diff --git a/education/windows/edu-federated-authentication.md b/education/windows/edu-federated-authentication.md index a8b344c4fa..9a2c96d7e9 100644 --- a/education/windows/edu-federated-authentication.md +++ b/education/windows/edu-federated-authentication.md 
@@ -15,24 +15,25 @@ appliesto: - ✅ Windows 11 SE 22H2 --- + # Configure federated authentication for Windows 11 SE Starting in **Windows 11 SE, version 22H2**, you can configure federated authentication, enabling your users to sign in using a third-party identity provider (IdP). - -With federated authentication, the sign-in experience on Windows SE devices can be simplified based on the options offered by the IdP. For example, rather than logging in with a traditional username and password, students and educators can use picture passwords or QR badges. +The sign-in experience on Windows SE devices can be simplified based on the options offered by the IdP. For example, rather than logging in with a traditional username and password, students and educators can use picture passwords or QR code badges. ## Benefits of federated authentication -With federated authentication, you can have faster starts to class. Features like QR code scanning allow students to log in in less time, and with less friction. -With fewer credentials for students to remember and a simplified log-in processes, students are more engaged and focused on learning. +With federated authentication, students can sign-in in less time, and with less friction. +Fewer credentials to remember and a simplified sign-in process, enable students to be more engaged and focused on learning. ## Prerequisites To implement federated authentication, the following prerequisites must be met: -1. You must have an Azure Active Directory (Azure AD) tenant, with one or multiple domains federated to a third-party IdP. For more information, see [Use a SAML 2.0 Identity Provider (IdP) for Single Sign On][AZ-1] + +1. An Azure AD tenant, with one or multiple domains federated to a third-party IdP. For more information, see [Use a SAML 2.0 Identity Provider (IdP) for Single Sign On][AZ-1] 1. Individual IdP accounts created: each user will require an account defined in the third-party IdP platform -1. 
Individual Azure AD accounts created: each user will require a matching account defined in Azure AD. These account are usually created through automation using a provisioning process offered by the IdP -1. Licenses assigned to the Azure AD accounts. It is recommended to assign licenses to a dynamic group, so that when new users are provisioned in Azure AD, the licenses are automatically assigned to the users member of the group +1. Individual Azure AD accounts created: each user will require a matching account defined in Azure AD. These accounts are commonly created through automation, with a provisioning process offered by the IdP +1. Licenses assigned to the Azure AD user accounts. It's recommended to assign licenses to a dynamic group: when new users are provisioned in Azure AD, the licenses are automatically assigned. For more information, see [Assign licenses to users by group membership in Azure Active Directory][AZ-2] 1. Enable federated authentication on the Windows devices that the users will be using > [!IMPORTANT] > This feature is exclusively available for Windows 11 SE, version 22H2. @@ -41,7 +42,7 @@ To implement federated authentication, the following prerequisites must be met: Can be done in Intune or with a provisioning package. -IT administrators can configure federated authentication on Windows devices using Microsoft Intune, through a [custom profile][MEM-1]: +To configure federated authentication using Microsoft Intune, use a [custom profile][MEM-1]: 1. Sign in to the Microsoft Endpoint Manager admin center 1. Select **Devices** > **Configuration profiles** > **Create profile** 
@@ -58,12 +59,12 @@ IT administrators can configure federated authentication on Windows devices usin | Name | OMA-URI | Data type | Value | |-|-|-|-| | `EnableWebSignInForPrimaryUser` | `./Vendor/MSFT/Policy/Config/FederatedAuthentication/EnableWebSignInForPrimaryUser` | Integer | 1| - | `ConfigureWebSignInAllowedUrls` | `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls` | String | Semicolon separated list of domains, for example `samlidp.clever.com;clever.com;mobile-redirector.clever.com`| + | `ConfigureWebSignInAllowedUrls` | `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls` | String | Semicolon separated list of domains, for example: `samlidp.clever.com;clever.com;mobile-redirector.clever.com`| | `IsEducationEnvironment` | `./Vendor/MSFT/Policy/Config/Education/IsEducationEnvironment` | Integer | 1| - | `ConfigureWebCamAccessDomainNames` | `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebCamAccessDomainNames` | String |This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example `clever.com`| - + | `ConfigureWebCamAccessDomainNames` | `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebCamAccessDomainNames` | String |This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: `clever.com`| + :::image type="content" source="images/edu-federated-authentication-settings.png" alt-text="Custom policy showing the settings to be configured to enable federated authentication" lightbox="edu-federated-authentication-settings.png" border="true"::: - + 1. Select **Review + Save** 1. Select **Next** 1. In **Scope tags**, assign any applicable tags (optional) 
@@ -77,17 +78,17 @@ IT administrators can configure federated authentication on Windows devices usin Once the devices are configured, a new sign-in experience becomes available. -:::image type="content" source="./images/federated-auth.gif" alt-text="Windows 11 SE login using federated authentication through Clever and QR badge." border="true"::: - +:::image type="content" source="./images/federated-auth.gif" alt-text="Windows 11 SE sign-in using federated authentication through Clever and QR code badge." border="true"::: ## Known issues -- Network and Accessibility menus are not available in the Web Sign-In flow.  They can be accessed on the standard Windows Logon page. While in the federated sign-in, press Ctrl+Alt+Delete and the classic Windows Logon UI will be shown, along with the buttons that launch those menus.  -- This feature will not work without access to network, as the authentication is done via a 3rd party provider over the network. Always make sure that there is a valid network connection, before trying to launch the federated sign-in flow. +- Network and Accessibility menus aren't available in the web sign-in flow.  They can be accessed on the standard Windows sign-in page. While in the web sign-in flow, press Ctrl+Alt+Delete and the classic Windows sign-in UI will be shown, along with the buttons that launch those menus.  +- This feature won't work without access to network, as the authentication is done via a third-party provider over the network. Always make sure that there's a valid network connection, before trying to launch the web sign-in flow. ## Troubleshooting -- The user can exit the federated sign-in flow by pressing Ctrl+Alt+Delete to get back to the standard Windows Logon screen. +- The user can exit the federated sign-in flow by pressing Ctrl+Alt+Delete to get back to the standard Windows sign-in screen. - The *Other User* button can be pressed, and standard username/password credentials can be used to log into the device. 
[MEM-1]: /mem/intune/configuration/custom-settings-configure -[AZ-1]: /azure/active-directory/hybrid/how-to-connect-fed-saml-idp \ No newline at end of file +[AZ-1]: /azure/active-directory/hybrid/how-to-connect-fed-saml-idp +[AZ-2]: /azure/active-directory/enterprise-users/licensing-groups-assign \ No newline at end of file
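Review bot: in the first hunk (`@@ -15,24 +15,25 @@`), the new Benefits line "students can sign-in in less time" uses the hyphenated noun as a verb; it should read "sign in in less time" (or "sign in faster", which also avoids the doubled word). The next line, "Fewer credentials to remember and a simplified sign-in process, enable students to be more engaged", has a comma between the subject and its verb; drop it. In the Prerequisites list, items 1-4 were rewritten as noun phrases, but the last item, "Enable federated authentication on the Windows devices that the users will be using", is still an imperative; "Federated authentication enabled on the Windows devices that the users will be using" would match the others. The intro also still says "Windows SE devices" where the heading and the note say "Windows 11 SE".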
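Review bot: in the second hunk (`@@ -41,7 +42,7 @@`), the lead sentence is now "To configure federated authentication using Microsoft Intune, use a custom profile", but the fragment "Can be done in Intune or with a provisioning package." just above it is untouched and still reads as an author's note rather than documentation. Either make it a sentence ("Federated authentication can be configured with Microsoft Intune or with a provisioning package.") or remove it, and if the provisioning package path is kept, the page should say which settings the package must carry, since only the Intune steps are documented.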
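Review bot: in the third hunk (`@@ -58,12 +59,12 @@`), the image tag has `source="images/edu-federated-authentication-settings.png"` but `lightbox="edu-federated-authentication-settings.png"` without the `images/` prefix, so the lightbox points at a path that differs from the source; make it `lightbox="images/edu-federated-authentication-settings.png"`. On the settings table itself: `ConfigureWebSignInAllowedUrls` and `ConfigureWebCamAccessDomainNames` are allowlists that control which domains the web sign-in flow may use, and which of those may use the webcam during sign-in, yet the description of the first only says "Semicolon separated list of domains". It would help readers to state that the list should contain only the domains the IdP's sign-in flow actually needs, as the Clever example does, rather than a broad set of domains.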
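Review bot: in the fourth hunk (`@@ -77,17 +78,17 @@`), terminology is still mixed after the edit: the Known issues bullets now say "web sign-in flow" while the Troubleshooting bullet kept "federated sign-in flow", and the untouched second Troubleshooting bullet still says "log into the device" although the rest of the hunk replaced "login"/"log in" with "sign in". "without access to network" should be "without network access". The doubled spaces before "They can be accessed" and at the end of that bullet were carried over from the old line and look like non-breaking spaces; replace them with normal spaces. Finally, the link-reference block at the end of the file is still written without a trailing newline (`\ No newline at end of file`) after adding `[AZ-2]`; add one.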