MicrosoftDocs
diff --git a/‎articles/active-directory/authentication/concept-authentication-methods.md‎
Lines changed: 3 additions & 1 deletion b/‎articles/active-directory/authentication/concept-authentication-methods.md‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎articles/active-directory/cloud-infrastructure-entitlement-management/media/cloudknox-overview/cloudknox-key-cases.png‎
-152 KB b/‎articles/active-directory/cloud-infrastructure-entitlement-management/media/cloudknox-overview/cloudknox-key-cases.png‎
-152 KB
diff --git a/‎…rd-enable-tenant/data-collectors-tab.png‎ ‎…rd-enable-tenant/data-collectors-tab.png‎articles/active-directory/cloud-infrastructure-entitlement-management/media/cloudknox-onboard-enable-tenant/data-collectors-tab.png renamed to articles/active-directory/cloud-infrastructure-entitlement-management/media/onboard-enable-tenant/data-collectors-tab.png b/‎…rd-enable-tenant/data-collectors-tab.png‎ ‎…rd-enable-tenant/data-collectors-tab.png‎articles/active-directory/cloud-infrastructure-entitlement-management/media/cloudknox-onboard-enable-tenant/data-collectors-tab.png renamed to articles/active-directory/cloud-infrastructure-entitlement-management/media/onboard-enable-tenant/data-collectors-tab.png
diff --git a/‎articles/active-directory/cloud-infrastructure-entitlement-management/media/overview/key-use-cases.png‎
122 KB b/‎articles/active-directory/cloud-infrastructure-entitlement-management/media/overview/key-use-cases.png‎
122 KB
diff --git a/‎articles/active-directory/cloud-infrastructure-entitlement-management/overview.md‎
Lines changed: 1 addition & 1 deletion b/‎articles/active-directory/cloud-infrastructure-entitlement-management/overview.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/active-directory/develop/howto-configure-publisher-domain.md‎
Lines changed: 92 additions & 64 deletions b/‎articles/active-directory/develop/howto-configure-publisher-domain.md‎
Lines changed: 92 additions & 64 deletions
diff --git a/‎articles/active-directory/develop/media/howto-configure-publisher-domain/new-app-behavior-publisher-verification-table.png‎
252 Bytes b/‎articles/active-directory/develop/media/howto-configure-publisher-domain/new-app-behavior-publisher-verification-table.png‎
252 Bytes
diff --git a/‎articles/active-directory/develop/media/howto-configure-publisher-domain/new-app-behavior-table.png‎
17.3 KB b/‎articles/active-directory/develop/media/howto-configure-publisher-domain/new-app-behavior-table.png‎
17.3 KB
diff --git a/‎articles/active-directory/develop/media/howto-configure-publisher-domain/old-app-behavior-table.png‎
49.9 KB b/‎articles/active-directory/develop/media/howto-configure-publisher-domain/old-app-behavior-table.png‎
49.9 KB
diff --git a/‎articles/active-directory/develop/publisher-verification-overview.md‎
Lines changed: 45 additions & 36 deletions b/‎articles/active-directory/develop/publisher-verification-overview.md‎
Lines changed: 45 additions & 36 deletions
@@ -62,7 +62,7 @@ The following table outlines when an authentication method can be used during a
 
 | Method                         | Primary authentication | Secondary authentication  |
 |--------------------------------|:----------------------:|:-------------------------:|
-| Windows Hello for Business     | Yes                    | MFA                       |
+| Windows Hello for Business     | Yes                    | MFA\*                      |
 | Microsoft Authenticator app    | Yes                    | MFA and SSPR              |
 | FIDO2 security key             | Yes                    | MFA                       |
 | OATH hardware tokens (preview) | No                     | MFA and SSPR              |
@@ -71,6 +71,8 @@ The following table outlines when an authentication method can be used during a
 | Voice call                     | No                     | MFA and SSPR              |
 | Password                       | Yes                    |                           |
 
+> \* Windows Hello for Business, by itself, does not serve as a step-up MFA credential. For example, an MFA Challenge from Sign-in Frequency or SAML Request containing forceAuthn=true. Windows Hello for Business can serve as a step-up MFA credential by being used in FIDO2 authentication. This requires users to be enabled for FIDO2 authentication to work sucessfully.
+
 All of these authentication methods can be configured in the Azure portal, and increasingly using the [Microsoft Graph REST API](/graph/api/resources/authenticationmethods-overview).
 
 To learn more about how each authentication method works, see the following separate conceptual articles:
 
@@ -26,7 +26,7 @@ Organizations have to consider permissions management as a central piece of thei
 - IT security teams are under increased pressure to ensure access to their expanding cloud estate is secure and compliant.
 - The inconsistency of cloud providers' native access management models makes it even more complex for Security and Identity to manage permissions and enforce least privilege access policies across their entire environment.
 
-:::image type="content" source="media/cloudknox-overview/cloudknox-key-cases.png" alt-text="CloudKnox Permissions Management.":::
+:::image type="content" source="media/overview/key-use-cases.png" alt-text="Diagram of Microsoft Entra Permissions Management use cases." lightbox="media/overview/key-use-cases.png":::
 
 ## Key use cases