
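Review bot: both replaced sentences in the `@@ -157,13 +157,13 @@` hunk keep the grammatical slip "Under **Settings** in the left nav bar and select **Federated credentials**."; since the lines are being rewritten anyway, make them "Under **Settings** in the left nav bar, select **Federated credentials**." to match the wording in the -43 hunk. The same portal sentence now appears three times in the file; a shared include or a single navigation paragraph would stop the next portal rename from needing three edits.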