Commit

Merge pull request #6466 from MicrosoftDocs/main
Publish to live, Sunday 4PM, 1/5
ShannonLeavitt authored Jan 6, 2025
2 parents f88ebd1 + 6dee175 commit f45face
Showing 10 changed files with 17 additions and 17 deletions.
Expand Up @@ -73,10 +73,10 @@ SMS is an add-on feature and requires a [linked subscription](../external-identi

|Tier |Countries/Regions |
|-----------------------------------|-------------------|
|Phone Authentication Low Cost |Australia, Brazil, Brunei, Canada, Chile, China, Colombia, Cyprus, North Macedonia, Poland, Portugal, South Korea, Thailand, Turkey, United States |
|Phone Authentication Mid Low Cost |Greenland, Albania, American Samoa, Austria, Bahamas, Bahrain, Bosnia & Herzegovina, Botswana, Costa Rica, Czech Republic, Denmark, Estonia, Faroe Islands, Finland, France, Greece, Hong Kong, Hungary, Iceland, Ireland, Italy, Japan, Latvia, Lithuania, Luxembourg, Macao, Malta, Mexico, Micronesia, Moldova, Namibia, New Zealand, Nicaragua, Norway, Romania, São Tomé and Príncipe, Seychelles Republic, Singapore, Slovakia, Solomon Islands, Spain, Sweden, Switzerland, Taiwan, United Kingdom, United States Virgin Islands, Uruguay |
|Phone Authentication Mid High Cost |Andorra, Angola, Anguilla, Antarctica, Antigua and Barbuda, Argentina, Armenia, Aruba, Ascension, Barbados, Belgium, Benin, Bolivia, British Virgin Islands, Bulgaria, Burkina Faso, Cameroon, Cayman Islands, Central African Republic, Cook Islands, Croatia, Diego Garcia, Djibouti, Dominican Republic, Dominican Republic, Dominican Republic, East Timor, Ecuador, El Salvador, Eritrea, Falkland Islands, Fiji, French Guiana, French Polynesia, Gambia, Georgia, Germany, Gibraltar, Grenada, Guadeloupe, Guam, Guinea, Guyana, Honduras, India, Ivory Coast, Kenya, Kiribati, Laos, Liberia, Malaysia, Marshall Islands, Martinique, Mauritius, Monaco, Montenegro, Montserrat, Netherlands, Netherlands Antilles, New Caledonia, Niue, Oman, Palau, Panama, Paraguay, Peru, Puerto Rico, Puerto Rico, Réunion, Rwanda, Saint Helena, Saint Kitts & Nevis, Saint Lucia, Saint Pierre & Miquelon, Saint Vincent and the Grenadines, Saipan, Samoa, San Marino, Saudi Arabia, Sint Maarten, Slovenia, South Africa, South Sudan, Suriname, Swaziland (New Name is Kingdom of Eswatini), Tokelau, Tonga, Turks & Caicos, Tuvalu, United Arab Emirates, Vanuatu, Venezuela, Vietnam, Wallis and Futuna |
|Phone Authentication High Cost |Liechtenstein, Bermuda, Cambodia, Cape Verde, Democratic Republic of Congo, Dominica, Egypt, Equatorial Guinea, Ghana, Guatemala, Guinea-Bissau, Israel, Jamaica, Jamaica, Kosovo, Lesotho, Maldives, Mali, Mauritania, Morocco, Mozambique, Papua New Guinea, Philippines, Qatar, Sierra Leone, Trinidad & Tobago, Ukraine, Zimbabwe, Afghanistan, Algeria, Azerbaijan, Bangladesh, Belarus, Belize, Bhutan, Burundi, Chad, Comoros, Congo, Ethiopia, Gabonese Republic, Haiti, Indonesia, Iraq, Jordan, Kuwait, Kyrgyzstan, Lebanon, Libya, Madagascar, Malawi, Mongolia, Myanmar, Nauru, Nepal, Niger, Nigeria, Pakistan, Palestinian National Authority, Russia, Senegal, Serbia, Somalia, Sri Lanka, Sudan, Tajikistan, Tanzania, Togolese Republic, Tunisia, Turkmenistan, Uganda, Uzbekistan, Yemen, Zambia |
|Phone Authentication Low Cost |Australia, Brazil, Brunei, Canada, Chile, China, Colombia, Cyprus, North Macedonia, Poland, Portugal, South Korea, Thailand, Türkiye, United States |
|Phone Authentication Mid Low Cost |Greenland, Albania, American Samoa, Austria, Bahamas, Bahrain, Bosnia & Herzegovina, Botswana, Costa Rica, Czech Republic, Denmark, Estonia, Faroe Islands, Finland, France, Greece, Hong Kong SAR, Hungary, Iceland, Ireland, Italy, Japan, Latvia, Lithuania, Luxembourg, Macao SAR, Malta, Mexico, Micronesia, Moldova, Namibia, New Zealand, Nicaragua, Norway, Romania, São Tomé and Príncipe, Seychelles Republic, Singapore, Slovakia, Solomon Islands, Spain, Sweden, Switzerland, Taiwan, United Kingdom, United States Virgin Islands, Uruguay |
|Phone Authentication Mid High Cost |Andorra, Angola, Anguilla, Antarctica, Antigua and Barbuda, Argentina, Armenia, Aruba, Barbados, Belgium, Benin, Bolivia, Bonaire, Curaçao, Saba, Sint Eustatius and Sint Maarten, British Virgin Islands, Bulgaria, Burkina Faso, Cameroon, Cayman Islands, Central African Republic, Cook Islands, Côte d’Ivoire, Croatia, Diego Garcia, Djibouti, Dominican Republic, Dominican Republic, Dominican Republic, Ecuador, El Salvador, Eritrea, Falkland Islands, Fiji, French Guiana, French Polynesia, Gambia, Georgia, Germany, Gibraltar, Grenada, Guadeloupe, Guam, Guinea, Guyana, Honduras, India, Kenya, Kiribati, Laos, Liberia, Malaysia, Marshall Islands, Martinique, Mauritius, Monaco, Montenegro, Montserrat, Netherlands, New Caledonia, Niue, Oman, Palau, Panama, Paraguay, Peru, Puerto Rico, Puerto Rico, Réunion, Rwanda, Saint Helena, Ascension and Tristan de Cunha, Saint Kitts & Nevis, Saint Lucia, Saint Pierre & Miquelon, Saint Vincent and the Grenadines, Saipan, Samoa, San Marino, Saudi Arabia, Sint Maarten, Slovenia, South Africa, South Sudan, Suriname, Swaziland (New Name is Kingdom of Eswatini), Timor-Leste, Tokelau, Tonga, Turks & Caicos, Tuvalu, United Arab Emirates, Vanuatu, Venezuela, Vietnam, Wallis and Futuna |
|Phone Authentication High Cost |Liechtenstein, Bermuda, Cabo Verde, Cambodia, Democratic Republic of Congo, Dominica, Egypt, Equatorial Guinea, Ghana, Guatemala, Guinea-Bissau, Israel, Jamaica, Jamaica, Kosovo, Lesotho, Maldives, Mali, Mauritania, Morocco, Mozambique, Papua New Guinea, Philippines, Qatar, Sierra Leone, Trinidad & Tobago, Ukraine, Zimbabwe, Afghanistan, Algeria, Azerbaijan, Bangladesh, Belarus, Belize, Bhutan, Burundi, Chad, Comoros, Congo, Ethiopia, Gabonese Republic, Haiti, Indonesia, Iraq, Jordan, Kuwait, Kyrgyzstan, Lebanon, Libya, Madagascar, Malawi, Mongolia, Myanmar, Nauru, Nepal, Niger, Nigeria, Pakistan, Palestinian National Authority, Russia, Senegal, Serbia, Somalia, Sri Lanka, Sudan, Tajikistan, Tanzania, Togolese Republic, Tunisia, Turkmenistan, Uganda, Uzbekistan, Yemen, Zambia |

### Opt-in regions for SMS
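Review bot: The updated Mid High Cost row still lists "Dominican Republic" three times and "Puerto Rico" twice, and it now names Sint Maarten twice (once inside "Bonaire, Curaçao, Saba, Sint Eustatius and Sint Maarten" and once on its own); the updated High Cost row still has "Jamaica, Jamaica". These rows are being rewritten anyway, so deduplicate them, or if the repeats stand for separate dialing codes, say so in the table. "Tristan de Cunha" in the new "Saint Helena, Ascension and Tristan de Cunha" entry should read "Tristan da Cunha". "Swaziland (New Name is Kingdom of Eswatini)" is left unchanged while Cape Verde, East Timor and Ivory Coast move to their current names; consider "Eswatini" for consistency.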

4 changes: 2 additions & 2 deletions docs/external-id/customers/how-to-region-code-opt-in.md
Expand Up @@ -50,9 +50,9 @@ Starting January 2025, the following country codes will be deactivated by defaul
| 359 | Bulgaria |
| 226 | Burkina Faso |
| 257 | Burundi |
| 238 | Cabo Verde |
| 855 | Cambodia |
| 237 | Cameroon |
| 238 | Cape Verde |
| 235 | Central African Republic |
| 269 | Comoros |
| 243 | Congo (Democratic Republic of the) |
Expand Down Expand Up @@ -164,7 +164,7 @@ Use the `OnPhoneMethodLoadStartExternalUsersAuthHandler` event policy to activat

### How to activate telecom for regions

To enable telephony traffic from currently deactivated country codes, use the Microsoft Graph API to set the `includeAdditionalRegions` property in the `onPhoneMethodLoadStart` event policy for one or more applications. Include the relevant country codes in the `includeAdditionalRegions` property of the API request body for the regions you want to activate. For example, to send SMS requests in South Asia, activate the numeric country codes for the five countries within that region.
To enable telephony traffic from currently deactivated country codes, use the Microsoft Graph API to set the `includeAdditionalRegions` property in the `onPhoneMethodLoadStart` event policy for one or more applications. Include the relevant country codes in the `includeAdditionalRegions` property of the API request body for the regions you want to activate. For example, to send SMS requests in South Asia, activate the numeric country codes for the specific countries within that region.

#### Example REST APIs
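Review bot: The reworded example sentence ("activate the numeric country codes for the specific countries within that region") no longer says how many codes are involved or which ones, so it has stopped working as an example. Name the South Asia codes in the sentence or point to the deactivated-codes table earlier in this file, and state that only the codes an application actually needs should go into `includeAdditionalRegions`, since these codes are deactivated by default.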

2 changes: 1 addition & 1 deletion docs/fundamentals/data-storage-eu.md
Expand Up @@ -36,7 +36,7 @@ For some components of a service, work is in progress to be included in the EU D
- **Reason for customer data egress** - A few of the tenants are stored outside of the EU location due one of the following reasons:

- The tenants were initially created with a country code that is NOT in Europe and later the tenant country code was changed to the one in Europe. The Microsoft Entra directory data location is decided during the tenant creation time and not changed when the country code for the tenant is updated. Starting March 2019 Microsoft has blocked updating the country code on a tenant to avoid such confusion.
- There are 13 country codes (Countries include: Azerbaijan, Bahrain, Israel, Jordan, Kazakhstan, Kuwait, Lebanon, Oman, Pakistan, Qatar, Saudi Arabia, Turkey, UAE) that were mapped to Asia region until 2013 and later mapped to Europe. Tenants that were created before July 2013 from this country code are provisioned in Asia instead of Europe.
- There are 13 country codes (Countries include: Azerbaijan, Bahrain, Israel, Jordan, Kazakhstan, Kuwait, Lebanon, Oman, Pakistan, Qatar, Saudi Arabia, Türkiye, UAE) that were mapped to Asia region until 2013 and later mapped to Europe. Tenants that were created before July 2013 from this country code are provisioned in Asia instead of Europe.
- There are seven country codes (Countries include: Armenia, Georgia, Iraq, Kyrgyzstan, Tajikistan, Turkmenistan, Uzbekistan) that were mapped to Asia region until 2017 and later mapped to Europe. Tenants that were created before February 2017 from this country code are provisioned in Asia instead of Europe.
- **Types of customer data being egressed** - User and device account data, and service configuration (application, policy, and group).
- **Customer data location at rest** - US and Asia/Pacific.
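Review bot: On the changed 13-country-code line, the parenthetical still reads "Countries include:" and the sentence ends "from this country code", which is singular against a list of 13; the seven-code line below it has the same wording. With the rest of this change moving to "countries/regions", use "Countries/regions include:" and "from one of these country codes" on both lines. The lead-in above them also reads "due one of the following reasons" and needs "due to".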
2 changes: 1 addition & 1 deletion docs/id-protection/concept-identity-protection-risks.md
Expand Up @@ -145,7 +145,7 @@ Calculated offline. A password spray attack is where multiple identities are att

#### Suspicious browser

Calculated offline. Suspicious browser detection indicates anomalous behavior based on suspicious sign-in activity across multiple tenants from different countries in the same browser.
Calculated offline. Suspicious browser detection indicates anomalous behavior based on suspicious sign-in activity across multiple tenants from different countries/regions in the same browser.

[Tips for investigating suspicious browser detections.](howto-identity-protection-investigate-risk.md#investigating-suspicious-browser-detections)

4 changes: 2 additions & 2 deletions docs/identity-platform/reference-msa-server-side-api.md
Expand Up @@ -30,7 +30,7 @@ These are passed to `login.microsoftonline.com` or `login.live.com` as URL param
| `LoginHint` | username | Prepopulates the username during sign-in, unless already provided (for example, via a refresh token). Users can modify this prepopulated username if needed. |
| `cobrandid` | cobranding GUID | This parameter applies cobranding to the sign-in user experience. Cobranding enables customization of elements like the app logo, background image, subtitle text, description text, and button colors. If you’re integrating an application with Microsoft account sign-in and wish to customize the sign-in screen, reach out to Microsoft support.|
| `client_flight` | String | `client_flight` is a passthrough parameter that is returned to the application upon completion of the sign-in process. The value of this parameter is logged to the telemetry stream and is utilized by applications to tie together their authentication requests. This can be beneficial for correlating sign-in requests, even if not all applications have access to this telemetry stream. Applications such as Office Union, Teams, and others are notable users of this parameter. |
| `lw` | 0/1 | **Note: This feature is deprecated.** Enables Lightweight Signup. If enabled, users signing up through the authentication flow aren't required to enter their first name, last name, country, and date of birth, unless mandated by laws applicable to the user’s region. |
| `lw` | 0/1 | **Note: This feature is deprecated.** Enables Lightweight Signup. If enabled, users signing up through the authentication flow aren't required to enter their first name, last name, country/region, and date of birth, unless mandated by laws applicable to the user’s region. |
| `fl` | `phone2`,<br/> `email`,<br/> `wld`,<br/> `wld2`,<br/> `easi`,<br/> `easi2` | **Note: This feature is deprecated.** This parameter controls the username options provided during the sign-up process:<br/> `phone` – Restricts username to phone number,<br/>`phone2` – Defaults to phone number, but allows other options,<br/>`email` – Restricts username to email (Outlook or EASI),<br/>`wld` – Restricts username to Outlook,<br/>`wld2` – Defaults to Outlook, but allows other options, including phone,<br/>`easi` – Restricts username to EASI,<br/>`easi2` – Defaults to EASI, but allows other options, including phone. |
| `nopa` | 0/1/2 | **Note: This feature is deprecated.** Enables passwordless signup. A value of 1 allows signup without a password, but enforces password creation after 30 days. A value of 2 allows signup without a password indefinitely. To use value 2, apps must be added to an allowlist through a manual process. |
| `coa` | 0/1 | **Note: This feature is deprecated.** Enables passwordless sign-in by sending a code to the user’s phone number. To use value 1, apps must be added to an allowlist through a manual process. |
Expand Down Expand Up @@ -67,4 +67,4 @@ These are passed to `login.microsoftonline.com` or `login.live.com` as URL param
## See also

- [MSAL Overview](msal-overview.md)
- [Microsoft Entra ID Windows Account Manager (WAM) API Reference](reference-entra-id-wam-api.md)
- [Microsoft Entra ID Windows Account Manager (WAM) API Reference](reference-entra-id-wam-api.md)
2 changes: 1 addition & 1 deletion docs/identity/authentication/howto-mfa-mfasettings.md
Original file line number Diff line number Diff line change
Expand Up @@ -222,7 +222,7 @@ In the United States, if you haven't configured MFA caller ID, voice calls from

Default number: *+1 (855) 330-8653*

The following table lists more numbers for different countries.
The following table lists more numbers for different countries/regions.

| Country/Region | Number(s) |
|:---------------------|:----------------|
Expand Up @@ -14,7 +14,7 @@ ms.reviewer: lhuangnorth, inbarc
---
# Conditional Access: Network assignment

Administrators can create policies that target specific network locations as a signal along with other conditions in their decision making process. They can include or exclude these network locations as part of their policy configuration. These network locations might include public IPv4 or IPv6 network information, countries, unknown areas that don't map to specific countries, or [Global Secure Access' compliant network](../../global-secure-access/how-to-compliant-network.md).
Administrators can create policies that target specific network locations as a signal along with other conditions in their decision making process. They can include or exclude these network locations as part of their policy configuration. These network locations might include public IPv4 or IPv6 network information, countries/regions, unknown areas that don't map to specific countries/regions, or [Global Secure Access' compliant network](../../global-secure-access/how-to-compliant-network.md).

:::image type="content" source="media/common-conditional-access-media/conditional-access-signal-decision-enforcement.png" alt-text="Diagram showing concept of Conditional Access signals plus decision to enforce organizational policy." lightbox="media/common-conditional-access-media/conditional-access-signal-decision-enforcement.png":::

Expand Down Expand Up @@ -104,9 +104,9 @@ Locations marked as trusted can't be deleted without first removing the trusted

### Countries

Organizations can determine a geographic country location by IP address or GPS coordinates.
Organizations can determine a geographic country or region location by IP address or GPS coordinates.

To define a named location by country, you must:
To define a named location by country or region, you must:

- Provide a **Name** for the location.
- Choose to determine location by IP address or GPS coordinates.
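Review bot: The heading "### Countries" above the changed sentences is left as is, so the section title no longer matches its body. Rename it to "### Countries/regions", checking first for inbound anchor links to the old heading. The wording is also split between "country or region" in this section and "countries/regions" in the intro paragraph of the same file; pick one form and use it throughout.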
Expand Up @@ -25,7 +25,7 @@ Restricted management administrative units allow you to protect specific objects
Here are some reasons why you might use restricted management administrative units to help manage access in your tenant.

- You want to protect your C-level executive accounts and their devices from Helpdesk Administrators who would otherwise be able to reset their passwords or access BitLocker recovery keys. You can add your C-level user accounts in a restricted management administrative unit and enable a specific trusted set of administrators who can reset their passwords and access BitLocker recovery keys when needed.
- You're implementing a compliance control to ensure that certain resources can only be managed by administrators in a specific country. You can add those resources in a restricted management administrative unit and assign local administrators to manage those objects. Even Global Administrators won't be allowed to modify the objects unless they assign themselves explicitly to a role scoped to the restricted management administrative unit (which is an auditable event).
- You're implementing a compliance control to ensure that certain resources can only be managed by administrators in a specific country/region. You can add those resources in a restricted management administrative unit and assign local administrators to manage those objects. Even Global Administrators won't be allowed to modify the objects unless they assign themselves explicitly to a role scoped to the restricted management administrative unit (which is an auditable event).
- You're using security groups to control access to sensitive applications in your organization, and you don't want to allow your tenant-scoped administrators who can modify groups to be able to control who can access the applications. You can add those security groups to a restricted management administrative unit and then be sure that only the specific administrators you assign can manage them.

> [!NOTE]
Expand Up @@ -115,7 +115,7 @@ This section guides you through the steps to configure the Microsoft Entra provi

For **Tenant URL** and **Authorization endpoint** values please use the table below

|Country|Tenant URL|Authorization endpoint
|Country/region|Tenant URL|Authorization endpoint
|---|---|---|
|Canada|https://na.business-api.amazon.com/scim/v2/|https://www.amazon.ca/b2b/abws/oauth?state=1&redirect_uri=https://portal.azure.com/TokenAuthorize&applicationId=amzn1.sp.solution.ee27ec8c-1ee9-4c6b-9e68-26bdc37479d3|
|Germany|https://eu.business-api.amazon.com/scim/v2/|https://www.amazon.de/b2b/abws/oauth?state=1&redirect_uri=https://portal.azure.com/TokenAuthorize&applicationId=amzn1.sp.solution.ee27ec8c-1ee9-4c6b-9e68-26bdc37479d3|
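Review bot: The changed header row "|Country/region|Tenant URL|Authorization endpoint" has no closing pipe, while the separator and data rows below it do; add the trailing "|" so the table is consistently delimited. The capitalization also differs from the "Country/Region" header used in the table in docs/identity/authentication/howto-mfa-mfasettings.md; align the two.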
Expand Up @@ -256,7 +256,7 @@ Now that you have a list of all the users obtained from SAP Cloud Identity Servi
Before enabling automatic user provisioning, you must decide which users in Microsoft Entra ID need access to SAP Cloud Identity Services, and then you need to check to make sure that those users have the necessary attributes in Microsoft Entra ID, and those attributes are mapped to the expected schema of SAP Cloud Identity Services.

* By default, the value of the Microsoft Entra user `userPrincipalName` attribute is mapped to both the `userName` and `emails[type eq "work"].value` attributes of SAP Cloud Identity Services. If user's email addresses are different from their user principal names, then you may need to change this mapping.
* SAP Cloud Identity Services may ignore values of the `postalCode` attribute if the format of Company ZIP/postal code does not match company country.
* SAP Cloud Identity Services may ignore values of the `postalCode` attribute if the format of Company ZIP/postal code does not match the company country or region.
* By default, the Microsoft Entra attribute `department` is mapped to the SAP Cloud Identity Services `urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department` attribute. If Microsoft Entra users have values of the `department` attribute, those values must match those departments already configured in SAP Cloud Identity Services, otherwise creation, or update, of the user will fail. If the `department` values in your Microsoft Entra users are not consistent with those in your SAP environment, then remove the mapping prior to assigning users.
* SAP Cloud Identity Services's SCIM endpoint requires certain attributes to be of specific format. You can know more about these attributes and their specific format [here](https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/b10fc6a9a37c488a82ce7489b1fab64c.html#).
