Merge pull request #104548 from JasSuri/patch-9

Jak-MS · web-flow · commit 612efbc3ac6e · 2023-01-31T13:58:16.000-08:00
Update azure-ad-b2c-global-identity-funnel-based-design.md
diff --git a/articles/active-directory-b2c/azure-ad-b2c-global-identity-funnel-based-design.md b/articles/active-directory-b2c/azure-ad-b2c-global-identity-funnel-based-design.md
@@ -16,7 +16,7 @@ ms.subservice: B2C
 
 # Build a global identity solution with funnel-based approach
 
-In this article, we describe the scenarios for funnel-based design approach. Before starting to design, it's recommended that you review the [capabilities](azure-ad-b2c-global-identity-solutions.md#capabilities-and-considerations), and [performance](azure-ad-b2c-global-identity-solutions.md#performance) of both funnel and region-based design approach.
+In this article, we describe the scenarios for funnel-based design approach. Before starting to design, it's recommended that you review the [capabilities](azure-ad-b2c-global-identity-solutions.md#capabilities-and-considerations), and [performance](azure-ad-b2c-global-identity-solutions.md#performance) of both funnel and region-based design approach. This article will further help determine which design may fit best for your organization.
 
 The designs account for:
 
@@ -37,9 +37,9 @@ This use case demonstrates how a user from their home country/region performs a
 
 ![Screenshot shows the Local user sign-up flow.](media/azure-ad-b2c-global-identity-design-considerations/local-user-account-signup.png)
 
-1. User from Europe, Middle East, and Africa (EMEA) attempts to sign up at **myapp.fr**. If the user isn't being sent to their local hostname, the traffic manager will enforce a redirect.
+1. A user from Europe, Middle East, and Africa (EMEA) attempts to sign up at **myapp.fr**. If the user isn't being sent to their local appication instance, the traffic manager will enforce a redirect.
 
-1. User reaches the Global Funnel Azure AD B2C tenant. This tenant is configured to redirect to a regional Azure AD B2C tenant based on defined criteria using OpenId federation. This can be a lookup based on Application clientId.
+1. The user reaches the Global Funnel Azure AD B2C tenant. This tenant is configured to redirect to a regional Azure AD B2C tenant based on defined criteria using OpenId federation. This can be a lookup based on Application clientId.
 
 1. The user attempts to sign up. The sign-up process checks the global lookup table to determine if the user exists in any of the regional Azure AD B2C tenants.
 
@@ -55,9 +55,9 @@ This use case demonstrates how a user re-registering the same email from their o
 
 ![Screenshot shows the existing account sign-up flow.](media/azure-ad-b2c-global-identity-design-considerations/local-existing-account-signup.png)
 
-1. User from EMEA attempts to sign up at **myapp.fr**. If the user isn't being sent to their local hostname, the traffic manager will enforce a redirect.
+1. A user from EMEA attempts to sign up at **myapp.fr**. If the user isn't being sent to their local appication instance, the traffic manager will enforce a redirect.
 
-1. User reaches the Global Funnel Azure AD B2C tenant. This tenant is configured to redirect to a regional Azure AD B2C tenant based on some criteria using OpenId federation. This can be a lookup based on Application clientId.
+1. The user reaches the Global Funnel Azure AD B2C tenant. This tenant is configured to redirect to a regional Azure AD B2C tenant based on some criteria using OpenId federation. This can be a lookup based on Application clientId.
 
 1. The user attempts to sign up. The sign-up process checks the global lookup table to determine if the user exists in any of the regional Azure AD B2C tenants.
 
@@ -71,11 +71,11 @@ This use case demonstrates how a user from their home country/region performs a
 
 ![Screenshot shows the local user sign-in flow.](media/azure-ad-b2c-global-identity-design-considerations/local-user-account-signin.png)
 
-1. User from EMEA attempts to sign in at **myapp.fr**. If the user isn't being sent to their local hostname, the traffic manager will enforce a redirect.
+1. A user from EMEA attempts to sign in at **myapp.fr**. If the user isn't being sent to their local appication instance, the traffic manager will enforce a redirect.
 
-1. User reaches the global funnel Azure AD B2C tenant. This tenant is configured to redirect to a regional Azure AD B2C tenant based on some criteria using OpenId federation. This can be a lookup based on application clientId.
+1. The user reaches the global funnel Azure AD B2C tenant. This tenant is configured to redirect to a regional Azure AD B2C tenant based on some criteria using OpenId federation. This can be a lookup based on application clientId.
 
-1. User enters their credentials at the regional tenant.
+1. The user enters their credentials at the regional tenant.
 
 1. The regional tenant issues a token back to the funnel tenant.
 
@@ -87,11 +87,11 @@ This use case demonstrates how a user can travel across regions and maintain the
 
 ![Screenshot shows the traveling user sign-in flow.](media/azure-ad-b2c-global-identity-design-considerations/traveling-user-account-signin.png)
 
-1. User from North America (NOAM) attempts to sign in at **myapp.fr** since there's a holiday in France. If the user isn't being sent to their local hostname, the traffic manager will enforce a redirect.
+1. A user from North America (NOAM) attempts to sign in at **myapp.fr** while they are on holiday in France. If the user isn't being sent to their local appication instance, the traffic manager will enforce a redirect.
 
-1. User reaches the global funnel Azure AD B2C tenant. This tenant is configured to redirect to a regional Azure AD B2C tenant based on some criteria using OpenId federation. This can be a lookup based on Application clientId.
+1. The user reaches the global funnel Azure AD B2C tenant. This tenant is configured to redirect to a regional Azure AD B2C tenant based on some criteria using OpenId federation. This can be a lookup based on Application clientId.
 
-1. User enters their credentials at the regional tenant.
+1. The user enters their credentials at the regional tenant.
 
 1. The regional tenant performs a lookup into the global lookup table, since the user’s email wasn't found in the EMEA Azure AD B2C directory.
 
@@ -111,9 +111,9 @@ This use case demonstrates how a user can reset their password when they are wit
 
 ![Screenshot shows the local user forgot password flow.](media/azure-ad-b2c-global-identity-design-considerations/local-user-forgot-password.png)
 
-1. User from EMEA attempts to sign in at **myapp.fr**. If the user isn't being sent to their local hostname, the traffic manager will enforce a redirect.
+1. A user from EMEA attempts to sign in at **myapp.fr**. If the user isn't being sent to their local appication instance, the traffic manager will enforce a redirect.
 
-1. User reaches the global funnel Azure AD B2C tenant. This tenant is configured to redirect to a regional Azure AD B2C tenant based on some criteria using OpenId federation. This can be a lookup based on application clientId.
+1. The user reaches the global funnel Azure AD B2C tenant. This tenant is configured to redirect to a regional Azure AD B2C tenant based on some criteria using OpenId federation. This can be a lookup based on application clientId.
 
 1. The user arrives at the EMEA Azure AD B2C tenant and selects **forgot password**. The user enters and verifies their email.
 
@@ -133,9 +133,9 @@ This use case demonstrates how a user can reset their password when they're trav
 
 ![Screenshot shows the traveling user forgot password flow.](media/azure-ad-b2c-global-identity-design-considerations/traveling-user-forgot-password.png)
 
-1. User from NOAM attempts to sign in at **myapp.fr** since they are on holiday in France. If the user isn't being sent to their local hostname, the traffic manager will enforce a redirect.
+1. A user from NOAM attempts to sign in at **myapp.fr** since they are on holiday in France. If the user isn't being sent to their local appication instance, the traffic manager will enforce a redirect.
 
-1. User reaches the global funnel Azure AD B2C tenant. This tenant is configured to redirect to a regional Azure AD B2C tenant based on some criteria using OpenId federation. This can be a lookup based on application clientId.
+1. The user reaches the global funnel Azure AD B2C tenant. This tenant is configured to redirect to a regional Azure AD B2C tenant based on some criteria using OpenId federation. This can be a lookup based on application clientId.
 
 1. The user arrives at the EMEA Azure AD B2C tenant and selects **forgot password**. The user enters and verifies their email.
 
@@ -155,9 +155,9 @@ This use case demonstrates how a user can change their password after they've lo
 
 ![Screenshot shows the local user password change flow.](media/azure-ad-b2c-global-identity-design-considerations/local-user-password-change.png)
 
-1. User from EMEA attempts selects **change password** after logging into **myapp.fr**.
+1. A user from EMEA attempts selects **change password** after logging into **myapp.fr**.
 
-1. User reaches the global funnel Azure AD B2C tenant. This tenant is configured to redirect to a regional Azure AD B2C tenant based on some criteria using OpenId federation. This can be a lookup based on application clientId.
+1. The user reaches the global funnel Azure AD B2C tenant. This tenant is configured to redirect to a regional Azure AD B2C tenant based on some criteria using OpenId federation. This can be a lookup based on application clientId.
 
 1. The user arrives at the EMEA Azure AD B2C tenant, and the  Single-Sign On (SSO) cookie set allows the user to change their password immediately.
 
@@ -173,9 +173,9 @@ This use case demonstrates how a user can change their password after they've lo
 
 ![Screenshot shows the flow for traveling user password change.](media/azure-ad-b2c-global-identity-design-considerations/traveling-user-password-change.png)
 
-1. User from NOAM attempts **change password** after logging into **myapp.fr**.
+1. A user from NOAM attempts **change password** after logging into **myapp.fr**.
 
-1. User reaches the global funnel Azure AD B2C tenant. This tenant is configured to redirect to a regional Azure AD B2C tenant based on some criteria using OpenId federation. This can be a lookup based on application clientId.
+1. The user reaches the global funnel Azure AD B2C tenant. This tenant is configured to redirect to a regional Azure AD B2C tenant based on some criteria using OpenId federation. This can be a lookup based on application clientId.
 
 1. The user arrives at the EMEA Azure AD B2C tenant, and the SSO cookie set allows the user to change their password immediately.
 
@@ -193,15 +193,15 @@ The following use cases show examples of using federated identities to sign up o
 
 ### Local federated ID sign-up
 
-This use case demonstrates how a user from their local region signs up to the service using a federated ID.
+This use case demonstrates how a user can sign up to the service from their local region using a federated ID.
 
 ![Screenshot shows the flow for federated ID sign-up.](media/azure-ad-b2c-global-identity-design-considerations/local-federated-id-signup.png)
 
-1. User from EMEA attempts to sign up at **myapp.fr**. If the user isn't being sent to their local hostname, the traffic manager will enforce a redirect.
+1. A user from EMEA attempts to sign up at **myapp.fr**. If the user isn't being sent to their local appication instance, the traffic manager will enforce a redirect.
 
-1. User reaches the global funnel Azure AD B2C tenant. This tenant is configured to redirect to a regional Azure AD B2C tenant based on some criteria using OpenId federation. This can be a lookup based on application clientId.
+1. The user reaches the global funnel Azure AD B2C tenant. This tenant is configured to redirect to a regional Azure AD B2C tenant based on some criteria using OpenId federation. This can be a lookup based on application clientId.
 
-1. User selects to sign in with a federated Identity Provider (IdP).
+1. The user selects to sign in with a federated Identity Provider (IdP).
 
 1. Perform a lookup into the global lookup table.
    * **If account linking is in scope**: Proceed if the federated IdP identifier nor the email that came back from the federated IdP doesn't exist in the lookup table.
@@ -220,11 +220,11 @@ This use case demonstrates how a user from their local region signs into the ser
 
 ![Screenshot shows the flow for local federated user sign-in.](media/azure-ad-b2c-global-identity-design-considerations/local-federated-signin.png)
 
-1. User from EMEA attempts to sign in at **myapp.fr**. If the user isn't being sent to their local hostname, the traffic manager will enforce a redirect.
+1. A user from EMEA attempts to sign in at **myapp.fr**. If the user isn't being sent to their local appication instance, the traffic manager will enforce a redirect.
 
-2. User reaches the global funnel Azure AD B2C tenant. This tenant is configured to redirect to a regional Azure AD B2C tenant based on some criteria using OpenId federation. This can be a lookup based on Application clientId.
+2. The user reaches the global funnel Azure AD B2C tenant. This tenant is configured to redirect to a regional Azure AD B2C tenant based on some criteria using OpenId federation. This can be a lookup based on Application clientId.
 
-3. User selects to sign in with a federated identity provider.
+3. The user selects to sign in with a federated identity provider.
 
 4. Perform a lookup into the global lookup table and confirm the user’s federated ID is registered in EMEA.
 
@@ -234,15 +234,15 @@ This use case demonstrates how a user from their local region signs into the ser
 
 ### Traveling federated user sign-in
 
-This use case demonstrates how a user located away from the region in which they signed up signs into the service using a federated IdP.
+This use case demonstrates how a user can sign into their account with a federated IdP, whilst located away from the region in which they signed up in.
 
 ![Screenshot shows the flow for traveling federated user sign-in.](media/azure-ad-b2c-global-identity-design-considerations/traveling-federated-user-signin.png)
 
-1. User from NOAM attempts to sign in at **myapp.fr**. If the user isn't being sent to their local hostname, the traffic manager will enforce a redirect.
+1. A user from NOAM attempts to sign in at **myapp.fr**. If the user isn't being sent to their local appication instance, the traffic manager will enforce a redirect.
 
-1. User reaches the global funnel Azure AD B2C tenant. This tenant is configured to redirect to a regional Azure AD B2C tenant based on some criteria using OpenId federation. This can be a lookup based on Application clientId.
+1. The user reaches the global funnel Azure AD B2C tenant. This tenant is configured to redirect to a regional Azure AD B2C tenant based on some criteria using OpenId federation. This can be a lookup based on Application clientId.
 
-1. User selects to sign in with a federated identity provider.
+1. The user selects to sign in with a federated identity provider.
 
     >[!NOTE]
    >Use the same App Id from the App Registration at the Social IdP across all Azure AD B2C regional tenants. This ensures that the ID coming back from the Social IdP is always the same.
@@ -257,15 +257,15 @@ This use case demonstrates how a user located away from the region in which they
 
 ### Account linking with matching criteria
 
-This use case demonstrates how users are able to perform account linking when matching criteria is satisfied. The matching criteria is typically the users email address.
+This use case demonstrates how users are able to perform account linking when matching criteria is satisfied. The matching criteria is typically the users email address. When the matching criteria of a sign in from a new identity provider has the same value for an existing account in Azure AD B2C, the account linking process can begin.
 
 ![Screenshot shows the flow to merge a federated account.](media/azure-ad-b2c-global-identity-design-considerations/local-federated-account-merge.png)
 
-1. User from EMEA attempts to sign in at **myapp.fr**. If the user isn't being sent to their local hostname, the traffic manager will enforce a redirect.
+1. A user from EMEA attempts to sign in at **myapp.fr**. If the user isn't being sent to their local appication instance, the traffic manager will enforce a redirect.
 
-1. User reaches the global funnel Azure AD B2C tenant. This tenant is configured to redirect to a regional Azure AD B2C tenant based on some criteria using OpenId federation. This can be a lookup based on Application clientId.
+1. The user reaches the global funnel Azure AD B2C tenant. This tenant is configured to redirect to a regional Azure AD B2C tenant based on some criteria using OpenId federation. This can be a lookup based on Application clientId.
 
-1. User selects to sign in with a federated identity provider/social IdP.
+1. The user selects to sign in with a federated identity provider/social IdP.
 
 1. A lookup is performed into the global lookup table for the ID returned from the federated IdP.
 
@@ -281,19 +281,19 @@ This use case demonstrates how users are able to perform account linking when ma
 
 ### Traveling user account linking with matching criteria
 
-This use case demonstrates how non-local users are able to perform account linking when matching criteria is satisfied. The matching criteria is typically the users email address.
+This use case demonstrates how non-local users are able to perform account linking when matching criteria is satisfied. The matching criteria is typically the users email address. When the matching criteria of a sign in from a new identity provider has the same value for an existing account in Azure AD B2C, the account linking process can begin.
 
 ![Screenshot shows the flow to merge traveling federated user.](media/azure-ad-b2c-global-identity-design-considerations/traveling-federated-user-merge-account.png)
 
-1. User from NOAM attempts to sign in at **myapp.fr**. If the user isn't being sent to their local hostname, the traffic manager will enforce a redirect.
+1. A user from NOAM attempts to sign in at **myapp.fr**. If the user isn't being sent to their local appication instance, the traffic manager will enforce a redirect.
 
-1. User reaches the Global Funnel Azure AD B2C tenant. This tenant is configured to redirect to a regional Azure AD B2C tenant based on some criteria using OpenId federation. This can be a lookup based on Application clientId.
+1. The user reaches the Global Funnel Azure AD B2C tenant. This tenant is configured to redirect to a regional Azure AD B2C tenant based on some criteria using OpenId federation. This can be a lookup based on Application clientId.
 
-1. User selects to sign in with a federated identity provider/social IdP.
+1. The user selects to sign in with a federated identity provider/social IdP.
 
 1. A lookup is performed into the global lookup table for the ID returned from the federated IdP.
 
-1. Where the ID doesn't exist, and the email from the federated IdP exists in another region -this is a traveling user account linking use case.
+1. Where the ID doesn't exist, and the email from the federated IdP exists in another region - this is a traveling user account linking use case.
 
 1. Create an id_token_hint link asserting the users currently collected claims. Bootstrap a journey into the NOAM Azure AD B2C tenant using federation. The user will prove that they own the account via the NOAM Azure AD B2C tenant.
    >[!NOTE]
