…cs-pr (branch live)
Learn Build Service GitHub App authored and Learn Build Service GitHub App committed Feb 4, 2025
2 parents 187421b + 9fe28fa commit 717dd98
Showing 12 changed files with 109 additions and 118 deletions.
32 changes: 21 additions & 11 deletions docs/external-id/customers/whats-new-docs.md
@@ -1,7 +1,7 @@
---
title: "What's new in Microsoft Entra External ID in external tenants"
description: "New and updated documentation for Microsoft Entra External ID in external tenants."
ms.date: 01/10/2025
ms.date: 02/04/2025
ms.service: entra-external-id
ms.subservice: external
ms.topic: whats-new
Expand All @@ -16,6 +16,26 @@ manager: CelesteDG

Welcome to what's new in documentation for Microsoft Entra External ID in external tenants. This article lists new docs that were added and docs that were significantly updated in the last three months.

## January 2025

### New articles

- [Use Azure Front Door as a reverse proxy in production environment for a single-page app that uses native authentication (preview)](how-to-native-authentication-cors-solution-production-environment.md)
- [Set up a reverse proxy for a single-page app that calls native authentication API by using Azure Function App (preview)](how-to-native-authentication-cors-solution-test-environment.md)
- [Quickstart: Sign in users in a sample React single-page application by using native authentication (preview)](quickstart-native-authentication-single-page-app-react-sign-in.md)
- [Tutorial: Reset password in a React single-page app by using native authentication (preview)](tutorial-native-authentication-single-page-app-react-reset-password.md)
- [Tutorial: Set up CORS proxy server to manage CORS headers for native authentication (preview)](tutorial-native-authentication-single-page-app-react-set-up-local-cors.md)
- [Tutorial: Sign in users into a React single-page app by using native authentication (preview)](tutorial-native-authentication-single-page-app-react-sign-in.md)
- [Tutorial: Sign up users into a React single-page app by using native authentication (preview)](tutorial-native-authentication-single-page-app-react-sign-up.md)
- [Register a SAML app in your external tenant (preview)](how-to-register-saml-app.md)
- [Configure Microsoft Entra External ID with Azure Web Application Firewall](tutorial-configure-external-id-web-app-firewall.md)
- [Register a SAML app in your external tenant (preview)](tutorial-web-app-node-sign-in-sign-out.md)
- [Tutorial: Add add sign-in to a Node/Express.js web app by using Microsoft identity platform](how-to-register-saml-app.md)

### Updated articles

- [Add Azure AD B2C tenant as an OpenID Connect identity provider (preview)](how-to-b2c-federation-customers.md) - Editorial updates

## December 2024

### Updated articles
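Review bot: In the January 2025 "New articles" list, the last two entries have their titles and link targets swapped: "Register a SAML app in your external tenant (preview)" points at tutorial-web-app-node-sign-in-sign-out.md, and the Node/Express.js tutorial points at how-to-register-saml-app.md. The SAML entry also already appears two lines above with the matching target, so the second copy looks like a duplicate. Suggest keeping one SAML entry that links how-to-register-saml-app.md and pointing the Node tutorial at tutorial-web-app-node-sign-in-sign-out.md. "Tutorial: Add add sign-in" also has a doubled word.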
Expand All @@ -37,13 +57,3 @@ Welcome to what's new in documentation for Microsoft Entra External ID in extern
- [Gain insights into your app users’ activity](how-to-user-insights.md) - Added MFA Usage dashboard details
- [Multifactor authentication in external tenants](concept-multifactor-authentication-customers.md) - Opt-in telephony regions update
- [Add multifactor authentication (MFA) to an app](how-to-multifactor-authentication-customers.md) - Opt-in telephony regions update

## October 2024

### Updated articles

- [Register an app in your external tenant](how-to-register-ciam-app.md) - Testing updates
- [Multifactor authentication in external tenants](concept-multifactor-authentication-customers.md) - SMS-based authentication updates
- [Add multifactor authentication (MFA) to an app](how-to-multifactor-authentication-customers.md) - SMS-based authentication updates
- [Create self-service sign-up user flows for apps in external tenants](how-to-user-flow-sign-up-sign-in-customers.md) - Graph API updates

Expand Up @@ -8,7 +8,7 @@ manager: amycolannino

ms.workload: identity
ms.topic: overview
ms.date: 01/31/2025
ms.date: 02/04/2025
ms.author: billmath
---

Expand All @@ -35,7 +35,7 @@ Entra ID Governance can establish who should have access to an on-premises app,

Many organizations have applications on private networks enabling assigned users to access those apps while users are on their organization’s network. Through Microsoft Entra’s provisioning connectors, Entra ID Governance can orchestrate the creation of user accounts in most on-premises systems, such as LDAP directories or SQL databases. ​

The Microsoft Entra Suite provides a better alternative that addresses both. Depending on your scenario, there will be two or three objects in Entra representing your real-world application:
Depending on your scenario, there will be two or three objects in Entra representing your real-world application:

- There will be an application object representing the Entra Private Access connection to that application's endpoints.
- If the application is federated to your Microsoft Entra directory as an identity provider, there will be an application object representing authenticating the user to the application's endpoint, such as using SAML, OAuth, or OpenID Connect.
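Review bot: With the "The Microsoft Entra Suite provides a better alternative that addresses both." sentence dropped, the paragraph on provisioning connectors now runs straight into "Depending on your scenario, there will be two or three objects in Entra", and the first bullet refers to "the Entra Private Access connection" with nothing in the surrounding lines introducing Private Access. Suggest a short neutral bridging sentence in its place, or confirm that an earlier paragraph already sets this up.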
4 changes: 2 additions & 2 deletions docs/identity-platform/scopes-oidc.md
Expand Up @@ -84,7 +84,7 @@ For a complete list of the `profile` claims available in the `id_tokens` paramet

The [`offline_access` scope](https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess) gives your app access to resources on behalf of the user for an extended time. On the consent page, this scope appears as the **Maintain access to data you have given it access to** permission.

When a user approves the `offline_access` scope, your app can receive refresh tokens from the Microsoft identity platform token endpoint. Refresh tokens are long-lived. Your app can get new access tokens as older ones expire.
If any of the requested delegated permissions from the `scope` parameter (excluding `openid`, `profile`, `email`) are granted, this is sufficient for the app to request a refresh token using `offline_access`. For example, if `User.Read` for Microsoft is granted, the app will only recieve an access token. That said, if the app were to subsequently request a refresh token, the fact that `User.Read` had been granted is sufficient for a refresh token to be provided. Refresh tokens are long-lived. Your app can get new access tokens as older ones expire.

> [!NOTE]
> This permission currently appears on all consent pages, even for flows that don't provide a refresh token (such as the [implicit flow](v2-oauth2-implicit-grant-flow.md)). This setup addresses scenarios where a client can begin within the implicit flow and then move to the code flow where a refresh token is expected.
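Review bot: The replacement sentence in the `offline_access` paragraph is hard to follow and drops the original statement that approving `offline_access` is what lets the app receive refresh tokens. As written it says a granted delegated permission is "sufficient for the app to request a refresh token", then that the app "will only recieve an access token", then that a later request would return a refresh token. Suggest keeping the original first sentence and stating the new behaviour separately, with an explicit condition for when a refresh token is issued. Also, "recieve" should be "receive", and "`User.Read` for Microsoft" looks like it is missing the resource name. Because the paragraph itself says refresh tokens are long-lived, readers choosing which scopes to request need this to be unambiguous.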
Expand All @@ -93,7 +93,7 @@ On the Microsoft identity platform (requests made to the v2.0 endpoint), your ap

The access token is valid for around one hour. At that point, your app needs to redirect the user back to the `/authorize` endpoint to request a new authorization code. During this redirect and depending on app type, the user may need to enter their credentials again or consent to permissions again.

The refresh token has a longer expiry than the access token and is valid for a day. For more information about how to get and use refresh tokens, see the [Microsoft identity platform protocol reference](./v2-protocols.md).
The refresh token has a longer expiry than the access token and is typically valid for 90 days. For more information about how to get and use refresh tokens, see the [Microsoft identity platform protocol reference](./v2-protocols.md).

The inclusion of the refresh token in the response can depend on several factors, including the specific configuration of your application and the scopes requested during the authorization process. If you expect to receive a refresh token in the response but fail to, consider the following factors:

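Review bot: "typically valid for 90 days" in the changed refresh-token sentence does not say when the lifetime differs, and the jump from "a day" to "90 days" is large enough that readers will need to know which value applies to their app. Suggest naming the cases that get a different lifetime, or linking to the token lifetime reference at this point. The lifetime bounds how long a leaked refresh token stays usable, so the hedge is worth resolving in the text.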
2 changes: 2 additions & 0 deletions docs/identity/authentication/concept-mfa-regional-opt-in.md
Expand Up @@ -63,6 +63,8 @@ For SMS verification, the following region codes require an opt-in. This means t
| 380 | Ukraine |
| 216 | Tunisia |
| 212 | Morocco |
| 257 | Burundi |


## Voice verification
For voice verification, the following region codes require an opt-in.
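Review bot: The `| 257 | Burundi |` row is added together with a second blank line before `## Voice verification`; one blank line is enough. This hunk only touches the SMS table, so if the voice verification list below should carry the same region code, it needs the row as well.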