Merge branch 'main' of github.com:MicrosoftDocs/windows-docs-pr into pm-7847341-bitlocker-refresh

This commit is contained in:
Paolo Matarazzo 2023-10-20 15:28:31 -04:00
commit 3744679d0d
80 changed files with 292 additions and 261 deletions

View File

@ -48,7 +48,10 @@
"jborsecnik", "jborsecnik",
"tiburd", "tiburd",
"garycentric", "garycentric",
"beccarobins" "beccarobins",
"Stacyrch140",
"v-stsavell",
"American-Dipper"
] ]
}, },
"externalReference": [], "externalReference": [],

View File

@ -66,7 +66,7 @@
"garycentric", "garycentric",
"v-stsavell", "v-stsavell",
"beccarobins", "beccarobins",
"v-stchambers" "Stacyrch140"
] ]
}, },
"fileMetadata": { "fileMetadata": {

View File

@ -106,7 +106,7 @@ Employees can claim apps that admins added to the private store by doing the fol
### Get and remove private store apps ### Get and remove private store apps
**To claim an app from the private store** **To claim an app from the private store**
1. Sign in to your computer with your Azure Active Directory (AD) credentials, and start the Microsoft Store app. 1. Sign in to your computer with your Microsoft Entra credentials, and start the Microsoft Store app.
2. Click the private store tab. 2. Click the private store tab.
3. Click the app you want to install, and then click **Install**. 3. Click the app you want to install, and then click **Install**.

View File

@ -62,7 +62,7 @@ If an employee makes an in-app purchase, they'll make it with their personal Mic
Microsoft Store supports two options to license apps: online and offline. Microsoft Store supports two options to license apps: online and offline.
### Online licensing ### Online licensing
Online licensing is the default licensing model and is similar to the model used by Microsoft Store. Online licensed apps require customers and devices to connect to Microsoft Store service to acquire an app and its license. License management is enforced based on the user's Azure AD identity and maintained by Microsoft Store as well as the management tool. By default app updates are handled by Windows Update. Online licensing is the default licensing model and is similar to the model used by Microsoft Store. Online licensed apps require customers and devices to connect to Microsoft Store service to acquire an app and its license. License management is enforced based on the user's Microsoft Entra identity and maintained by Microsoft Store as well as the management tool. By default app updates are handled by Windows Update.
Distribution options for online-licensed apps include the ability to: Distribution options for online-licensed apps include the ability to:

View File

@ -27,16 +27,16 @@ ms.date: 05/24/2023
For companies or organizations using mobile device management (MDM) tools, those tools can synchronize with Microsoft Store for Business inventory to manage apps with offline licenses. Store for Business management tool services work with your third-party management tool to manage content. For companies or organizations using mobile device management (MDM) tools, those tools can synchronize with Microsoft Store for Business inventory to manage apps with offline licenses. Store for Business management tool services work with your third-party management tool to manage content.
Your management tool needs to be installed and configured with Azure AD, in the same directory that you are using for Store for Business. Once that's done, you can configure it to work with Store for Business Your management tool needs to be installed and configured with Microsoft Entra ID, in the same directory that you are using for Store for Business. Once that's done, you can configure it to work with Store for Business
**To configure a management tool in Azure AD** **To configure a management tool in Microsoft Entra ID**
1. Sign in to the Azure Portal as an Administrator. 1. Sign in to the Azure Portal as an Administrator.
2. Click **Azure Active Directory**, and then choose your directory. 2. Click **Microsoft Entra ID**, and then choose your directory.
4. Click **Mobility (MDM and MAM)**.   4. Click **Mobility (MDM and MAM)**.  
3. Click **+Add Applications**, find the application, and add it to your directory. 3. Click **+Add Applications**, find the application, and add it to your directory.
After your management tool is added to your Azure AD directory, you can configure it to work with Microsoft Store. You can configure multiple management tools - just repeat the following procedure. After your management tool is added to your Microsoft Entra directory, you can configure it to work with Microsoft Store. You can configure multiple management tools - just repeat the following procedure.
**To configure a management tool in Microsoft Store for Business** **To configure a management tool in Microsoft Store for Business**
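Review bot: the numbered steps in "To configure a management tool in Microsoft Entra ID" run 1, 2, 4, 3 on both sides of the diff, so the rename leaves a mis-ordered procedure in place; since this hunk already touches those lines, renumber them 1 to 4 (and drop the trailing spaces after "Click **Mobility (MDM and MAM)**."). The sentence "Once that's done, you can configure it to work with Store for Business" is also missing its terminal period.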

View File

@ -61,7 +61,7 @@ Employees can claim apps that admins added to the private store by doing the fol
**To claim an app from the private store** **To claim an app from the private store**
1. Sign in to your computer with your Azure Active Directory (AD) credentials, and start Microsoft Store app. 1. Sign in to your computer with your Microsoft Entra credentials, and start Microsoft Store app.
2. Click the **private store** tab. 2. Click the **private store** tab.
3. Click the app you want to install, and then click **Install**. 3. Click the app you want to install, and then click **Install**.

View File

@ -27,9 +27,9 @@ ms.date: 05/24/2023
You can configure a mobile device management (MDM) tool to synchronize your Microsoft Store for Business or Microsoft Store for Education inventory. Microsoft Store management tool services work with MDM tools to manage content. You can configure a mobile device management (MDM) tool to synchronize your Microsoft Store for Business or Microsoft Store for Education inventory. Microsoft Store management tool services work with MDM tools to manage content.
Your MDM tool needs to be installed and configured in Azure AD, in the same Azure AD directory used with Microsoft Store. Your MDM tool needs to be installed and configured in Microsoft Entra ID, in the same Microsoft Entra directory used with Microsoft Store.
In Azure AD management portal, find the MDM application, and then add it to your directory. Once the MDM has been configured in Azure AD, you can authorize the tool to work with the Microsoft Store for Business or Microsoft Store for Education. This allows the MDM tool to call Microsoft Store management tool services. For more information, see [Configure MDM provider](configure-mdm-provider-microsoft-store-for-business.md) and [Manage apps you purchased from the Microsoft Store for Business with Microsoft Intune](/mem/intune/apps/windows-store-for-business). In Microsoft Entra management portal, find the MDM application, and then add it to your directory. Once the MDM has been configured in Microsoft Entra ID, you can authorize the tool to work with the Microsoft Store for Business or Microsoft Store for Education. This allows the MDM tool to call Microsoft Store management tool services. For more information, see [Configure MDM provider](configure-mdm-provider-microsoft-store-for-business.md) and [Manage apps you purchased from the Microsoft Store for Business with Microsoft Intune](/mem/intune/apps/windows-store-for-business).
Microsoft Store services provide: Microsoft Store services provide:
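Review bot: "In Microsoft Entra management portal, find the MDM application" drops the article that the rename should have kept; suggest "In the Microsoft Entra management portal, find the MDM application, and then add it to your directory." The rest of the hunk reads consistently.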
@ -40,9 +40,9 @@ Microsoft Store services provide:
MDM tool requirements: MDM tool requirements:
- Must be an Azure Active Directory (AD) application to authenticate against the Store for Business services. - Must be a Microsoft Entra application to authenticate against the Store for Business services.
- Must be configured in Azure AD, and Microsoft Store. - Must be configured in Microsoft Entra ID, and Microsoft Store.
- Azure AD identity is required to authorize Microsoft Store services. - Microsoft Entra identity is required to authorize Microsoft Store services.
## Distribute offline-licensed apps ## Distribute offline-licensed apps

View File

@ -35,7 +35,7 @@ Offline-licensed apps offer an alternative to online apps, and provide additiona
- **You use imaging to manage devices in your organization** - Offline-licensed apps can be added to images and deployed with Deployment Image Servicing and Management (DISM), or Windows Imaging and Configuration Designer (ICD). - **You use imaging to manage devices in your organization** - Offline-licensed apps can be added to images and deployed with Deployment Image Servicing and Management (DISM), or Windows Imaging and Configuration Designer (ICD).
- **Your employees do not have Azure Active Directory (AD) accounts** - Azure AD accounts are required for employees that install apps assigned to them from Microsoft Store or that claim apps from a private store. - **Your employees do not have Microsoft Entra accounts** - Microsoft Entra accounts are required for employees that install apps assigned to them from Microsoft Store or that claim apps from a private store.
## Distribution options for offline-licensed apps ## Distribution options for offline-licensed apps

View File

@ -67,7 +67,10 @@
"v-dihans", "v-dihans",
"garycentric", "garycentric",
"v-stsavell", "v-stsavell",
"beccarobins" "beccarobins",
"Stacyrch140",
"v-stsavell",
"American-Dipper"
] ]
}, },
"fileMetadata": {}, "fileMetadata": {},
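Review bot: the new entry list now contains "v-stsavell" twice (it is already present as unchanged context three lines above the added "Stacyrch140"), so the added "v-stsavell" line duplicates an existing entry; drop the second occurrence so the array reads `"beccarobins", "Stacyrch140", "American-Dipper"`. The first file in this commit adds the same three names without this duplication, so the two lists should be made to match.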

View File

@ -30,7 +30,7 @@ Welcome to the Microsoft Store for Business and Education! You can use Microsoft
> >
> - As of April 14, 2021, all apps that charge a base price above free are no longer available to buy in the Microsoft Store for Business and Education. If you've already bought a paid app, you can still use it, but no new purchases are possible from businessstore.microsoft.com or educationstore.microsoft.com. Also, you can't buy additional licenses for apps you already bought. You can still assign and reassign licenses for apps that you already own and use from the private store. Apps with a base price of "free" are still available. This change doesn't impact apps in the Microsoft Store on Windows 10. > - As of April 14, 2021, all apps that charge a base price above free are no longer available to buy in the Microsoft Store for Business and Education. If you've already bought a paid app, you can still use it, but no new purchases are possible from businessstore.microsoft.com or educationstore.microsoft.com. Also, you can't buy additional licenses for apps you already bought. You can still assign and reassign licenses for apps that you already own and use from the private store. Apps with a base price of "free" are still available. This change doesn't impact apps in the Microsoft Store on Windows 10.
> >
> - Also as of April 14, 2021, you must sign in with your Azure Active Directory (Azure AD) account before you browse Microsoft Store for Business and Education. > - Also as of April 14, 2021, you must sign in with your Microsoft Entra account before you browse Microsoft Store for Business and Education.
## In this section ## In this section
@ -40,5 +40,5 @@ Welcome to the Microsoft Store for Business and Education! You can use Microsoft
| [Find and acquire apps](find-and-acquire-apps-overview.md) | Use the Microsoft Store for Business and Education to find apps for your organization. You can also work with developers to create line-of-business apps that are only available to your organization. | | [Find and acquire apps](find-and-acquire-apps-overview.md) | Use the Microsoft Store for Business and Education to find apps for your organization. You can also work with developers to create line-of-business apps that are only available to your organization. |
| [Manage apps](manage-apps-microsoft-store-for-business-overview.md) | Manage settings and access to apps in Microsoft Store for Business and Education. | | [Manage apps](manage-apps-microsoft-store-for-business-overview.md) | Manage settings and access to apps in Microsoft Store for Business and Education. |
| [Device Guard signing portal](device-guard-signing-portal.md) | Device Guard signing is a Device Guard feature that is available in the Microsoft Store for Business and Education. It gives admins a single place to sign catalog files and code integrity policies. After admins have created catalog files for unsigned apps and signed the catalog files, they can add the signers to a code integrity policy. You can merge the code integrity policy with your existing policy to include your custom signing certificate. This allows you to trust the catalog files. | | [Device Guard signing portal](device-guard-signing-portal.md) | Device Guard signing is a Device Guard feature that is available in the Microsoft Store for Business and Education. It gives admins a single place to sign catalog files and code integrity policies. After admins have created catalog files for unsigned apps and signed the catalog files, they can add the signers to a code integrity policy. You can merge the code integrity policy with your existing policy to include your custom signing certificate. This allows you to trust the catalog files. |
| [Manage settings in the Microsoft Store for Business and Education](manage-settings-microsoft-store-for-business.md) | You can add users and groups, as well as update some of the settings associated with the Azure Active Directory (AD) tenant | | [Manage settings in the Microsoft Store for Business and Education](manage-settings-microsoft-store-for-business.md) | You can add users and groups, as well as update some of the settings associated with the Microsoft Entra tenant |
| [Troubleshoot Microsoft Store for Business and Education](troubleshoot-microsoft-store-for-business.md) | Troubleshooting topics for Microsoft Store for Business and Education. | | [Troubleshoot Microsoft Store for Business and Education](troubleshoot-microsoft-store-for-business.md) | Troubleshooting topics for Microsoft Store for Business and Education. |

View File

@ -1,6 +1,6 @@
--- ---
title: Manage settings for Microsoft Store for Business and Microsoft Store for Education (Windows 10) title: Manage settings for Microsoft Store for Business and Microsoft Store for Education (Windows 10)
description: You can add users and groups, as well as update some of the settings associated with the Azure Active Directory (AD) tenant. description: You can add users and groups, as well as update some of the settings associated with the Microsoft Entra tenant.
ms.assetid: E3283D77-4DB2-40A9-9479-DDBC33D5A895 ms.assetid: E3283D77-4DB2-40A9-9479-DDBC33D5A895
ms.reviewer: ms.reviewer:
ms.mktglfcycl: manage ms.mktglfcycl: manage
@ -25,7 +25,7 @@ ms.date: 05/24/2023
> - The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). > - The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
> - In April 2023 the Microsoft Store for Business tab was removed from Microsoft Store apps on Windows 10 and Windows 11 PCs. An interaction with existing MDM and GPO policies may lead to customers seeing errors when accessing the Microsoft Store app. For more information see [Microsoft Store for Business tab removed](manage-access-to-private-store.md#microsoft-store-for-business-tab-removed). > - In April 2023 the Microsoft Store for Business tab was removed from Microsoft Store apps on Windows 10 and Windows 11 PCs. An interaction with existing MDM and GPO policies may lead to customers seeing errors when accessing the Microsoft Store app. For more information see [Microsoft Store for Business tab removed](manage-access-to-private-store.md#microsoft-store-for-business-tab-removed).
You can add users and groups, as well as update some of the settings associated with the Azure Active Directory (AD) tenant. You can add users and groups, as well as update some of the settings associated with the Microsoft Entra tenant.
## In this section ## In this section
@ -34,5 +34,3 @@ You can add users and groups, as well as update some of the settings associated
| [Update Microsoft Store for Business and Education account settings](update-microsoft-store-for-business-account-settings.md) | **Billing - Account profile** in Microsoft Store for Business shows information about your organization that you can update. Payment options can be managed on **Billing - Payment methods**, and offline license settings can be managed on **Settings - Shop**. | | [Update Microsoft Store for Business and Education account settings](update-microsoft-store-for-business-account-settings.md) | **Billing - Account profile** in Microsoft Store for Business shows information about your organization that you can update. Payment options can be managed on **Billing - Payment methods**, and offline license settings can be managed on **Settings - Shop**. |
| [Manage user accounts in Microsoft Store for Business and Education](manage-users-and-groups-microsoft-store-for-business.md) | Microsoft Store for Business manages permissions with a set of roles. You can [assign these roles to individuals in your organization](roles-and-permissions-microsoft-store-for-business.md) and to groups.| | [Manage user accounts in Microsoft Store for Business and Education](manage-users-and-groups-microsoft-store-for-business.md) | Microsoft Store for Business manages permissions with a set of roles. You can [assign these roles to individuals in your organization](roles-and-permissions-microsoft-store-for-business.md) and to groups.|
| [Understand your invoice](billing-understand-your-invoice-msfb.md) | Information on invoices for products and services bought under the Microsoft Customer Agreement.| | [Understand your invoice](billing-understand-your-invoice-msfb.md) | Information on invoices for products and services bought under the Microsoft Customer Agreement.|

View File

@ -27,21 +27,25 @@ ms.date: 05/24/2023
Microsoft Store for Business and Education manages permissions with a set of roles. Currently, you can [assign these roles to individuals in your organization](roles-and-permissions-microsoft-store-for-business.md), but not to groups. Microsoft Store for Business and Education manages permissions with a set of roles. Currently, you can [assign these roles to individuals in your organization](roles-and-permissions-microsoft-store-for-business.md), but not to groups.
## Why Azure AD accounts? <a name='why-azure-ad-accounts'></a>
## Why Microsoft Entra accounts?
For organizations planning to use the private store feature with Store for Business, we recommend that you also configure cloud domain join. This provides a seamless integration between the identity your admin and employees will use to sign in to Windows and Microsoft Store for Business. For organizations planning to use the private store feature with Store for Business, we recommend that you also configure cloud domain join. This provides a seamless integration between the identity your admin and employees will use to sign in to Windows and Microsoft Store for Business.
Azure AD is an Azure service that provides identity and access management capabilities using the cloud. It is primarily designed to provide this service for cloud- or web-based applications that need to access your local Active Directory information. Azure AD identity and access management includes: Microsoft Entra ID is an Azure service that provides identity and access management capabilities using the cloud. It is primarily designed to provide this service for cloud- or web-based applications that need to access your local Active Directory information. Microsoft Entra identity and access management includes:
- Single sign-on to any cloud and on-premises web app. - Single sign-on to any cloud and on-premises web app.
- Works with multiple platforms and devices. - Works with multiple platforms and devices.
- Integrate with on-premises Active Directory. - Integrate with on-premises Active Directory.
For more information on Azure AD, see [About Office 365 and Azure Active Directory](/previous-versions//dn509517(v=technet.10)), and [Intro to Azure: identity and access](https://go.microsoft.com/fwlink/p/?LinkId=708611). For more information on Microsoft Entra ID, see [About Office 365 and Microsoft Entra ID](/previous-versions//dn509517(v=technet.10)), and [Intro to Azure: identity and access](https://go.microsoft.com/fwlink/p/?LinkId=708611).
## Add user accounts to your Azure AD directory <a name='add-user-accounts-to-your-azure-ad-directory'></a>
If you created a new Azure AD directory when you signed up for Store for Business, you'll have a directory set up with one user account - the global administrator. That global administrator can add user accounts to your Azure AD directory. However, adding user accounts to your Azure AD directory will not give those employees access to Store for Business. You'll need to assign Store for Business roles to your employees. For more information, see [Roles and permissions in the Store for Business.](roles-and-permissions-microsoft-store-for-business.md)
You can use the [Office 365 admin dashboard](https://portal.office.com/adminportal) or [Azure management portal](https://portal.azure.com/) to add user accounts to your Azure AD directory. If you'll be using Azure management portal, you'll need an active subscription to [Azure management portal](https://go.microsoft.com/fwlink/p/?LinkId=708617). ## Add user accounts to your Microsoft Entra directory
If you created a new Microsoft Entra directory when you signed up for Store for Business, you'll have a directory set up with one user account - the global administrator. That global administrator can add user accounts to your Microsoft Entra directory. However, adding user accounts to your Microsoft Entra directory will not give those employees access to Store for Business. You'll need to assign Store for Business roles to your employees. For more information, see [Roles and permissions in the Store for Business.](roles-and-permissions-microsoft-store-for-business.md)
You can use the [Office 365 admin dashboard](https://portal.office.com/adminportal) or [Azure management portal](https://portal.azure.com/) to add user accounts to your Microsoft Entra directory. If you'll be using Azure management portal, you'll need an active subscription to [Azure management portal](https://go.microsoft.com/fwlink/p/?LinkId=708617).
For more information, see: For more information, see:
- [Add user accounts using Office 365 admin dashboard](/microsoft-365/admin/add-users) - [Add user accounts using Office 365 admin dashboard](/microsoft-365/admin/add-users)

View File

@ -36,7 +36,7 @@ You can use the PowerShell module to:
- Perform bulk operations with .csv files - automates license management for customers with larger numbers of licenses - Perform bulk operations with .csv files - automates license management for customers with larger numbers of licenses
>[!NOTE] >[!NOTE]
>Assigning apps to groups is not supported via this module. Instead, we recommend leveraging the Azure Active Directory Or MSOnline Modules to save members of a group to a CSV file and follow instructions below on how to use CSV file to manage assignments. >Assigning apps to groups is not supported via this module. Instead, we recommend leveraging the Microsoft Entra ID Or MSOnline Modules to save members of a group to a CSV file and follow instructions below on how to use CSV file to manage assignments.
## Requirements ## Requirements
To use the Microsoft Store for Business and Education PowerShell module, you'll need: To use the Microsoft Store for Business and Education PowerShell module, you'll need:
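Review bot: the NOTE now says "leveraging the Microsoft Entra ID Or MSOnline Modules", but this sentence names PowerShell modules, not the product, and the module in question is published as AzureAD, so the product rename misnames it here; suggest "leveraging the AzureAD or MSOnline PowerShell modules to save members of a group to a CSV file", which also fixes the capitalized "Or" mid-sentence.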

View File

@ -36,7 +36,7 @@ Designed for organizations, Microsoft Store for Business and Microsoft Store for
## Features ## Features
Organizations or schools of any size can benefit from using Microsoft Store for Business or Microsoft Store for Education: Organizations or schools of any size can benefit from using Microsoft Store for Business or Microsoft Store for Education:
- **Scales to fit the size of your business** - For smaller businesses, with Azure AD accounts or Office 365 accounts and Windows 10 devices, you can quickly have an end-to-end process for acquiring and distributing content using the Store for Business. For larger businesses, all the capabilities of the Store for Business are available to you, or you can integrate Microsoft Store for Business with management tools, for greater control over access to apps and app updates. You can use existing work or school accounts. - **Scales to fit the size of your business** - For smaller businesses, with Microsoft Entra accounts or Office 365 accounts and Windows 10 devices, you can quickly have an end-to-end process for acquiring and distributing content using the Store for Business. For larger businesses, all the capabilities of the Store for Business are available to you, or you can integrate Microsoft Store for Business with management tools, for greater control over access to apps and app updates. You can use existing work or school accounts.
- **Bulk app acquisition** - Acquire apps in volume from Microsoft Store for Business. - **Bulk app acquisition** - Acquire apps in volume from Microsoft Store for Business.
- **Centralized management** Microsoft Store provides centralized management for inventory, billing, permissions, and order history. You can use Microsoft Store to view, manage and distribute items purchased from: - **Centralized management** Microsoft Store provides centralized management for inventory, billing, permissions, and order history. You can use Microsoft Store to view, manage and distribute items purchased from:
- **Microsoft Store for Business** Apps acquired from Microsoft Store for Business - **Microsoft Store for Business** Apps acquired from Microsoft Store for Business
@ -63,21 +63,21 @@ You'll need this software to work with Store for Business and Education.
- Admins working with Store for Business and Education need a browser compatible with Microsoft Store running on a PC or mobile device. Supported browsers include: Internet Explorer 10 or later, or current versions of Microsoft Edge, Chrome or Firefox. JavaScript must be supported and enabled. - Admins working with Store for Business and Education need a browser compatible with Microsoft Store running on a PC or mobile device. Supported browsers include: Internet Explorer 10 or later, or current versions of Microsoft Edge, Chrome or Firefox. JavaScript must be supported and enabled.
- Employees using apps from Store for Business and Education need at least Windows 10, version 1511 running on a PC or mobile device. - Employees using apps from Store for Business and Education need at least Windows 10, version 1511 running on a PC or mobile device.
Microsoft Azure Active Directory (AD) accounts for your employees: Microsoft Entra accounts for your employees:
- Admins need Azure AD accounts to sign up for Store for Business and Education, and then to sign in, get apps, distribute apps, and manage app licenses. You can sign up for Azure AD accounts as part of signing up for Store for Business and Education. - Admins need Microsoft Entra accounts to sign up for Store for Business and Education, and then to sign in, get apps, distribute apps, and manage app licenses. You can sign up for Microsoft Entra accounts as part of signing up for Store for Business and Education.
- Employees need Azure AD account when they access Store for Business content from Windows devices. - Employees need Microsoft Entra account when they access Store for Business content from Windows devices.
- If you use a management tool to distribute and manage online-licensed apps, all employees will need an Azure AD account - If you use a management tool to distribute and manage online-licensed apps, all employees will need a Microsoft Entra account
- For offline-licensed apps, Azure AD accounts are not required for employees. - For offline-licensed apps, Microsoft Entra accounts are not required for employees.
- Admins can add or remove user accounts in the Microsoft 365 admin center, even if you don't have an Office 365 subscription. You can access the Office 365 admin portal directly from the Store for Business and Education. - Admins can add or remove user accounts in the Microsoft 365 admin center, even if you don't have an Office 365 subscription. You can access the Office 365 admin portal directly from the Store for Business and Education.
For more information on Azure AD, see [About Office 365 and Azure Active Directory](/previous-versions//dn509517(v=technet.10)), and [Intro to Azure: identity and access](https://go.microsoft.com/fwlink/p/?LinkId=708611). For more information on Microsoft Entra ID, see [About Office 365 and Microsoft Entra ID](/previous-versions//dn509517(v=technet.10)), and [Intro to Azure: identity and access](https://go.microsoft.com/fwlink/p/?LinkId=708611).
### Optional ### Optional
While not required, you can use a management tool to distribute and manage apps. Using a management tool allows you to distribute content, scope app availability, and control when app updates are installed. This might make sense for larger organizations that already use a management tool. A couple of things to note about management tools: While not required, you can use a management tool to distribute and manage apps. Using a management tool allows you to distribute content, scope app availability, and control when app updates are installed. This might make sense for larger organizations that already use a management tool. A couple of things to note about management tools:
- Need to integrate with Windows 10 management framework and Azure AD. - Need to integrate with Windows 10 management framework and Microsoft Entra ID.
- Need to sync with the Store for Business inventory to distribute apps. - Need to sync with the Store for Business inventory to distribute apps.
## How does the Store for Business and Education work? ## How does the Store for Business and Education work?
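Review bot: "Employees need Microsoft Entra account when they access Store for Business content" is missing the article (carried over from "need Azure AD account" in the old text); suggest "need a Microsoft Entra account". The following bullet, "all employees will need a Microsoft Entra account", still lacks a terminal period while every other bullet in the list has one.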
@ -88,7 +88,7 @@ The first step for getting your organization started with Store for Business and
## Set up ## Set up
After your admin signs up for the Store for Business and Education, they can assign roles to other employees in your company or school. The admin needs Azure AD User Admin permissions to assign Microsoft Store for Business and Education roles. These are the roles and their permissions. After your admin signs up for the Store for Business and Education, they can assign roles to other employees in your company or school. The admin needs Microsoft Entra user Admin permissions to assign Microsoft Store for Business and Education roles. These are the roles and their permissions.
| Permission | Account settings | Acquire apps | Distribute apps | Device Guard signing | | Permission | Account settings | Acquire apps | Distribute apps | Device Guard signing |
| ---------- | ---------------- | ------------ | --------------- | -------------------- | | ---------- | ---------------- | ------------ | --------------- | -------------------- |
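Review bot: "Microsoft Entra user Admin permissions" in the first changed line mixes casing; the directory role is named "User Administrator", so "Microsoft Entra User Administrator permissions" (or a link to the role) reads consistently with the rest of the rename.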
@ -100,7 +100,7 @@ After your admin signs up for the Store for Business and Education, they can ass
> [!NOTE] > [!NOTE]
> Currently, the Basic purchaser role is only available for schools using Microsoft Store for Education. For more information, see [Microsoft Store for Education permissions](/education/windows/education-scenarios-store-for-business?toc=%2fmicrosoft-store%2feducation%2ftoc.json#manage-domain-settings). > Currently, the Basic purchaser role is only available for schools using Microsoft Store for Education. For more information, see [Microsoft Store for Education permissions](/education/windows/education-scenarios-store-for-business?toc=%2fmicrosoft-store%2feducation%2ftoc.json#manage-domain-settings).
In some cases, admins will need to add Azure Active Directory (AD) accounts for their employees. For more information, see [Manage user accounts and groups](manage-users-and-groups-microsoft-store-for-business.md). In some cases, admins will need to add Microsoft Entra accounts for their employees. For more information, see [Manage user accounts and groups](manage-users-and-groups-microsoft-store-for-business.md).
Also, if your organization plans to use a management tool, you'll need to configure your management tool to sync with Store for Business and Education. Also, if your organization plans to use a management tool, you'll need to configure your management tool to sync with Store for Business and Education.
@ -130,7 +130,7 @@ App distribution is handled through two channels, either through the Microsoft S
**Distribute with Store for Business and Education**: **Distribute with Store for Business and Education**:
- Email link After purchasing an app, Admins can send employees a link in an email message. Employees can click the link to install the app. - Email link After purchasing an app, Admins can send employees a link in an email message. Employees can click the link to install the app.
- Curate private store for all employees A private store can include content you've purchased from Microsoft Store for Business, and your line-of-business apps that you've submitted to Microsoft Store for Business. Apps in your private store are available to all of your employees. They can browse the private store and install apps when needed. - Curate private store for all employees A private store can include content you've purchased from Microsoft Store for Business, and your line-of-business apps that you've submitted to Microsoft Store for Business. Apps in your private store are available to all of your employees. They can browse the private store and install apps when needed.
- To use the options above users must be signed in with an Azure AD account on a Windows 10 device. Licenses are assigned as individuals install apps. - To use the options above users must be signed in with a Microsoft Entra account on a Windows 10 device. Licenses are assigned as individuals install apps.
**Using a management tool** For larger organizations that want a greater level of control over how apps are distributed and managed, a management tools provides other distribution options: **Using a management tool** For larger organizations that want a greater level of control over how apps are distributed and managed, a management tools provides other distribution options:
- Scoped content distribution Ability to scope content distribution to specific groups of employees. - Scoped content distribution Ability to scope content distribution to specific groups of employees.
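Review bot: the changed bullet ("To use the options above users must be signed in with a Microsoft Entra account") needs a comma after "above", and the context line directly below it still reads "a management tools provides"; since this paragraph is being edited, fix it to "a management tool provides".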
@ -366,7 +366,7 @@ This table summarize what customers can purchase, depending on which Microsoft S
## Privacy notice ## Privacy notice
Store for Business and Education services get names and email addresses of people in your organization from Azure Active Directory. This information is needed for these admin functions: Store for Business and Education services get names and email addresses of people in your organization from Microsoft Entra ID. This information is needed for these admin functions:
- Granting and managing permissions - Granting and managing permissions
- Managing app licenses - Managing app licenses
- Distributing apps to people (names appear in a list that admins can select from) - Distributing apps to people (names appear in a list that admins can select from)


@ -32,7 +32,7 @@ Microsoft Store for Business and Microsoft Store for Education use a set of noti
| Store area | Notification message | Customer impact | | Store area | Notification message | Customer impact |
| ---------- | -------------------- | --------------- | | ---------- | -------------------- | --------------- |
| General | We're on it. Something happened on our end with the Store. Waiting a bit might help. | You might be unable to sign in. There might be an intermittent Azure AD outage. | | General | We're on it. Something happened on our end with the Store. Waiting a bit might help. | You might be unable to sign in. There might be an intermittent Microsoft Entra outage. |
| Manage | We're on it. Something happened on our end with management for apps and software. We're working to fix the problem. | You might be unable to manage inventory, including viewing inventory, distributing apps, assigning licenses, or viewing and managing order history. | | Manage | We're on it. Something happened on our end with management for apps and software. We're working to fix the problem. | You might be unable to manage inventory, including viewing inventory, distributing apps, assigning licenses, or viewing and managing order history. |
| Shop | We're on it. Something happened on our end with purchasing. We're working to fix the problem. | Shop might not be available. You might not be able to purchase new, or additional licenses. | | Shop | We're on it. Something happened on our end with purchasing. We're working to fix the problem. | Shop might not be available. You might not be able to purchase new, or additional licenses. |
| Private store | We're on it. Something happened on our end with your organization's private store. People in your organization can't download apps right now. We're working to fix the problem. | People in your organization might not be able to view the private store, or get apps. | | Private store | We're on it. Something happened on our end with your organization's private store. People in your organization can't download apps right now. We're working to fix the problem. | People in your organization might not be able to view the private store, or get apps. |


@ -42,18 +42,18 @@ You'll need this software to work with Microsoft Store for Business or Education
- IT Pros that are administering Microsoft Store for Business and Education need a browser compatible with Microsoft Store for Business and Education running on a PC or mobile device. Supported browsers include: Internet Explorer 10 or later, Microsoft Edge, or current versions of Chrome or Firefox. Javascript needs to be supported and enabled. - IT Pros that are administering Microsoft Store for Business and Education need a browser compatible with Microsoft Store for Business and Education running on a PC or mobile device. Supported browsers include: Internet Explorer 10 or later, Microsoft Edge, or current versions of Chrome or Firefox. Javascript needs to be supported and enabled.
- Employees using apps from Microsoft Store for Business and Education need at least Windows 10, version 1511 running on a PC or mobile device. - Employees using apps from Microsoft Store for Business and Education need at least Windows 10, version 1511 running on a PC or mobile device.
Microsoft Azure Active Directory (AD) or Office 365 accounts for your employees: Microsoft Entra ID or Office 365 accounts for your employees:
- IT Pros need Azure AD or Office 365 accounts to sign up for Microsoft Store for Business and Education, and then to sign in, get apps, distribute apps, and manage app licenses. - IT Pros need Microsoft Entra ID or Office 365 accounts to sign up for Microsoft Store for Business and Education, and then to sign in, get apps, distribute apps, and manage app licenses.
- Employees need Azure AD accounts when they access Microsoft Store for Business or Education content from Windows-based devices. - Employees need Microsoft Entra accounts when they access Microsoft Store for Business or Education content from Windows-based devices.
- If you use a management tool to distribute and manage online-licensed apps, all employees will need an Azure AD account. - If you use a management tool to distribute and manage online-licensed apps, all employees will need a Microsoft Entra account.
For more information on Azure AD, see [About Office 365 and Azure Active Directory](/previous-versions//dn509517(v=technet.10)), and [Intro to Azure: identity and access](https://go.microsoft.com/fwlink/p/?LinkId=708611). For more information on Microsoft Entra ID, see [About Office 365 and Microsoft Entra ID](/previous-versions//dn509517(v=technet.10)), and [Intro to Azure: identity and access](https://go.microsoft.com/fwlink/p/?LinkId=708611).
### Optional ### Optional
While not required, you can use a management tool to distribute and manage apps. Using a management tool allows you to distribute content, scope app availability, and control when app updates are installed. This might make sense for larger organizations that already use a management tool. If you're considering using management tools, check with the management tool vendor to see if they support Microsoft Store for Business and Education. The management tool will need to: While not required, you can use a management tool to distribute and manage apps. Using a management tool allows you to distribute content, scope app availability, and control when app updates are installed. This might make sense for larger organizations that already use a management tool. If you're considering using management tools, check with the management tool vendor to see if they support Microsoft Store for Business and Education. The management tool will need to:
- Integrate with the Windows 10 management framework and Azure AD. - Integrate with the Windows 10 management framework and Microsoft Entra ID.
- Sync with Microsoft Store for Business and Education inventory to distribute apps. - Sync with Microsoft Store for Business and Education inventory to distribute apps.
## Proxy configuration ## Proxy configuration
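Review bot: the first two changed bullets say "Microsoft Entra ID or Office 365 accounts" while the next two say "Microsoft Entra accounts"; Entra ID is the service name, so the account form should be "Microsoft Entra or Office 365 accounts" (or "Microsoft Entra accounts or Office 365 accounts") so that all four bullets use one pattern.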
@ -73,4 +73,3 @@ If your organization restricts computers on your network from connecting to the
starting with Windows 10, version 1607) starting with Windows 10, version 1607)
Store for Business requires Microsoft Windows HTTP Services (WinHTTP) to install, or update apps. Store for Business requires Microsoft Windows HTTP Services (WinHTTP) to install, or update apps.


@ -1,6 +1,6 @@
--- ---
title: Roles and permissions in Microsoft Store for Business and Education (Windows 10) title: Roles and permissions in Microsoft Store for Business and Education (Windows 10)
description: The first person to sign in to Microsoft Store for Business or Microsoft Store for Education must be a Global Admin of the Azure Active Directory (AD) tenant. Once the Global Admin has signed in, they can give permissions to others employees. description: The first person to sign in to Microsoft Store for Business or Microsoft Store for Education must be a Global Admin of the Microsoft Entra tenant. Once the Global Admin has signed in, they can give permissions to others employees.
keywords: roles, permissions keywords: roles, permissions
ms.assetid: CB6281E1-37B1-4B8B-991D-BC5ED361F1EE ms.assetid: CB6281E1-37B1-4B8B-991D-BC5ED361F1EE
ms.reviewer: ms.reviewer:
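Review bot: the rewritten `description:` line still ends with "give permissions to others employees"; since the line is already being changed, fix the typo to "other employees" (the same sentence recurs in the body of this file and in the overview table later in this commit).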
@ -29,9 +29,9 @@ ms.date: 05/24/2023
> [!NOTE] > [!NOTE]
> As of April 14th, 2021, only free apps are available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md). > As of April 14th, 2021, only free apps are available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md).
The first person to sign in to Microsoft Store for Business or Microsoft Store for Education must be a Global Admin of the Azure Active Directory (AD) tenant. Once the Global Admin has signed in, they can give permissions to others employees. The first person to sign in to Microsoft Store for Business or Microsoft Store for Education must be a Global Admin of the Microsoft Entra tenant. Once the Global Admin has signed in, they can give permissions to others employees.
Microsoft Store for Business and Education has a set of roles that help admins and employees manage access to apps and tasks for Microsoft Store. Employees with these roles will need to use their Azure AD account to access the Store. Global Administrators and global user accounts that are used with other Microsoft services, such as Azure, or Office 365 can sign in to Microsoft Store. Global user accounts have some permissions in Microsoft Store, and Microsoft Store has a set of roles that help IT admins and employees manage access to apps and tasks for Microsoft Store. Microsoft Store for Business and Education has a set of roles that help admins and employees manage access to apps and tasks for Microsoft Store. Employees with these roles will need to use their Microsoft Entra account to access the Store. Global Administrators and global user accounts that are used with other Microsoft services, such as Azure, or Office 365 can sign in to Microsoft Store. Global user accounts have some permissions in Microsoft Store, and Microsoft Store has a set of roles that help IT admins and employees manage access to apps and tasks for Microsoft Store.
## Global user account permissions in Microsoft Store ## Global user account permissions in Microsoft Store
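Review bot: the second changed paragraph says the same thing twice: it opens with "Microsoft Store for Business and Education has a set of roles that help admins and employees manage access to apps and tasks" and closes with "Microsoft Store has a set of roles that help IT admins and employees manage access to apps and tasks"; drop the second copy. The line above it also repeats the "others employees" typo from the front matter.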
@ -49,7 +49,7 @@ This table lists the global user accounts and the permissions they have in Micro
## Microsoft Store roles and permissions ## Microsoft Store roles and permissions
Microsoft Store for Business has a set of roles that help IT admins and employees manage access to apps and tasks for Microsoft Store. Employees with these roles will need to use their Azure AD account to access Microsoft Store. Microsoft Store for Business has a set of roles that help IT admins and employees manage access to apps and tasks for Microsoft Store. Employees with these roles will need to use their Microsoft Entra account to access Microsoft Store.
This table lists the roles and their permissions. This table lists the roles and their permissions.
@ -100,4 +100,4 @@ These permissions allow people to:
<!--- ![Image showing Assign roles to people box in Microsoft Store for Business.](images/wsfb-permissions-assignrole.png) --> <!--- ![Image showing Assign roles to people box in Microsoft Store for Business.](images/wsfb-permissions-assignrole.png) -->
4. If you don't find the name you want, you might need to add people to your Azure AD directory. For more information, see [Manage user accounts in Microsoft Store for Business and Education](manage-users-and-groups-microsoft-store-for-business.md). 4. If you don't find the name you want, you might need to add people to your Microsoft Entra directory. For more information, see [Manage user accounts in Microsoft Store for Business and Education](manage-users-and-groups-microsoft-store-for-business.md).
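Review bot: "Microsoft Entra directory" in step 4 is a third variant alongside "Microsoft Entra tenant" (used in this file's front matter) and "Microsoft Entra ID"; use "Microsoft Entra tenant" here so the page names the same thing the same way.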


@ -32,7 +32,7 @@ The Microsoft Store for Business and Education has a group of settings that admi
| Allow users to shop | Configure whether or not people in your organization or school can see and use the shop function in Store for Business or Store for Education. For more information, see [Allow users to shop](acquire-apps-microsoft-store-for-business.md#allow-users-to-shop). | **Settings - Shop** | | Allow users to shop | Configure whether or not people in your organization or school can see and use the shop function in Store for Business or Store for Education. For more information, see [Allow users to shop](acquire-apps-microsoft-store-for-business.md#allow-users-to-shop). | **Settings - Shop** |
| Make everyone a Basic Purchaser | Allow everyone in your organization to automatically become a Basic Purchaser. This allows them to purchase apps and manage them. For more information, see [Make everyone a Basic Purchaser](/education/windows/education-scenarios-store-for-business#basic-purchaser-role). | **Settings - Shop** | | Make everyone a Basic Purchaser | Allow everyone in your organization to automatically become a Basic Purchaser. This allows them to purchase apps and manage them. For more information, see [Make everyone a Basic Purchaser](/education/windows/education-scenarios-store-for-business#basic-purchaser-role). | **Settings - Shop** |
| App request | Configure whether or not people in your organization can request apps for admins to purchase. For more information, see [Distribute offline apps](acquire-apps-microsoft-store-for-business.md). | **Settings - Shop** | | App request | Configure whether or not people in your organization can request apps for admins to purchase. For more information, see [Distribute offline apps](acquire-apps-microsoft-store-for-business.md). | **Settings - Shop** |
| Management tools | Management tools that are synced with Azure AD are listed on this page. You can choose one to use for managing app updates and distribution. For more information, see [Configure MDM provider](configure-mdm-provider-microsoft-store-for-business.md). | **Settings - Distribute** | | Management tools | Management tools that are synced with Microsoft Entra ID are listed on this page. You can choose one to use for managing app updates and distribution. For more information, see [Configure MDM provider](configure-mdm-provider-microsoft-store-for-business.md). | **Settings - Distribute** |
| Device Guard signing | Use the Device Guard signing portal to add unsigned apps to a code integrity policy, or to sign code integrity policies. For more information, see [Device Guard signing portal](device-guard-signing-portal.md). | **Settings - Devices** | | Device Guard signing | Use the Device Guard signing portal to add unsigned apps to a code integrity policy, or to sign code integrity policies. For more information, see [Device Guard signing portal](device-guard-signing-portal.md). | **Settings - Devices** |
| Permissions | Manage permissions for your employees. For more information, see [Roles and permissions in the Microsoft Store for Business and Education](roles-and-permissions-microsoft-store-for-business.md). | **Permissions - Roles**, **Permissions - Purchasing roles**, and **Permissions - Blocked basic purchasers** | | Permissions | Manage permissions for your employees. For more information, see [Roles and permissions in the Microsoft Store for Business and Education](roles-and-permissions-microsoft-store-for-business.md). | **Permissions - Roles**, **Permissions - Purchasing roles**, and **Permissions - Blocked basic purchasers** |
| Line-of-business (LOB) publishers | Invite devs to become LOB publishers for your organization. Existing LOB publishers are listed on the page, and you can deactivate or invite them again. For more information, see [Work with line-of-business apps](working-with-line-of-business-apps.md). | **Permissions - Line-of-business apps** | | Line-of-business (LOB) publishers | Invite devs to become LOB publishers for your organization. Existing LOB publishers are listed on the page, and you can deactivate or invite them again. For more information, see [Work with line-of-business apps](working-with-line-of-business-apps.md). | **Permissions - Line-of-business apps** |


@ -36,5 +36,5 @@ IT admins can sign up for Microsoft Store for Business and Education, and get st
| ----- | ----------- | | ----- | ----------- |
| [Microsoft Store for Business and Education overview](./microsoft-store-for-business-overview.md) | Learn about Microsoft Store for Business. | | [Microsoft Store for Business and Education overview](./microsoft-store-for-business-overview.md) | Learn about Microsoft Store for Business. |
| [Prerequisites for Microsoft Store for Business and Education](./prerequisites-microsoft-store-for-business.md) | There are a few prerequisites for using [Microsoft Store for Business and Education.](/microsoft-store/prerequisites-microsoft-store-for-business) | | [Prerequisites for Microsoft Store for Business and Education](./prerequisites-microsoft-store-for-business.md) | There are a few prerequisites for using [Microsoft Store for Business and Education.](/microsoft-store/prerequisites-microsoft-store-for-business) |
| [Roles and permissions in Microsoft Store for Business and Education](./roles-and-permissions-microsoft-store-for-business.md)| The first person to sign in to Microsoft Store for Business and Education must be a Global Admin of the Azure Active Directory (AD) tenant. Once the Global Admin has signed in, they can give permissions to others employees. | | [Roles and permissions in Microsoft Store for Business and Education](./roles-and-permissions-microsoft-store-for-business.md)| The first person to sign in to Microsoft Store for Business and Education must be a Global Admin of the Microsoft Entra tenant. Once the Global Admin has signed in, they can give permissions to others employees. |
| [Settings reference: Microsoft Store for Business and Education](./settings-reference-microsoft-store-for-business.md) | Microsoft Store for Business and Education has a group of settings that admins use to manage the store. | | [Settings reference: Microsoft Store for Business and Education](./settings-reference-microsoft-store-for-business.md) | Microsoft Store for Business and Education has a group of settings that admins use to manage the store. |
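Review bot: the changed table cell keeps "give permissions to others employees"; fix it to "other employees" along with the rename, since it is the same sentence as in the roles and permissions topic.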


@ -37,7 +37,7 @@ Before purchasing apps that have a fee, you need to add or update your organizat
We use the Business address to calculate sales tax. If your organization's address has already been entered for other commercial purchases through Microsoft Store, or through other online purchases such as Office 365 or Azure subscriptions, then we'll use the same address in Microsoft Store for Business and Microsoft Store for Education. If we don't have an address, we'll ask you to enter it during your first purchase. We use the Business address to calculate sales tax. If your organization's address has already been entered for other commercial purchases through Microsoft Store, or through other online purchases such as Office 365 or Azure subscriptions, then we'll use the same address in Microsoft Store for Business and Microsoft Store for Education. If we don't have an address, we'll ask you to enter it during your first purchase.
We need an email address in case we need to contact you about your Microsoft Store for Business and for Education account. This email account should reach the admin for your organization's Office 365 or Azure AD tenant that is used with Microsoft Store. We need an email address in case we need to contact you about your Microsoft Store for Business and for Education account. This email account should reach the admin for your organization's Office 365 or Microsoft Entra tenant that is used with Microsoft Store.
**To update billing account information** **To update billing account information**
1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com) 1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com)


@ -60,7 +60,10 @@
"jborsecnik", "jborsecnik",
"tiburd", "tiburd",
"garycentric", "garycentric",
"beccarobins" "beccarobins",
"Stacyrch140",
"v-stsavell",
"American-Dipper"
], ],
"searchScope": ["Windows 10"] "searchScope": ["Windows 10"]
}, },


@ -46,7 +46,7 @@ Root node.
Interior node for the account domain information. Interior node for the account domain information.
<a href="" id="domain-computername"></a>**Domain/ComputerName** <a href="" id="domain-computername"></a>**Domain/ComputerName**
This node specifies the DNS hostname for a device. This setting can be managed remotely, but this remote management isn't supported for devices hybrid joined to Azure Active Directory and an on-premises Active directory. The server must explicitly reboot the device for this value to take effect. A couple of macros can be embedded within the value for dynamic substitution. Using any of these macros will limit the new name to 15 characters. This node specifies the DNS hostname for a device. This setting can be managed remotely, but this remote management isn't supported for devices hybrid joined to Microsoft Entra ID and an on-premises Active directory. The server must explicitly reboot the device for this value to take effect. A couple of macros can be embedded within the value for dynamic substitution. Using any of these macros will limit the new name to 15 characters.
Available naming macros: Available naming macros:
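Review bot: "devices hybrid joined to Microsoft Entra ID and an on-premises Active directory" in the changed line reads more cleanly with the product term "Microsoft Entra hybrid joined devices", and "Active directory" should be "Active Directory" while the sentence is being touched.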


@ -236,7 +236,7 @@ The expected values for this policy are:
1 = This is the default, when the policy isn't set. Warning prompt and encryption notification is allowed. 1 = This is the default, when the policy isn't set. Warning prompt and encryption notification is allowed.
0 = Disables the warning prompt and encryption notification. Starting in Windows 10, next major update, the value 0 only takes effect on Azure Active Directory joined devices. 0 = Disables the warning prompt and encryption notification. Starting in Windows 10, next major update, the value 0 only takes effect on Microsoft Entra joined devices.
Windows will attempt to silently enable BitLocker for value 0. Windows will attempt to silently enable BitLocker for value 0.
<!-- Device-AllowWarningForOtherDiskEncryption-Description-End --> <!-- Device-AllowWarningForOtherDiskEncryption-Description-End -->
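Review bot: the changed line sits between the `-Description-Begin` and `-Description-End` markers, and the `-Editable-Begin` comment for this policy states that anything outside the editable section is overwritten on regeneration, so the Entra rename here will be lost unless the source the description is generated from is updated as well. The same line still says "Starting in Windows 10, next major update" while the allowed-values table for this policy says "Starting in Windows 10, version 1803"; align the two.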
@ -244,12 +244,12 @@ Windows will attempt to silently enable BitLocker for value 0.
<!-- Device-AllowWarningForOtherDiskEncryption-Editable-Begin --> <!-- Device-AllowWarningForOtherDiskEncryption-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE] > [!NOTE]
> When you disable the warning prompt, the OS drive's recovery key will back up to the user's Azure Active Directory account. When you allow the warning prompt, the user who receives the prompt can select where to back up the OS drive's recovery key. > When you disable the warning prompt, the OS drive's recovery key will back up to the user's Microsoft Entra account. When you allow the warning prompt, the user who receives the prompt can select where to back up the OS drive's recovery key.
> >
> The endpoint for a fixed data drive's backup is chosen in the following order: > The endpoint for a fixed data drive's backup is chosen in the following order:
> >
> 1. The user's Windows Server Active Directory Domain Services account. > 1. The user's Windows Server Active Directory Domain Services account.
> 2. The user's Azure Active Directory account. > 2. The user's Microsoft Entra account.
> 3. The user's personal OneDrive (MDM/MAM only). > 3. The user's personal OneDrive (MDM/MAM only).
> >
> Encryption will wait until one of these three locations backs up successfully. > Encryption will wait until one of these three locations backs up successfully.
@ -270,7 +270,7 @@ Windows will attempt to silently enable BitLocker for value 0.
| Value | Description | | Value | Description |
|:--|:--| |:--|:--|
| 0 | Disables the warning prompt. Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory joined devices. Windows will attempt to silently enable BitLocker for value 0. | | 0 | Disables the warning prompt. Starting in Windows 10, version 1803, the value 0 can only be set for Microsoft Entra joined devices. Windows will attempt to silently enable BitLocker for value 0. |
| 1 (Default) | Warning prompt allowed. | | 1 (Default) | Warning prompt allowed. |
<!-- Device-AllowWarningForOtherDiskEncryption-AllowedValues-End --> <!-- Device-AllowWarningForOtherDiskEncryption-AllowedValues-End -->
@ -312,9 +312,9 @@ Windows will attempt to silently enable BitLocker for value 0.
<!-- Device-ConfigureRecoveryPasswordRotation-Description-Begin --> <!-- Device-ConfigureRecoveryPasswordRotation-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Allows Admin to configure Numeric Recovery Password Rotation upon use for OS and fixed drives on AAD and Hybrid domain joined devices. Allows Admin to configure Numeric Recovery Password Rotation upon use for OS and fixed drives on Microsoft Entra ID and Hybrid domain joined devices.
When not configured, Rotation is turned on by default for AAD only and off on Hybrid. The Policy will be effective only when Active Directory back up for recovery password is configured to required. When not configured, Rotation is turned on by default for Microsoft Entra-only and off on Hybrid. The Policy will be effective only when Active Directory back up for recovery password is configured to required.
For OS drive: Turn on "Do not enable BitLocker until recovery information is stored to AD DS for operating system drives". For OS drive: Turn on "Do not enable BitLocker until recovery information is stored to AD DS for operating system drives".
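Review bot: this description is marked `Description-Source-DDF` two lines above the change, so the renamed text will be overwritten the next time the page is regenerated from the DDF; the change belongs in the DDF source (or in the policy's `-Editable-` section). Also, "on Microsoft Entra ID and Hybrid domain joined devices" and "Microsoft Entra-only" treat the service name as a join state; "Microsoft Entra joined and hybrid joined devices" and "Microsoft Entra joined devices only" match the wording used in this policy's allowed-values table.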
@ -322,8 +322,8 @@ For Fixed drives: Turn on "Do not enable BitLocker until recovery information is
Supported Values: 0 - Numeric Recovery Passwords rotation OFF. Supported Values: 0 - Numeric Recovery Passwords rotation OFF.
1 - Numeric Recovery Passwords Rotation upon use ON for AAD joined devices. Default value 1 - Numeric Recovery Passwords Rotation upon use ON for Microsoft Entra joined devices. Default value
2 - Numeric Recovery Passwords Rotation upon use ON for both AAD and Hybrid devices. 2 - Numeric Recovery Passwords Rotation upon use ON for both Microsoft Entra ID and Hybrid devices.
<!-- Device-ConfigureRecoveryPasswordRotation-Description-End --> <!-- Device-ConfigureRecoveryPasswordRotation-Description-End -->
<!-- Device-ConfigureRecoveryPasswordRotation-Editable-Begin --> <!-- Device-ConfigureRecoveryPasswordRotation-Editable-Begin -->
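Review bot: "ON for both Microsoft Entra ID and Hybrid devices" in the value 2 line has the same service-name-as-join-state problem as the value 1 line above it, which already says "Microsoft Entra joined devices"; use "Microsoft Entra joined and hybrid joined devices". Both lines are inside the generated description block rather than the `-Editable-` section that begins on the last line of this hunk, so the edit will not survive regeneration unless the DDF source is updated too.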
@ -346,8 +346,8 @@ Supported Values: 0 - Numeric Recovery Passwords rotation OFF.
| Value | Description | | Value | Description |
|:--|:--| |:--|:--|
| 0 (Default) | Refresh off (default). | | 0 (Default) | Refresh off (default). |
| 1 | Refresh on for Azure AD-joined devices. | | 1 | Refresh on for Microsoft Entra joined devices. |
| 2 | Refresh on for both Azure AD-joined and hybrid-joined devices. | | 2 | Refresh on for both Microsoft Entra joined and hybrid-joined devices. |
<!-- Device-ConfigureRecoveryPasswordRotation-AllowedValues-End --> <!-- Device-ConfigureRecoveryPasswordRotation-AllowedValues-End -->
<!-- Device-ConfigureRecoveryPasswordRotation-Examples-Begin --> <!-- Device-ConfigureRecoveryPasswordRotation-Examples-Begin -->
@ -1269,7 +1269,7 @@ Disabling the policy won't turn off the encryption on the storage card. But will
<!-- Device-RotateRecoveryPasswords-Description-Begin --> <!-- Device-RotateRecoveryPasswords-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Allows admin to push one-time rotation of all numeric recovery passwords for OS and Fixed Data drives on an Azure Active Directory or hybrid-joined device. Allows admin to push one-time rotation of all numeric recovery passwords for OS and Fixed Data drives on a Microsoft Entra ID or hybrid-joined device.
This policy is Execute type and rotates all numeric passwords when issued from MDM tools. This policy is Execute type and rotates all numeric passwords when issued from MDM tools.
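Review bot: "on a Microsoft Entra ID or hybrid-joined device" reads as if "Microsoft Entra ID" were a join state; the original "Azure Active Directory ... device" had the same problem, but since the line is being rewritten anyway, suggest "on a Microsoft Entra joined or Microsoft Entra hybrid joined device". This is another `Description-Source-DDF` block, so the DDF source needs the same wording or the edit will be regenerated away.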
@ -1401,7 +1401,7 @@ This value represents a bitmask with each bit and the corresponding error code d
| 8 |Recovery key backup failed.| | 8 |Recovery key backup failed.|
| 9 |A fixed drive is unprotected.| | 9 |A fixed drive is unprotected.|
| 10 |The encryption method of the fixed drive doesn't match the BitLocker policy.| | 10 |The encryption method of the fixed drive doesn't match the BitLocker policy.|
| 11 |To encrypt drives, the BitLocker policy requires either the user to sign in as an Administrator or if the device is joined to Azure AD, the AllowStandardUserEncryption policy must be set to 1.| | 11 |To encrypt drives, the BitLocker policy requires either the user to sign in as an Administrator or if the device is joined to Microsoft Entra ID, the AllowStandardUserEncryption policy must be set to 1.|
| 12 |Windows Recovery Environment (WinRE) isn't configured.| | 12 |Windows Recovery Environment (WinRE) isn't configured.|
| 13 |A TPM isn't available for BitLocker, either because it isn't present, it has been made unavailable in the Registry, or the OS is on a removable drive. | | 13 |A TPM isn't available for BitLocker, either because it isn't present, it has been made unavailable in the Registry, or the OS is on a removable drive. |
| 14 |The TPM isn't ready for BitLocker.| | 14 |The TPM isn't ready for BitLocker.|

View File

@ -272,7 +272,7 @@ This node contains the URI-encoded value of the bootstrapped device management a
<!-- Device-Provider-{ProviderID}-AADDeviceID-Description-Begin --> <!-- Device-Provider-{ProviderID}-AADDeviceID-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Device ID used for AAD device registration. Device ID used for Microsoft Entra device registration.
<!-- Device-Provider-{ProviderID}-AADDeviceID-Description-End --> <!-- Device-Provider-{ProviderID}-AADDeviceID-Description-End -->
<!-- Device-Provider-{ProviderID}-AADDeviceID-Editable-Begin --> <!-- Device-Provider-{ProviderID}-AADDeviceID-Editable-Begin -->
@ -311,12 +311,12 @@ Device ID used for AAD device registration.
<!-- Device-Provider-{ProviderID}-AADResourceID-Description-Begin --> <!-- Device-Provider-{ProviderID}-AADResourceID-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This is the ResourceID used when requesting the user token from the OMA DM session for Azure Active Directory (Azure AD) enrollments (Azure AD Join or Add Accounts). The token is audience-specific, which allows for different service principals (enrollment vs. device management). It can be an application ID or the endpoint that you are trying to access. This is the ResourceID used when requesting the user token from the OMA DM session for Microsoft Entra enrollments (Microsoft Entra join or Add Accounts). The token is audience-specific, which allows for different service principals (enrollment vs. device management). It can be an application ID or the endpoint that you are trying to access.
<!-- Device-Provider-{ProviderID}-AADResourceID-Description-End --> <!-- Device-Provider-{ProviderID}-AADResourceID-Description-End -->
<!-- Device-Provider-{ProviderID}-AADResourceID-Editable-Begin --> <!-- Device-Provider-{ProviderID}-AADResourceID-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
For more information about Azure AD enrollment, see [Azure Active Directory integration with MDM](../azure-active-directory-integration-with-mdm.md). For more information about Microsoft Entra enrollment, see [Microsoft Entra integration with MDM](../azure-active-directory-integration-with-mdm.md).
<!-- Device-Provider-{ProviderID}-AADResourceID-Editable-End --> <!-- Device-Provider-{ProviderID}-AADResourceID-Editable-End -->
<!-- Device-Provider-{ProviderID}-AADResourceID-DFProperties-Begin --> <!-- Device-Provider-{ProviderID}-AADResourceID-DFProperties-Begin -->
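Review bot: The link text changes to "Microsoft Entra integration with MDM" but the target stays `../azure-active-directory-integration-with-mdm.md`; that is correct only if that file is not renamed elsewhere in this 80-file commit, so please confirm the path still resolves. Minor: "Microsoft Entra join or Add Accounts" lowercases the first feature name but keeps "Add Accounts" capitalized; the original "Azure AD Join" treated both as feature names.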
@ -351,7 +351,7 @@ For more information about Azure AD enrollment, see [Azure Active Directory inte
<!-- Device-Provider-{ProviderID}-AADSendDeviceToken-Description-Begin --> <!-- Device-Provider-{ProviderID}-AADSendDeviceToken-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
For Azure AD backed enrollments, this will cause the client to send a Device Token if the User Token can't be obtained. For Microsoft Entra backed enrollments, this will cause the client to send a Device Token if the User Token can't be obtained.
<!-- Device-Provider-{ProviderID}-AADSendDeviceToken-Description-End --> <!-- Device-Provider-{ProviderID}-AADSendDeviceToken-Description-End -->
<!-- Device-Provider-{ProviderID}-AADSendDeviceToken-Editable-Begin --> <!-- Device-Provider-{ProviderID}-AADSendDeviceToken-Editable-Begin -->
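Review bot: "Microsoft Entra backed enrollments" needs a hyphen in the compound modifier: "Microsoft Entra-backed enrollments", matching "Microsoft Entra-only" used in the LAPS file later in this commit.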
@ -2016,8 +2016,8 @@ Device only. This node decides whether or not the MDM device progress page skips
| Value | Description | | Value | Description |
|:--|:--| |:--|:--|
| false | Don't skip the device progress page after Azure AD joined or Hybrid Azure AD joined in OOBE. | | false | Don't skip the device progress page after Microsoft Entra joined or Microsoft Entra hybrid joined in OOBE. |
| true (Default) | Skip the device progress page after Azure AD joined or Hybrid Azure AD joined in OOBE. | | true (Default) | Skip the device progress page after Microsoft Entra joined or Microsoft Entra hybrid joined in OOBE. |
<!-- Device-Provider-{ProviderID}-FirstSyncStatus-SkipDeviceStatusPage-AllowedValues-End --> <!-- Device-Provider-{ProviderID}-FirstSyncStatus-SkipDeviceStatusPage-AllowedValues-End -->
<!-- Device-Provider-{ProviderID}-FirstSyncStatus-SkipDeviceStatusPage-Examples-Begin --> <!-- Device-Provider-{ProviderID}-FirstSyncStatus-SkipDeviceStatusPage-Examples-Begin -->
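Review bot: Both rows now read "after Microsoft Entra joined or Microsoft Entra hybrid joined in OOBE", which uses the past participle where a noun is needed; suggest "after Microsoft Entra join or Microsoft Entra hybrid join in OOBE" (the same grammar problem existed with "Azure AD joined", but the rows are being rewritten anyway).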
@ -2065,8 +2065,8 @@ Device only. This node decides whether or not the MDM user progress page skips a
| Value | Description | | Value | Description |
|:--|:--| |:--|:--|
| false | Don't skip the MGM user progress page after Azure AD joined or Hybrid Azure AD joined in OOBE. | | false | Don't skip the MGM user progress page after Microsoft Entra joined or Microsoft Entra hybrid joined in OOBE. |
| true (Default) | Skip the MGM user progress page after Azure AD joined or Hybrid Azure AD joined in OOBE. | | true (Default) | Skip the MGM user progress page after Microsoft Entra joined or Microsoft Entra hybrid joined in OOBE. |
<!-- Device-Provider-{ProviderID}-FirstSyncStatus-SkipUserStatusPage-AllowedValues-End --> <!-- Device-Provider-{ProviderID}-FirstSyncStatus-SkipUserStatusPage-AllowedValues-End -->
<!-- Device-Provider-{ProviderID}-FirstSyncStatus-SkipUserStatusPage-Examples-Begin --> <!-- Device-Provider-{ProviderID}-FirstSyncStatus-SkipUserStatusPage-Examples-Begin -->
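Review bot: Both rewritten rows keep the pre-existing typo "MGM user progress page"; the hunk header for this node says "MDM user progress page", so this should be "MDM" while the rows are being touched. Same "after ... joined in OOBE" wording as the SkipDeviceStatusPage table; suggest "after Microsoft Entra join or Microsoft Entra hybrid join in OOBE" in both tables.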
@ -2182,7 +2182,7 @@ Integer node determining if a Device was Successfully provisioned. 0 is failure,
<!-- Device-Provider-{ProviderID}-ForceAadToken-Description-Begin --> <!-- Device-Provider-{ProviderID}-ForceAadToken-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Force device to send device AAD token during check-in as a separate header. Force device to send device Microsoft Entra token during check-in as a separate header.
<!-- Device-Provider-{ProviderID}-ForceAadToken-Description-End --> <!-- Device-Provider-{ProviderID}-ForceAadToken-Description-End -->
<!-- Device-Provider-{ProviderID}-ForceAadToken-Editable-Begin --> <!-- Device-Provider-{ProviderID}-ForceAadToken-Editable-Begin -->
@ -2204,9 +2204,9 @@ Force device to send device AAD token during check-in as a separate header.
| Value | Description | | Value | Description |
|:--|:--| |:--|:--|
| 0 | ForceAadTokenNotDefined: the value isn't defined(default). | | 0 | ForceAadTokenNotDefined: the value isn't defined(default). |
| 1 | AlwaysSendAadDeviceTokenCheckIn: always send AAD device token during check-in as a separate header section(not as Bearer token). | | 1 | AlwaysSendAadDeviceTokenCheckIn: always send Microsoft Entra device token during check-in as a separate header section(not as Bearer token). |
| 2 | Reserved for future. AlwaysSendAadUserTokenCheckin: always send AAD user token during check-in as a separate header section(not as Bearer token). | | 2 | Reserved for future. AlwaysSendAadUserTokenCheckin: always send Microsoft Entra user token during check-in as a separate header section(not as Bearer token). |
| 4 | SendAadDeviceTokenForAuth: to replace AADSendDeviceToken, send AAD Device token for auth as Bearer token. | | 4 | SendAadDeviceTokenForAuth: to replace AADSendDeviceToken, send Microsoft Entra Device token for auth as Bearer token. |
| 8 | Reserved for future. ForceAadTokenMaxAllowed: max value allowed. | | 8 | Reserved for future. ForceAadTokenMaxAllowed: max value allowed. |
<!-- Device-Provider-{ProviderID}-ForceAadToken-AllowedValues-End --> <!-- Device-Provider-{ProviderID}-ForceAadToken-AllowedValues-End -->
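Review bot: Leaving the enumeration names (AlwaysSendAadDeviceTokenCheckIn, AlwaysSendAadUserTokenCheckin, SendAadDeviceTokenForAuth) and the node name AADSendDeviceToken untouched is the right call, since those are the CSP's identifiers rather than prose; worth stating in the commit message that identifiers were deliberately excluded from the rename. While these rows are being edited, the missing spaces before the parentheses in "defined(default)" and "section(not as Bearer token)" could be fixed in the same pass.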
@ -2472,7 +2472,7 @@ This is an execution node and will trigger a silent Declared Configuration unenr
<!-- Device-Provider-{ProviderID}-LinkedEnrollment-Enroll-Editable-Begin --> <!-- Device-Provider-{ProviderID}-LinkedEnrollment-Enroll-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
This is an execution node and will trigger a silent Declared Configuration enrollment, using the AAD device token pulled from the Azure AD-joined device. There is no user interaction needed. When the **DiscoveryEndpoint** is not set, the Enroll node will fail with `ERROR_FILE_NOT_FOUND (0x80070002)` and there is no scheduled task created for dual enrollment. This is an execution node and will trigger a silent Declared Configuration enrollment, using the Microsoft Entra device token pulled from the Microsoft Entra joined device. There is no user interaction needed. When the **DiscoveryEndpoint** is not set, the Enroll node will fail with `ERROR_FILE_NOT_FOUND (0x80070002)` and there is no scheduled task created for dual enrollment.
<!-- Device-Provider-{ProviderID}-LinkedEnrollment-Enroll-Editable-End --> <!-- Device-Provider-{ProviderID}-LinkedEnrollment-Enroll-Editable-End -->
<!-- Device-Provider-{ProviderID}-LinkedEnrollment-Enroll-DFProperties-Begin --> <!-- Device-Provider-{ProviderID}-LinkedEnrollment-Enroll-DFProperties-Begin -->
@ -3735,7 +3735,7 @@ This node initiates a recovery action. The server can specify prerequisites befo
| Value | Description | | Value | Description |
|:--|:--| |:--|:--|
| 0 (Default) | Initiate MDM Recovery. | | 0 (Default) | Initiate MDM Recovery. |
| 1 | Initiate Recovery if Keys aren't already protected by the TPM, there is a TPM to put the keys into, AAD keys are protected by TPM, and the TPM is ready for attestation. | | 1 | Initiate Recovery if Keys aren't already protected by the TPM, there is a TPM to put the keys into, Microsoft Entra ID keys are protected by TPM, and the TPM is ready for attestation. |
<!-- Device-Provider-{ProviderID}-Recovery-InitiateRecovery-AllowedValues-End --> <!-- Device-Provider-{ProviderID}-Recovery-InitiateRecovery-AllowedValues-End -->
<!-- Device-Provider-{ProviderID}-Recovery-InitiateRecovery-Examples-Begin --> <!-- Device-Provider-{ProviderID}-Recovery-InitiateRecovery-Examples-Begin -->
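Review bot: Value 1 now says "Microsoft Entra ID keys are protected by TPM", and the RecoveryStatus description in the next hunk uses the same "Microsoft Entra ID keys"; elsewhere in this commit the attributive form is "Microsoft Entra device token" and "Microsoft Entra joined" without "ID". Pick one form for the key references in both hunks (for example "Microsoft Entra device keys") so the two recovery nodes read consistently.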
@ -3761,7 +3761,7 @@ This node initiates a recovery action. The server can specify prerequisites befo
<!-- Device-Provider-{ProviderID}-Recovery-RecoveryStatus-Description-Begin --> <!-- Device-Provider-{ProviderID}-Recovery-RecoveryStatus-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This node tracks the status of a Recovery request from the InitiateRecovery node. 0 - No Recovery request has been processed. 1 - Recovery is in Process. 2 - Recovery has finished successfully. 3 - Recovery has failed to start because TPM isn't available. 4 - Recovery has failed to start because AAD keys aren't protected by the TPM. 5 - Recovery has failed to start because the MDM keys are already protected by the TPM. 6 - Recovery has failed to start because the TPM isn't ready for attestation. 7 - Recovery has failed because the client can't authenticate to the server. 8 - Recovery has failed because the server has rejected the client's request. This node tracks the status of a Recovery request from the InitiateRecovery node. 0 - No Recovery request has been processed. 1 - Recovery is in Process. 2 - Recovery has finished successfully. 3 - Recovery has failed to start because TPM isn't available. 4 - Recovery has failed to start because Microsoft Entra ID keys aren't protected by the TPM. 5 - Recovery has failed to start because the MDM keys are already protected by the TPM. 6 - Recovery has failed to start because the TPM isn't ready for attestation. 7 - Recovery has failed because the client can't authenticate to the server. 8 - Recovery has failed because the server has rejected the client's request.
<!-- Device-Provider-{ProviderID}-Recovery-RecoveryStatus-Description-End --> <!-- Device-Provider-{ProviderID}-Recovery-RecoveryStatus-Description-End -->
<!-- Device-Provider-{ProviderID}-Recovery-RecoveryStatus-Editable-Begin --> <!-- Device-Provider-{ProviderID}-Recovery-RecoveryStatus-Editable-Begin -->
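Review bot: The rewritten description packs nine status codes (0 through 8) into a single sentence, which is hard to scan when diagnosing a failed recovery; since this block is `Description-Source-DDF` and gets regenerated, suggest adding a value/description table in the Editable section below it, in the same style as the InitiateRecovery allowed-values table, rather than reflowing the generated text.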

View File

@ -726,7 +726,7 @@ If the attestation process is launched successfully, this node will return code
- rpID (Relying Party Identifier): This field contains an identifier that can be used to help determine the caller. - rpID (Relying Party Identifier): This field contains an identifier that can be used to help determine the caller.
- serviceEndpoint : This field contains the complete URL of the Microsoft Azure Attestation provider instance to be used for evaluation. - serviceEndpoint : This field contains the complete URL of the Microsoft Azure Attestation provider instance to be used for evaluation.
- nonce: This field contains an arbitrary number that can be used only once in a cryptographic communication. It's often a random or pseudo-random number issued in an authentication protocol to ensure that old communications can't be reused in replay attacks. - nonce: This field contains an arbitrary number that can be used only once in a cryptographic communication. It's often a random or pseudo-random number issued in an authentication protocol to ensure that old communications can't be reused in replay attacks.
- aadToken: The Azure Active Directory token to be used for authentication against the Microsoft Azure Attestation service. - aadToken: The Microsoft Entra token to be used for authentication against the Microsoft Azure Attestation service.
- cv: This field contains an identifier(Correlation Vector) that will be passed in to the service call, and that can be used for diagnostics purposes. - cv: This field contains an identifier(Correlation Vector) that will be passed in to the service call, and that can be used for diagnostics purposes.
- Sample `<Data>`: - Sample `<Data>`:

View File

@ -23,7 +23,7 @@ ms.topic: reference
The Local Administrator Password Solution (LAPS) configuration service provider (CSP) is used by the enterprise to manage back up of local administrator account passwords. Windows supports a LAPS Group Policy Object that is entirely separate from the LAPS CSP. Many of the various settings are common across both the LAPS GPO and CSP (GPO does not support any of the Action-related settings). As long as at least one LAPS setting is configured via CSP, any GPO-configured settings will be ignored. Also see [Configure policy settings for Windows LAPS](/windows-server/identity/laps/laps-management-policy-settings). The Local Administrator Password Solution (LAPS) configuration service provider (CSP) is used by the enterprise to manage back up of local administrator account passwords. Windows supports a LAPS Group Policy Object that is entirely separate from the LAPS CSP. Many of the various settings are common across both the LAPS GPO and CSP (GPO does not support any of the Action-related settings). As long as at least one LAPS setting is configured via CSP, any GPO-configured settings will be ignored. Also see [Configure policy settings for Windows LAPS](/windows-server/identity/laps/laps-management-policy-settings).
> [!NOTE] > [!NOTE]
> For more information on specific OS updates required to use the Windows LAPS CSP and associated features, plus the current status of the Azure Active Directory LAPS scenario, see [Windows LAPS availability and Azure AD LAPS public preview status](/windows-server/identity/laps/laps-overview#windows-laps-supported-platforms-and-azure-ad-laps-preview-status). > For more information on specific OS updates required to use the Windows LAPS CSP and associated features, plus the current status of the Microsoft Entra LAPS scenario, see [Windows LAPS availability and Microsoft Entra LAPS public preview status](/windows-server/identity/laps/laps-overview#windows-laps-supported-platforms-and-azure-ad-laps-preview-status).
> [!TIP] > [!TIP]
> This article covers the specific technical details of the LAPS CSP. For more information about the scenarios in which the LAPS CSP would be used, see [Windows Local Administrator Password Solution](/windows-server/identity/laps/laps). > This article covers the specific technical details of the LAPS CSP. For more information about the scenarios in which the LAPS CSP would be used, see [Windows Local Administrator Password Solution](/windows-server/identity/laps/laps).
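Review bot: The link text in the note becomes "Windows LAPS availability and Microsoft Entra LAPS public preview status" but the fragment stays `#windows-laps-supported-platforms-and-azure-ad-laps-preview-status`; if the heading on the target page was renamed as part of the same branding pass, the anchor will no longer resolve, so please verify it against the current target. Unrelated but on the same changed line: "manage back up of" should be "manage backup of".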
@ -449,7 +449,7 @@ Use this setting to configure which directory the local admin account password i
The allowable settings are: The allowable settings are:
0=Disabled (password won't be backed up) 0=Disabled (password won't be backed up)
1=Backup the password to Azure AD only 1=Backup the password to Microsoft Entra-only
2=Backup the password to Active Directory only. 2=Backup the password to Active Directory only.
If not specified, this setting will default to 0. If not specified, this setting will default to 0.
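Review bot: "1=Backup the password to Microsoft Entra-only" hyphenates a phrase that is not a compound modifier and drops the parallel with "2=Backup the password to Active Directory only."; suggest "1=Backup the password to Microsoft Entra ID only." (with the trailing period the other two values have). The same wording appears in the BackupDirectory allowed-values table in the next hunk.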
@ -475,7 +475,7 @@ If not specified, this setting will default to 0.
| Value | Description | | Value | Description |
|:--|:--| |:--|:--|
| 0 (Default) | Disabled (password won't be backed up). | | 0 (Default) | Disabled (password won't be backed up). |
| 1 | Backup the password to Azure AD only. | | 1 | Backup the password to Microsoft Entra-only. |
| 2 | Backup the password to Active Directory only. | | 2 | Backup the password to Active Directory only. |
<!-- Device-Policies-BackupDirectory-AllowedValues-End --> <!-- Device-Policies-BackupDirectory-AllowedValues-End -->
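Review bot: Same hyphen issue as the description above: "Backup the password to Microsoft Entra-only." should read "Backup the password to Microsoft Entra ID only." to mirror "Backup the password to Active Directory only." in the row beneath it.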
@ -506,7 +506,7 @@ Use this policy to configure the maximum password age of the managed local admin
If not specified, this setting will default to 30 days. If not specified, this setting will default to 30 days.
This setting has a minimum allowed value of 1 day when backing the password to on-premises Active Directory, and 7 days when backing the password to Azure AD. This setting has a minimum allowed value of 1 day when backing the password to on-premises Active Directory, and 7 days when backing the password to Microsoft Entra ID.
This setting has a maximum allowed value of 365 days. This setting has a maximum allowed value of 365 days.
<!-- Device-Policies-PasswordAgeDays-Description-End --> <!-- Device-Policies-PasswordAgeDays-Description-End -->
@ -806,7 +806,7 @@ This setting has a maximum allowed value of 24 hours.
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
## Settings Applicability ## Settings Applicability
The LAPS CSP can be used to manage devices that are either joined to Azure AD or joined to both Azure AD and Active Directory (hybrid-joined). The LAPS CSP manages a mix of AAD-only and AD-only settings. The AD-only settings are only applicable for hybrid-joined devices, and then only when BackupDirectory is set to 2. The LAPS CSP can be used to manage devices that are either joined to Microsoft Entra ID or joined to both Microsoft Entra ID and Active Directory (hybrid-joined). The LAPS CSP manages a mix of Microsoft Entra-only and AD-only settings. The AD-only settings are only applicable for hybrid-joined devices, and then only when BackupDirectory is set to 2.
| Setting name | Azure-joined | Hybrid-joined | | Setting name | Azure-joined | Hybrid-joined |
|-------------------------------------|--------------|---------------| |-------------------------------------|--------------|---------------|
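Review bot: The paragraph is renamed but the table header directly below it still says "Azure-joined", so the section now mixes "joined to Microsoft Entra ID" and "Azure-joined" for the same state; rename the column to "Microsoft Entra joined" (and "Hybrid-joined" to "Microsoft Entra hybrid joined" if that is the form chosen elsewhere in this commit). "Microsoft Entra-only and AD-only settings" is fine as a compound modifier, unlike the LAPS value descriptions above.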
@ -828,9 +828,11 @@ The LAPS CSP can be used to manage devices that are either joined to Azure AD or
The following examples are provided to show the correct format and shouldn't be considered as a recommendation. The following examples are provided to show the correct format and shouldn't be considered as a recommendation.
### Azure-joined device backing password up to Azure AD <a name='azure-joined-device-backing-password-up-to-azure-ad'></a>
This example shows how to configure an Azure-joined device to back up its password to Azure Active Directory: ### Azure-joined device backing password up to Microsoft Entra ID
This example shows how to configure an Azure-joined device to back up its password to Microsoft Entra ID:
```xml ```xml
<SyncMl xmlns="SYNCML:SYNCML1.2"> <SyncMl xmlns="SYNCML:SYNCML1.2">
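Review bot: Adding `<a name='azure-joined-device-backing-password-up-to-azure-ad'></a>` before the renamed heading correctly preserves the old auto-generated anchor for existing deep links; good. However, the heading and the sentence under it still say "Azure-joined device", which is the term this commit is removing elsewhere; suggest "Microsoft Entra joined device backing password up to Microsoft Entra ID" and "configure a Microsoft Entra joined device" so the example matches the settings-applicability text above it.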

View File

@ -32,9 +32,9 @@ The following actions are supported:
- Layer 3 tagging using a differentiated services code point (DSCP) value - Layer 3 tagging using a differentiated services code point (DSCP) value
> [!NOTE] > [!NOTE]
> The NetworkQoSPolicy configuration service provider is officially supported for devices that are Intune managed and Azure AD joined. Currently, this CSP is not supported on the following devices: > The NetworkQoSPolicy configuration service provider is officially supported for devices that are Intune managed and Microsoft Entra joined. Currently, this CSP is not supported on the following devices:
> >
> - Azure AD Hybrid joined devices. > - Microsoft Entra hybrid joined devices.
> - Devices that use both GPO and CSP at the same time. > - Devices that use both GPO and CSP at the same time.
> >
> The minimum operating system requirement for this CSP is Windows 10, version 1703. This CSP is not supported in Microsoft Surface Hub prior to Windows 10, version 1703. > The minimum operating system requirement for this CSP is Windows 10, version 1703. This CSP is not supported in Microsoft Surface Hub prior to Windows 10, version 1703.

View File

@ -20,7 +20,7 @@ ms.topic: reference
<!-- PassportForWork-Editable-Begin --> <!-- PassportForWork-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
The PassportForWork configuration service provider is used to provision Windows Hello for Business (formerly Microsoft Passport for Work). It allows you to log in to Windows using your Active Directory or Azure Active Directory account and replace passwords, smartcards, and virtual smart cards. The PassportForWork configuration service provider is used to provision Windows Hello for Business (formerly Microsoft Passport for Work). It allows you to log in to Windows using your Active Directory or Microsoft Entra account and replace passwords, smartcards, and virtual smart cards.
> [!IMPORTANT] > [!IMPORTANT]
> Starting with Windows 10, version 1607 all devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP. > Starting with Windows 10, version 1607 all devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP.
@ -1119,9 +1119,9 @@ Windows Hello for Business can use certificates to authenticate to on-premise re
<!-- Device-{TenantId}-Policies-UseCloudTrustForOnPremAuth-Description-Begin --> <!-- Device-{TenantId}-Policies-UseCloudTrustForOnPremAuth-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Boolean value that enables Windows Hello for Business to use Azure AD Kerberos to authenticate to on-premises resources. Boolean value that enables Windows Hello for Business to use Microsoft Entra Kerberos to authenticate to on-premises resources.
- If you enable this policy setting, Windows Hello for Business will use an Azure AD Kerberos ticket to authenticate to on-premises resources. The Azure AD Kerberos ticket is returned to the client after a successful authentication to Azure AD if Azure AD Kerberos is enabled for the tenant and domain. - If you enable this policy setting, Windows Hello for Business will use a Microsoft Entra Kerberos ticket to authenticate to on-premises resources. The Microsoft Entra Kerberos ticket is returned to the client after a successful authentication to Microsoft Entra ID if Microsoft Entra Kerberos is enabled for the tenant and domain.
- If you disable or don't configure this policy setting, Windows Hello for Business will use a key or certificate to authenticate to on-premises resources. - If you disable or don't configure this policy setting, Windows Hello for Business will use a key or certificate to authenticate to on-premises resources.
<!-- Device-{TenantId}-Policies-UseCloudTrustForOnPremAuth-Description-End --> <!-- Device-{TenantId}-Policies-UseCloudTrustForOnPremAuth-Description-End -->
@ -1226,7 +1226,7 @@ Windows requires a user to lock and unlock their session after changing this set
<!-- Device-{TenantId}-Policies-UsePassportForWork-Description-Begin --> <!-- Device-{TenantId}-Policies-UsePassportForWork-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Windows Hello for Business is an alternative method for signing into Windows using your Active Directory or Azure Active Directory account that can replace passwords, Smart Cards, and Virtual Smart Cards. Windows Hello for Business is an alternative method for signing into Windows using your Active Directory or Microsoft Entra account that can replace passwords, Smart Cards, and Virtual Smart Cards.
- If you enable or don't configure this policy setting, the device provisions Windows Hello for Business for all users. - If you enable or don't configure this policy setting, the device provisions Windows Hello for Business for all users.
@ -2553,7 +2553,7 @@ A Trusted Platform Module (TPM) provides additional security benefits over softw
<!-- User-{TenantId}-Policies-UsePassportForWork-Description-Begin --> <!-- User-{TenantId}-Policies-UsePassportForWork-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Windows Hello for Business is an alternative method for signing into Windows using your Active Directory or Azure Active Directory account that can replace passwords, Smart Cards, and Virtual Smart Cards. Windows Hello for Business is an alternative method for signing into Windows using your Active Directory or Microsoft Entra account that can replace passwords, Smart Cards, and Virtual Smart Cards.
- If you enable or don't configure this policy setting, the device provisions Windows Hello for Business for all users. - If you enable or don't configure this policy setting, the device provisions Windows Hello for Business for all users.

View File

@ -269,7 +269,7 @@ This policy setting enables you to specify the HTTPS URL of the corporate websit
<!-- NCSI_DomainLocationDeterminationUrl-Editable-Begin --> <!-- NCSI_DomainLocationDeterminationUrl-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE] > [!NOTE]
> This indicates the Network Location Server (NLS) URL and applies exclusively to DirectAccess clients (it does NOT apply for example to VPN clients). For non-DirectAccess scenarios, such as Azure AD only joined devices, please refer to [Policy CSP - NetworkListManager](./policy-csp-networklistmanager.md). > This indicates the Network Location Server (NLS) URL and applies exclusively to DirectAccess clients (it does NOT apply for example to VPN clients). For non-DirectAccess scenarios, such as Microsoft Entra-only joined devices, please refer to [Policy CSP - NetworkListManager](./policy-csp-networklistmanager.md).
<!-- NCSI_DomainLocationDeterminationUrl-Editable-End --> <!-- NCSI_DomainLocationDeterminationUrl-Editable-End -->
<!-- NCSI_DomainLocationDeterminationUrl-DFProperties-Begin --> <!-- NCSI_DomainLocationDeterminationUrl-DFProperties-Begin -->
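Review bot: "Microsoft Entra-only joined devices" is awkward because the hyphenated modifier attaches to the wrong word; the intended meaning is devices that are Microsoft Entra joined and not hybrid joined, so suggest "such as devices that are Microsoft Entra joined only (not hybrid joined)". The rest of the note, including the NetworkListManager link, is unchanged and reads fine.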

View File

@ -37,7 +37,7 @@ ms.topic: reference
<!-- DefaultAssociationsConfiguration-Description-Begin --> <!-- DefaultAssociationsConfiguration-Description-Begin -->
<!-- Description-Source-DDF-Forced --> <!-- Description-Source-DDF-Forced -->
This policy allows an administrator to set default file type and protocol associations. When set, default associations will be applied on sign-in to the PC. The association file can be created using the DISM tool (dism /online /export-defaultappassociations:appassoc. xml), and then needs to be base64 encoded before being added to SyncML. If policy is enabled and the client machine is Azure Active Directory joined, the associations assigned in SyncML will be processed and default associations will be applied. This policy allows an administrator to set default file type and protocol associations. When set, default associations will be applied on sign-in to the PC. The association file can be created using the DISM tool (dism /online /export-defaultappassociations:appassoc. xml), and then needs to be base64 encoded before being added to SyncML. If policy is enabled and the client machine is Microsoft Entra joined, the associations assigned in SyncML will be processed and default associations will be applied.
<!-- DefaultAssociationsConfiguration-Description-End --> <!-- DefaultAssociationsConfiguration-Description-End -->
<!-- DefaultAssociationsConfiguration-Editable-Begin --> <!-- DefaultAssociationsConfiguration-Editable-Begin -->
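Review bot: The rewritten line carries the pre-existing stray space in the DISM example, "appassoc. xml"; since the whole sentence is being replaced, fix it to `dism /online /export-defaultappassociations:appassoc.xml` so readers copying the command get a valid file name. This block is `Description-Source-DDF-Forced`, so the correction needs to go into the DDF source as well or it will be regenerated with the typo.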

View File

@ -39,13 +39,13 @@ ms.topic: reference
<!-- AllowAadPasswordReset-Description-Begin --> <!-- AllowAadPasswordReset-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Specifies whether password reset is enabled for AAD accounts. Specifies whether password reset is enabled for Microsoft Entra accounts.
<!-- AllowAadPasswordReset-Description-End --> <!-- AllowAadPasswordReset-Description-End -->
<!-- AllowAadPasswordReset-Editable-Begin --> <!-- AllowAadPasswordReset-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
This policy allows the Azure Active Directory (Azure AD) tenant administrator to enable the self-service password reset feature on the Windows sign-in screen. This policy allows the Microsoft Entra tenant administrator to enable the self-service password reset feature on the Windows sign-in screen.
<!-- AllowAadPasswordReset-Editable-End --> <!-- AllowAadPasswordReset-Editable-End -->
<!-- AllowAadPasswordReset-DFProperties-Begin --> <!-- AllowAadPasswordReset-DFProperties-Begin -->
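Review bot: the rename on the `Specifies whether password reset is enabled ...` line is inside the `<!-- Description-Source-DDF -->` block, and the editable-section comment a few lines below says anything outside the Editable section gets overwritten. Unless the DDF source is updated to say "Microsoft Entra" too, this change will revert at the next regeneration; the same applies to the other Description-Source-DDF lines in this commit.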
@ -262,7 +262,7 @@ Specifies a list of domains that are allowed to access the webcam in Web Sign-in
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE] > [!NOTE]
> Web sign-in is only supported on Azure AD joined PCs. > Web sign-in is only supported on Microsoft Entra joined PCs.
<!-- ConfigureWebcamAccessDomainNames-Editable-End --> <!-- ConfigureWebcamAccessDomainNames-Editable-End -->
<!-- ConfigureWebcamAccessDomainNames-DFProperties-Begin --> <!-- ConfigureWebcamAccessDomainNames-DFProperties-Begin -->
@ -312,7 +312,7 @@ Specifies a list of URLs that are navigable in Web Sign-in based authentication
This policy specifies the list of domains that users can access in certain authentication scenarios. For example: This policy specifies the list of domains that users can access in certain authentication scenarios. For example:
- Azure Active Directory (Azure AD) PIN reset - Microsoft Entra ID PIN reset
- Web sign-in Windows device scenarios where authentication is handled by Active Directory Federation Services (AD FS) or a third-party federated identity provider - Web sign-in Windows device scenarios where authentication is handled by Active Directory Federation Services (AD FS) or a third-party federated identity provider
> [!NOTE] > [!NOTE]
@ -358,13 +358,13 @@ Your organization's PIN reset or web sign-in authentication flow is expected to
<!-- EnableFastFirstSignIn-Description-Begin --> <!-- EnableFastFirstSignIn-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Specifies whether new non-admin AAD accounts should auto-connect to pre-created candidate local accounts. Specifies whether new non-admin Microsoft Entra accounts should auto-connect to pre-created candidate local accounts.
<!-- EnableFastFirstSignIn-Description-End --> <!-- EnableFastFirstSignIn-Description-End -->
<!-- EnableFastFirstSignIn-Editable-Begin --> <!-- EnableFastFirstSignIn-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
This policy is intended for use on Shared PCs to enable a quick first sign-in experience for a user. It works by automatically connecting new non-admin Azure Active Directory (Azure AD) accounts to the pre-configured candidate local accounts. This policy is intended for use on Shared PCs to enable a quick first sign-in experience for a user. It works by automatically connecting new non-admin Microsoft Entra accounts to the pre-configured candidate local accounts.
> [!IMPORTANT] > [!IMPORTANT]
> Pre-configured candidate local accounts are any local accounts that are pre-configured or added on the device. > Pre-configured candidate local accounts are any local accounts that are pre-configured or added on the device.
@ -386,8 +386,8 @@ This policy is intended for use on Shared PCs to enable a quick first sign-in ex
| Value | Description | | Value | Description |
|:--|:--| |:--|:--|
| 0 (Default) | The feature defaults to the existing SKU and device capabilities. | | 0 (Default) | The feature defaults to the existing SKU and device capabilities. |
| 1 | Enabled. Auto-connect new non-admin Azure AD accounts to pre-configured candidate local accounts. | | 1 | Enabled. Auto-connect new non-admin Microsoft Entra accounts to pre-configured candidate local accounts. |
| 2 | Disabled. Don't auto-connect new non-admin Azure AD accounts to pre-configured local accounts. | | 2 | Disabled. Don't auto-connect new non-admin Microsoft Entra accounts to pre-configured local accounts. |
<!-- EnableFastFirstSignIn-AllowedValues-End --> <!-- EnableFastFirstSignIn-AllowedValues-End -->
<!-- EnableFastFirstSignIn-Examples-Begin --> <!-- EnableFastFirstSignIn-Examples-Begin -->
@ -470,12 +470,12 @@ Specifies whether web-based sign-in is allowed for signing in to Windows.
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!WARNING] > [!WARNING]
> The Web sign-in feature is intended for recovery purposes in the event a password isn't available as an authentication method. Web sign-in only supports *temporary access pass* as an authentication method for Azure Active Directory (Azure AD), unless it's used in a limited federated scope. > The Web sign-in feature is intended for recovery purposes in the event a password isn't available as an authentication method. Web sign-in only supports *temporary access pass* as an authentication method for Microsoft Entra ID, unless it's used in a limited federated scope.
**Web sign-in** is a modern way of signing into a Windows PC. It enables Windows sign-in support for new Azure AD credentials, like temporary access pass. **Web sign-in** is a modern way of signing into a Windows PC. It enables Windows sign-in support for new Microsoft Entra credentials, like temporary access pass.
> [!NOTE] > [!NOTE]
> Web sign-in is only supported on Azure AD joined PCs. > Web sign-in is only supported on Microsoft Entra joined PCs.
<!-- EnableWebSignIn-Editable-End --> <!-- EnableWebSignIn-Editable-End -->
<!-- EnableWebSignIn-DFProperties-Begin --> <!-- EnableWebSignIn-DFProperties-Begin -->
@ -521,7 +521,7 @@ Specifies whether web-based sign-in is allowed for signing in to Windows.
<!-- PreferredAadTenantDomainName-Description-Begin --> <!-- PreferredAadTenantDomainName-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Specifies the preferred domain among available domains in the AAD tenant. Specifies the preferred domain among available domains in the Microsoft Entra tenant.
<!-- PreferredAadTenantDomainName-Description-End --> <!-- PreferredAadTenantDomainName-Description-End -->
<!-- PreferredAadTenantDomainName-Editable-Begin --> <!-- PreferredAadTenantDomainName-Editable-Begin -->

View File

@ -703,13 +703,13 @@ Note this is a best effort optimization and shouldn't be relied on for an authen
<!-- DOGroupIdSource-Description-Begin --> <!-- DOGroupIdSource-Description-Begin -->
<!-- Description-Source-DDF-Forced --> <!-- Description-Source-DDF-Forced -->
Set this policy to restrict peer selection to a specific source. Available options are: 1 = AD Site, 2 = Authenticated domain SID, 3 = DHCP Option ID, 4 = DNS Suffix, 5 = AAD. When set, the Group ID will be assigned automatically from the selected source. This policy is ignored if the GroupID policy is also set. The options set in this policy only apply to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. For option 3 - DHCP Option ID, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID. Starting with Windows 10, version 1903, you can use the Azure Active Directory (AAD) Tenant ID as a means to define groups. To do this, set the value of DOGroupIdSource to 5. Set this policy to restrict peer selection to a specific source. Available options are: 1 = AD Site, 2 = Authenticated domain SID, 3 = DHCP Option ID, 4 = DNS Suffix, 5 = Microsoft Entra ID. When set, the Group ID will be assigned automatically from the selected source. This policy is ignored if the GroupID policy is also set. The options set in this policy only apply to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. For option 3 - DHCP Option ID, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID. Starting with Windows 10, version 1903, you can use the Microsoft Entra tenant ID as a means to define groups. To do this, set the value of DOGroupIdSource to 5.
<!-- DOGroupIdSource-Description-End --> <!-- DOGroupIdSource-Description-End -->
<!-- DOGroupIdSource-Editable-Begin --> <!-- DOGroupIdSource-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE] > [!NOTE]
> The default behavior, when neither the DOGroupId or DOGroupIdSource policies are set, is to determine the Group ID using AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. If DOGroupIdSource is set to either DHCP Option ID (3) or DNS Suffix (4) and those methods fail, the default behavior is used instead. > The default behavior, when neither the DOGroupId or DOGroupIdSource policies are set, is to determine the Group ID using AD Site (1), Authenticated domain SID (2) or Microsoft Entra tenant ID (5), in that order. If DOGroupIdSource is set to either DHCP Option ID (3) or DNS Suffix (4) and those methods fail, the default behavior is used instead.
<!-- DOGroupIdSource-Editable-End --> <!-- DOGroupIdSource-Editable-End -->
<!-- DOGroupIdSource-DFProperties-Begin --> <!-- DOGroupIdSource-DFProperties-Begin -->
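Review bot: the note line still reads `when neither the DOGroupId or DOGroupIdSource policies are set`; "neither ... or" should be "neither ... nor". Also, option 5 is labelled "Microsoft Entra ID" in the option list but "Microsoft Entra tenant ID" in the note and the final sentence of the description; since the value is the tenant ID, one label (tenant ID) for value 5 in both places would be clearer.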
@ -732,7 +732,7 @@ Set this policy to restrict peer selection to a specific source. Available optio
| 2 | Authenticated domain SID. | | 2 | Authenticated domain SID. |
| 3 | DHCP user option. | | 3 | DHCP user option. |
| 4 | DNS suffix. | | 4 | DNS suffix. |
| 5 | AAD. | | 5 | Microsoft Entra ID. |
<!-- DOGroupIdSource-AllowedValues-End --> <!-- DOGroupIdSource-AllowedValues-End -->
<!-- DOGroupIdSource-GpMapping-Begin --> <!-- DOGroupIdSource-GpMapping-Begin -->

View File

@ -352,7 +352,7 @@ When Find My Device is off, the device and its location aren't registered and th
<!-- AllowManualMDMUnenrollment-Description-Begin --> <!-- AllowManualMDMUnenrollment-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Specifies whether to allow the user to delete the workplace account using the workplace control panel. If the device is Azure Active Directory joined and MDM enrolled (e. g. auto-enrolled), then disabling the MDM unenrollment has no effect. Specifies whether to allow the user to delete the workplace account using the workplace control panel. If the device is Microsoft Entra joined and MDM enrolled (e. g. auto-enrolled), then disabling the MDM unenrollment has no effect.
> [!NOTE] > [!NOTE]
> The MDM server can always remotely delete the account. Most restricted value is 0. > The MDM server can always remotely delete the account. Most restricted value is 0.
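Review bot: `(e. g. auto-enrolled)` carries a stray space in the abbreviation on both sides of the change; it should be `(e.g. auto-enrolled)`. Since this is a Description-Source-DDF line, the fix needs to go into the DDF source as well to survive regeneration.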

View File

@ -43,7 +43,7 @@ Specifies whether web-based sign-in is enabled with the Primary User experience.
<!-- EnableWebSignInForPrimaryUser-Editable-Begin --> <!-- EnableWebSignInForPrimaryUser-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE] > [!NOTE]
> Web Sign-in is only supported on Azure AD Joined PCs. > Web Sign-in is only supported on Microsoft Entra joined PCs.
<!-- EnableWebSignInForPrimaryUser-Editable-End --> <!-- EnableWebSignInForPrimaryUser-Editable-End -->
<!-- EnableWebSignInForPrimaryUser-DFProperties-Begin --> <!-- EnableWebSignInForPrimaryUser-DFProperties-Begin -->
@ -63,7 +63,7 @@ Specifies whether web-based sign-in is enabled with the Primary User experience.
|:--|:--| |:--|:--|
| 0 (Default) | Feature defaults as appropriate for edition and device capabilities. As of now, all editions/devices exhibit Disabled behavior by default. However, this may change for future editions/devices. | | 0 (Default) | Feature defaults as appropriate for edition and device capabilities. As of now, all editions/devices exhibit Disabled behavior by default. However, this may change for future editions/devices. |
| 1 | Enabled. Web Sign-in Credential Provider will be enabled for device sign-in. | | 1 | Enabled. Web Sign-in Credential Provider will be enabled for device sign-in. |
| 2 | Disabled. Web Sign-in Credential Provider will be not be enabled for device sign-in. | | 2 | Disabled. Web Sign-in Credential Provider isn't be enabled for device sign-in. |
<!-- EnableWebSignInForPrimaryUser-AllowedValues-End --> <!-- EnableWebSignInForPrimaryUser-AllowedValues-End -->
<!-- EnableWebSignInForPrimaryUser-Examples-Begin --> <!-- EnableWebSignInForPrimaryUser-Examples-Begin -->
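Review bot: the new text for value 2 introduces a grammar error: `Web Sign-in Credential Provider isn't be enabled for device sign-in.` The old text had a doubled verb (`will be not be enabled`) and the replacement kept half of it; it should read `Web Sign-in Credential Provider isn't enabled for device sign-in.`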

View File

@ -98,11 +98,11 @@ This policy setting defines the list of trusting forests that the Kerberos clien
<!-- CloudKerberosTicketRetrievalEnabled-Description-Begin --> <!-- CloudKerberosTicketRetrievalEnabled-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting allows retrieving the Azure AD Kerberos Ticket Granting Ticket during logon. This policy setting allows retrieving the Microsoft Entra Kerberos Ticket Granting Ticket during logon.
- If you disable or don't configure this policy setting, the Azure AD Kerberos Ticket Granting Ticket isn't retrieved during logon. - If you disable or don't configure this policy setting, the Microsoft Entra Kerberos Ticket Granting Ticket isn't retrieved during logon.
- If you enable this policy setting, the Azure AD Kerberos Ticket Granting Ticket is retrieved during logon. - If you enable this policy setting, the Microsoft Entra Kerberos Ticket Granting Ticket is retrieved during logon.
<!-- CloudKerberosTicketRetrievalEnabled-Description-End --> <!-- CloudKerberosTicketRetrievalEnabled-Description-End -->
<!-- CloudKerberosTicketRetrievalEnabled-Editable-Begin --> <!-- CloudKerberosTicketRetrievalEnabled-Editable-Begin -->
@ -134,7 +134,7 @@ This policy setting allows retrieving the Azure AD Kerberos Ticket Granting Tick
| Name | Value | | Name | Value |
|:--|:--| |:--|:--|
| Name | CloudKerberosTicketRetrievalEnabled | | Name | CloudKerberosTicketRetrievalEnabled |
| Friendly Name | Allow retrieving the Azure AD Kerberos Ticket Granting Ticket during logon | | Friendly Name | Allow retrieving the Microsoft Entra Kerberos Ticket Granting Ticket during logon |
| Location | Computer Configuration | | Location | Computer Configuration |
| Path | System > Kerberos | | Path | System > Kerberos |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters | | Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters |
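Review bot: the Friendly Name row is the display string of the ADMX policy as admins see it in the Group Policy editor, not free documentation text. Renaming it to "Allow retrieving the Microsoft Entra Kerberos Ticket Granting Ticket during logon" only makes sense if the shipped Kerberos ADMX has been updated with the same string; otherwise the table will no longer match what appears under System > Kerberos and readers searching for the policy by name will not find it. Please verify against the ADMX, and the same goes for the Description-Source-ADMX text in the previous hunk.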
@ -781,8 +781,8 @@ The size of the context token buffer determines the maximum size of SSPI context
<!-- UPNNameHints-Description-Begin --> <!-- UPNNameHints-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This can cause failures when such a device needs to resolve an AAD UPN into an Active Directory Principal. Devices joined to Microsoft Entra ID in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This can cause failures when such a device needs to resolve a Microsoft Entra UPN into an Active Directory Principal.
This parameter adds a list of domains that an Azure Active Directory joined device should attempt to contact if it's otherwise unable to resolve a UPN to a principal. This parameter adds a list of domains that a Microsoft Entra joined device should attempt to contact if it's otherwise unable to resolve a UPN to a principal.
<!-- UPNNameHints-Description-End --> <!-- UPNNameHints-Description-End -->
<!-- UPNNameHints-Editable-Begin --> <!-- UPNNameHints-Editable-Begin -->

View File

@ -54,7 +54,7 @@ members that aren't specified in the policy are removed.
<!-- Configure-Editable-Begin --> <!-- Configure-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE] > [!NOTE]
> The [RestrictedGroups/ConfigureGroupMembership](./policy-csp-restrictedgroups.md#configuregroupmembership) policy setting also allows you to configure members (users or Azure Active Directory groups) to a Windows 10 local group. However, it allows only for a full replace of the existing groups with the new members and does not allow selective add or remove. > The [RestrictedGroups/ConfigureGroupMembership](./policy-csp-restrictedgroups.md#configuregroupmembership) policy setting also allows you to configure members (users or Microsoft Entra groups) to a Windows 10 local group. However, it allows only for a full replace of the existing groups with the new members and does not allow selective add or remove.
> >
> Starting from Windows 10, version 20H2, it is recommended to use the LocalUsersAndGroups policy instead of the RestrictedGroups policy. Applying both the policies to the same device is unsupported and may yield unpredictable results. > Starting from Windows 10, version 20H2, it is recommended to use the LocalUsersAndGroups policy instead of the RestrictedGroups policy. Applying both the policies to the same device is unsupported and may yield unpredictable results.
<!-- Configure-Editable-End --> <!-- Configure-Editable-End -->
@ -166,21 +166,21 @@ where:
> [!NOTE] > [!NOTE]
> When specifying member names of the user accounts, you must use following format - AzureAD\userUPN. For example, "AzureAD\user1@contoso.com" or "AzureAD\user2@contoso.co.uk". > When specifying member names of the user accounts, you must use following format - AzureAD\userUPN. For example, "AzureAD\user1@contoso.com" or "AzureAD\user2@contoso.co.uk".
For adding Azure AD groups, you need to specify the Azure AD Group SID. Azure AD group names are not supported with this policy. For adding Microsoft Entra groups, you need to specify the Microsoft Entra group SID. Microsoft Entra group names are not supported with this policy.
For more information, see [LookupAccountNameA function](/windows/win32/api/winbase/nf-winbase-lookupaccountnamea). For more information, see [LookupAccountNameA function](/windows/win32/api/winbase/nf-winbase-lookupaccountnamea).
See [Use custom settings for Windows 10 devices in Intune](/mem/intune/configuration/custom-settings-windows-10) for information on how to create custom profiles. See [Use custom settings for Windows 10 devices in Intune](/mem/intune/configuration/custom-settings-windows-10) for information on how to create custom profiles.
> [!IMPORTANT] > [!IMPORTANT]
> >
> - `<add member>` and `<remove member>` can use an Azure AD SID or the user's name. For adding or removing Azure AD groups using this policy, you must use the group's SID. Azure AD group SIDs can be obtained using [Graph](/graph/api/resources/group?view=graph-rest-1.0&preserve-view=true#json-representation) API for Groups. The SID is present in the `securityIdentifier` attribute. > - `<add member>` and `<remove member>` can use a Microsoft Entra SID or the user's name. For adding or removing Microsoft Entra groups using this policy, you must use the group's SID. Microsoft Entra group SIDs can be obtained using [Graph](/graph/api/resources/group?view=graph-rest-1.0&preserve-view=true#json-representation) API for Groups. The SID is present in the `securityIdentifier` attribute.
> - When specifying a SID in the `<add member>` or `<remove member>`, member SIDs are added without attempting to resolve them. Therefore, be very careful when specifying a SID to ensure it is correct. > - When specifying a SID in the `<add member>` or `<remove member>`, member SIDs are added without attempting to resolve them. Therefore, be very careful when specifying a SID to ensure it is correct.
> - `<remove member>` is not valid for the R (Restrict) action and will be ignored if present. > - `<remove member>` is not valid for the R (Restrict) action and will be ignored if present.
> - The list in the XML is processed in the given order except for the R actions, which get processed last to ensure they win. It also means that, if a group is present multiple times with different add/remove values, all of them will be processed in the order they are present. > - The list in the XML is processed in the given order except for the R actions, which get processed last to ensure they win. It also means that, if a group is present multiple times with different add/remove values, all of them will be processed in the order they are present.
**Example 1**: Azure Active Directory focused. **Example 1**: Microsoft Entra ID focused.
The following example updates the built-in administrators group with the SID **S-1-5-21-2222222222-3333333333-4444444444-500** with an Azure AD account "bob@contoso.com" and an Azure AD group with the SID **S-1-12-1-111111111-22222222222-3333333333-4444444444** on an AAD-joined machine. The following example updates the built-in administrators group with the SID **S-1-5-21-2222222222-3333333333-4444444444-500** with a Microsoft Entra account "bob@contoso.com" and a Microsoft Entra group with the SID **S-1-12-1-111111111-22222222222-3333333333-4444444444** on a Microsoft Entra joined machine.
```xml ```xml
<GroupConfiguration> <GroupConfiguration>
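Review bot: the unchanged note line is correct to keep the literal `AzureAD\userUPN` member format (for example `"AzureAD\user1@contoso.com"`) as-is, because that prefix is the account-name syntax the policy parses, not branding. Given that every surrounding sentence now says "Microsoft Entra", a short clause stating that the `AzureAD\` prefix is unchanged by the rename would stop readers from "correcting" it to something the policy does not accept.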
@ -192,7 +192,7 @@ The following example updates the built-in administrators group with the SID **S
</GroupConfiguration> </GroupConfiguration>
``` ```
**Example 2**: Replace / Restrict the built-in administrators group with an Azure AD user account. **Example 2**: Replace / Restrict the built-in administrators group with a Microsoft Entra user account.
> [!NOTE] > [!NOTE]
> When using the 'R' replace option to configure the built-in Administrators group with the SID **S-1-5-21-2222222222-3333333333-4444444444-500** you should always specify the administrator as a member plus any other custom members. This is necessary because the built-in administrator must always be a member of the administrators group. > When using the 'R' replace option to configure the built-in Administrators group with the SID **S-1-5-21-2222222222-3333333333-4444444444-500** you should always specify the administrator as a member plus any other custom members. This is necessary because the built-in administrator must always be a member of the administrators group.
@ -209,7 +209,7 @@ The following example updates the built-in administrators group with the SID **S
**Example 3**: Update action for adding and removing group members on a hybrid joined machine. **Example 3**: Update action for adding and removing group members on a hybrid joined machine.
The following example shows how you can update a local group (**Administrators** with the SID **S-1-5-21-2222222222-3333333333-4444444444-500**)—add an AD domain group as a member using its name (**Contoso\ITAdmins**), add an Azure Active Directory group by its SID (**S-1-12-1-111111111-22222222222-3333333333-4444444444**), and remove a local account (**Guest**) if it exists. The following example shows how you can update a local group (**Administrators** with the SID **S-1-5-21-2222222222-3333333333-4444444444-500**)—add an AD domain group as a member using its name (**Contoso\ITAdmins**), add a Microsoft Entra group by its SID (**S-1-12-1-111111111-22222222222-3333333333-4444444444**), and remove a local account (**Guest**) if it exists.
```xml ```xml
<GroupConfiguration> <GroupConfiguration>
@ -223,7 +223,7 @@ The following example shows how you can update a local group (**Administrators**
``` ```
> [!NOTE] > [!NOTE]
> When Azure Active Directory group SID's are added to local groups, Azure AD account logon privileges are evaluated only for the following well-known groups on a Windows 10 device: > When Microsoft Entra group SID's are added to local groups, Microsoft Entra account logon privileges are evaluated only for the following well-known groups on a Windows 10 device:
> >
> - Administrators > - Administrators
> - Users > - Users
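Review bot: the note line uses the possessive `SID's` for a plural (`When Microsoft Entra group SID's are added to local groups`); it should be `SIDs`, matching `group SIDs` used earlier in the same section.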

View File

@ -42,24 +42,24 @@ These policies are only supported on [Microsoft HoloLens 2](/hololens/hololens2-
<!-- AADGroupMembershipCacheValidityInDays-Description-Begin --> <!-- AADGroupMembershipCacheValidityInDays-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This policy controls for how many days, AAD group membership cache is allowed to be used for Assigned Access configurations targeting AAD groups for signed in user. Once this policy is set only then cache is used otherwise not. In order for this policy to take effect, user must sign-out and sign-in with Internet available at least once before the cache can be used for subsequent 'disconnected' sessions. This policy controls for how many days, Microsoft Entra group membership cache is allowed to be used for Assigned Access configurations targeting Microsoft Entra groups for signed in user. Once this policy is set only then cache is used otherwise not. In order for this policy to take effect, user must sign-out and sign-in with Internet available at least once before the cache can be used for subsequent 'disconnected' sessions.
<!-- AADGroupMembershipCacheValidityInDays-Description-End --> <!-- AADGroupMembershipCacheValidityInDays-Description-End -->
<!-- AADGroupMembershipCacheValidityInDays-Editable-Begin --> <!-- AADGroupMembershipCacheValidityInDays-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
Steps to use this policy correctly: Steps to use this policy correctly:
1. Create a device configuration profile for kiosk, which targets Azure AD groups. Assign it to the HoloLens devices. 1. Create a device configuration profile for kiosk, which targets Microsoft Entra groups. Assign it to the HoloLens devices.
1. Create a custom OMA URI-based device configuration. Set this policy value to the chosen number of days greater than zero (`0`). Then assign the configuration to the HoloLens devices. 1. Create a custom OMA URI-based device configuration. Set this policy value to the chosen number of days greater than zero (`0`). Then assign the configuration to the HoloLens devices.
- The URI value should be entered in OMA-URI text box as `./Device/Vendor/MSFT/Policy/Config/MixedReality/AADGroupMembershipCacheValidityInDays` - The URI value should be entered in OMA-URI text box as `./Device/Vendor/MSFT/Policy/Config/MixedReality/AADGroupMembershipCacheValidityInDays`
- The value can be any integer in the allowed range. - The value can be any integer in the allowed range.
1. Enroll the HoloLens devices. Verify that both configurations apply to the device. 1. Enroll the HoloLens devices. Verify that both configurations apply to the device.
1. When internet is available, sign in as an Azure AD user. Once the user signs-in, and Azure AD group membership is confirmed successfully, the cache will be created. 1. When internet is available, sign in as a Microsoft Entra user. Once the user signs-in, and Microsoft Entra group membership is confirmed successfully, the cache will be created.
1. You can now take the HoloLens offline and use it for kiosk mode as long as policy value allows for X number of days. 1. You can now take the HoloLens offline and use it for kiosk mode as long as policy value allows for X number of days.
1. Steps 4 and 5 can be repeated for any other Azure AD user. The key point is that any Azure AD user must sign-in at least once to a device while on the internet. Then we can determine that they're a member of an Azure AD group to which the kiosk configuration is targeted. 1. Steps 4 and 5 can be repeated for any other Microsoft Entra user. The key point is that any Microsoft Entra user must sign-in at least once to a device while on the internet. Then we can determine that they're a member of a Microsoft Entra group to which the kiosk configuration is targeted.
> [!NOTE] > [!NOTE]
> Until you do step 4 for an Azure AD user, the user will experience failure behavior similar to a disconnected environment. > Until you do step 4 for a Microsoft Entra user, the user will experience failure behavior similar to a disconnected environment.
<!-- AADGroupMembershipCacheValidityInDays-Editable-End --> <!-- AADGroupMembershipCacheValidityInDays-Editable-End -->
<!-- AADGroupMembershipCacheValidityInDays-DFProperties-Begin --> <!-- AADGroupMembershipCacheValidityInDays-DFProperties-Begin -->
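Review bot: the OMA-URI `./Device/Vendor/MSFT/Policy/Config/MixedReality/AADGroupMembershipCacheValidityInDays` correctly keeps `AAD` in the policy name, since that is the identifier the CSP accepts, but nothing in the steps tells the reader that. With every other "AAD" on the page now rewritten to "Microsoft Entra", a one-line remark that the policy name itself is unchanged would prevent someone from typing a renamed URI that silently fails to apply. Separately, the Description-Source-DDF sentence `Once this policy is set only then cache is used otherwise not` is hard to parse; if the DDF text is being touched anyway, something like "The cache is used only when this policy is set" reads better.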
@ -212,7 +212,7 @@ On a device where you configure this policy, the user specified in the policy ne
> [!NOTE] > [!NOTE]
> >
> - Some events such as major OS updates may require the specified user to sign in to the device again to resume auto-logon behavior. > - Some events such as major OS updates may require the specified user to sign in to the device again to resume auto-logon behavior.
> - Auto-logon is only supported for Microsoft accounts and Azure Active Directory (Azure AD) users. > - Auto-logon is only supported for Microsoft accounts and Microsoft Entra users.
<!-- AutoLogonUser-Editable-End --> <!-- AutoLogonUser-Editable-End -->
<!-- AutoLogonUser-DFProperties-Begin --> <!-- AutoLogonUser-DFProperties-Begin -->
@ -507,7 +507,7 @@ The following XML string is an example of the value for this policy:
<!-- ConfigureSharedAccount-Description-Begin --> <!-- ConfigureSharedAccount-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This policy specifies the configuration for Shared Accounts on the device. Shared Accounts are AAD accounts that are deployed to the device by an IT admin and can be used by anyone with physical access to the device. These accounts excel in deployments where the HoloLens device is used like a tool shared between multiple people and it doesn't matter which account is used to access AAD resources. Because these accounts can be signed in without requiring the user to provide credentials, you should ensure that these devices are physically secure, with access granted only to authorized personnel. You should also lock down these accounts to only have access to the required resources. This policy specifies the configuration for Shared Accounts on the device. Shared Accounts are Microsoft Entra accounts that are deployed to the device by an IT admin and can be used by anyone with physical access to the device. These accounts excel in deployments where the HoloLens device is used like a tool shared between multiple people and it doesn't matter which account is used to access Microsoft Entra resources. Because these accounts can be signed in without requiring the user to provide credentials, you should ensure that these devices are physically secure, with access granted only to authorized personnel. You should also lock down these accounts to only have access to the required resources.
<!-- ConfigureSharedAccount-Description-End --> <!-- ConfigureSharedAccount-Description-End -->
<!-- ConfigureSharedAccount-Editable-Begin --> <!-- ConfigureSharedAccount-Editable-Begin -->

View File

@ -93,7 +93,7 @@ Allows or disallows the automatic acceptance of the pairing and privacy user con
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting determines whether Clipboard contents can be synchronized across devices. This policy setting determines whether Clipboard contents can be synchronized across devices.
- If you enable this policy setting, Clipboard contents are allowed to be synchronized across devices logged in under the same Microsoft account or Azure AD account. - If you enable this policy setting, Clipboard contents are allowed to be synchronized across devices logged in under the same Microsoft account or Microsoft Entra account.
- If you disable this policy setting, Clipboard contents can't be shared to other devices. - If you disable this policy setting, Clipboard contents can't be shared to other devices.

View File

@ -95,13 +95,13 @@ To automatically subscribe to [Azure Virtual Desktop](/azure/virtual-desktop/ove
<!-- LoadAadCredKeyFromProfile-Description-Begin --> <!-- LoadAadCredKeyFromProfile-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Allow encrypted DPAPI cred keys to be loaded from user profiles for AAD accounts. Allow encrypted DPAPI cred keys to be loaded from user profiles for Microsoft Entra accounts.
<!-- LoadAadCredKeyFromProfile-Description-End --> <!-- LoadAadCredKeyFromProfile-Description-End -->
<!-- LoadAadCredKeyFromProfile-Editable-Begin --> <!-- LoadAadCredKeyFromProfile-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
This policy allows the user to load the data protection API (DPAPI) cred key from their user profile, and decrypt any previously encrypted DPAPI data in the user profile or encrypt any new DPAPI data. This policy is needed when using [FSLogix user profiles](/fslogix/overview) from Azure AD-joined VMs. This policy allows the user to load the data protection API (DPAPI) cred key from their user profile, and decrypt any previously encrypted DPAPI data in the user profile or encrypt any new DPAPI data. This policy is needed when using [FSLogix user profiles](/fslogix/overview) from Microsoft Entra joined VMs.
<!-- LoadAadCredKeyFromProfile-Editable-End --> <!-- LoadAadCredKeyFromProfile-Editable-End -->
<!-- LoadAadCredKeyFromProfile-DFProperties-Begin --> <!-- LoadAadCredKeyFromProfile-DFProperties-Begin -->
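Review bot: Of the two changes in this hunk, only the one in the `LoadAadCredKeyFromProfile-Editable` section ("FSLogix user profiles ... from Microsoft Entra joined VMs") will persist; the first one edits the DDF-sourced description and will be overwritten on regeneration, so it should also be applied in the DDF. Dropping the hyphen ("Azure AD-joined" to "Microsoft Entra joined") matches the form used elsewhere in this commit, and the policy name `LoadAadCredKeyFromProfile` is correctly left untouched since it is an identifier, not prose.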

View File

@ -20,7 +20,7 @@ ms.topic: reference
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!IMPORTANT] > [!IMPORTANT]
> Starting from Windows 10, version 20H2, to configure members of Windows local groups, use the [LocalUsersandGroups](policy-csp-localusersandgroups.md) policy instead of the RestrictedGroups policy. These members can be users or Azure Active Directory (Azure AD) groups. > Starting from Windows 10, version 20H2, to configure members of Windows local groups, use the [LocalUsersandGroups](policy-csp-localusersandgroups.md) policy instead of the RestrictedGroups policy. These members can be users or Microsoft Entra groups.
> >
> Don't apply both policies to the same device, it's unsupported and may yield unpredictable results. > Don't apply both policies to the same device, it's unsupported and may yield unpredictable results.
<!-- RestrictedGroups-Editable-End --> <!-- RestrictedGroups-Editable-End -->
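Review bot: The last quoted line of the IMPORTANT block is a comma splice ("Don't apply both policies to the same device, it's unsupported ..."); since the block is being edited, split it: "Don't apply both policies to the same device; doing so is unsupported and may yield unpredictable results."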
@ -135,7 +135,7 @@ Descriptions of the properties:
- `<accessgroup desc>` contains the local group SID or group name to configure. If a SID is specified here, the policy uses the [LookupAccountName](/windows/win32/api/winbase/nf-winbase-lookupaccountnamea) API to get the local group name. For best results, use names for `<accessgroup desc>`. - `<accessgroup desc>` contains the local group SID or group name to configure. If a SID is specified here, the policy uses the [LookupAccountName](/windows/win32/api/winbase/nf-winbase-lookupaccountnamea) API to get the local group name. For best results, use names for `<accessgroup desc>`.
- `<member name>` contains the members to add to the group in `<accessgroup desc>`. A member can be specified as a name or as a SID. For best results, use a SID for `<member name>`. The member SID can be a user account or a group in Active Directory, Azure AD, or on the local machine. If a name is specified here, the policy will try to get the corresponding SID using the [LookupAccountSID](/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API. Name can be used for a user account or a group in Active Directory or on the local machine. Membership is configured using the [NetLocalGroupSetMembers](/windows/win32/api/lmaccess/nf-lmaccess-netlocalgroupsetmembers) API. - `<member name>` contains the members to add to the group in `<accessgroup desc>`. A member can be specified as a name or as a SID. For best results, use a SID for `<member name>`. The member SID can be a user account or a group in Active Directory, Microsoft Entra ID, or on the local machine. If a name is specified here, the policy will try to get the corresponding SID using the [LookupAccountSID](/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API. Name can be used for a user account or a group in Active Directory or on the local machine. Membership is configured using the [NetLocalGroupSetMembers](/windows/win32/api/lmaccess/nf-lmaccess-netlocalgroupsetmembers) API.
- In this example, `Group1` and `Group2` are local groups on the device being configured, and `Group3` is a domain group. - In this example, `Group1` and `Group2` are local groups on the device being configured, and `Group3` is a domain group.
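Review bot: The `<member name>` bullet now lists "Active Directory, Microsoft Entra ID, or on the local machine" for SIDs, while the very next sentence still allows a name only "in Active Directory or on the local machine". That asymmetry appears to be intentional (Microsoft Entra members must be given as a SID because a name will not resolve through LookupAccountSID), but it is easy to miss as written; stating it explicitly in one short sentence ("Microsoft Entra users and groups must be specified by SID") would prevent readers from configuring an Entra group by name and silently getting no membership change.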

View File

@ -354,7 +354,7 @@ Configures the use of passwords for Windows features.
<!-- PreventAutomaticDeviceEncryptionForAzureADJoinedDevices-Description-Begin --> <!-- PreventAutomaticDeviceEncryptionForAzureADJoinedDevices-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Specifies whether to allow automatic device encryption during OOBE when the device is Azure AD joined. Specifies whether to allow automatic device encryption during OOBE when the device is Microsoft Entra joined.
<!-- PreventAutomaticDeviceEncryptionForAzureADJoinedDevices-Description-End --> <!-- PreventAutomaticDeviceEncryptionForAzureADJoinedDevices-Description-End -->
<!-- PreventAutomaticDeviceEncryptionForAzureADJoinedDevices-Editable-Begin --> <!-- PreventAutomaticDeviceEncryptionForAzureADJoinedDevices-Editable-Begin -->

View File

@ -113,12 +113,12 @@ This policy is only supported up to Windows 10, Version 1703. Please use 'Manage
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy is deprecated and will only work on Windows 10 version 1809. Setting this policy will have no effect for other supported versions of Windows. This policy is deprecated and will only work on Windows 10 version 1809. Setting this policy will have no effect for other supported versions of Windows.
AllowCommercialDataPipeline configures an Azure Active Directory joined device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the Product Terms at< https://go.microsoft.com/fwlink/?linkid=2185086>. AllowCommercialDataPipeline configures a Microsoft Entra joined device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the Product Terms at< https://go.microsoft.com/fwlink/?linkid=2185086>.
To enable this behavior: To enable this behavior:
1. Enable this policy setting 1. Enable this policy setting
2. Join an Azure Active Directory account to the device. 2. Join a Microsoft Entra account to the device.
Windows diagnostic data is collected when the Allow Telemetry policy setting is set to value 1 - Required or above. Configuring this setting doesn't change the Windows diagnostic data collection level set for the device. Windows diagnostic data is collected when the Allow Telemetry policy setting is set to value 1 - Required or above. Configuring this setting doesn't change the Windows diagnostic data collection level set for the device.
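Review bot: The malformed autolink "at< https://go.microsoft.com/fwlink/?linkid=2185086>" on the AllowCommercialDataPipeline line is carried over unchanged; since the line is being rewritten anyway, move the space outside the brackets: "at <https://go.microsoft.com/fwlink/?linkid=2185086>". Step 2, "Join a Microsoft Entra account to the device", is also awkward: the device is joined to Microsoft Entra ID and a user signs in with an account, so "Join the device to Microsoft Entra ID" would be clearer. Both lines are ADMX-sourced, so the fix should go upstream as well.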
@ -198,7 +198,7 @@ This policy setting, in combination with the Allow Telemetry and Configure the C
To enable this behavior: To enable this behavior:
1. Enable this policy setting 1. Enable this policy setting
2. Join an Azure Active Directory account to the device. 2. Join a Microsoft Entra account to the device.
3. Set Allow Telemetry to value 1 - Required, or higher 3. Set Allow Telemetry to value 1 - Required, or higher
4. Set the Configure the Commercial ID setting for your Desktop Analytics workspace. 4. Set the Configure the Commercial ID setting for your Desktop Analytics workspace.
@ -574,7 +574,7 @@ Specifies whether to allow app access to the Location service. Most restricted v
<!-- AllowMicrosoftManagedDesktopProcessing-Description-Begin --> <!-- AllowMicrosoftManagedDesktopProcessing-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This policy is deprecated and will only work on Windows 10 version 1809. Setting this policy will have no effect for other supported versions of Windows. This policy is deprecated and will only work on Windows 10 version 1809. Setting this policy will have no effect for other supported versions of Windows.
This policy setting configures an Azure Active Directory joined device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the Product Terms at< https://go.microsoft.com/fwlink/?linkid=2185086>. This policy setting configures a Microsoft Entra joined device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the Product Terms at< https://go.microsoft.com/fwlink/?linkid=2185086>.
For customers who enroll into the Microsoft Managed Desktop service, enabling this policy is required to allow Microsoft to process data for operational and analytic needs. See <https://go.microsoft.com/fwlink/?linkid=2184944> for more information. For customers who enroll into the Microsoft Managed Desktop service, enabling this policy is required to allow Microsoft to process data for operational and analytic needs. See <https://go.microsoft.com/fwlink/?linkid=2184944> for more information.
hen these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments. hen these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments.
This setting has no effect on devices unless they're properly enrolled in Microsoft Managed Desktop. If you disable this policy setting, devices may not appear in Microsoft Managed Desktop. This setting has no effect on devices unless they're properly enrolled in Microsoft Managed Desktop. If you disable this policy setting, devices may not appear in Microsoft Managed Desktop.
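Review bot: "hen these policies are configured" on the fourth content line of this hunk is missing its initial "W" on both sides of the diff; fix the typo while this block is being touched. The same malformed "at< https://go.microsoft.com/fwlink/?linkid=2185086>" link appears on the second line here and should become "at <https://go.microsoft.com/fwlink/?linkid=2185086>".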
@ -762,7 +762,7 @@ This policy setting, in combination with the Allow Telemetry and Configure the C
To enable this behavior: To enable this behavior:
1. Enable this policy setting 1. Enable this policy setting
2. Join an Azure Active Directory account to the device. 2. Join a Microsoft Entra account to the device.
3. Set Allow Telemetry to value 1 - Required, or higher 3. Set Allow Telemetry to value 1 - Required, or higher
4. Set the Configure the Commercial ID setting for your Update Compliance workspace. 4. Set the Configure the Commercial ID setting for your Update Compliance workspace.
@ -884,12 +884,12 @@ Specifies whether to allow the user to factory reset the device by using control
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy is deprecated and will only work on Windows 10 version 1809. Setting this policy will have no effect for other supported versions of Windows. This policy is deprecated and will only work on Windows 10 version 1809. Setting this policy will have no effect for other supported versions of Windows.
This policy setting configures an Azure Active Directory joined device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the Product Terms at< https://go.microsoft.com/fwlink/?linkid=2185086>. This policy setting configures a Microsoft Entra joined device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the Product Terms at< https://go.microsoft.com/fwlink/?linkid=2185086>.
To enable this behavior: To enable this behavior:
1. Enable this policy setting 1. Enable this policy setting
2. Join an Azure Active Directory account to the device. 2. Join a Microsoft Entra account to the device.
3. Set Allow Telemetry to value 1 - Required, or higher. 3. Set Allow Telemetry to value 1 - Required, or higher.

View File

@ -39,12 +39,12 @@ ms.topic: reference
<!-- ConfigureTenantRestrictions-Description-Begin --> <!-- ConfigureTenantRestrictions-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This setting enables and configures the device-based tenant restrictions feature for Azure Active Directory. This setting enables and configures the device-based tenant restrictions feature for Microsoft Entra ID.
When you enable this setting, compliant applications will be prevented from accessing disallowed tenants, according to a policy set in your Azure AD tenant. When you enable this setting, compliant applications will be prevented from accessing disallowed tenants, according to a policy set in your Microsoft Entra tenant.
> [!NOTE] > [!NOTE]
> Creation of a policy in your home tenant is required, and additional security measures for managed devices are recommended for best protection. Refer to Azure AD Tenant Restrictions for more details. > Creation of a policy in your home tenant is required, and additional security measures for managed devices are recommended for best protection. Refer to Microsoft Entra tenant Restrictions for more details.
<https://go.microsoft.com/fwlink/?linkid=2148762> <https://go.microsoft.com/fwlink/?linkid=2148762>
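Review bot: Capitalization in the NOTE line is inconsistent: "Refer to Microsoft Entra tenant Restrictions" should be "Microsoft Entra tenant restrictions", matching "the device-based tenant restrictions feature" two lines above. The bare fwlink on the line after it would also read better attached to that phrase as a Markdown link rather than left as a trailing URL.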

View File

@ -93,7 +93,7 @@ For example, the following syntax grants user rights to Authenticated Users and
<![CDATA[Authenticated Users&#xF000;Replicator]]> <![CDATA[Authenticated Users&#xF000;Replicator]]>
``` ```
For example, the following syntax grants user rights to two specific Azure Active Directory (Azure AD) users from Contoso, user1 and user2: For example, the following syntax grants user rights to two specific Microsoft Entra users from Contoso, user1 and user2:
```xml ```xml
<![CDATA[AzureAD\user1@contoso.com&#xF000;AzureAD\user2@contoso.com]]> <![CDATA[AzureAD\user1@contoso.com&#xF000;AzureAD\user2@contoso.com]]>
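Review bot: Good that the `AzureAD\user1@contoso.com` CDATA sample is left unchanged while the prose above it is rebranded: the `AzureAD\` prefix is part of the syntax the sample demonstrates, not a product name, and rewriting it would produce a policy that no longer grants the intended rights. A short parenthetical in the prose ("the `AzureAD\` prefix is literal") would stop a future rename sweep from changing it.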

View File

@ -43,7 +43,7 @@ This policy setting controls whether a device will automatically sign in and loc
This only occurs if the last interactive user didn't sign out before the restart or shutdown. This only occurs if the last interactive user didn't sign out before the restart or shutdown.
If the device is joined to Active Directory or Azure Active Directory, this policy only applies to Windows Update restarts. Otherwise, this will apply to both Windows Update restarts and user-initiated restarts and shutdowns. If the device is joined to Active Directory or Microsoft Entra ID, this policy only applies to Windows Update restarts. Otherwise, this will apply to both Windows Update restarts and user-initiated restarts and shutdowns.
- If you don't configure this policy setting, it's enabled by default. When the policy is enabled, the user is automatically signed in and the session is automatically locked with all lock screen apps configured for that user after the device boots. - If you don't configure this policy setting, it's enabled by default. When the policy is enabled, the user is automatically signed in and the session is automatically locked with all lock screen apps configured for that user after the device boots.
@ -574,7 +574,7 @@ The locations that Switch User interface appear are in the Logon UI, the Start m
<!-- OverrideShellProgram-Description-Begin --> <!-- OverrideShellProgram-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
OverrideShellProgram policy allows IT admin to configure the shell program for Windows OS on a device. This policy has the highest precedence over other ways of configuring the shell program. The policy currently supports below options: 1. Not Configured: Default shell will be launched. 2. Apply Lightweight Shell: Lightweight shell doesn't have a user interface and helps the device to achieve better performance as the shell consumes limited resources over default shell. Lightweight shell contains a limited set of features which could be consumed by applications. This configuration can be useful if the device needs to have a continuous running user interface application which would consume features offered by Lightweight shell. If you disable or don't configure this policy setting, then the default shell will be launched. OverrideShellProgram policy allows IT admin to configure the shell program for Windows OS on a device. This policy has the highest precedence over other ways of configuring the shell program. The policy currently supports below options: 1. Not Configured: Default shell will be launched. 2. Apply Lightweight Shell: Lightweight shell doesn't have a user interface and helps the device to achieve better performance as the shell consumes limited resources over default shell. Lightweight shell contains a limited set of features, which could be consumed by applications. This configuration can be useful if the device needs to have a continuous running user interface application that would consume features offered by Lightweight shell. If you disable or don't configure this policy setting, then the default shell will be launched.
<!-- OverrideShellProgram-Description-End --> <!-- OverrideShellProgram-Description-End -->
<!-- OverrideShellProgram-Editable-Begin --> <!-- OverrideShellProgram-Editable-Begin -->
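Review bot: This hunk only adjusts punctuation in the OverrideShellProgram description ("features, which" and "application that"), and the text sits in a `Description-Source-DDF` block, so the edit will be reverted on the next regeneration unless it is also made in the DDF. If the description is going to be touched, the inline "1. Not Configured ... 2. Apply Lightweight Shell ..." would be far more readable as a two-item numbered list.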

View File

@ -96,7 +96,7 @@ Node for the Autopilot Reset operation.
<!-- Device-AutomaticRedeployment-doAutomaticRedeployment-Description-Begin --> <!-- Device-AutomaticRedeployment-doAutomaticRedeployment-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Exec on this node triggers Autopilot Reset operation. This works like PC Reset, similar to other existing nodes in this RemoteWipe CSP, except that it keeps the device enrolled in Azure AD and MDM, keeps Wi-Fi profiles, and a few other settings like region, language, keyboard. Exec on this node triggers Autopilot Reset operation. This works like PC Reset, similar to other existing nodes in this RemoteWipe CSP, except that it keeps the device enrolled in Microsoft Entra ID and MDM, keeps Wi-Fi profiles, and a few other settings like region, language, keyboard.
<!-- Device-AutomaticRedeployment-doAutomaticRedeployment-Description-End --> <!-- Device-AutomaticRedeployment-doAutomaticRedeployment-Description-End -->
<!-- Device-AutomaticRedeployment-doAutomaticRedeployment-Editable-Begin --> <!-- Device-AutomaticRedeployment-doAutomaticRedeployment-Editable-Begin -->

View File

@ -106,7 +106,7 @@ The following list shows the SurfaceHub configuration service provider nodes:
<!-- Device-DeviceAccount-Description-Begin --> <!-- Device-DeviceAccount-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Node for setting device account information. A device account is a Microsoft Exchange account that's connected with Skype for Business, which allows people to join scheduled meetings, make Skype for Business calls, and share content from the device. See the [Surface Hub administrator guide](/surface-hub/) for more information about setting up a device account. To use a device account from Azure Active Directory: 1. Set the UserPrincipalName (for Azure AD). 2. Set a valid Password. 3. Execute ValidateAndCommit to validate the specified username and password combination against Azure AD. 4. Get the ErrorContext in case something goes wrong during validation. Node for setting device account information. A device account is a Microsoft Exchange account that's connected with Skype for Business, which allows people to join scheduled meetings, make Skype for Business calls, and share content from the device. See the [Surface Hub administrator guide](/surface-hub/) for more information about setting up a device account. To use a device account from Microsoft Entra ID: 1. Set the UserPrincipalName (for Microsoft Entra ID). 2. Set a valid Password. 3. Execute ValidateAndCommit to validate the specified username and password combination against Microsoft Entra ID. 4. Get the ErrorContext in case something goes wrong during validation.
<!-- Device-DeviceAccount-Description-End --> <!-- Device-DeviceAccount-Description-End -->
<!-- Device-DeviceAccount-Editable-Begin --> <!-- Device-DeviceAccount-Editable-Begin -->
@ -333,7 +333,7 @@ Possible error values:
| **ErrorContext value** | **Stage where error occurred** | **Description and suggestions** | | **ErrorContext value** | **Stage where error occurred** | **Description and suggestions** |
| --- | --- | --- | | --- | --- | --- |
| 1 | Unknown | | | 1 | Unknown | |
| 2 | Populating account | Unable to retrieve account details using the username and password you provided.<br/><br/> For Azure AD accounts, ensure that UserPrincipalName and Password are valid.<br/> For AD accounts, ensure that DomainName, UserName, and Password are valid.<br/> Ensure that the specified account has an Exchange server mailbox. | | 2 | Populating account | Unable to retrieve account details using the username and password you provided.<br/><br/> For Microsoft Entra accounts, ensure that UserPrincipalName and Password are valid.<br/> For AD accounts, ensure that DomainName, UserName, and Password are valid.<br/> Ensure that the specified account has an Exchange server mailbox. |
| 3 | Populating Exchange server address | Unable to auto-discover your Exchange server address. Try to manually specify the Exchange server address using the ExchangeServer field. | | 3 | Populating Exchange server address | Unable to auto-discover your Exchange server address. Try to manually specify the Exchange server address using the ExchangeServer field. |
| 4 | Validating Exchange server address | Unable to validate the Exchange server address. Ensure the ExchangeServer field is valid. | | 4 | Validating Exchange server address | Unable to validate the Exchange server address. Ensure the ExchangeServer field is valid. |
| 5 | Saving account information | Unable to save account details to the system. | | 5 | Saving account information | Unable to save account details to the system. |
@ -499,7 +499,7 @@ Password for the device account. Get is allowed here, but will always return a b
<!-- Device-DeviceAccount-PasswordRotationEnabled-Description-Begin --> <!-- Device-DeviceAccount-PasswordRotationEnabled-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Specifies whether automatic password rotation is enabled. If you enforce a password expiration policy on the device account, use this setting to allow the device to manage its own password by changing it frequently, without requiring you to manually update the account information when the password expires. You can reset the password at any time using Active Directory (or Azure AD). Specifies whether automatic password rotation is enabled. If you enforce a password expiration policy on the device account, use this setting to allow the device to manage its own password by changing it frequently, without requiring you to manually update the account information when the password expires. You can reset the password at any time using Active Directory (or Microsoft Entra ID).
<!-- Device-DeviceAccount-PasswordRotationEnabled-Description-End --> <!-- Device-DeviceAccount-PasswordRotationEnabled-Description-End -->
<!-- Device-DeviceAccount-PasswordRotationEnabled-Editable-Begin --> <!-- Device-DeviceAccount-PasswordRotationEnabled-Editable-Begin -->
@ -625,7 +625,7 @@ Username of the device account when you are using Active Directory. To use a dev
<!-- Device-DeviceAccount-UserPrincipalName-Description-Begin --> <!-- Device-DeviceAccount-UserPrincipalName-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
User principal name (UPN) of the device account. To use a device account from Azure Active Directory or a hybrid deployment, you should specify the UPN of the device account. User principal name (UPN) of the device account. To use a device account from Microsoft Entra ID or a hybrid deployment, you should specify the UPN of the device account.
<!-- Device-DeviceAccount-UserPrincipalName-Description-End --> <!-- Device-DeviceAccount-UserPrincipalName-Description-End -->
<!-- Device-DeviceAccount-UserPrincipalName-Editable-Begin --> <!-- Device-DeviceAccount-UserPrincipalName-Editable-Begin -->

View File

@ -52,7 +52,7 @@ When RequireNetworkInOOBE is true, when the device goes through OOBE at first si
- True - Require network in OOBE. - True - Require network in OOBE.
- False - No network connection requirement in OOBE. - False - No network connection requirement in OOBE.
Example scenario: Henry is the IT admin at Contoso. He deploys 1000 devices successfully with RequireNetworkInOOBE set to true. When users accidentally or intentionally reset their device, they are required to connect to a network before they can proceed. Upon successful connection, users see the Contoso branded sign-in experience where they must use their Azure AD credentials. There is no option to skip the network connection and create a local account. Example scenario: Henry is the IT admin at Contoso. He deploys 1000 devices successfully with RequireNetworkInOOBE set to true. When users accidentally or intentionally reset their device, they are required to connect to a network before they can proceed. Upon successful connection, users see the Contoso branded sign-in experience where they must use their Microsoft Entra credentials. There is no option to skip the network connection and create a local account.
## Related topics ## Related topics

View File

@ -964,7 +964,7 @@ Determines the level of data encryption required for the connection.
<!-- Device-{ProfileName}-DeviceCompliance-Description-Begin --> <!-- Device-{ProfileName}-DeviceCompliance-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Nodes under DeviceCompliance can be used to enable AAD based Conditional Access for VPN. Nodes under DeviceCompliance can be used to enable Microsoft Entra ID based Conditional Access for VPN.
<!-- Device-{ProfileName}-DeviceCompliance-Description-End --> <!-- Device-{ProfileName}-DeviceCompliance-Description-End -->
<!-- Device-{ProfileName}-DeviceCompliance-Editable-Begin --> <!-- Device-{ProfileName}-DeviceCompliance-Editable-Begin -->
@ -1003,7 +1003,7 @@ Nodes under DeviceCompliance can be used to enable AAD based Conditional Access
<!-- Device-{ProfileName}-DeviceCompliance-Enabled-Description-Begin --> <!-- Device-{ProfileName}-DeviceCompliance-Enabled-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Enables the Device Compliance flow from the client. If marked as True, the VPN Client will attempt to communicate with AAD to get a certificate to use for authentication. The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Azure Active Directory. Enables the Device Compliance flow from the client. If marked as True, the VPN Client will attempt to communicate with Microsoft Entra ID to get a certificate to use for authentication. The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Microsoft Entra ID.
<!-- Device-{ProfileName}-DeviceCompliance-Enabled-Description-End --> <!-- Device-{ProfileName}-DeviceCompliance-Enabled-Description-End -->
<!-- Device-{ProfileName}-DeviceCompliance-Enabled-Editable-Begin --> <!-- Device-{ProfileName}-DeviceCompliance-Enabled-Editable-Begin -->
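Review bot: "the VPN Server must trust the Server returned by Microsoft Entra ID" on the DeviceCompliance/Enabled description line is ambiguous about what is being trusted. The preceding clause says the client obtains a certificate for authentication, so the trust requirement is presumably on that certificate's issuer; saying "must trust the issuer of the certificate returned by Microsoft Entra ID" (if that is what the DDF means) would tell the reader which CA to add to the VPN server's trust store. The text is DDF-sourced, so the clarification belongs in the DDF too.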
@ -5261,7 +5261,7 @@ Determines the level of data encryption required for the connection.
<!-- User-{ProfileName}-DeviceCompliance-Description-Begin --> <!-- User-{ProfileName}-DeviceCompliance-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Nodes under DeviceCompliance can be used to enable AAD based Conditional Access for VPN. Nodes under DeviceCompliance can be used to enable Microsoft Entra ID based Conditional Access for VPN.
<!-- User-{ProfileName}-DeviceCompliance-Description-End --> <!-- User-{ProfileName}-DeviceCompliance-Description-End -->
<!-- User-{ProfileName}-DeviceCompliance-Editable-Begin --> <!-- User-{ProfileName}-DeviceCompliance-Editable-Begin -->
@ -5300,7 +5300,7 @@ Nodes under DeviceCompliance can be used to enable AAD based Conditional Access
<!-- User-{ProfileName}-DeviceCompliance-Enabled-Description-Begin --> <!-- User-{ProfileName}-DeviceCompliance-Enabled-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Enables the Device Compliance flow from the client. If marked as True, the VPN Client will attempt to communicate with AAD to get a certificate to use for authentication. The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Azure Active Directory. Enables the Device Compliance flow from the client. If marked as True, the VPN Client will attempt to communicate with Microsoft Entra ID to get a certificate to use for authentication. The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Microsoft Entra ID.
<!-- User-{ProfileName}-DeviceCompliance-Enabled-Description-End --> <!-- User-{ProfileName}-DeviceCompliance-Enabled-Description-End -->
<!-- User-{ProfileName}-DeviceCompliance-Enabled-Editable-Begin --> <!-- User-{ProfileName}-DeviceCompliance-Enabled-Editable-Begin -->
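Review bot: Same ambiguity as the Device-scoped node: "must trust the Server returned by Microsoft Entra ID" should name what is trusted (presumably the issuer of the certificate the client obtains); whatever wording is chosen for the Device node should be mirrored here so the two DeviceCompliance/Enabled descriptions stay identical.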

View File

@ -143,7 +143,7 @@
href: cortana-at-work/set-up-and-test-cortana-in-windows-10.md href: cortana-at-work/set-up-and-test-cortana-in-windows-10.md
- name: Cortana at work testing scenarios - name: Cortana at work testing scenarios
href: cortana-at-work/cortana-at-work-testing-scenarios.md href: cortana-at-work/cortana-at-work-testing-scenarios.md
- name: Test scenario 1 - Sign into Azure AD, enable the wake word, and try a voice query - name: Test scenario 1 - Sign into Microsoft Entra ID, enable the wake word, and try a voice query
href: cortana-at-work/cortana-at-work-scenario-1.md href: cortana-at-work/cortana-at-work-scenario-1.md
- name: Test scenario 2 - Run a Bing search with Cortana - name: Test scenario 2 - Run a Bing search with Cortana
href: cortana-at-work/cortana-at-work-scenario-2.md href: cortana-at-work/cortana-at-work-scenario-2.md
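Review bot: "Sign into Microsoft Entra ID" in the Test scenario 1 TOC entry should be "Sign in to Microsoft Entra ID" ("sign in" is the verb phrase); the same string appears in the second Test scenario 1 entry further down this file and should be changed together so both TOC entries match the page titles.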
@ -163,7 +163,7 @@
href: cortana-at-work/cortana-at-work-o365.md href: cortana-at-work/cortana-at-work-o365.md
- name: Testing scenarios using Cortana in your business or organization - name: Testing scenarios using Cortana in your business or organization
href: cortana-at-work/testing-scenarios-using-cortana-in-business-org.md href: cortana-at-work/testing-scenarios-using-cortana-in-business-org.md
- name: Test scenario 1 - Sign into Azure AD, enable the wake word, and try a voice query - name: Test scenario 1 - Sign into Microsoft Entra ID, enable the wake word, and try a voice query
href: cortana-at-work/test-scenario-1.md href: cortana-at-work/test-scenario-1.md
- name: Test scenario 2 - Run a quick search with Cortana at work - name: Test scenario 2 - Run a quick search with Cortana at work
href: cortana-at-work/test-scenario-2.md href: cortana-at-work/test-scenario-2.md

View File

@ -29,7 +29,7 @@ Your employees can use Cortana to help manage their day and be more productive b
### Before you begin ### Before you begin
There are a few things to be aware of before you start using Cortana in Windows 10, versions 1909 and earlier. There are a few things to be aware of before you start using Cortana in Windows 10, versions 1909 and earlier.
- **Azure Active Directory (Azure AD) account.** Before your employees can use Cortana in your org, they must be logged in using their Azure AD account through Cortana&#39;s notebook. They must also authorize Cortana to access Microsoft 365 on their behalf. - **Microsoft Entra account.** Before your employees can use Cortana in your org, they must be logged in using their Microsoft Entra account through Cortana&#39;s notebook. They must also authorize Cortana to access Microsoft 365 on their behalf.
- **Office 365 Trust Center.** Cortana in Windows 10, version 1909 and earlier, isn&#39;t a service governed by the [Online Services Terms](https://www.microsoft.com/en-us/licensing/product-licensing/products). [Learn more about how Cortana in Windows 10, versions 1909 and earlier, treats your data](https://support.microsoft.com/en-us/help/4468233/cortana-and-privacy-microsoft-privacy). - **Office 365 Trust Center.** Cortana in Windows 10, version 1909 and earlier, isn&#39;t a service governed by the [Online Services Terms](https://www.microsoft.com/en-us/licensing/product-licensing/products). [Learn more about how Cortana in Windows 10, versions 1909 and earlier, treats your data](https://support.microsoft.com/en-us/help/4468233/cortana-and-privacy-microsoft-privacy).

View File

@ -38,15 +38,17 @@ Cortana requires a PC running Windows 10, version 1703 or later, and the followi
| Software | Minimum version | | Software | Minimum version |
|---------|---------| |---------|---------|
|Client operating system | - Windows 10, version 2004 (recommended) <br> <br> - Windows 10, version 1703 (legacy version of Cortana) <br> <br> For more information on the differences between Cortana in Windows 10, version 2004 and earlier versions, see [**How is my data processed by Cortana**](#how-is-my-data-processed-by-cortana) below. | |Client operating system | - Windows 10, version 2004 (recommended) <br> <br> - Windows 10, version 1703 (legacy version of Cortana) <br> <br> For more information on the differences between Cortana in Windows 10, version 2004 and earlier versions, see [**How is my data processed by Cortana**](#how-is-my-data-processed-by-cortana) below. |
|Azure Active Directory (Azure AD) | While all employees signing into Cortana need an Azure AD account, an Azure AD premium tenant isn't required. | |Microsoft Entra ID | While all employees signing into Cortana need a Microsoft Entra account, a Microsoft Entra ID P1 or P2 tenant isn't required. |
|Additional policies (Group Policy and Mobile Device Management (MDM)) |There's a rich set of policies that can be used to manage various aspects of Cortana. Most of these policies will limit the abilities of Cortana but won't turn off Cortana. For example, if you turn **Speech** off, your employees won't be able to use the wake word ("Cortana") for hands-free activation or voice commands to easily ask for help. | |Additional policies (Group Policy and Mobile Device Management (MDM)) |There's a rich set of policies that can be used to manage various aspects of Cortana. Most of these policies will limit the abilities of Cortana but won't turn off Cortana. For example, if you turn **Speech** off, your employees won't be able to use the wake word ("Cortana") for hands-free activation or voice commands to easily ask for help. |
>[!NOTE] >[!NOTE]
>For Windows 11, Cortana is no longer pinned to the taskbar by default. You can still pin the Cortana app to the taskbar as you would any other app. In addition, the keyboard shortcut that launched Cortana (Win+C) no longer opens Cortana. >For Windows 11, Cortana is no longer pinned to the taskbar by default. You can still pin the Cortana app to the taskbar as you would any other app. In addition, the keyboard shortcut that launched Cortana (Win+C) no longer opens Cortana.
## Signing in using Azure AD <a name='signing-in-using-azure-ad'></a>
Your organization must have an Azure AD tenant and your employees&#39; devices must all be Azure AD-joined for the best Cortana experience. (Users may also sign into Cortana with a Microsoft account, but won't be able to use their enterprise email or calendar.) For info about what an Azure AD tenant is, how to get your devices joined, and other Azure AD maintenance info, see [Azure Active Directory documentation.](/azure/active-directory/) ## Signing in using Microsoft Entra ID
Your organization must have a Microsoft Entra tenant and your employees&#39; devices must all be Microsoft Entra joined for the best Cortana experience. (Users may also sign into Cortana with a Microsoft account, but won't be able to use their enterprise email or calendar.) For info about what a Microsoft Entra tenant is, how to get your devices joined, and other Microsoft Entra maintenance info, see [Microsoft Entra documentation.](/azure/active-directory/)
## How is my data processed by Cortana? ## How is my data processed by Cortana?
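Review bot: the explicit `<a name='signing-in-using-azure-ad'></a>` added ahead of the renamed heading is the right move, since renaming the heading changes its generated anchor and would otherwise break existing deep links to #signing-in-using-azure-ad; two follow-ups on the rewritten paragraph: the link target `/azure/active-directory/` is the legacy path and now relies on a redirect, so consider pointing at the current Microsoft Entra documentation location, and the trailing period sits inside the link text (`[Microsoft Entra documentation.](...)`) and should move outside the brackets.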
@ -54,7 +56,7 @@ Cortana's approach to integration with Microsoft 365 has changed with Windows 10
### Cortana in Windows 10, version 2004 and later, or Windows 11 ### Cortana in Windows 10, version 2004 and later, or Windows 11
Cortana enterprise services that can be accessed using Azure AD through Cortana meet the same enterprise-level privacy, security, and compliance promises as reflected in the [Online Services Terms (OST)](https://www.microsoft.com/en-us/licensing/product-licensing/products). To learn more, see [Cortana in Microsoft 365](/microsoft-365/admin/misc/cortana-integration?view=o365-worldwide#what-data-is-processed-by-cortana-in-office-365&preserve-view=true). Cortana enterprise services that can be accessed using Microsoft Entra ID through Cortana meet the same enterprise-level privacy, security, and compliance promises as reflected in the [Online Services Terms (OST)](https://www.microsoft.com/en-us/licensing/product-licensing/products). To learn more, see [Cortana in Microsoft 365](/microsoft-365/admin/misc/cortana-integration?view=o365-worldwide#what-data-is-processed-by-cortana-in-office-365&preserve-view=true).
#### How does Microsoft store, retain, process, and use Customer Data in Cortana? #### How does Microsoft store, retain, process, and use Customer Data in Cortana?

View File

@ -72,7 +72,7 @@ For specific info about how to set, manage, and use each of these MDM policies t
- **AllowMicrosoftAccountConnection** - **AllowMicrosoftAccountConnection**
- **Group policy**: None - **Group policy**: None
- **MDM policy CSP**: [Accounts/AllowMicrosoftAccountConnection](/windows/client-management/mdm/policy-csp-accounts#accounts-allowmicrosoftaccountconnection) - **MDM policy CSP**: [Accounts/AllowMicrosoftAccountConnection](/windows/client-management/mdm/policy-csp-accounts#accounts-allowmicrosoftaccountconnection)
- **Description**: Specifies whether to allow users to sign in using a Microsoft account (MSA) from Windows apps. If you only want to allow users to sign in with their Azure AD account, then disable this setting. - **Description**: Specifies whether to allow users to sign in using a Microsoft account (MSA) from Windows apps. If you only want to allow users to sign in with their Microsoft Entra account, then disable this setting.
- **Allow search and Cortana to use location** - **Allow search and Cortana to use location**
- **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location` - **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location`

View File

@ -1,5 +1,5 @@
--- ---
title: Sign into Azure AD, enable the wake word, and try a voice query title: Sign into Microsoft Entra ID, enable the wake word, and try a voice query
description: A test scenario walking you through signing in and managing the notebook. description: A test scenario walking you through signing in and managing the notebook.
ms.prod: windows-client ms.prod: windows-client
ms.collection: tier3 ms.collection: tier3
@ -13,14 +13,14 @@ ms.date: 12/31/2017
ms.topic: article ms.topic: article
--- ---
# Test scenario 1 Sign into Azure AD, enable the wake word, and try a voice query # Test scenario 1 Sign into Microsoft Entra ID, enable the wake word, and try a voice query
<!--Using include for Cortana in Windows deprecation --> <!--Using include for Cortana in Windows deprecation -->
[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)] [!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
>[!NOTE] >[!NOTE]
>The wake word has been re-enabled in the latest version of Cortana in Windows. If you're on Windows 10, version 2004, be sure that you've updated to build 19041.329 or later to use the wake word with Cortana. For earlier builds, you can still click on the microphone button to use your voice with Cortana. >The wake word has been re-enabled in the latest version of Cortana in Windows. If you're on Windows 10, version 2004, be sure that you've updated to build 19041.329 or later to use the wake word with Cortana. For earlier builds, you can still click on the microphone button to use your voice with Cortana.
1. Select the **Cortana** icon in the task bar and sign in using your Azure AD account. 1. Select the **Cortana** icon in the task bar and sign in using your Microsoft Entra account.
2. Select the &quot;&quot; menu and select **Talking to Cortana**. 2. Select the &quot;&quot; menu and select **Talking to Cortana**.
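Review bot: the page content is being changed but the front matter still carries `ms.date: 12/31/2017` (visible in this hunk's header); bump ms.date so the published page reflects the revision. Also in the unchanged context line, step 2 reads `Select the "" menu` with an empty quoted name, so the menu the reader is supposed to select is missing from the instruction and should be restored.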

View File

@ -19,7 +19,7 @@ ms.technology: itpro-configure
We've come up with a list of suggested testing scenarios that you can use to test Cortana in your organization. After you complete all the scenarios, you should be able to: We've come up with a list of suggested testing scenarios that you can use to test Cortana in your organization. After you complete all the scenarios, you should be able to:
- [Sign into Azure AD, enable the Cortana wake word, and try a voice query](cortana-at-work-scenario-1.md) - [Sign into Microsoft Entra ID, enable the Cortana wake word, and try a voice query](cortana-at-work-scenario-1.md)
- [Perform a Bing search with Cortana](cortana-at-work-scenario-2.md) - [Perform a Bing search with Cortana](cortana-at-work-scenario-2.md)
- [Set a reminder](cortana-at-work-scenario-3.md) - [Set a reminder](cortana-at-work-scenario-3.md)
- [Use Cortana to find free time on your calendar](cortana-at-work-scenario-4.md) - [Use Cortana to find free time on your calendar](cortana-at-work-scenario-4.md)

View File

@ -49,4 +49,4 @@ When a user enters a search query (by speech or text), Cortana evaluates if the
Bing Answers is enabled by default for all users. However, admins can configure and change this setting for specific users and user groups in their organization. Bing Answers is enabled by default for all users. However, admins can configure and change this setting for specific users and user groups in their organization.
## How the Bing Answer policy configuration is applied ## How the Bing Answer policy configuration is applied
Before a query is sent to Bing for a search of public results from Bing.com, the Bing Answers service checks with the Office Cloud Policy Service to see if there are any policy configurations that pertain to the user for allowing Bing Answers to respond to questions users ask Cortana. If the user is a member of an Azure Active Directory group that is assigned that policy configuration, then the appropriate policy settings are applied and a check is made again in 10 minutes. Before a query is sent to Bing for a search of public results from Bing.com, the Bing Answers service checks with the Office Cloud Policy Service to see if there are any policy configurations that pertain to the user for allowing Bing Answers to respond to questions users ask Cortana. If the user is a member of a Microsoft Entra group that is assigned that policy configuration, then the appropriate policy settings are applied and a check is made again in 10 minutes.

View File

@ -16,11 +16,11 @@ ms.technology: itpro-configure
<!--Using include for Cortana in Windows deprecation --> <!--Using include for Cortana in Windows deprecation -->
[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)] [!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
This scenario turns on Azure AD and lets your employee use Cortana to manage an entry in the notebook. This scenario turns on Microsoft Entra ID and lets your employee use Cortana to manage an entry in the notebook.
## Sign in with your work or school account ## Sign in with your work or school account
This process helps you to sign out of a Microsoft Account and to sign into an Azure AD account. This process helps you to sign out of a Microsoft Account and to sign into a Microsoft Entra account.
1. Click on the **Cortana** icon in the taskbar, then click the profile picture in the navigation to open Cortana settings. 1. Click on the **Cortana** icon in the taskbar, then click the profile picture in the navigation to open Cortana settings.
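Review bot: "This scenario turns on Microsoft Entra ID" is misleading wording (it was equally so as "turns on Azure AD"): a directory service is not switched on by the user; the scenario signs the user out of a Microsoft account and in with a work or school account, as the next paragraph states. Suggest "This scenario signs the user in with a Microsoft Entra account and lets your employee use Cortana to manage an entry in the notebook."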

View File

@ -28,7 +28,7 @@ This scenario helps you search for both general upcoming meetings, and specific
This process helps you find your upcoming meetings. This process helps you find your upcoming meetings.
1. Check to make sure your work calendar is connected and synchronized with your Azure AD account. 1. Check to make sure your work calendar is connected and synchronized with your Microsoft Entra account.
2. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar. 2. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar.

View File

@ -25,7 +25,7 @@ This scenario helps you to send an email to a co-worker listed in your work addr
This process helps you to send a quick message to a co-worker from the work address book. This process helps you to send a quick message to a co-worker from the work address book.
1. Check to make sure your Microsoft Outlook or mail app is connected and synchronized with your Azure AD account. 1. Check to make sure your Microsoft Outlook or mail app is connected and synchronized with your Microsoft Entra account.
2. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar. 2. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar.

View File

@ -60,7 +60,10 @@
"jborsecnik", "jborsecnik",
"tiburd", "tiburd",
"garycentric", "garycentric",
"beccarobins" "beccarobins",
"v-stchambers",
"v-stsavell",
"American-Dipper"
], ],
"searchScope": ["Windows 10"] "searchScope": ["Windows 10"]
}, },

View File

@ -65,7 +65,7 @@ There are several kiosk configuration methods that you can choose from, dependin
![icon that represents a user account.](images/user.png) ![icon that represents a user account.](images/user.png)
The kiosk account can be a local standard user account, a local administrator account, a domain account, or an Azure Active Directory (Azure AD) account, depending on the method that you use to configure the kiosk. If you want people to sign in and authenticate on the device, you should use a multi-app kiosk configuration. The single-app kiosk configuration doesn't require people to sign in to the device, although they can sign in to the kiosk app if you select an app that has a sign-in method. The kiosk account can be a local standard user account, a local administrator account, a domain account, or a Microsoft Entra account, depending on the method that you use to configure the kiosk. If you want people to sign in and authenticate on the device, you should use a multi-app kiosk configuration. The single-app kiosk configuration doesn't require people to sign in to the device, although they can sign in to the kiosk app if you select an app that has a sign-in method.
>[!IMPORTANT] >[!IMPORTANT]
@ -79,9 +79,9 @@ You can use this method | For this edition | For this kiosk account type
--- | --- | --- --- | --- | ---
[Assigned access in Settings](kiosk-single-app.md#local) | Pro, Ent, Edu | Local standard user [Assigned access in Settings](kiosk-single-app.md#local) | Pro, Ent, Edu | Local standard user
[Assigned access cmdlets](kiosk-single-app.md#powershell) | Pro, Ent, Edu | Local standard user [Assigned access cmdlets](kiosk-single-app.md#powershell) | Pro, Ent, Edu | Local standard user
[The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | Pro (version 1709), Ent, Edu | Local standard user, Active Directory, Azure AD [The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | Pro (version 1709), Ent, Edu | Local standard user, Active Directory, Microsoft Entra ID
[Microsoft Intune or other mobile device management (MDM)](kiosk-single-app.md#mdm) | Pro (version 1709), Ent, Edu | Local standard user, Azure AD [Microsoft Intune or other mobile device management (MDM)](kiosk-single-app.md#mdm) | Pro (version 1709), Ent, Edu | Local standard user, Microsoft Entra ID
[Shell Launcher](kiosk-shelllauncher.md) v2 | Ent, Edu | Local standard user, Active Directory, Azure AD [Shell Launcher](kiosk-shelllauncher.md) v2 | Ent, Edu | Local standard user, Active Directory, Microsoft Entra ID
<span id="classic" /> <span id="classic" />
@ -89,9 +89,9 @@ You can use this method | For this edition | For this kiosk account type
You can use this method | For this edition | For this kiosk account type You can use this method | For this edition | For this kiosk account type
--- | --- | --- --- | --- | ---
[The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | Ent, Edu | Local standard user, Active Directory, Azure AD [The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | Ent, Edu | Local standard user, Active Directory, Microsoft Entra ID
[Microsoft Intune or other mobile device management (MDM)](kiosk-single-app.md#mdm) | Pro (version 1709), Ent, Edu | Local standard user, Azure AD [Microsoft Intune or other mobile device management (MDM)](kiosk-single-app.md#mdm) | Pro (version 1709), Ent, Edu | Local standard user, Microsoft Entra ID
[Shell Launcher](kiosk-shelllauncher.md) v1 and v2 | Ent, Edu | Local standard user, Active Directory, Azure AD [Shell Launcher](kiosk-shelllauncher.md) v1 and v2 | Ent, Edu | Local standard user, Active Directory, Microsoft Entra ID
<span id="desktop" /> <span id="desktop" />
@ -99,9 +99,9 @@ You can use this method | For this edition | For this kiosk account type
You can use this method | For this edition | For this kiosk account type You can use this method | For this edition | For this kiosk account type
--- | --- | --- --- | --- | ---
[XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) | Pro, Ent, Edu | Local standard user, Active Directory, Azure AD [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) | Pro, Ent, Edu | Local standard user, Active Directory, Microsoft Entra ID
[Microsoft Intune or other MDM](lock-down-windows-10-to-specific-apps.md) | Pro, Ent, Edu | Local standard user, Azure AD [Microsoft Intune or other MDM](lock-down-windows-10-to-specific-apps.md) | Pro, Ent, Edu | Local standard user, Microsoft Entra ID
[MDM WMI Bridge Provider](kiosk-mdm-bridge.md) | Pro, Ent, Edu | Local standard user, Active Directory, Azure AD [MDM WMI Bridge Provider](kiosk-mdm-bridge.md) | Pro, Ent, Edu | Local standard user, Active Directory, Microsoft Entra ID
## Summary of kiosk configuration methods ## Summary of kiosk configuration methods
@ -109,11 +109,11 @@ Method | App type | Account type | Single-app kiosk | Multi-app kiosk
--- | --- | --- | :---: | :---: --- | --- | --- | :---: | :---:
[Assigned access in Settings](kiosk-single-app.md#local) | UWP | Local account | ✔️ | [Assigned access in Settings](kiosk-single-app.md#local) | UWP | Local account | ✔️ |
[Assigned access cmdlets](kiosk-single-app.md#powershell) | UWP | Local account | ✔️ | [Assigned access cmdlets](kiosk-single-app.md#powershell) | UWP | Local account | ✔️ |
[The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | ✔️ | [The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | UWP, Windows desktop app | Local standard user, Active Directory, Microsoft Entra ID | ✔️ |
[XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | ✔️ | ✔️ [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) | UWP, Windows desktop app | Local standard user, Active Directory, Microsoft Entra ID | ✔️ | ✔️
Microsoft Intune or other MDM [for full-screen single-app kiosk](kiosk-single-app.md#mdm) or [for multi-app kiosk with desktop](lock-down-windows-10-to-specific-apps.md) | UWP, Windows desktop app | Local standard user, Azure AD | ✔️ | ✔️ Microsoft Intune or other MDM [for full-screen single-app kiosk](kiosk-single-app.md#mdm) or [for multi-app kiosk with desktop](lock-down-windows-10-to-specific-apps.md) | UWP, Windows desktop app | Local standard user, Microsoft Entra ID | ✔️ | ✔️
[Shell Launcher](kiosk-shelllauncher.md) |Windows desktop app | Local standard user, Active Directory, Azure AD | ✔️ | [Shell Launcher](kiosk-shelllauncher.md) |Windows desktop app | Local standard user, Active Directory, Microsoft Entra ID | ✔️ |
[MDM Bridge WMI Provider](kiosk-mdm-bridge.md) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | | ✔️ [MDM Bridge WMI Provider](kiosk-mdm-bridge.md) | UWP, Windows desktop app | Local standard user, Active Directory, Microsoft Entra ID | | ✔️
>[!NOTE] >[!NOTE]

View File

@ -29,7 +29,7 @@ When the assigned access kiosk configuration is applied on the device, certain p
## Group Policy ## Group Policy
The following local policies affect all **non-administrator** users on the system, regardless whether the user is configured as an assigned access user or not. These users include local users, domain users, and Azure Active Directory users. The following local policies affect all **non-administrator** users on the system, regardless whether the user is configured as an assigned access user or not. These users include local users, domain users, and Microsoft Entra users.
| Setting | Value | | Setting | Value |
| --- | --- | | --- | --- |

View File

@ -216,7 +216,7 @@ Logs can help you [troubleshoot issues](/troubleshoot/windows-client/shell-exper
You may also want to set up **automatic logon** for your kiosk device. When your kiosk device restarts, from an update or power outage, you can sign in the assigned access account manually. Or, you can configure the device to sign in to the assigned access account automatically. Make sure that Group Policy settings applied to the device don't prevent automatic sign in. You may also want to set up **automatic logon** for your kiosk device. When your kiosk device restarts, from an update or power outage, you can sign in the assigned access account manually. Or, you can configure the device to sign in to the assigned access account automatically. Make sure that Group Policy settings applied to the device don't prevent automatic sign in.
> [!NOTE] > [!NOTE]
> If you are using a Windows client device restriction CSP to set "Preferred Azure AD tenant domain", this will break the "User logon type" auto-login feature of the Kiosk profile. > If you are using a Windows client device restriction CSP to set "Preferred Microsoft Entra tenant domain", this will break the "User logon type" auto-login feature of the Kiosk profile.
> [!TIP] > [!TIP]
> If you use the [kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) or [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) to configure your kiosk, you can set an account to sign in automatically in the wizard or XML. > If you use the [kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) or [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) to configure your kiosk, you can set an account to sign in automatically in the wizard or XML.

View File

@ -52,7 +52,7 @@ For sample XML configurations for the different app combinations, see [Samples f
> >
>- Shell Launcher doesn't support a custom shell with an application that launches a different process and exits. For example, you cannot specify **write.exe** in Shell Launcher. Shell Launcher launches a custom shell and monitors the process to identify when the custom shell exits. **Write.exe** creates a 32-bit wordpad.exe process and exits. Because Shell Launcher is not aware of the newly created wordpad.exe process, Shell Launcher will take action based on the exit code of **Write.exe**, such as restarting the custom shell. >- Shell Launcher doesn't support a custom shell with an application that launches a different process and exits. For example, you cannot specify **write.exe** in Shell Launcher. Shell Launcher launches a custom shell and monitors the process to identify when the custom shell exits. **Write.exe** creates a 32-bit wordpad.exe process and exits. Because Shell Launcher is not aware of the newly created wordpad.exe process, Shell Launcher will take action based on the exit code of **Write.exe**, such as restarting the custom shell.
- A domain, Azure Active Directory, or local user account. - A domain, Microsoft Entra ID, or local user account.
- A Windows application that is installed for that account. The app can be your own company application or a common app like Internet Explorer. - A Windows application that is installed for that account. The app can be your own company application or a common app like Internet Explorer.
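Review bot: in "A domain, Microsoft Entra ID, or local user account" the noun "user account" follows, so the modifier should be "Microsoft Entra" (as in "a Microsoft Entra account" used elsewhere in this commit), i.e. `- A domain, Microsoft Entra, or local user account.`; "Microsoft Entra ID" is the service name, not an account type.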

View File

@ -85,7 +85,7 @@ You have several options for configuring your single-app kiosk.
You can use **Settings** to quickly configure one or a few devices as a kiosk. You can use **Settings** to quickly configure one or a few devices as a kiosk.
When your kiosk is a local device that isn't managed by Active Directory or Azure Active Directory, there is a default setting that enables automatic sign-in after a restart. That means that when the device restarts, the last signed-in user will be signed in automatically. If the last signed-in user is the kiosk account, the kiosk app will be launched automatically after the device restarts. When your kiosk is a local device that isn't managed by Active Directory or Microsoft Entra ID, there is a default setting that enables automatic sign-in after a restart. That means that when the device restarts, the last signed-in user will be signed in automatically. If the last signed-in user is the kiosk account, the kiosk app will be launched automatically after the device restarts.
- If you want the kiosk account to sign in automatically, and the kiosk app launched when the device restarts, then you don't need to do anything. - If you want the kiosk account to sign in automatically, and the kiosk app launched when the device restarts, then you don't need to do anything.
@ -235,17 +235,17 @@ When you use the **Provision kiosk devices** wizard in Windows Configuration Des
3. Enable account management: 3. Enable account management:
:::image type="content" source="images/account-management-details.png" alt-text="In Windows Configuration Designer, join Active Directory, Azure AD, or create a local admin account."::: :::image type="content" source="images/account-management-details.png" alt-text="In Windows Configuration Designer, join Active Directory, Microsoft Entra ID, or create a local admin account.":::
If you want to enable account management, select **Account Management**, and configure the following settings: If you want to enable account management, select **Account Management**, and configure the following settings:
- **Manage organization/school accounts**: Choose how devices are enrolled. Your options: - **Manage organization/school accounts**: Choose how devices are enrolled. Your options:
- **Active Directory**: Enter the credentials for a least-privileged user account to join the device to the domain. - **Active Directory**: Enter the credentials for a least-privileged user account to join the device to the domain.
- **Azure Active Directory**: Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](/azure/active-directory/active-directory-azureadjoin-setup). In your Azure AD tenant, the **maximum number of devices per user** setting determines how many times the bulk token in the wizard can be used. - **Microsoft Entra ID**: Before you use a Windows Configuration Designer wizard to configure bulk Microsoft Entra enrollment, [set up Microsoft Entra join in your organization](/azure/active-directory/active-directory-azureadjoin-setup). In your Microsoft Entra tenant, the **maximum number of devices per user** setting determines how many times the bulk token in the wizard can be used.
If you select this option, enter a friendly name for the bulk token you get using the wizard. Set an expiration date for the token. The maximum is 180 days from the date you get the token. Select **Get bulk token**. In **Let's get you signed in**, enter an account that has permissions to join a device to Azure AD, and then the password. Select **Accept** to give Windows Configuration Designer the necessary permissions. If you select this option, enter a friendly name for the bulk token you get using the wizard. Set an expiration date for the token. The maximum is 180 days from the date you get the token. Select **Get bulk token**. In **Let's get you signed in**, enter an account that has permissions to join a device to Microsoft Entra ID, and then the password. Select **Accept** to give Windows Configuration Designer the necessary permissions.
You must run Windows Configuration Designer on Windows client to configure Azure AD enrollment using any of the wizards. You must run Windows Configuration Designer on Windows client to configure Microsoft Entra enrollment using any of the wizards.
- **Local administrator**: If you select this option, enter a user name and password. If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password isn't changed during that period, the account might be locked out, and unable to sign in. - **Local administrator**: If you select this option, enter a user name and password. If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password isn't changed during that period, the account might be locked out, and unable to sign in.
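Review bot: the link target `/azure/active-directory/active-directory-azureadjoin-setup` is the legacy path and now depends on a redirect, so update it to the current Microsoft Entra join setup article while the surrounding text is being rewritten. The rename is otherwise consistent ("Microsoft Entra join", "Microsoft Entra tenant", "Microsoft Entra enrollment"); the bulk token guidance (180-day maximum, least-privileged account for the join) is unchanged and still reads correctly.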
@ -323,7 +323,7 @@ When you use the **Provision kiosk devices** wizard in Windows Configuration Des
> >
>Account type: >Account type:
> - Local standard user > - Local standard user
> - Azure AD > - Microsoft Entra ID
Microsoft Intune and other MDM services enable kiosk configuration through the [AssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/assignedaccess-csp). Assigned Access has a `KioskModeApp` setting. In the `KioskModeApp` setting, you enter the user account name and the [AUMID](/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app) for the app to run in kiosk mode. Microsoft Intune and other MDM services enable kiosk configuration through the [AssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/assignedaccess-csp). Assigned Access has a `KioskModeApp` setting. In the `KioskModeApp` setting, you enter the user account name and the [AUMID](/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app) for the app to run in kiosk mode.

View File

@ -311,7 +311,7 @@ The following example hides the taskbar:
``` ```
>[!IMPORTANT] >[!IMPORTANT]
>The kiosk profile is designed for public-facing kiosk devices. We recommend that you use a local, non-administrator account. If the device is connected to your company network, using a domain or Azure Active Directory account could potentially compromise confidential information. >The kiosk profile is designed for public-facing kiosk devices. We recommend that you use a local, non-administrator account. If the device is connected to your company network, using a domain or Microsoft Entra account could potentially compromise confidential information.
#### Configs #### Configs
@ -322,8 +322,8 @@ The full multi-app assigned access experience can only work for non-admin users.
You can assign: You can assign:
- [A local standard user account that signs in automatically](#config-for-autologon-account) (Applies to Windows 10, version 1803 only) - [A local standard user account that signs in automatically](#config-for-autologon-account) (Applies to Windows 10, version 1803 only)
- [An individual account, which can be local, domain, or Azure Active Directory (Azure AD)](#config-for-individual-accounts) - [An individual account, which can be local, domain, or Microsoft Entra ID](#config-for-individual-accounts)
- [A group account, which can be local, Active Directory (domain), or Azure AD](#config-for-group-accounts) (Applies to Windows 10, version 1803 only). - [A group account, which can be local, Active Directory (domain), or Microsoft Entra ID](#config-for-group-accounts) (Applies to Windows 10, version 1803 only).
>[!NOTE] >[!NOTE]
>Configs that specify group accounts cannot use a kiosk profile, only a lockdown profile. If a group is configured to a kiosk profile, the CSP will reject the request. >Configs that specify group accounts cannot use a kiosk profile, only a lockdown profile. If a group is configured to a kiosk profile, the CSP will reject the request.
@ -365,7 +365,7 @@ Individual accounts are specified using `<Account>`.
- Local account can be entered as `machinename\account` or `.\account` or just `account`. - Local account can be entered as `machinename\account` or `.\account` or just `account`.
- Domain account should be entered as `domain\account`. - Domain account should be entered as `domain\account`.
- Azure AD account must be specified in this format: `AzureAD\{email address}`. **AzureAD** must be provided _as is_, and consider it's a fixed domain name. Then follow with the Azure AD email address. For example, `AzureAD\someone@contoso.onmicrosoft.com` - Microsoft Entra account must be specified in this format: `AzureAD\{email address}`. **AzureAD** must be provided _as is_, and consider it's a fixed domain name. Then follow with the Microsoft Entra ID email address. For example, `AzureAD\someone@contoso.onmicrosoft.com`
>[!WARNING] >[!WARNING]
>Assigned access can be configured via WMI or CSP to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so. >Assigned access can be configured via WMI or CSP to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so.
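Review bot: Two issues in the `AzureAD\{email address}` bullet. "Then follow with the Microsoft Entra ID email address" is inconsistent with "Microsoft Entra account" earlier in the same line; use "Microsoft Entra" as the modifier, as the rest of this commit does. And "**AzureAD** must be provided _as is_, and consider it's a fixed domain name" is awkward; after a rebrand readers will specifically wonder whether the prefix changed, so suggest: "**AzureAD** is a fixed, literal domain name that isn't affected by the Microsoft Entra rename; follow it with the account's email address." Also, the WARNING below still mentions only domain user or service accounts, while the list above now includes Microsoft Entra accounts; the same exposure applies (the kiosk app runs under an identity that may reach tenant resources), so extend it to "domain or Microsoft Entra user accounts". The same bullet and warning recur in hunk `@ -257,7 +257,7` of this commit.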
@ -373,7 +373,7 @@ Individual accounts are specified using `<Account>`.
Before applying the multi-app configuration, make sure the specified user account is available on the device, otherwise it will fail. Before applying the multi-app configuration, make sure the specified user account is available on the device, otherwise it will fail.
>[!NOTE] >[!NOTE]
>For both domain and Azure AD accounts, it's not required that target account is explicitly added to the device. As long as the device is AD-joined or Azure AD-joined, the account can be discovered in the domain forest or tenant that the device is joined to. For local accounts, it is required that the account exist before you configure the account for assigned access. >For both domain and Microsoft Entra accounts, it's not required that target account is explicitly added to the device. As long as the device is AD-joined or Microsoft Entra joined, the account can be discovered in the domain forest or tenant that the device is joined to. For local accounts, it is required that the account exist before you configure the account for assigned access.
```xml ```xml
<Configs> <Configs>
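Review bot: Grammar and hyphenation nits in the NOTE: "it's not required that target account is explicitly added" should be "that the target account be explicitly added", and "AD-joined or Microsoft Entra joined" mixes hyphenated and unhyphenated forms in one sentence; since "Microsoft Entra joined" is the form this commit adopts, drop the hyphen from "AD joined" so the two read alike. The same text appears again in hunk `@ -265,7 +265,7`.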
@ -388,7 +388,7 @@ Before applying the multi-app configuration, make sure the specified user accoun
Group accounts are specified using `<UserGroup>`. Nested groups aren't supported. For example, if user A is member of Group 1, Group 1 is member of Group 2, and Group 2 is used in `<Config/>`, user A won't have the kiosk experience. Group accounts are specified using `<UserGroup>`. Nested groups aren't supported. For example, if user A is member of Group 1, Group 1 is member of Group 2, and Group 2 is used in `<Config/>`, user A won't have the kiosk experience.
- Local group: Specify the group type as **LocalGroup** and put the group name in Name attribute. Any Azure AD accounts that are added to the local group won't have the kiosk settings applied. - Local group: Specify the group type as **LocalGroup** and put the group name in Name attribute. Any Microsoft Entra accounts that are added to the local group won't have the kiosk settings applied.
```xml ```xml
<Config> <Config>
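Review bot: "put the group name in Name attribute" should read "in the `Name` attribute" (code formatting, as `<UserGroup>` is formatted in the line above). The second sentence is the one defenders need: Microsoft Entra accounts added to a local group don't get the kiosk settings, so such users sign in without the lockdown; consider promoting it to a `[!NOTE]` or `[!IMPORTANT]` callout rather than leaving it at the end of a bullet.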
@ -406,7 +406,7 @@ Group accounts are specified using `<UserGroup>`. Nested groups aren't supported
</Config> </Config>
``` ```
- Azure AD group: Use the group object ID from the Azure portal to uniquely identify the group in the Name attribute. You can find the object ID on the overview page for the group in **Users and groups** > **All groups**. Specify the group type as **AzureActiveDirectoryGroup**. The kiosk device must have internet connectivity when users that belong to the group sign-in. - Microsoft Entra group: Use the group object ID from the Azure portal to uniquely identify the group in the Name attribute. You can find the object ID on the overview page for the group in **Users and groups** > **All groups**. Specify the group type as **AzureActiveDirectoryGroup**. The kiosk device must have internet connectivity when users that belong to the group sign-in.
```xml ```xml
<Config> <Config>
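Review bot: "Azure portal" was left unchanged while the surrounding text was rebranded; if that's deliberate (the portal name itself didn't change), fine, but please confirm rather than leave the bullet half-migrated. `AzureActiveDirectoryGroup` is correctly kept as a literal, since it's the group type value the CSP expects. Nits: "when users that belong to the group sign-in" should be "sign in" (verb), and "in the Name attribute" should be "in the `Name` attribute".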
@ -416,7 +416,7 @@ Group accounts are specified using `<UserGroup>`. Nested groups aren't supported
``` ```
>[!NOTE] >[!NOTE]
>If an Azure AD group is configured with a lockdown profile on a device, a user in the Azure AD group must change their password (after the account has been created with default password on the portal) before they can sign in to this device. If the user uses the default password to sign in to the device, the user will be immediately signed out. >If a Microsoft Entra group is configured with a lockdown profile on a device, a user in the Microsoft Entra group must change their password (after the account has been created with default password on the portal) before they can sign in to this device. If the user uses the default password to sign in to the device, the user will be immediately signed out.
<span id="add-xml" /> <span id="add-xml" />
@ -588,7 +588,7 @@ When the multi-app assigned access configuration is applied on the device, certa
### Group policy ### Group policy
The following local policies affect all **non-administrator** users on the system, regardless whether the user is configured as an assigned access user or not. This list includes local users, domain users, and Azure Active Directory users. The following local policies affect all **non-administrator** users on the system, regardless whether the user is configured as an assigned access user or not. This list includes local users, domain users, and Microsoft Entra users.
| Setting | Value | | Setting | Value |
| --- | --- | | --- | --- |

View File

@ -203,7 +203,7 @@ The following example hides the taskbar:
``` ```
> [!IMPORTANT] > [!IMPORTANT]
> The kiosk profile is designed for public-facing kiosk devices. We recommend that you use a local, non-administrator account. If the device is connected to your company network, using a domain or Azure Active Directory account could potentially compromise confidential information. > The kiosk profile is designed for public-facing kiosk devices. We recommend that you use a local, non-administrator account. If the device is connected to your company network, using a domain or Microsoft Entra account could potentially compromise confidential information.
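Review bot: This file's Configs section (this hunk through `@ -308,7 +308,7`) is a verbatim copy of the same section in the previous file (`@ -311,7 +311,7` through `@ -416,7 +416,7`), so every wording, formatting and warning comment on that file applies here too, and any later fix has to land twice. Consider single-sourcing the shared section (an include) so the two copies can't drift.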
#### Configs #### Configs
@ -214,8 +214,8 @@ The full multi-app assigned access experience can only work for non-admin users.
You can assign: You can assign:
- [A local standard user account that signs in automatically](#config-for-autologon-account) (Applies to Windows 10, version 1803 only) - [A local standard user account that signs in automatically](#config-for-autologon-account) (Applies to Windows 10, version 1803 only)
- [An individual account, which can be local, domain, or Azure Active Directory (Azure AD)](#config-for-individual-accounts) - [An individual account, which can be local, domain, or Microsoft Entra ID](#config-for-individual-accounts)
- [A group account, which can be local, Active Directory (domain), or Azure AD](#config-for-group-accounts) (Applies to Windows 10, version 1803 only). - [A group account, which can be local, Active Directory (domain), or Microsoft Entra ID](#config-for-group-accounts) (Applies to Windows 10, version 1803 only).
> [!NOTE] > [!NOTE]
> Configs that specify group accounts cannot use a kiosk profile, only a lockdown profile. If a group is configured to a kiosk profile, the CSP will reject the request. > Configs that specify group accounts cannot use a kiosk profile, only a lockdown profile. If a group is configured to a kiosk profile, the CSP will reject the request.
@ -257,7 +257,7 @@ Individual accounts are specified using `<Account>`.
- Local account can be entered as `machinename\account` or `.\account` or just `account`. - Local account can be entered as `machinename\account` or `.\account` or just `account`.
- Domain account should be entered as `domain\account`. - Domain account should be entered as `domain\account`.
- Azure AD account must be specified in this format: `AzureAD\{email address}`. **AzureAD** must be provided _as is_, and consider it's a fixed domain name. Then follow with the Azure AD email address. For example, `AzureAD\someone@contoso.onmicrosoft.com` - Microsoft Entra account must be specified in this format: `AzureAD\{email address}`. **AzureAD** must be provided _as is_, and consider it's a fixed domain name. Then follow with the Microsoft Entra ID email address. For example, `AzureAD\someone@contoso.onmicrosoft.com`
> [!WARNING] > [!WARNING]
> Assigned access can be configured via WMI or CSP to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so. > Assigned access can be configured via WMI or CSP to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so.
@ -265,7 +265,7 @@ Individual accounts are specified using `<Account>`.
Before applying the multi-app configuration, make sure the specified user account is available on the device, otherwise it will fail. Before applying the multi-app configuration, make sure the specified user account is available on the device, otherwise it will fail.
> [!NOTE] > [!NOTE]
> For both domain and Azure AD accounts, it's not required that target account is explicitly added to the device. As long as the device is AD-joined or Azure AD-joined, the account can be discovered in the domain forest or tenant that the device is joined to. For local accounts, it is required that the account exist before you configure the account for assigned access. > For both domain and Microsoft Entra accounts, it's not required that target account is explicitly added to the device. As long as the device is AD-joined or Microsoft Entra joined, the account can be discovered in the domain forest or tenant that the device is joined to. For local accounts, it is required that the account exist before you configure the account for assigned access.
```xml ```xml
<Configs> <Configs>
@ -280,7 +280,7 @@ Before applying the multi-app configuration, make sure the specified user accoun
Group accounts are specified using `<UserGroup>`. Nested groups aren't supported. For example, if user A is member of Group 1, Group 1 is member of Group 2, and Group 2 is used in `<Config/>`, user A won't have the kiosk experience. Group accounts are specified using `<UserGroup>`. Nested groups aren't supported. For example, if user A is member of Group 1, Group 1 is member of Group 2, and Group 2 is used in `<Config/>`, user A won't have the kiosk experience.
- Local group: Specify the group type as **LocalGroup** and put the group name in Name attribute. Any Azure AD accounts that are added to the local group won't have the kiosk settings applied. - Local group: Specify the group type as **LocalGroup** and put the group name in Name attribute. Any Microsoft Entra accounts that are added to the local group won't have the kiosk settings applied.
```xml ```xml
<Config> <Config>
@ -298,7 +298,7 @@ Group accounts are specified using `<UserGroup>`. Nested groups aren't supported
</Config> </Config>
``` ```
- Azure AD group: Use the group object ID from the Azure portal to uniquely identify the group in the Name attribute. You can find the object ID on the overview page for the group in **Users and groups** > **All groups**. Specify the group type as **AzureActiveDirectoryGroup**. The kiosk device must have internet connectivity when users that belong to the group sign-in. - Microsoft Entra group: Use the group object ID from the Azure portal to uniquely identify the group in the Name attribute. You can find the object ID on the overview page for the group in **Users and groups** > **All groups**. Specify the group type as **AzureActiveDirectoryGroup**. The kiosk device must have internet connectivity when users that belong to the group sign-in.
```xml ```xml
<Config> <Config>
@ -308,7 +308,7 @@ Group accounts are specified using `<UserGroup>`. Nested groups aren't supported
``` ```
> [!NOTE] > [!NOTE]
> If an Azure AD group is configured with a lockdown profile on a device, a user in the Azure AD group must change their password (after the account has been created with default password on the portal) before they can sign in to this device. If the user uses the default password to sign in to the device, the user will be immediately signed out. > If a Microsoft Entra group is configured with a lockdown profile on a device, a user in the Microsoft Entra group must change their password (after the account has been created with default password on the portal) before they can sign in to this device. If the user uses the default password to sign in to the device, the user will be immediately signed out.
<span id="add-xml" /> <span id="add-xml" />

View File

@ -22,9 +22,11 @@ When applying a provisioning package (PPKG) containing power settings, elevated
To apply the power settings successfully with the [correct security context](/windows/win32/services/localsystem-account), place the PPKG in `%WINDIR%/Provisioning/Packages` directory, and reboot the device. For more information, see [Configure power settings](/windows-hardware/customize/power-settings/configure-power-settings). To apply the power settings successfully with the [correct security context](/windows/win32/services/localsystem-account), place the PPKG in `%WINDIR%/Provisioning/Packages` directory, and reboot the device. For more information, see [Configure power settings](/windows-hardware/customize/power-settings/configure-power-settings).
## Unable to perform bulk enrollment in Azure AD <a name='unable-to-perform-bulk-enrollment-in-azure-ad'></a>
When [enrolling devices into Azure AD using provisioning packages](https://techcommunity.microsoft.com/t5/intune-customer-success/bulk-join-a-windows-device-to-azure-ad-and-microsoft-endpoint/ba-p/2381400), the bulk token request will be rejected, if the user requesting a bulk token is not authorized to grant application consent. For more information, see [Configure how users consent to applications](/azure/active-directory/manage-apps/configure-user-consent). ## Unable to perform bulk enrollment in Microsoft Entra ID
When [enrolling devices into Microsoft Entra ID using provisioning packages](https://techcommunity.microsoft.com/t5/intune-customer-success/bulk-join-a-windows-device-to-azure-ad-and-microsoft-endpoint/ba-p/2381400), the bulk token request will be rejected, if the user requesting a bulk token is not authorized to grant application consent. For more information, see [Configure how users consent to applications](/azure/active-directory/manage-apps/configure-user-consent).
> [!NOTE] > [!NOTE]
> When obtaining the bulk token, you should select "No, sign in to this app only" when prompted for authentication. If you select "OK" instead without also selecting "Allow my organization to manage my device", the bulk token request may be rejected. > When obtaining the bulk token, you should select "No, sign in to this app only" when prompted for authentication. If you select "OK" instead without also selecting "Allow my organization to manage my device", the bulk token request may be rejected.
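Review bot: Preserving the old heading anchor with `<a name='unable-to-perform-bulk-enrollment-in-azure-ad'></a>` before the renamed heading is the right call, since existing links point at the old slug. Nit: drop the comma in "the bulk token request will be rejected, if the user requesting a bulk token is not authorized"; the clause is restrictive.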

View File

@ -44,12 +44,12 @@ The desktop wizard helps you configure the following settings in a provisioning
- Configure the device for shared use - Configure the device for shared use
- Remove pre-installed software - Remove pre-installed software
- Configure Wi-Fi network - Configure Wi-Fi network
- Enroll device in Active Directory or Azure Active Directory - Enroll device in Active Directory or Microsoft Entra ID
- Create local administrator account - Create local administrator account
- Add applications and certificates - Add applications and certificates
>[!WARNING] >[!WARNING]
>You must run Windows Configuration Designer on Windows client to configure Azure Active Directory enrollment using any of the wizards. >You must run Windows Configuration Designer on Windows client to configure Microsoft Entra enrollment using any of the wizards.
Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more. Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more.
@ -100,17 +100,17 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L
3. Enable account management: 3. Enable account management:
:::image type="content" source="../images/account-management-details.png" alt-text="In Windows Configuration Designer, join Active Directory, Azure AD, or create a local admin account."::: :::image type="content" source="../images/account-management-details.png" alt-text="In Windows Configuration Designer, join Active Directory, Microsoft Entra ID, or create a local admin account.":::
If you want to enable account management, select **Account Management**, and configure the following settings: If you want to enable account management, select **Account Management**, and configure the following settings:
- **Manage organization/school accounts**: Choose how devices are enrolled. Your options: - **Manage organization/school accounts**: Choose how devices are enrolled. Your options:
- **Active Directory**: Enter the credentials for a least-privileged user account to join the device to the domain. - **Active Directory**: Enter the credentials for a least-privileged user account to join the device to the domain.
- **Azure Active Directory**: Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](/azure/active-directory/active-directory-azureadjoin-setup). In your Azure AD tenant, the **maximum number of devices per user** setting determines how many times the bulk token in the wizard can be used. - **Microsoft Entra ID**: Before you use a Windows Configuration Designer wizard to configure bulk Microsoft Entra enrollment, [set up Microsoft Entra join in your organization](/azure/active-directory/active-directory-azureadjoin-setup). In your Microsoft Entra tenant, the **maximum number of devices per user** setting determines how many times the bulk token in the wizard can be used.
If you select this option, enter a friendly name for the bulk token you get using the wizard. Set an expiration date for the token. The maximum is 180 days from the date you get the token. Select **Get bulk token**. In **Let's get you signed in**, enter an account that has permissions to join a device to Azure AD, and then the password. Select **Accept** to give Windows Configuration Designer the necessary permissions. If you select this option, enter a friendly name for the bulk token you get using the wizard. Set an expiration date for the token. The maximum is 180 days from the date you get the token. Select **Get bulk token**. In **Let's get you signed in**, enter an account that has permissions to join a device to Microsoft Entra ID, and then the password. Select **Accept** to give Windows Configuration Designer the necessary permissions.
You must run Windows Configuration Designer on Windows client to configure Azure AD enrollment using any of the wizards. You must run Windows Configuration Designer on Windows client to configure Microsoft Entra enrollment using any of the wizards.
- **Local administrator**: If you select this option, enter a user name and password. If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password isn't changed during that period, the account might be locked out, and unable to sign in. - **Local administrator**: If you select this option, enter a user name and password. If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password isn't changed during that period, the account might be locked out, and unable to sign in.
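Review bot: The bold **Microsoft Entra ID** under "Your options" is the label of a choice in the Windows Configuration Designer wizard (the same hunk updates the screenshot alt text to match); if the tool's UI still shows "Azure Active Directory", the doc should keep the literal UI label and give the new name in parentheses, otherwise users can't find the option. Separately, the **Active Directory** bullet asks for a least-privileged account, but the Entra bullet only says "an account that has permissions to join a device"; suggest the same least-privilege wording, since that is the account that grants Windows Configuration Designer its permissions when you select **Accept**.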

View File

@ -47,7 +47,7 @@ Windows Configuration Designer can create provisioning packages for Windows clie
- Windows Server 2008 R2 - Windows Server 2008 R2
>[!WARNING] >[!WARNING]
>You must run Windows Configuration Designer on Windows client to configure Azure Active Directory enrollment using any of the wizards. >You must run Windows Configuration Designer on Windows client to configure Microsoft Entra enrollment using any of the wizards.
## Install Windows Configuration Designer ## Install Windows Configuration Designer

View File

@ -73,8 +73,8 @@ The following table describes settings that you can configure using the wizards
| --- | --- | --- | --- | --- | | --- | --- | --- | --- | --- |
| Set up device | Assign device name, enter product key to upgrade Windows, configure shared use, remove pre-installed software | ✔️ | ✔️ | ✔️ | | Set up device | Assign device name, enter product key to upgrade Windows, configure shared use, remove pre-installed software | ✔️ | ✔️ | ✔️ |
| Set up network | Connect to a Wi-Fi network | ✔️ | ✔️ | ✔️ | | Set up network | Connect to a Wi-Fi network | ✔️ | ✔️ | ✔️ |
| Account management | Enroll device in Active Directory, enroll device in Azure Active Directory, or create a local administrator account | ✔️ | ✔️ | ✔️ | | Account management | Enroll device in Active Directory, enroll device in Microsoft Entra ID, or create a local administrator account | ✔️ | ✔️ | ✔️ |
| Bulk Enrollment in Azure AD | Enroll device in Azure Active Directory using Bulk Token</br></br> [Set up Azure AD join in your organization](/azure/active-directory/active-directory-azureadjoin-setup), before you use Windows Configuration Designer wizard to configure bulk Azure AD enrollment. | ✔️ | ✔️ | ✔️ | | Bulk Enrollment in Microsoft Entra ID | Enroll device in Microsoft Entra ID using Bulk Token</br></br> [Set up Microsoft Entra join in your organization](/azure/active-directory/active-directory-azureadjoin-setup), before you use Windows Configuration Designer wizard to configure bulk Microsoft Entra enrollment. | ✔️ | ✔️ | ✔️ |
| Add applications | Install applications using the provisioning package. | ✔️ | ✔️ | ❌ | | Add applications | Install applications using the provisioning package. | ✔️ | ✔️ | ❌ |
| Add certificates | Include a certificate file in the provisioning package. | ✔️ | ✔️ | ✔️ | | Add certificates | Include a certificate file in the provisioning package. | ✔️ | ✔️ | ✔️ |
| Configure kiosk account and app | Create local account to run the kiosk mode app, specify the app to run in kiosk mode | ❌ | ✔️ | ❌ | | Configure kiosk account and app | Create local account to run the kiosk mode app, specify the app to run in kiosk mode | ❌ | ✔️ | ❌ |
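Review bot: "Bulk Enrollment in Microsoft Entra ID" in the Wizard column is the name of a wizard page in Windows Configuration Designer, like the other entries in that column; confirm it matches the current UI string before renaming it in the table. The description column text is fine.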

View File

@ -105,7 +105,7 @@ For more information, see [Using PowerShell scripting with the WMI Bridge Provid
## Guidance for accounts on shared PCs ## Guidance for accounts on shared PCs
- When a device is configured in *shared PC mode* with the default deletion policy, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account management happens automatically. Both Azure AD and Active Directory domain accounts are managed in this way. Any accounts created through **Guest** and **Kiosk** will be deleted automatically at sign out. - When a device is configured in *shared PC mode* with the default deletion policy, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account management happens automatically. Both Microsoft Entra ID and Active Directory domain accounts are managed in this way. Any accounts created through **Guest** and **Kiosk** will be deleted automatically at sign out.
- Local accounts that already exist on a PC won't be deleted when turning on shared PC mode. New local accounts that are created using **Settings > Accounts > Other people > Add someone else to this PC** after shared PC mode is turned on won't be deleted. However, any new guest accounts created by the **Guest** and **Kiosk** options on the sign-in screen (if enabled) will automatically be deleted at sign out. To set a general policy on all local accounts, you can configure the following local Group Policy setting: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles**: **Delete User Profiles Older Than A Specified Number Of Days On System Restart**. - Local accounts that already exist on a PC won't be deleted when turning on shared PC mode. New local accounts that are created using **Settings > Accounts > Other people > Add someone else to this PC** after shared PC mode is turned on won't be deleted. However, any new guest accounts created by the **Guest** and **Kiosk** options on the sign-in screen (if enabled) will automatically be deleted at sign out. To set a general policy on all local accounts, you can configure the following local Group Policy setting: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles**: **Delete User Profiles Older Than A Specified Number Of Days On System Restart**.
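Review bot: "Both Microsoft Entra ID and Active Directory domain accounts" reads as "Microsoft Entra ID accounts"; use "Both Microsoft Entra and Active Directory domain accounts", with "Microsoft Entra" as the modifier, matching "Microsoft Entra account" elsewhere in this commit.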

View File

@ -15,7 +15,7 @@ ms.technology: itpro-configure
# Accounts (Windows Configuration Designer reference) # Accounts (Windows Configuration Designer reference)
Use these settings to join a device to an Active Directory domain or an Azure Active Directory tenant, or to add local user accounts to the device. Use these settings to join a device to an Active Directory domain or a Microsoft Entra tenant, or to add local user accounts to the device.
## Applies to ## Applies to
@ -28,7 +28,7 @@ Use these settings to join a device to an Active Directory domain or an Azure Ac
## Azure ## Azure
The **Azure > Authority** and **Azure > BPRT** settings for bulk Azure Active Directory (Azure AD) enrollment can only be configured using one of the provisioning wizards. After you get a bulk token for Azure AD enrollment in a wizard, you can switch to the advanced editor to configure more provisioning settings. For information about using the wizards, see: The **Azure > Authority** and **Azure > BPRT** settings for bulk Microsoft Entra enrollment can only be configured using one of the provisioning wizards. After you get a bulk token for Microsoft Entra enrollment in a wizard, you can switch to the advanced editor to configure more provisioning settings. For information about using the wizards, see:
- [Instructions for desktop wizard](../provisioning-packages/provision-pcs-for-initial-deployment.md) - [Instructions for desktop wizard](../provisioning-packages/provision-pcs-for-initial-deployment.md)
- [Instructions for the kiosk wizard](../kiosk-single-app.md#wizard) - [Instructions for the kiosk wizard](../kiosk-single-app.md#wizard)

View File

@ -29,7 +29,7 @@ Use these settings to configure settings for accounts allowed on the shared PC.
| Setting | Value | Description | | Setting | Value | Description |
| --- | --- | --- | | --- | --- | --- |
| AccountModel | - Only guest</br>- Domain-joined only</br>- Domain-joined and guest | This option controls how users can sign in on the PC. Choosing domain-joined will enable any user in the domain to sign in. Specifying the guest option will add the Guest option to the sign in screen and enable anonymous guest access to the PC. </br></br>- Only guest allows anyone to use the PC as a local standard (non-admin) account.</br>- Domain-joined only allows users to sign in with an Active Directory or Azure AD account.</br>- Domain-joined and guest allows users to sign in with an Active Directory, Azure AD, or local standard account. | | AccountModel | - Only guest</br>- Domain-joined only</br>- Domain-joined and guest | This option controls how users can sign in on the PC. Choosing domain-joined will enable any user in the domain to sign in. Specifying the guest option will add the Guest option to the sign in screen and enable anonymous guest access to the PC. </br></br>- Only guest allows anyone to use the PC as a local standard (non-admin) account.</br>- Domain-joined only allows users to sign in with an Active Directory or Microsoft Entra account.</br>- Domain-joined and guest allows users to sign in with an Active Directory, Microsoft Entra ID, or local standard account. |
| DeletionPolicy | - Delete immediately </br>- Delete at disk space threshold</br>- Delete at disk space threshold and inactive threshold | - **Delete immediately** deletes the account on sign out.</br>- **Delete at disk space threshold** starts deleting accounts when available disk space falls below the threshold you set for `DiskLevelDeletion`. It stops deleting accounts when the available disk space reaches the threshold you set for `DiskLevelCaching`. Accounts are deleted in order of oldest accessed to most recently accessed.</br>- **Delete at disk space threshold and inactive threshold** applies the same disk space checks as noted above. It also deletes accounts if they haven't signed in within the number of days in `InactiveThreshold`. | | DeletionPolicy | - Delete immediately </br>- Delete at disk space threshold</br>- Delete at disk space threshold and inactive threshold | - **Delete immediately** deletes the account on sign out.</br>- **Delete at disk space threshold** starts deleting accounts when available disk space falls below the threshold you set for `DiskLevelDeletion`. It stops deleting accounts when the available disk space reaches the threshold you set for `DiskLevelCaching`. Accounts are deleted in order of oldest accessed to most recently accessed.</br>- **Delete at disk space threshold and inactive threshold** applies the same disk space checks as noted above. It also deletes accounts if they haven't signed in within the number of days in `InactiveThreshold`. |
| DiskLevelCaching | A number between 0 and 100 | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account caching. | | DiskLevelCaching | A number between 0 and 100 | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account caching. |
| DiskLevelDeletion | A number between 0 and 100 | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account deletion. | | DiskLevelDeletion | A number between 0 and 100 | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account deletion. |
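Review bot: the AccountModel cell now names the same account type two different ways in adjacent bullets, "Microsoft Entra account" under Domain-joined only and "Microsoft Entra ID" under Domain-joined and guest; use "Microsoft Entra account" in both so they read in parallel with "Active Directory account" and "local standard account". Minor: "sign in screen" should be "sign-in screen" (adjective form) in the same cell.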

View File

@ -43,7 +43,7 @@ When set to True, students can print in the Take A Test app.
Enter the account to use when taking a test. Enter the account to use when taking a test.
To specify a domain account, enter **domain\user**. To specify an Azure AD account, enter `username@tenant.com`. To specify a local account, enter the username. To specify a domain account, enter **domain\user**. To specify a Microsoft Entra account, enter `username@tenant.com`. To specify a local account, enter the username.
## Related articles ## Related articles

View File

@ -45,10 +45,10 @@ A device account is a Microsoft Exchange account that's connected with Skype for
| Email | Email address | Email address of the device account. | | Email | Email address | Email address of the device account. |
| ExchangeServer | Exchange Server | Normally, the device will try to automatically discover the Exchange server. This field is only required if automatic discovery fails. | | ExchangeServer | Exchange Server | Normally, the device will try to automatically discover the Exchange server. This field is only required if automatic discovery fails. |
| Password | Password | Password for the device account. | | Password | Password | Password for the device account. |
| PasswordRotationEnabled | 0 = enabled</br>1 = disabled | Specifies whether automatic password rotation is enabled. If you enforce a password expiration policy on the device account, then use this setting to allow the device to manage its own password. It can change the password frequently, without requiring you to manually update the account information when the password expires. You can reset the password at any time using Active Directory or Azure AD. | | PasswordRotationEnabled | 0 = enabled</br>1 = disabled | Specifies whether automatic password rotation is enabled. If you enforce a password expiration policy on the device account, then use this setting to allow the device to manage its own password. It can change the password frequently, without requiring you to manually update the account information when the password expires. You can reset the password at any time using Active Directory or Microsoft Entra ID. |
| SipAddress | Session Initiation Protocol (SIP) address | Normally, the device will try to automatically discover the SIP. This field is only required if automatic discovery fails. | | SipAddress | Session Initiation Protocol (SIP) address | Normally, the device will try to automatically discover the SIP. This field is only required if automatic discovery fails. |
| UserName | User name | Username of the device account when using Active Directory. | | UserName | User name | Username of the device account when using Active Directory. |
| UserPrincipalName | User principal name (UPN) | To use a device account from Azure Active Directory or a hybrid deployment, you should specify the UPN of the device account. | | UserPrincipalName | User principal name (UPN) | To use a device account from Microsoft Entra ID or a hybrid deployment, you should specify the UPN of the device account. |
| ValidateAndCommit | Any text | Validates the data provided and then commits the changes. This process occurs automatically after the other DeviceAccount settings are applied. The text you enter for the ValidateAndCommit setting doesn't matter. | | ValidateAndCommit | Any text | Validates the data provided and then commits the changes. This process occurs automatically after the other DeviceAccount settings are applied. The text you enter for the ValidateAndCommit setting doesn't matter. |
## Dot3 ## Dot3
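Review bot: the PasswordRotationEnabled row maps 0 to enabled and 1 to disabled, the reverse of the usual boolean convention, but the description ("Specifies whether automatic password rotation is enabled") never restates that mapping or says which value is the default. Because this setting decides whether the device account's credential is rotated automatically, repeat the 0/1 meaning in the description and state the default explicitly so an operator does not disable rotation by writing the intuitive value.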

View File

@ -58,7 +58,10 @@
"jborsecnik", "jborsecnik",
"tiburd", "tiburd",
"garycentric", "garycentric",
"beccarobins" "beccarobins",
"Stacyrch140",
"v-stsavell",
"American-Dipper"
], ],
"searchScope": ["Windows 10"] "searchScope": ["Windows 10"]
}, },

View File

@ -57,7 +57,10 @@
"jborsecnik", "jborsecnik",
"tiburd", "tiburd",
"garycentric", "garycentric",
"beccarobins" "beccarobins",
"Stacyrch140",
"v-stsavell",
"American-Dipper"
] ]
}, },
"searchScope": ["Windows 10"] "searchScope": ["Windows 10"]

View File

@ -65,7 +65,10 @@
"dstrome", "dstrome",
"v-dihans", "v-dihans",
"garycentric", "garycentric",
"beccarobins" "beccarobins",
"Stacyrch140",
"v-stsavell",
"American-Dipper"
], ],
"searchScope": [ "searchScope": [
"Windows 10" "Windows 10"

View File

@ -59,7 +59,10 @@
"jborsecnik", "jborsecnik",
"tiburd", "tiburd",
"garycentric", "garycentric",
"beccarobins" "beccarobins",
"Stacyrch140",
"v-stsavell",
"American-Dipper"
], ],
"searchScope": ["Windows 10"] "searchScope": ["Windows 10"]
}, },
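Review bot: the same three entries ("Stacyrch140", "v-stsavell", "American-Dipper") are appended by hand in four separate hunks of this commit, each to a list that is otherwise not sorted, so there is no way to spot a missed file by inspection; confirm that every file in the repo carrying this list received the identical edit, otherwise the lists drift and the exclusion behaves differently per docset. The comma added after "beccarobins" in each hunk is correct for the JSON.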