From 2420fd3ad8e89c705ef9bd01ec7e64214da2d9b3 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Wed, 7 Sep 2022 13:42:39 -0400
Subject: [PATCH] minor updates to federated auth doc
---
.../windows/edu-federated-authentication.md | 37 ++++++++++---------
1 file changed, 19 insertions(+), 18 deletions(-)
diff --git a/education/windows/edu-federated-authentication.md b/education/windows/edu-federated-authentication.md
index a8b344c4fa..9a2c96d7e9 100644
--- a/education/windows/edu-federated-authentication.md
+++ b/education/windows/edu-federated-authentication.md
@@ -15,24 +15,25 @@ appliesto:
- ✅ Windows 11 SE 22H2
---
+
# Configure federated authentication for Windows 11 SE
Starting in **Windows 11 SE, version 22H2**, you can configure federated authentication, enabling your users to sign in using a third-party identity provider (IdP).
-
-With federated authentication, the sign-in experience on Windows SE devices can be simplified based on the options offered by the IdP. For example, rather than logging in with a traditional username and password, students and educators can use picture passwords or QR badges.
+The sign-in experience on Windows SE devices can be simplified based on the options offered by the IdP. For example, rather than logging in with a traditional username and password, students and educators can use picture passwords or QR code badges.
## Benefits of federated authentication
-With federated authentication, you can have faster starts to class. Features like QR code scanning allow students to log in in less time, and with less friction.
-With fewer credentials for students to remember and a simplified log-in processes, students are more engaged and focused on learning.
+With federated authentication, students can sign-in in less time, and with less friction.
+Fewer credentials to remember and a simplified sign-in process, enable students to be more engaged and focused on learning.
## Prerequisites
To implement federated authentication, the following prerequisites must be met:
-1. You must have an Azure Active Directory (Azure AD) tenant, with one or multiple domains federated to a third-party IdP. For more information, see [Use a SAML 2.0 Identity Provider (IdP) for Single Sign On][AZ-1]
+
+1. An Azure AD tenant, with one or multiple domains federated to a third-party IdP. For more information, see [Use a SAML 2.0 Identity Provider (IdP) for Single Sign On][AZ-1]
1. Individual IdP accounts created: each user will require an account defined in the third-party IdP platform
-1. Individual Azure AD accounts created: each user will require a matching account defined in Azure AD. These account are usually created through automation using a provisioning process offered by the IdP
-1. Licenses assigned to the Azure AD accounts. It is recommended to assign licenses to a dynamic group, so that when new users are provisioned in Azure AD, the licenses are automatically assigned to the users member of the group
+1. Individual Azure AD accounts created: each user will require a matching account defined in Azure AD. These accounts are commonly created through automation, with a provisioning process offered by the IdP
+1. Licenses assigned to the Azure AD user accounts. It's recommended to assign licenses to a dynamic group: when new users are provisioned in Azure AD, the licenses are automatically assigned. For more information, see [Assign licenses to users by group membership in Azure Active Directory][AZ-2]
1. Enable federated authentication on the Windows devices that the users will be using
> [!IMPORTANT]
> This feature is exclusively available for Windows 11 SE, version 22H2.
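Review bot: the rewritten benefit lines (+"students can sign-in in less time" and +"Fewer credentials to remember and a simplified sign-in process, enable students") have two grammar slips: "sign-in" is the noun form, so the verb should be "sign in", and the comma between the compound subject and "enable" should go. Suggested: "With federated authentication, students can sign in in less time and with less friction." and "Fewer credentials to remember and a simplified sign-in process enable students to be more engaged and focused on learning." Also, since the removed line carried the only expansion of "Azure Active Directory (Azure AD)", the first prerequisite now introduces the abbreviation cold; consider keeping the expansion in "+1. An Azure AD tenant".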
@@ -41,7 +42,7 @@ To implement federated authentication, the following prerequisites must be met:
Can be done in Intune or with a provisioning package.
-IT administrators can configure federated authentication on Windows devices using Microsoft Intune, through a [custom profile][MEM-1]:
+To configure federated authentication using Microsoft Intune, use a [custom profile][MEM-1]:
1. Sign in to the Microsoft Endpoint Manager admin center
1. Select **Devices** > **Configuration profiles** > **Create profile**
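Review bot: the new intro "+To configure federated authentication using Microsoft Intune, use a [custom profile][MEM-1]:" narrows the section to Intune, but the unchanged fragment above it, "Can be done in Intune or with a provisioning package.", still promises a provisioning-package path that the steps never cover. Either fold that fragment into a proper sentence (for example, "Federated authentication can be configured with Microsoft Intune or with a provisioning package.") and add the second procedure, or drop the fragment so the section matches what is documented.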
@@ -58,12 +59,12 @@ IT administrators can configure federated authentication on Windows devices usin
| Name | OMA-URI | Data type | Value |
|-|-|-|-|
| `EnableWebSignInForPrimaryUser` | `./Vendor/MSFT/Policy/Config/FederatedAuthentication/EnableWebSignInForPrimaryUser` | Integer | 1|
- | `ConfigureWebSignInAllowedUrls` | `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls` | String | Semicolon separated list of domains, for example `samlidp.clever.com;clever.com;mobile-redirector.clever.com`|
+ | `ConfigureWebSignInAllowedUrls` | `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls` | String | Semicolon separated list of domains, for example: `samlidp.clever.com;clever.com;mobile-redirector.clever.com`|
| `IsEducationEnvironment` | `./Vendor/MSFT/Policy/Config/Education/IsEducationEnvironment` | Integer | 1|
- | `ConfigureWebCamAccessDomainNames` | `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebCamAccessDomainNames` | String |This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example `clever.com`|
-
+ | `ConfigureWebCamAccessDomainNames` | `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebCamAccessDomainNames` | String |This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: `clever.com`|
+
:::image type="content" source="images/edu-federated-authentication-settings.png" alt-text="Custom policy showing the settings to be configured to enable federated authentication" lightbox="edu-federated-authentication-settings.png" border="true":::
-
+
1. Select **Review + Save**
1. Select **Next**
1. In **Scope tags**, assign any applicable tags (optional)
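Review bot: the image line in this hunk points `source` at `images/edu-federated-authentication-settings.png` but `lightbox` at `edu-federated-authentication-settings.png` without the `images/` prefix; the two should reference the same path. Separately, since `ConfigureWebSignInAllowedUrls` and `ConfigureWebCamAccessDomainNames` both define allowlists of domains that the pre-sign-in web view may load (and, for the second, grant webcam access to), the table would benefit from one sentence advising admins to limit both lists to the IdP's own domains rather than copying the Clever example verbatim, because every extra entry widens what can be reached from the lock screen.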
@@ -77,17 +78,17 @@ IT administrators can configure federated authentication on Windows devices usin
Once the devices are configured, a new sign-in experience becomes available.
-:::image type="content" source="./images/federated-auth.gif" alt-text="Windows 11 SE login using federated authentication through Clever and QR badge." border="true":::
-
+:::image type="content" source="./images/federated-auth.gif" alt-text="Windows 11 SE sign-in using federated authentication through Clever and QR code badge." border="true":::
## Known issues
-- Network and Accessibility menus are not available in the Web Sign-In flow. They can be accessed on the standard Windows Logon page. While in the federated sign-in, press Ctrl+Alt+Delete and the classic Windows Logon UI will be shown, along with the buttons that launch those menus.
-- This feature will not work without access to network, as the authentication is done via a 3rd party provider over the network. Always make sure that there is a valid network connection, before trying to launch the federated sign-in flow.
+- Network and Accessibility menus aren't available in the web sign-in flow. They can be accessed on the standard Windows sign-in page. While in the web sign-in flow, press Ctrl+Alt+Delete and the classic Windows sign-in UI will be shown, along with the buttons that launch those menus.
+- This feature won't work without access to network, as the authentication is done via a third-party provider over the network. Always make sure that there's a valid network connection, before trying to launch the web sign-in flow.
## Troubleshooting
-- The user can exit the federated sign-in flow by pressing Ctrl+Alt+Delete to get back to the standard Windows Logon screen.
+- The user can exit the federated sign-in flow by pressing Ctrl+Alt+Delete to get back to the standard Windows sign-in screen.
- The *Other User* button can be pressed, and standard username/password credentials can be used to log into the device.
[MEM-1]: /mem/intune/configuration/custom-settings-configure
-[AZ-1]: /azure/active-directory/hybrid/how-to-connect-fed-saml-idp
\ No newline at end of file
+[AZ-1]: /azure/active-directory/hybrid/how-to-connect-fed-saml-idp
+[AZ-2]: /azure/active-directory/enterprise-users/licensing-groups-assign
\ No newline at end of file
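Review bot: the Known issues bullets are renamed from "federated sign-in" to "web sign-in flow" (+"While in the web sign-in flow" and +"before trying to launch the web sign-in flow"), but the Troubleshooting bullet in the same hunk keeps "+The user can exit the federated sign-in flow", and the unchanged bullet below it still says "log into the device" after this pass replaced "log in" with "sign in" elsewhere; pick one term and apply it to all three. Also, "+This feature won't work without access to network" needs an article or rewording ("without network access"). Finally, the new file still ends with "\ No newline at end of file"; adding a trailing newline after the `[AZ-2]` link would keep future diffs clean.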