MicrosoftDocs
diff --git a/‎articles/active-directory/app-provisioning/index.yml
Lines changed: 4 additions & 4 deletions b/‎articles/active-directory/app-provisioning/index.yml
Lines changed: 4 additions & 4 deletions
diff --git a/‎articles/active-directory/app-proxy/application-proxy-configure-custom-domain.md
Lines changed: 3 additions & 1 deletion b/‎articles/active-directory/app-proxy/application-proxy-configure-custom-domain.md
Lines changed: 3 additions & 1 deletion
diff --git a/‎articles/active-directory/authentication/concepts-azure-multi-factor-authentication-prompts-session-lifetime.md
Lines changed: 3 additions & 3 deletions b/‎articles/active-directory/authentication/concepts-azure-multi-factor-authentication-prompts-session-lifetime.md
Lines changed: 3 additions & 3 deletions
diff --git a/‎articles/active-directory/develop/v2-permissions-and-consent.md
Lines changed: 2 additions & 0 deletions b/‎articles/active-directory/develop/v2-permissions-and-consent.md
Lines changed: 2 additions & 0 deletions
diff --git a/‎articles/active-directory/roles/TOC.yml
Lines changed: 5 additions & 1 deletion b/‎articles/active-directory/roles/TOC.yml
Lines changed: 5 additions & 1 deletion
@@ -10,10 +10,10 @@ metadata:
    ms.subservice: app-provisioning
    ms.workload: identity
    ms.topic: landing-page
-   ms.date: 02/06/2020
-   author: msmimart
-   ms.author: mimart
-   manager: celested
+   ms.date: 08/12/2021
+   author: kenwith
+   ms.author: kenwith
+   manager: mtillman
 
 landingContent:
   - title: Provision users and groups to a cloud app
 
@@ -8,7 +8,7 @@ ms.service: active-directory
 ms.subservice: app-proxy
 ms.workload: identity
 ms.topic: how-to
-ms.date: 10/24/2019
+ms.date: 08/12/2021
 ms.author: kenwith
 ms.reviewer: japere
 ---
@@ -35,12 +35,14 @@ If you're not able to make the internal and external URLs match, it's not as imp
 
 There are several options for setting up your DNS configuration, depending on your requirements:
 
+
 ### Same internal and external URL, different internal and external behavior 
 
 If you don't want your internal users to be directed through the Application Proxy, you can set up a *split-brain DNS*. A split DNS infrastructure directs internal hosts to an internal domain name server, and external hosts to an external domain name server, for name resolution. 
 
 ![Split-brain DNS](./media/application-proxy-configure-custom-domain/split-brain-dns.png)
 
+
 ### Different internal and external URLs 
 
 If the internal and external URLs are different, you don't need to configure split-brain behavior, because user routing is determined by the URL. In this case, you change only the external DNS, and route the external URL to the Application Proxy endpoint. 
 
@@ -6,7 +6,7 @@ services: multi-factor-authentication
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 08/31/2020
+ms.date: 08/12/2021
 
 ms.author: justinha
 author: justinha
@@ -30,8 +30,8 @@ To give your users the right balance of security and ease of use by asking them
 
 * If you have Azure AD Premium:
     * Enable single sign-on (SSO) across applications using [managed devices](../devices/overview.md) or [Seamless SSO](../hybrid/how-to-connect-sso.md).
-    * If reauthentication is required, use a Conditional Access [sign-in Frequency policy](../conditional-access/howto-conditional-access-session-lifetime.md).
-    * For users that sign in from non-managed devices or mobile device scenarios, use Conditional Access to enable persistent browser sessions and sign-in frequency policies.
+    * If reauthentication is required, use a Conditional Access [sign-in frequency policy](../conditional-access/howto-conditional-access-session-lifetime.md).
+    * For users that sign in from non-managed devices or mobile device scenarios, persistent browser sessions may not be preferable, or you might use Conditional Access to enable persistent browser sessions with sign-in frequency policies. Limit the duration to an appropriate time based on the sign-in risk, where a user with less risk has a longer session duration.
 * If you have Microsoft 365 apps licenses or the free Azure AD tier:
     * Enable single sign-on (SSO) across applications using [managed devices](../devices/overview.md) or [Seamless SSO](../hybrid/how-to-connect-sso.md).
     * Keep the *Remain signed-in* option enabled and guide your users to accept it.
 
@@ -43,6 +43,8 @@ In OAuth 2.0, these types of permission sets are called *scopes*. They're also o
 
 An app most commonly requests these permissions by specifying the scopes in requests to the Microsoft identity platform authorize endpoint. However, some high-privilege permissions can be granted only through administrator consent. They can be requested or granted by using the [administrator consent endpoint](#admin-restricted-permissions). Keep reading to learn more.
 
+In requests to the authorization, token or consent endpoints for the Microsoft Identity platform, if the resource identifier is omitted in the scope parameter, the resource is assumed to be Microsoft Graph. For example, `scope=User.Read` is equivalent to `https://graph.microsoft.com/User.Read`.
+
 ## Permission types
 
 The Microsoft identity platform supports two types of permissions: *delegated permissions* and *application permissions*.
 
@@ -40,12 +40,16 @@
     items: 
     - name: List role assignments
       href: view-assignments.md
-    - name: List role assignments for groups
+    - name: List role assignments for a user
+      href: list-role-assignments-users.md
+    - name: List role assignments for a group
       href: groups-view-assignments.md
   - name: Assign roles
     items:
     - name: Assign roles to users
       href: manage-roles-portal.md
+    - name: Assign roles to a user at different scopes
+      href: assign-roles-different-scopes.md
     - name: Create a role-assignable group
       href: groups-create-eligible.md
     - name: Assign roles to groups