diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index c225f81f97..1b0a463815 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -1081,6 +1081,16 @@
       "source_path_from_root": "/docs/identity/saas-apps/ghae-provisioning-tutorial.md",
       "redirect_url": "/entra/identity/saas-apps/tutorial-list",
       "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/docs/identity-platform/quickstart-v2-uwp.md",
+      "redirect_url": "/entra/identity-platform/quickstart-desktop-app-wpf-sign-in",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/docs/identity-platform/tutorial-v2-windows-uwp.md",
+      "redirect_url": "/entra/identity-platform/quickstart-desktop-app-wpf-sign-in",
+      "redirect_document_id": false
     }
   ]
 }
\ No newline at end of file
diff --git a/docs/architecture/secure-resource-management.md b/docs/architecture/secure-resource-management.md
index b4c829702c..b40ef54670 100644
--- a/docs/architecture/secure-resource-management.md
+++ b/docs/architecture/secure-resource-management.md
@@ -6,7 +6,7 @@ manager: martinco
 ms.service: entra
 ms.subservice: architecture
 ms.topic: conceptual
-ms.date: 10/03/2023
+ms.date: 10/15/2024
 ms.author: justinha
 ms.reviewer: justinha
 ---
@@ -167,7 +167,7 @@ Microsoft Entra Domain Services provides a managed domain to facilitate authenti
 
 An Azure AD B2C tenant is linked to an Azure subscription for billing and communication purposes. Azure AD B2C tenants have a self-contained role structure in the directory, which is independent from the Azure RBAC privileged roles of the Azure subscription.
 
-When the Azure AD B2C tenant is initially provisioned, the user creating the B2C tenant must have contributor or owner permissions in the subscription. They can later create other accounts and assign them to directory roles. For more information, see [Overview of role-based access control in Microsoft Entra ID](/identity/role-based-access-control/custom-overview).
+When the Azure AD B2C tenant is initially provisioned, the user creating the B2C tenant must have contributor or owner permissions in the subscription. They can later create other accounts and assign them to directory roles. For more information, see [Overview of role-based access control in Microsoft Entra ID](~/identity/role-based-access-control/custom-overview.md).
 
 It's important to note that the owners and contributors of the linked Microsoft Entra subscription can remove the link between the subscription and the directory, which will affect the ongoing billing of the Azure AD B2C usage.
 
diff --git a/docs/id-governance/scenarios/deploy-sap-netweaver.md b/docs/id-governance/scenarios/deploy-sap-netweaver.md
index 1d068b11f4..779fabe2b7 100644
--- a/docs/id-governance/scenarios/deploy-sap-netweaver.md
+++ b/docs/id-governance/scenarios/deploy-sap-netweaver.md
@@ -197,7 +197,7 @@ Follow the steps below to configure the Web Service.
 :::image type="content" source="media/deploy-sap-netweaver/sap-35.png" alt-text="Screenshot of save." lightbox="media/deploy-sap-netweaver/sap-35.png":::
  
  13. Find a WSDL URL for Service under WSDL Generation section and copy that link. 
- Example: http://vhcalnplci.dummy.nodomain:8000/sap/bc/srt/wsdl/flv\_10002A1011D1/bndg\_url/sap/bc/srt/rfc/sap/zsapconnectorwebservice/001/zsapconnectorws/zsapconnectorws?sapclient\=001 
+ Example: `http://vhcalnplci.dummy.nodomain:8000/sap/bc/srt/wsdl/flv\_10002A1011D1/bndg\_url/sap/bc/srt/rfc/sap/zsapconnectorwebservice/001/zsapconnectorws/zsapconnectorws?sapclient\=001`
 
 :::image type="content" source="media/deploy-sap-netweaver/sap-36.png" alt-text="Screenshot of WSDL URL." lightbox="media/deploy-sap-netweaver/sap-36.png":::
  
diff --git a/docs/identity-platform/TOC.yml b/docs/identity-platform/TOC.yml
index c88d4223c0..05d594b82e 100644
--- a/docs/identity-platform/TOC.yml
+++ b/docs/identity-platform/TOC.yml
@@ -302,16 +302,12 @@
       items:
         - name: Node.js Electron
           href: quickstart-desktop-app-nodejs-electron-sign-in.md
-        - name: Universal Windows Platform (UWP)
-          href: quickstart-desktop-app-uwp-sign-in.md
         - name: Windows Presentation Foundation (WPF)
           href: quickstart-desktop-app-wpf-sign-in.md
     - name: Tutorials
       items:
         - name: Node.js Electron
           href: tutorial-v2-nodejs-desktop.md
-        - name: Universal Windows Platform (UWP)
-          href: tutorial-v2-windows-uwp.md
         - name: Windows Presentation Foundation (WPF)
           href: tutorial-v2-windows-desktop.md
     - name: Samples
diff --git a/docs/identity-platform/quickstart-v2-uwp.md b/docs/identity-platform/quickstart-v2-uwp.md
deleted file mode 100644
index 43a86f8fa0..0000000000
--- a/docs/identity-platform/quickstart-v2-uwp.md
+++ /dev/null
@@ -1,140 +0,0 @@
----
-title: "Quickstart: Sign in users and call Microsoft Graph in a Universal Windows Platform app"
-description: In this quickstart, learn how a Universal Windows Platform (UWP) application can get an access token and call an API protected by Microsoft identity platform.
-ROBOTS: NOINDEX
-author: OwenRichards1
-manager: CelesteDG
-ms.author: owenrichards
-ms.custom: scenarios:getting-started, "languages:UWP", mode-api
-ms.date: 01/14/2022
-ms.reviewer: jmprieur
-ms.service: identity-platform
-
-ms.topic: quickstart
-#Customer intent: As an application developer, I want to learn how my Universal Windows Platform (XAML) application can get an access token and call an API that's protected by the Microsoft identity platform.
----
-
-# Quickstart: Call the Microsoft Graph API from a Universal Windows Platform (UWP) application
-
-
-> [!div renderon="docs"]
-> Welcome! This probably isn't the page you were expecting. While we work on a fix, this link should take you to the right article:
->
-> > [Quickstart: Sign in users and call Microsoft Graph in a Universal Windows Platform app](quickstart-desktop-app-uwp-sign-in.md)
-> 
-> We apologize for the inconvenience and appreciate your patience while we work to get this resolved.
-
-> [!div renderon="portal" class="sxs-lookup"]
-> In this quickstart, you download and run a code sample that demonstrates how a Universal Windows Platform (UWP) application can sign in users and get an access token to call the Microsoft Graph API. 
-> 
-> See [How the sample works](#how-the-sample-works) for an illustration.
-> 
-> 
-> ## Prerequisites
-> 
-> * An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
-> * [Visual Studio 2019](https://visualstudio.microsoft.com/vs/)
-> 
-> #### Step 1: Configure the application
-> For the code sample in this quickstart to work, add a **Redirect URI** of `https://login.microsoftonline.com/common/oauth2/nativeclient`.
-> > [!div class="nextstepaction"]
-> > [Make this change for me]()
-> 
-> > [!div class="alert alert-info"]
-> > ![Already configured](media/quickstart-v2-uwp/green-check.png) Your application is configured with these attributes.
-> 
-> #### Step 2: Download the Visual Studio project
-> 
-> Run the project using Visual Studio 2019.
-> > [!div  class="nextstepaction"]
-> > [Download the code sample](https://github.com/Azure-Samples/active-directory-dotnet-native-uwp-v2/archive/msal3x.zip)
-> 
-> [!INCLUDE [active-directory-develop-path-length-tip](./includes/error-handling-and-tips/path-length-tip.md)]
-> 
-> 
-> #### Step 3: Your app is configured and ready to run
-> We have configured your project with values of your app's properties and it's ready to run.
-> #### Step 4: Run the application
-> 
-> To run the sample application on your local machine:
-> 
-> 1. In the Visual Studio toolbar, choose the right platform (probably **x64** or **x86**, not ARM). The target device should change from *Device* to *Local Machine*.
-> 1. Select **Debug** > **Start Without Debugging**.
->     
->     If you're prompted to do so, you might first need to enable **Developer Mode**, and then **Start Without Debugging** again to launch the app.
-> 
-> When the app's window appears, you can select the **Call Microsoft Graph API** button, enter your credentials, and consent to the permissions requested by the application. If successful, the application displays some token information and data obtained from the call to the Microsoft Graph API.
-> 
-> ## How the sample works
-> 
-> ![Shows how the sample app generated by this quickstart works](media/quickstart-v2-uwp/uwp-intro.svg)
-> 
-> ### MSAL.NET
-> 
-> MSAL ([Microsoft.Identity.Client](https://www.nuget.org/packages/Microsoft.Identity.Client)) is the library used to sign in users and request security tokens. The security tokens are used to access an API protected by the Microsoft Identity platform. You can install MSAL by running the following command in Visual Studio's *Package Manager Console*:
-> 
-> ```powershell
-> Install-Package Microsoft.Identity.Client
-> ```
-> 
-> ### MSAL initialization
-> 
-> You can add the reference for MSAL by adding the following code:
-> 
-> ```csharp
-> using Microsoft.Identity.Client;
-> ```
-> 
-> Then, MSAL is initialized using the following code:
-> 
-> ```csharp
-> public static IPublicClientApplication PublicClientApp;
-> PublicClientApp = PublicClientApplicationBuilder.Create(ClientId)
->                                                 .WithRedirectUri("https://login.microsoftonline.com/common/oauth2/> nativeclient")
->                                                     .Build();
-> ```
-> 
-> The value of `ClientId` is the **Application (client) ID** of the app you registered in the Azure portal. You can find this value in the app's **Overview** page in the Azure portal.
-> 
-> ### Requesting tokens
-> 
-> MSAL has two methods for acquiring tokens in a UWP app: `AcquireTokenInteractive` and `AcquireTokenSilent`.
-> 
-> #### Get a user token interactively
-> 
-> Some situations require forcing users to interact with the Microsoft identity platform through a pop-up window to either validate their credentials or to give consent. Some examples include:
-> 
-> - The first-time users sign in to the application
-> - When users may need to reenter their credentials because the password has expired
-> - When your application is requesting access to a resource, that the user needs to consent to
-> - When two factor authentication is required
-> 
-> ```csharp
-> authResult = await App.PublicClientApp.AcquireTokenInteractive(scopes)
->                       .ExecuteAsync();
-> ```
-> 
-> The `scopes` parameter contains the scopes being requested, such as `{ "user.read" }` for Microsoft Graph or `{ "api://<Application ID>/access_as_user" }` for custom web APIs.
-> 
-> #### Get a user token silently
-> 
-> Use the `AcquireTokenSilent` method to obtain tokens to access protected resources after the initial `AcquireTokenInteractive` method. You don’t want to require the user to validate their credentials every time they need to access a resource. Most of the time you want token acquisitions and renewal without any user interaction
-> 
-> ```csharp
-> var accounts = await App.PublicClientApp.GetAccountsAsync();
-> var firstAccount = accounts.FirstOrDefault();
-> authResult = await App.PublicClientApp.AcquireTokenSilent(scopes, firstAccount)
->                                       .ExecuteAsync();
-> ```
-> 
-> * `scopes` contains the scopes being requested, such as `{ "user.read" }` for Microsoft Graph or `{ "api://<Application ID>/access_as_user" }` for custom web APIs.
-> * `firstAccount` specifies the first user account in the cache (MSAL supports multiple users in a single app).
-> 
-> [!INCLUDE [Help and support](./includes/error-handling-and-tips/help-support-include.md)]
-> 
-> ## Next steps
-> 
-> Try out the Windows desktop tutorial for a complete step-by-step guide on building applications and new features, including a full explanation of this quickstart.
-> 
-> > [!div class="nextstepaction"]
-> > [UWP - Call Graph API tutorial](tutorial-v2-windows-uwp.md)
diff --git a/docs/identity-platform/tutorial-v2-windows-uwp.md b/docs/identity-platform/tutorial-v2-windows-uwp.md
deleted file mode 100644
index ece6bd9d12..0000000000
--- a/docs/identity-platform/tutorial-v2-windows-uwp.md
+++ /dev/null
@@ -1,553 +0,0 @@
----
-title: "Tutorial: Create a Universal Windows Platform (UWP) app that uses the Microsoft identity platform for authentication"
-description: In this tutorial, you build a UWP application that uses the Microsoft identity platform to sign in users and get an access token to call the Microsoft Graph API on their behalf.
-author: henrymbuguakiarie
-manager: CelesteDG
-ms.author: henrymbugua
-ms.custom: "devx-track-csharp"
-ms.date: 11/10/2023
-ms.reviewer: jmprieur
-ms.service: identity-platform
-
-ms.topic: tutorial
-#Customer intent: As a developer building a Universal Windows Platform (UWP) application, I want to learn how to call the Microsoft Graph API and obtain an access token, so that I can integrate Microsoft Graph functionality into my application and access protected resources.
----
-
-# Tutorial: Call the Microsoft Graph API from a Universal Windows Platform (UWP) application
-
-In this tutorial, you build a native Universal Windows Platform (UWP) app that signs in users and gets an access token to call the Microsoft Graph API. 
-
-At the end of this guide, your application calls a protected API by using personal accounts. Examples are outlook.com, live.com, and others. Your application also calls work and school accounts from any company or organization that has Microsoft Entra ID.
-
-In this tutorial:
-
-> [!div class="checklist"]
-> * Create a *Universal Windows Platform (UWP)* project in Visual Studio
-> * Register the application in the Azure portal
-> * Add code to support user sign-in and sign-out
-> * Add code to call Microsoft Graph API
-> * Test the app
-
-## Prerequisites
-
-* [Visual Studio 2019](https://visualstudio.microsoft.com/vs/) with the [Universal Windows Platform development](/windows/apps/windows-app-sdk/set-up-your-development-environment) workload installed
-
-## How this guide works
-
-![Shows how the sample app generated by this tutorial works](./media/tutorial-v2-windows-uwp/uwp-intro.svg)
-
-This guide creates a sample UWP application that queries the Microsoft Graph API. For this scenario, a token is added to HTTP requests by using the Authorization header. The Microsoft Authentication Library handles token acquisitions and renewals.
-
-> MSAL.NET versions 4.61.0 and above do not provide support for Universal Windows Platform (UWP), Xamarin Android, and Xamarin iOS. We recommend you migrate your UWP applications to modern frameworks like WINUI. Read more about the deprecation in [Announcing the Upcoming Deprecation of MSAL.NET for Xamarin and UWP](https://devblogs.microsoft.com/identity/uwp-xamarin-msal-net-deprecation/).
-
-## NuGet packages
-
-This guide uses the following NuGet package:
-
-|Library|Description|
-|---|---|
-|[Microsoft.Identity.Client](https://www.nuget.org/packages/Microsoft.Identity.Client)| Microsoft Authentication Library|
-|[Microsoft.Graph](https://www.nuget.org/packages/Microsoft.Graph)|Microsoft Graph Client Library|
-
-## Set up your project
-
-This section provides step-by-step instructions to integrate a Windows Desktop .NET application (XAML) with sign-in with Microsoft. Then the application can query web APIs that require a token, such as the Microsoft Graph API.
-
-This guide creates an application that displays a button that queries the Microsoft Graph API and a button to sign out. It also displays text boxes that contain the results of the calls.
-
-> [!Tip]
-> To see a completed version of the project you build in this tutorial, you can [download it from GitHub](https://github.com/Azure-Samples/active-directory-dotnet-native-uwp-v2/archive/msal3x.zip).
-
-### Create your application
-
-1. Open Visual Studio, and select **Create a new project**.
-1. In **Create a new project**, choose **Blank App (Universal Windows)** for C# and select **Next**.
-1. In **Configure your new project**, name the app, and select **Create**.
-1. If prompted, in **New Universal Windows Platform Project**, select any version for **Target** and **Minimum** versions, and select **OK**.
-
-   ![Minimum and Target versions](./media/tutorial-v2-windows-uwp/select-uwp-target-minimum.png)
-
-### Add the Microsoft Authentication Library to your project
-
-1. In Visual Studio, select **Tools** > **NuGet Package Manager** > **Package Manager Console**.
-1. Copy and paste the following commands in the **Package Manager Console** window:
-
-    ```powershell
-    Install-Package Microsoft.Identity.Client
-    Install-Package Microsoft.Graph
-    ```
-
-   > [!NOTE]
-   > The first command installs the [Microsoft Authentication Library (MSAL.NET)](https://aka.ms/msal-net). MSAL.NET acquires, caches, and refreshes user tokens that access APIs that are protected by the Microsoft identity platform. The second command installs [Microsoft Graph .NET Client Library](https://github.com/microsoftgraph/msgraph-sdk-dotnet) to authenticate requests to Microsoft Graph and make calls to the service.
-
-### Create your application's UI
-
-Visual Studio creates *MainPage.xaml* as a part of your project template. Open this file, and then replace your application's **Grid** node with the following code:
-
-```xml
-<Grid>
-    <StackPanel Background="Azure">
-        <StackPanel Orientation="Horizontal" HorizontalAlignment="Right">
-            <Button x:Name="CallGraphButton" Content="Call Microsoft Graph API" HorizontalAlignment="Right" Padding="5" Click="CallGraphButton_Click" Margin="5" FontFamily="Segoe Ui"/>
-            <Button x:Name="SignOutButton" Content="Sign-Out" HorizontalAlignment="Right" Padding="5" Click="SignOutButton_Click" Margin="5" Visibility="Collapsed" FontFamily="Segoe Ui"/>
-        </StackPanel>
-        <TextBlock Text="API Call Results" Margin="2,0,0,-5" FontFamily="Segoe Ui" />
-        <TextBox x:Name="ResultText" TextWrapping="Wrap" MinHeight="120" Margin="5" FontFamily="Segoe Ui"/>
-        <TextBlock Text="Token Info" Margin="2,0,0,-5" FontFamily="Segoe Ui" />
-        <TextBox x:Name="TokenInfoText" TextWrapping="Wrap" MinHeight="70" Margin="5" FontFamily="Segoe Ui"/>
-    </StackPanel>
-</Grid>
-```
-
-### Use the Microsoft Authentication Library to get a token for the Microsoft Graph API
-
-This section shows how to use the Microsoft Authentication Library to get a token for the Microsoft Graph API. Make changes to the *MainPage.xaml.cs* file.
-
-1. In *MainPage.xaml.cs*, add the following references:
-
-    ```csharp
-    using Microsoft.Identity.Client;
-    using Microsoft.Graph;
-    using Microsoft.Graph.Models;
-    using System.Diagnostics;
-    using System.Threading.Tasks;
-    using System.Net.Http.Headers;
-    ```
-
-1. Replace your `MainPage` class with the following code:
-
-    ```csharp
-    public sealed partial class MainPage : Page
-    {
-
-        //Set the scope for API call to user.read
-        private string[] scopes = new string[] { "user.read" };
-
-        // Below are the clientId (Application Id) of your app registration and the tenant information.
-        // You have to replace:
-        // - the content of ClientID with the Application Id for your app registration
-        private const string ClientId = "[Application Id pasted from the application registration portal]";
-
-        private const string Tenant = "common"; // Alternatively "[Enter your tenant, as obtained from the Azure portal, e.g. kko365.onmicrosoft.com]"
-        private const string Authority = "https://login.microsoftonline.com/" + Tenant;
-
-        // The MSAL Public client app
-        private static IPublicClientApplication PublicClientApp;
-
-        private static string MSGraphURL = "https://graph.microsoft.com/v1.0/";
-        private static AuthenticationResult authResult;
-
-        public MainPage()
-        {
-            this.InitializeComponent();
-        }
-
-        /// <summary>
-        /// Call AcquireTokenAsync - to acquire a token requiring user to sign in
-        /// </summary>
-        private async void CallGraphButton_Click(object sender, RoutedEventArgs e)
-        {
-            try
-            {
-                // Sign in user using MSAL and obtain an access token for Microsoft Graph
-                GraphServiceClient graphClient = await SignInAndInitializeGraphServiceClient(scopes);
-
-                // Call the /me endpoint of Graph
-                User graphUser = await graphClient.Me.GetAsync();
-
-                // Go back to the UI thread to make changes to the UI
-                await Dispatcher.RunAsync(Windows.UI.Core.CoreDispatcherPriority.Normal, () =>
-                {
-                    ResultText.Text = "Display Name: " + graphUser.DisplayName + "\nBusiness Phone: " + graphUser.BusinessPhones.FirstOrDefault()
-                                      + "\nGiven Name: " + graphUser.GivenName + "\nid: " + graphUser.Id
-                                      + "\nUser Principal Name: " + graphUser.UserPrincipalName;
-                    DisplayBasicTokenInfo(authResult);
-                    this.SignOutButton.Visibility = Visibility.Visible;
-                });
-            }
-            catch (MsalException msalEx)
-            {
-                await DisplayMessageAsync($"Error Acquiring Token:{System.Environment.NewLine}{msalEx}");
-            }
-            catch (Exception ex)
-            {
-                await DisplayMessageAsync($"Error Acquiring Token Silently:{System.Environment.NewLine}{ex}");
-                return;
-            }
-        }
-                /// <summary>
-        /// Signs in the user and obtains an access token for Microsoft Graph
-        /// </summary>
-        /// <param name="scopes"></param>
-        /// <returns> Access Token</returns>
-        private static async Task<string> SignInUserAndGetTokenUsingMSAL(string[] scopes)
-        {
-            // Initialize the MSAL library by building a public client application
-            PublicClientApp = PublicClientApplicationBuilder.Create(ClientId)
-                .WithAuthority(Authority)
-                .WithUseCorporateNetwork(false)
-                .WithRedirectUri("https://login.microsoftonline.com/common/oauth2/nativeclient")
-                 .WithLogging((level, message, containsPii) =>
-                 {
-                     Debug.WriteLine($"MSAL: {level} {message} ");
-                 }, LogLevel.Warning, enablePiiLogging: false, enableDefaultPlatformLogging: true)
-                .Build();
-
-            // It's good practice to not do work on the UI thread, so use ConfigureAwait(false) whenever possible.
-            IEnumerable<IAccount> accounts = await PublicClientApp.GetAccountsAsync().ConfigureAwait(false);
-            IAccount firstAccount = accounts.FirstOrDefault();
-
-            try
-            {
-                authResult = await PublicClientApp.AcquireTokenSilent(scopes, firstAccount)
-                                                  .ExecuteAsync();
-            }
-            catch (MsalUiRequiredException ex)
-            {
-                // A MsalUiRequiredException happened on AcquireTokenSilentAsync. This indicates you need to call AcquireTokenAsync to acquire a token
-                Debug.WriteLine($"MsalUiRequiredException: {ex.Message}");
-
-                authResult = await PublicClientApp.AcquireTokenInteractive(scopes)
-                                                  .ExecuteAsync()
-                                                  .ConfigureAwait(false);
-
-            }
-            return authResult.AccessToken;
-        }
-    }
-    ```
-
-#### Get a user token interactively<a name="more-information"></a>
-
-The `AcquireTokenInteractive` method results in a window that prompts users to sign in. Applications usually require users to sign in interactively the first time to access a protected resource. They might also need to sign in when a silent operation to acquire a token fails. An example is when a user's password has expired.
-
-#### Get a user token silently
-
-The `AcquireTokenSilent` method handles token acquisitions and renewals without any user interaction. After `AcquireTokenInteractive` runs for the first time and prompts the user for credentials, use the `AcquireTokenSilent` method to request tokens for later calls. That method acquires tokens silently. The Microsoft Authentication Library handles token cache and renewal.
-
-Eventually, the `AcquireTokenSilent` method fails. Reasons for failure include a user that signed out or changed their password on another device. When the Microsoft Authentication Library detects that the issue requires an interactive action, it throws an `MsalUiRequiredException` exception. Your application can handle this exception in two ways:
-
-* Your application calls `AcquireTokenInteractive` immediately. This call results in prompting the user to sign in. Normally, use this approach for online applications where there's no available offline content for the user. The sample generated by this guided setup follows the pattern. You see it in action the first time you run the sample.
-
-   Because no user has used the application, `accounts.FirstOrDefault()` contains a null value, and throws an `MsalUiRequiredException` exception.
-
-   The code in the sample then handles the exception by calling `AcquireTokenInteractive`. This call results in prompting the user to sign in.
-
-* Your application presents a visual indication to users that they need to sign in. Then they can select the right time to sign in. The application can retry `AcquireTokenSilent` later. Use this approach when users can use other application functionality without disruption. An example is when offline content is available in the application. In this case, users can decide when they want to sign in. The application can retry `AcquireTokenSilent` after the network was temporarily unavailable.
-
-### Instantiate the Microsoft Graph Service Client by obtaining the token from the SignInUserAndGetTokenUsingMSAL method
-
-In the project, create a new file named *TokenProvider.cs*: right-click on the project, select **Add** > **New Item** > **Blank Page**.
-
-Add to the newly created file the following code:
-
-```csharp
-using Microsoft.Kiota.Abstractions.Authentication;
-using System;
-using System.Collections.Generic;
-using System.Threading;
-using System.Threading.Tasks;
-
-namespace UWP_app_MSGraph {
-    public class TokenProvider : IAccessTokenProvider {
-        private Func<string[], Task<string>> getTokenDelegate;
-        private string[] scopes;
-
-        public TokenProvider(Func<string[], Task<string>> getTokenDelegate, string[] scopes) {
-            this.getTokenDelegate = getTokenDelegate;
-            this.scopes = scopes;
-        }
-
-        public Task<string> GetAuthorizationTokenAsync(Uri uri, Dictionary<string, object> additionalAuthenticationContext = default,
-            CancellationToken cancellationToken = default) {
-            return getTokenDelegate(scopes);
-        }
-
-        public AllowedHostsValidator AllowedHostsValidator { get; }
-    }
-}
-```
-
-> [!TIP]
-> After pasting the code, make sure that the namespace in the *TokenProvider.cs* file matches the namespace of your project. This will allow you to more easily reference the `TokenProvider` class in your project.
-
-The `TokenProvider` class defines a custom access token provider that executes the specified delegate method to get and return an access token.
-
-Add the following new method to *MainPage.xaml.cs*:
-
-```csharp
-      /// <summary>
-     /// Sign in user using MSAL and obtain a token for Microsoft Graph
-     /// </summary>
-     /// <returns>GraphServiceClient</returns>
-     private async static Task<GraphServiceClient> SignInAndInitializeGraphServiceClient(string[] scopes)
-     {
-         var tokenProvider = new TokenProvider(SignInUserAndGetTokenUsingMSAL, scopes);
-         var authProvider = new BaseBearerTokenAuthenticationProvider(tokenProvider);
-         var graphClient = new GraphServiceClient(authProvider, MSGraphURL);
-
-         return await Task.FromResult(graphClient);
-     }
-```
-
-In this method, you're using the custom access token provider `TokenProvider` to connect the `SignInUserAndGetTokenUsingMSAL` method to the Microsoft Graph .NET SDK and create an authenticated client.
-
-To use the `BaseBearerTokenAuthenticationProvider`, in the *MainPage.xaml.cs* file, add the following reference:
-
-```cs
-using Microsoft.Kiota.Abstractions.Authentication;
-```
-
-#### More information on making a REST call against a protected API
-
-In this sample application, the `GetGraphServiceClient` method instantiates `GraphServiceClient` by using an access token. Then, `GraphServiceClient` is used to get the user's profile information from the **me** endpoint.
-
-### Add a method to sign out the user
-
-To sign out the user, add the following method to *MainPage.xaml.cs*:
-
-```csharp
-/// <summary>
-/// Sign out the current user
-/// </summary>
-private async void SignOutButton_Click(object sender, RoutedEventArgs e)
-{
-    IEnumerable<IAccount> accounts = await PublicClientApp.GetAccountsAsync().ConfigureAwait(false);
-    IAccount firstAccount = accounts.FirstOrDefault();
-
-    try
-    {
-        await PublicClientApp.RemoveAsync(firstAccount).ConfigureAwait(false);
-        await Dispatcher.RunAsync(Windows.UI.Core.CoreDispatcherPriority.Normal, () =>
-        {
-            ResultText.Text = "User has signed out";
-            this.CallGraphButton.Visibility = Visibility.Visible;
-                this.SignOutButton.Visibility = Visibility.Collapsed;
-            });
-        }
-        catch (MsalException ex)
-        {
-            ResultText.Text = $"Error signing out user: {ex.Message}";
-        }
-    }
-```
-
-MSAL.NET uses asynchronous methods to acquire tokens or manipulate accounts. As such, support UI actions in the UI thread. This is the reason for the `Dispatcher.RunAsync` call and the precautions to call `ConfigureAwait(false)`.
-
-#### More information about signing out<a name="more-information-on-sign-out"></a>
-
-The `SignOutButton_Click` method removes the user from the Microsoft Authentication Library user cache. This method effectively tells the Microsoft Authentication Library to forget the current user. A future request to acquire a token succeeds only if it's interactive.
-
-The application in this sample supports a single user. The Microsoft Authentication Library supports scenarios where the user can sign in on more than one account. An example is an email application where a user has several accounts.
-
-### Display basic token information
-
-Add the following method to *MainPage.xaml.cs* to display basic information about the token:
-
-```csharp
-/// <summary>
-/// Display basic information contained in the token. Needs to be called from the UI thread.
-/// </summary>
-private void DisplayBasicTokenInfo(AuthenticationResult authResult)
-{
-    TokenInfoText.Text = "";
-    if (authResult != null)
-    {
-        TokenInfoText.Text += $"User Name: {authResult.Account.Username}" + Environment.NewLine;
-        TokenInfoText.Text += $"Token Expires: {authResult.ExpiresOn.ToLocalTime()}" + Environment.NewLine;
-    }
-}
-```
-
-#### More information<a name="more-information-1"></a>
-
-ID tokens acquired by using **OpenID Connect** also contain a small subset of information pertinent to the user. `DisplayBasicTokenInfo` displays basic information contained in the token. This information includes the user's display name and ID. It also includes the expiration date of the token and the string that represents the access token itself. If you select the **Call Microsoft Graph API** button several times, you'll see that the same token was reused for later requests. You can also see the expiration date extended when the Microsoft Authentication Library decides it's time to renew the token.
-
-### Display message
-
-Add the following new method to *MainPage.xaml.cs*:
-
-```csharp
-/// <summary>
-/// Displays a message in the ResultText. Can be called from any thread.
-/// </summary>
-private async Task DisplayMessageAsync(string message)
-{
-     await Dispatcher.RunAsync(Windows.UI.Core.CoreDispatcherPriority.Normal,
-         () =>
-         {
-             ResultText.Text = message;
-         });
-     }
-```
-
-## Register your application
-
-[!INCLUDE [portal updates](~/includes/portal-update.md)]
-
-Now, register your application:
-
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Developer](~/identity/role-based-access-control/permissions-reference.md#application-developer).
-1. If you have access to multiple tenants, use the **Settings** icon :::image type="icon" source="./media/common/admin-center-settings-icon.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application from the **Directories + subscriptions** menu.
-1. Browse to **Identity** > **Applications** > **App registrations**.
-1. Select **New registration**.
-1. Enter a **Name** for your application, for example `UWP-App-calling-MSGraph`. Users of your app might see this name, and you can change it later.
-1. Under **Supported account types**, select **Accounts in any organizational directory (Any Microsoft Entra directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)**. 
-1. Select **Register**.
-1. On the overview page, find the **Application (client) ID** value and copy it. Go back to Visual Studio, open *MainPage.xaml.cs*, and replace the value of `ClientId` with this value.
-
-Configure authentication for your application:
-
-1. In to the Microsoft Entra admin center, select **Authentication** > **Add a platform**, and then select **Mobile and desktop applications**.
-1. In the **Redirect URIs** section, enter `https://login.microsoftonline.com/common/oauth2/nativeclient`.
-1. Select **Configure**.
-
-Configure API permissions for your application:
-
-1. Select **API permissions** > **Add a permission**.
-1. Select **Microsoft Graph**.
-1. Select **Delegated permissions**, search for *User.Read*, and verify that **User.Read** is selected.
-1. If you made any changes, select **Add permissions** to save them.
-
-## Enable integrated authentication on federated domains (optional)
-
-To enable integrated Windows authentication when it's used with a federated Microsoft Entra domain, the application manifest must enable additional capabilities. Go back to your application in Visual Studio.
-
-1. Open *Package.appxmanifest*.
-1. Select **Capabilities**, and enable the following settings:
-
-   * **Enterprise Authentication**
-   * **Private Networks (Client & Server)**
-   * **Shared User Certificates**
-
-> [!IMPORTANT]
-> [Integrated Windows authentication](https://aka.ms/msal-net-iwa) isn't configured by default for this sample. Applications that request `Enterprise Authentication` or `Shared User Certificates` capabilities require a higher level of verification by the Windows Store. Also, not all developers want to perform the higher level of verification. Enable this setting only if you need integrated Windows authentication with a federated Microsoft Entra domain.
-
-## Alternate approach to using WithDefaultRedirectURI()
-
-In the current sample, the `WithRedirectUri("https://login.microsoftonline.com/common/oauth2/nativeclient")` method is used. To use `WithDefaultRedirectURI()`, complete these steps:
-
-1. In *MainPage.XAML.cs*, replace `WithRedirectUri` with `WithDefaultRedirectUri`:
-
-   **Current code**
-
-   ```csharp
-
-   PublicClientApp = PublicClientApplicationBuilder.Create(ClientId)
-       .WithAuthority(Authority)
-       .WithUseCorporateNetwork(false)
-       .WithRedirectUri("https://login.microsoftonline.com/common/oauth2/nativeclient")
-       .WithLogging((level, message, containsPii) =>
-        {
-            Debug.WriteLine($"MSAL: {level} {message} ");
-        }, LogLevel.Warning, enablePiiLogging: false, enableDefaultPlatformLogging: true)
-       .Build();
-
-   ```
-
-   **Updated code**
-
-   ```csharp
-
-   PublicClientApp = PublicClientApplicationBuilder.Create(ClientId)
-       .WithAuthority("https://login.microsoftonline.com/common")
-       .WithUseCorporateNetwork(false)
-       .WithDefaultRedirectUri()
-       .WithLogging((level, message, containsPii) =>
-        {
-            Debug.WriteLine($"MSAL: {level} {message} ");
-        }, LogLevel.Warning, enablePiiLogging: false, enableDefaultPlatformLogging: true)
-       .Build();
-   ```
-
-2. Find the callback URI for your app by adding the `redirectURI` field in *MainPage.xaml.cs* and setting a breakpoint on it:
-
-    ```csharp
-
-    public sealed partial class MainPage : Page
-    {
-            ...
-
-            string redirectURI = Windows.Security.Authentication.Web.WebAuthenticationBroker
-                                .GetCurrentApplicationCallbackUri().ToString();
-            public MainPage()
-            {
-                ...
-            }
-           ...
-    }
-
-    ```
-
-    Run the app, and then copy the value of `redirectUri` when the breakpoint is hit. The value should look something similar to the following value:
-    `ms-app://s-1-15-2-1352796503-54529114-405753024-3540103335-3203256200-511895534-1429095407/`
-
-    You can then remove the line of code because it's required only once, to fetch the value.
-
-3. In the Microsoft Entra admin center, add the returned value in **RedirectUri** in the **Authentication** pane.
-
-## Test your code
-
-To test your application, select the **F5** key to run your project in Visual Studio. Your main window appears:
-
-![Application's user interface](./media/tutorial-v2-windows-uwp/testapp-ui-vs2019.png)
-
-When you're ready to test, select **Call Microsoft Graph API**. Then use a Microsoft Entra organizational account or a Microsoft account, such as live.com or outlook.com, to sign in. The first time a user runs this test, the application displays a window asking the user to sign in.
-
-### Consent
-
-The first time you sign in to your application, a consent screen appears similar to the following image. Select **Yes** to explicitly consent to access:
-
-![Access consent screen](./media/tutorial-v2-windows-uwp/consentscreen-vs2019.png)
-
-### Expected results
-
-You see user profile information returned by the Microsoft Graph API call on the **API Call Results** screen:
-
-![API Call Results screen](./media/tutorial-v2-windows-uwp/uwp-results-screen-vs2019.png)
-
-You also see basic information about the token acquired via `AcquireTokenInteractive` or `AcquireTokenSilent` in the **Token Info** box:
-
-|Property  |Format  |Description |
-|---------|---------|---------|
-|`Username` |`user@domain.com` |The username that identifies the user.|
-|`Token Expires` |`DateTime` |The time when the token expires. The Microsoft Authentication Library extends the expiration date by renewing the token as necessary.|
-
-### More information about scopes and delegated permissions
-
-The Microsoft Graph API requires the `user.read` scope to read a user's profile. This scope is added by default in every application that's registered in the Application Registration Portal. Other APIs for Microsoft Graph and custom APIs for your back-end server might require additional scopes. For instance, the Microsoft Graph API requires the `Calendars.Read` scope to list the user's calendars.
-
-To access the user's calendars in the context of an application, add the `Calendars.Read` delegated permission to the application registration information. Then add the `Calendars.Read` scope to the `acquireTokenSilent` call.
-
-Users might be prompted for additional consents as you increase the number of scopes.
-
-## Known issues
-
-### Issue 1
-
-You receive one of the following error messages when you sign in on your application on a federated Microsoft Entra domain:
-
-* "No valid client certificate found in the request."
-* "No valid certificates found in the user's certificate store."
-* "Try again choosing a different authentication method."
-
-**Cause:** Enterprise and certificate capabilities aren't enabled.
-
-**Solution:** Follow the steps in [Enable integrated authentication on federated domains (optional)](#enable-integrated-authentication-on-federated-domains-optional).
-
-### Issue 2
-
-You enable [integrated authentication on federated domains](#enable-integrated-authentication-on-federated-domains-optional) and try to use Windows Hello on a Windows 10 computer to sign in to an environment with multifactor authentication configured. The list of certificates appears. If you choose to use your PIN, the PIN window never appears.
-
-**Cause:** This issue is a known limitation of the web authentication broker in UWP applications that run on Windows 10 desktops. It works fine on Windows 10 Mobile.
-
-**Workaround:** Select **Sign in with other options**. Then select **Sign in with a username and password**. Select **Provide your password**. Then go through the phone authentication process.
-
-[!INCLUDE [Help and support](./includes/error-handling-and-tips/help-support-include.md)]
-
-## Next steps
-
-Learn more about using the Microsoft Authentication Library (MSAL) for authorization and authentication in .NET applications:
-
-> [!div class="nextstepaction"]
-> [Overview of the Microsoft Authentication Library (MSAL)](msal-overview.md)
diff --git a/docs/identity/app-proxy/application-proxy-ping-access-publishing-guide.md b/docs/identity/app-proxy/application-proxy-ping-access-publishing-guide.md
index 86c8592f23..fb54fa425d 100644
--- a/docs/identity/app-proxy/application-proxy-ping-access-publishing-guide.md
+++ b/docs/identity/app-proxy/application-proxy-ping-access-publishing-guide.md
@@ -78,7 +78,7 @@ To publish your own on-premises application:
    1. **Translate URL in Headers**: Choose **No**.
 
    > [!NOTE]
-   > If this is your first application, use port 3000 to start and come back to update this setting if you change your PingAccess configuration. For subsequent applications, the port will need to match the Listener you've configured in PingAccess. Learn more about [listeners in PingAccess](https://docs.pingidentity.com/access/sources/dita/topic?category=pingaccess&Releasestatus_ce=Current&resourceid=pa_assigning_key_pairs_to_https_listeners).
+   > If this is your first application, use port 3000 to start and come back to update this setting if you change your PingAccess configuration. For subsequent applications, the port will need to match the Listener you've configured in PingAccess.
 
 1. Select **Add**. The overview page for the new application appears.
 
@@ -205,15 +205,13 @@ When you configure PingAccess in the following step, the Web Session you create
 
 ## Download PingAccess and configure your application
 
-The detailed steps for the PingAccess part of this scenario continue in the Ping Identity documentation. Follow the instructions in [Configuring PingAccess for Microsoft Entra ID](https://docs.pingidentity.com/access/sources/dita/topic?category=pingaccess&Releasestatus_ce=Current&resourceid=pa_configuring_apps_for_azure) on the Ping Identity web site and download the [latest version of PingAccess](https://www.pingidentity.com/en/lp/azure-download.html).
+The detailed steps for the PingAccess part of this scenario continue in the Ping Identity documentation.
 
-The steps in the PingAccess article walk you through obtaining a PingAccess account. To create a Microsoft Entra ID OpenID Connect (OIDC) connection, set up a token provider with the **Directory (tenant) ID** value that you copied from the Microsoft Entra admin center. Create a web session on PingAccess. Use the `Application (client) ID` and `PingAccess key` values. Set up identity mapping and create a virtual host, site, and application.
+To create a Microsoft Entra ID OpenID Connect (OIDC) connection, set up a token provider with the **Directory (tenant) ID** value that you copied from the Microsoft Entra admin center. Create a web session on PingAccess. Use the `Application (client) ID` and `PingAccess key` values. Set up identity mapping and create a virtual host, site, and application.
 
 ### Test your application
 The application is up and running. To test it, open a browser and navigate to the external URL that you created when you published the application in Microsoft Entra. Sign in with the test account you assigned to the application.
 
 ## Next steps
-
-- [Configuring PingAccess to use Microsoft Entra ID as the token provider](https://docs.pingidentity.com/access/sources/dita/topic?category=pingaccess&Releasestatus_ce=Current&resourceid=pa_configure_pa_to_use_azure_ad_as_the_token_provider)
 - [Single sign-on to applications in Microsoft Entra ID](~/identity/enterprise-apps/what-is-single-sign-on.md)
 - [Troubleshoot application proxy problems and error messages](application-proxy-troubleshoot.md)
diff --git a/docs/identity/domain-services/template-create-instance.md b/docs/identity/domain-services/template-create-instance.md
index 72c853c9b8..f0cc9bcec0 100644
--- a/docs/identity/domain-services/template-create-instance.md
+++ b/docs/identity/domain-services/template-create-instance.md
@@ -8,7 +8,7 @@ ms.service: entra-id
 ms.subservice: domain-services
 ms.custom: devx-track-arm-template, has-azure-ad-ps-ref, azure-ad-ref-level-one-done
 ms.topic: sample
-ms.date: 10/07/2024
+ms.date: 10/15/2024
 ms.author: justinha
 ---
 
@@ -85,7 +85,7 @@ New-MgGroup -DisplayName "AAD DC Administrators" `
   -MailNickName "AADDCAdministrators"
 ```
 
-With the *AAD DC Administrators* group created, add a user to the group using the [New-MgGroupMember](/powershell/module/microsoft.graph.groups/new-mggroupmember) cmdlet. You first get the *AAD DC Administrators* group object ID using the [Get-MgGroup](/powershell/module/microsoft.graph.groups/get-mggroup) cmdlet, then the desired user's object ID using the [Get-MgUser](/powershell/module/microsoft.graph.users/get-mguser) cmdlet.
+With the *AAD DC Administrators* group created, add a user to the group using the [New-MgGroupMemberByRef](/powershell/module/microsoft.graph.groups/new-mggroupmemberbyref) cmdlet. You first get the *AAD DC Administrators* group object ID using the [Get-MgGroup](/powershell/module/microsoft.graph.groups/get-mggroup) cmdlet, then the desired user's object ID using the [Get-MgUser](/powershell/module/microsoft.graph.users/get-mguser) cmdlet.
 
 In the following example, the user object ID for the account with a UPN of `admin@contoso.onmicrosoft.com`. Replace this user account with the UPN of the user you wish to add to the *AAD DC Administrators* group:
 
diff --git a/docs/identity/role-based-access-control/best-practices.md b/docs/identity/role-based-access-control/best-practices.md
index 8b9d4aa5c1..2f1a3b5bd1 100644
--- a/docs/identity/role-based-access-control/best-practices.md
+++ b/docs/identity/role-based-access-control/best-practices.md
@@ -86,7 +86,7 @@ Some roles include privileged permissions, such as the ability to update credent
 
 If you have an external governance system that takes advantage of groups, then you should consider assigning roles to Microsoft Entra groups, instead of individual users. You can also manage role-assignable groups in PIM to ensure that there are no standing owners or members in these privileged groups. For more information, see [Privileged Identity Management (PIM) for Groups](~/id-governance/privileged-identity-management/concept-pim-for-groups.md).
 
-You can assign an owner to role-assignable groups. That owner decides who is added to or removed from the group, so indirectly, decides who gets the role assignment. In this way, a Global Administrator or Privileged Role Administrator can delegate role management on a per-role basis by using groups. For more information, see [Use Microsoft Entra groups to manage role assignments](groups-concept.md).
+You can assign an owner to role-assignable groups. That owner decides who is added to or removed from the group, so indirectly, decides who gets the role assignment. In this way, a Privileged Role Administrator can delegate role management on a per-role basis by using groups. For more information, see [Use Microsoft Entra groups to manage role assignments](groups-concept.md).
 
 ## 8. Activate multiple roles at once using PIM for Groups
 
diff --git a/docs/identity/role-based-access-control/delegate-app-roles.md b/docs/identity/role-based-access-control/delegate-app-roles.md
index bd62b99522..d73a047967 100644
--- a/docs/identity/role-based-access-control/delegate-app-roles.md
+++ b/docs/identity/role-based-access-control/delegate-app-roles.md
@@ -12,7 +12,7 @@ ms.author: rolyon
 ms.reviewer: vincesm
 ms.custom: it-pro
 
-#Customer intent: As a Microsoft Entra administrator, I want to reduce overusing the Global Administrator role by delegating app access management to lower-privilege roles.
+#Customer intent: As a Microsoft Entra administrator, I want to reduce overusing highly-privileged administrator roles by delegating app access management to lower-privilege roles.
 ---
 
 # Delegate app registration permissions in Microsoft Entra ID
@@ -24,7 +24,7 @@ This article describes how to use permissions granted by custom roles in Microso
 - [Assigning a built-in administrative role](#assign-built-in-application-administrator-roles) that grants access to manage configuration in Microsoft Entra ID for all applications. This is the recommended way to grant IT experts access to manage broad application configuration permissions without granting access to manage other parts of Microsoft Entra not related to application configuration.
 - [Creating a custom role](#create-and-assign-a-custom-role-preview) defining very specific permissions and assigning it to someone either to the scope of a single application as a limited owner, or at the directory scope (all applications) as a limited administrator.
 
-It's important to consider granting access using one of the above methods for two reasons. First, delegating the ability to perform administrative tasks reduces Global Administrator overhead. Second, using limited permissions improves your security posture and reduces the potential for unauthorized access. For guidelines about role security planning, see [Securing privileged access for hybrid and cloud deployments in Microsoft Entra ID](security-planning.md).
+It's important to consider granting access using one of the above methods for two reasons. First, delegating the ability to perform administrative tasks reduces highly-privileged administrator overhead. Second, using limited permissions improves your security posture and reduces the potential for unauthorized access. For guidelines about role security planning, see [Securing privileged access for hybrid and cloud deployments in Microsoft Entra ID](security-planning.md).
 
 ## Restrict who can create applications
 
diff --git a/docs/identity/role-based-access-control/my-staff-configure.md b/docs/identity/role-based-access-control/my-staff-configure.md
index 927c839067..571ef8d2b6 100644
--- a/docs/identity/role-based-access-control/my-staff-configure.md
+++ b/docs/identity/role-based-access-control/my-staff-configure.md
@@ -32,7 +32,7 @@ To complete this article, you need the following resources and privileges:
 * A Microsoft Entra tenant associated with your subscription.
 
   * If needed, [create a Microsoft Entra tenant](~/fundamentals/sign-up-organization.md) or [associate an Azure subscription with your account](~/fundamentals/how-subscriptions-associated-directory.yml).
-* You need *Global Administrator* privileges in your Microsoft Entra tenant to enable SMS-based authentication.
+* You need *Authentication Policy Administrator* privileges in your Microsoft Entra tenant to enable SMS-based authentication.
 * Each user who's enabled in the text message authentication method policy must be licensed, even if they don't use it. Each enabled user must have one of the following Microsoft Entra ID or Microsoft 365 licenses:
 
   * [Microsoft Entra ID P1 or P2](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing)
diff --git a/docs/identity/role-based-access-control/permissions-reference.md b/docs/identity/role-based-access-control/permissions-reference.md
index bfce4eaa46..a6b89ba7a6 100644
--- a/docs/identity/role-based-access-control/permissions-reference.md
+++ b/docs/identity/role-based-access-control/permissions-reference.md
@@ -138,7 +138,7 @@ This is a [privileged role](privileged-roles-permissions.md). Users in this role
 This role also grants the ability to consent for delegated permissions and application permissions, with the exception of application permissions for Azure AD Graph and Microsoft Graph.
 
 > [!IMPORTANT]
-> This exception means that you can still consent to application permissions for _other_ apps (for example, other Microsoft apps, 3rd-party apps, or apps that you have registered). You can still _request_ these permissions as part of the app registration, but _granting_ (that is, consenting to) these permissions requires a more privileged administrator, such as Global Administrator.
+> This exception means that you can still consent to application permissions for _other_ apps (for example, other Microsoft apps, 3rd-party apps, or apps that you have registered). You can still _request_ these permissions as part of the app registration, but _granting_ (that is, consenting to) these permissions requires a more privileged administrator, such as Privileged Role Administrator.
 >
 >This role grants the ability to manage application credentials. Users assigned this role can add credentials to an application, and use those credentials to impersonate the application’s identity. If the application’s identity has been granted access to a resource, such as the ability to create or update User or other objects, then a user assigned to this role could perform those actions while impersonating the application. This ability to impersonate the application’s identity may be an elevation of privilege over what the user can do via their role assignments. It is important to understand that assigning a user to the Application Administrator role gives them the ability to impersonate an application’s identity.
 
@@ -562,7 +562,7 @@ This is a [privileged role](privileged-roles-permissions.md). Users in this role
 This role also grants the ability to consent for delegated permissions and application permissions, with the exception of application permissions for Azure AD Graph and Microsoft Graph.
 
 > [!IMPORTANT]
-> This exception means that you can still consent to application permissions for _other_ apps (for example, other Microsoft apps, 3rd-party apps, or apps that you have registered). You can still _request_ these permissions as part of the app registration, but _granting_ (that is, consenting to) these permissions requires a more privileged administrator, such as Global Administrator.
+> This exception means that you can still consent to application permissions for _other_ apps (for example, other Microsoft apps, 3rd-party apps, or apps that you have registered). You can still _request_ these permissions as part of the app registration, but _granting_ (that is, consenting to) these permissions requires a more privileged administrator, such as Privileged Role Administrator.
 >
 >This role grants the ability to manage application credentials. Users assigned this role can add credentials to an application, and use those credentials to impersonate the application’s identity. If the application’s identity has been granted access to a resource, such as the ability to create or update User or other objects, then a user assigned to this role could perform those actions while impersonating the application. This ability to impersonate the application’s identity may be an elevation of privilege over what the user can do via their role assignments. It is important to understand that assigning a user to the Application Administrator role gives them the ability to impersonate an application’s identity.
 
@@ -2413,7 +2413,7 @@ In | Can do
 --- | ---
 [Microsoft 365 Defender portal](/microsoft-365/security/defender/microsoft-365-defender-portal) | View security-related policies across Microsoft 365 services<br>View security threats and alerts<br>View reports
 [Microsoft Entra ID Protection](~/id-protection/overview-identity-protection.md) | View all ID Protection reports and Overview
-[Privileged Identity Management](~/id-governance/privileged-identity-management/pim-configure.md) | Has read-only access to all information surfaced in Microsoft Entra Privileged Identity Management: Policies and reports for Microsoft Entra role assignments and security reviews.<br>**Cannot** sign up for Microsoft Entra Privileged Identity Management or make any changes to it. In the Privileged Identity Management portal or via PowerShell, someone in this role can activate additional roles (for example, Global Administrator or Privileged Role Administrator), if the user is eligible for them.
+[Privileged Identity Management](~/id-governance/privileged-identity-management/pim-configure.md) | Has read-only access to all information surfaced in Microsoft Entra Privileged Identity Management: Policies and reports for Microsoft Entra role assignments and security reviews.<br>**Cannot** sign up for Microsoft Entra Privileged Identity Management or make any changes to it. In the Privileged Identity Management portal or via PowerShell, someone in this role can activate additional roles (for example, Privileged Role Administrator), if the user is eligible for them.
 [Microsoft Purview compliance portal](/microsoft-365/compliance/microsoft-365-compliance-center) | View security policies<br>View and investigate security threats<br>View reports
 [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/prepare-deployment) | View and investigate alerts<br/>When you turn on role-based access control in Microsoft Defender for Endpoint, users with read-only permissions such as the Security Reader role lose access until they are assigned a Microsoft Defender for Endpoint role.
 [Intune](/mem/intune/fundamentals/role-based-access-control) | Views user, device, enrollment, configuration, and application information. Cannot make changes to Intune.
diff --git a/docs/identity/role-based-access-control/privileged-roles-permissions.md b/docs/identity/role-based-access-control/privileged-roles-permissions.md
index 317cb032c2..1d27cfb2a0 100644
--- a/docs/identity/role-based-access-control/privileged-roles-permissions.md
+++ b/docs/identity/role-based-access-control/privileged-roles-permissions.md
@@ -7,7 +7,7 @@ manager: amycolannino
 ms.service: entra-id
 ms.subservice: role-based-access-control
 ms.topic: conceptual
-ms.date: 07/30/2024
+ms.date: 10/15/2024
 ms.author: rolyon
 ms.custom: it-pro
 ---
@@ -54,36 +54,49 @@ Get-MgBetaRoleManagementDirectoryRoleDefinition -Filter "isPrivileged eq true" |
 
 ```Output
 AllowedPrincipalTypes   :
-Description             : Can manage all aspects of Azure AD and Microsoft services that use Azure AD identities.
-DisplayName             : Global Administrator
-Id                      : 62e90394-69f5-4237-9190-012177145e10
+Description             : Can create and manage all aspects of app registrations and enterprise apps.
+DisplayName             : Application Administrator
+Id                      : 9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3
 InheritsPermissionsFrom : {88d8e3e3-8f55-4a1e-953a-9b9898b8876b}
 IsBuiltIn               : True
 IsEnabled               : True
 IsPrivileged            : True
 ResourceScopes          : {/}
 RolePermissions         : {Microsoft.Graph.Beta.PowerShell.Models.MicrosoftGraphUnifiedRolePermission}
-TemplateId              : 62e90394-69f5-4237-9190-012177145e10
+TemplateId              : 9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3
 Version                 : 1
-AdditionalProperties    : {[inheritsPermissionsFrom@odata.context, https://graph.microsoft.com/beta/$metadata#roleManag
-                          ement/directory/roleDefinitions('62e90394-69f5-4237-9190-012177145e10')/inheritsPermissionsFr
-                          om]}
+AdditionalProperties    : {[assignmentMode, allowed], [categories, identity], [richDescription, Users in this role can
+                          add, manage, and configureenterprise applications, app registrations and manage on-premises
+                          like app proxy.], [inheritsPermissionsFrom@odata.context, https://graph.microsoft.com/beta/$m
+                          etadata#roleManagement/directory/roleDefinitions('9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3')/inhe
+                          ritsPermissionsFrom]}
+
 
 AllowedPrincipalTypes   :
-Description             : Can manage all aspects of users and groups, including resetting passwords for limited admins.
-DisplayName             : User Administrator
-Id                      : fe930be7-5e62-47db-91af-98c3a49a38b1
+Description             : Can reset passwords for non-administrators and Helpdesk Administrators.
+DisplayName             : Helpdesk Administrator
+Id                      : 729827e3-9c14-49f7-bb1b-9608f156bbb8
 InheritsPermissionsFrom : {88d8e3e3-8f55-4a1e-953a-9b9898b8876b}
 IsBuiltIn               : True
 IsEnabled               : True
 IsPrivileged            : True
 ResourceScopes          : {/}
 RolePermissions         : {Microsoft.Graph.Beta.PowerShell.Models.MicrosoftGraphUnifiedRolePermission}
-TemplateId              : fe930be7-5e62-47db-91af-98c3a49a38b1
+TemplateId              : 729827e3-9c14-49f7-bb1b-9608f156bbb8
 Version                 : 1
-AdditionalProperties    : {[inheritsPermissionsFrom@odata.context, https://graph.microsoft.com/beta/$metadata#roleManag
-                          ement/directory/roleDefinitions('fe930be7-5e62-47db-91af-98c3a49a38b1')/inheritsPermissionsFr
-                          om]}
+AdditionalProperties    : {[assignmentMode, allowed], [categories, identity], [richDescription, Users with this role
+                          can change passwords, invalidate refresh tokens, manage service requests, and monitor
+                          service health. Invalidating a refresh token forces the user to sign in again. Helpdesk
+                          administrators can reset passwords and invalidate refresh tokens of other users who are
+                          non-administrators or assigned the following roles only:
+                          * Directory Readers
+                          * Guest Inviter
+                          * Helpdesk Administrator
+                          * Message Center Reader
+                          * Password Administrator
+                          * Reports Reader], [inheritsPermissionsFrom@odata.context, https://graph.microsoft.com/beta/$
+                          metadata#roleManagement/directory/roleDefinitions('729827e3-9c14-49f7-bb1b-9608f156bbb8')/inh
+                          eritsPermissionsFrom]}
 
 ...
 ```