[APIM] Update to Entra auth to dev portal

Author: dlepow

articles/api-management/api-management-howto-aad.md

@@ -6,7 +6,7 @@ description: Learn how to enable user sign-in to the API Management developer po
 author: dlepow
 ms.service: azure-api-management
 ms.topic: article
-ms.date: 12/08/2023
+ms.date: 09/18/2024
 ms.author: danlep
 ms.custom: engagement-fy23, devx-track-azurecli
 ---
@@ -76,14 +76,7 @@ After the Microsoft Entra provider is enabled:
 1. Save the **Redirect URL** for later.
 
     :::image type="content" source="media/api-management-howto-aad/api-management-with-aad001.png" alt-text="Screenshot of adding identity provider in Azure portal.":::
-
-    > [!NOTE]
-    > There are two redirect URLs:<br/>
-    > * **Redirect URL** points to the latest developer portal of the API Management.
-    > * **Redirect URL (deprecated portal)** points to the deprecated developer portal of API Management.
-    >
-    > We recommended you use the latest developer portal Redirect URL.
-   
+  
 1. In your browser, open the Azure portal in a new tab. 
 1. Navigate to [App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) to register an app in Active Directory.
 1. Select **New registration**. On the **Register an application** page, set the values as follows:
@@ -104,9 +97,6 @@ After the Microsoft Entra provider is enabled:
     * Select any option for **Expires**.
     * Choose **Add**. 
 1. Copy the client **Secret value** before leaving the page. You will need it later. 
-1. Under **Manage** in the side menu, select **Authentication**.
-    1. Under the **Implicit grant and hybrid flows** section, select the **ID tokens** checkbox.
-    1. Select **Save**.
 1. Under **Manage** in the side menu, select **Token configuration** > **+ Add optional claim**.
     1. In **Token type**, select **ID**.
     1. Select (check) the following claims: **email**, **family_name**, **given_name**.
@@ -121,8 +111,8 @@ After the Microsoft Entra provider is enabled:
     * You can separate multiple domains with newlines, spaces, or commas.
 
     > [!NOTE]
-    > You can specify multiple domains in the **Allowed Tenants** section. A global administration must grant the application access to directory data before users can sign in from a different domain than the original app registration domain. To grant permission, the global administrator should:
-    > 1. Go to `https://<URL of your developer portal>/aadadminconsent` (for example, `https://contoso.portal.azure-api.net/aadadminconsent`).
+    > You can specify multiple domains in the **Allowed Tenants** section. A global administrator must grant the application access to directory data before users can sign in from a different domain than the original app registration domain. To grant permission, the global administrator should:
+    > 1. Go to `https://<URL of your developer portal>/aadadminconsent` (for example, `https://contoso.developer.azure-api.net/aadadminconsent`).
     > 1. Enter the domain name of the Microsoft Entra tenant to which they want to grant access.
     > 1. Select **Submit**. 
 
@@ -160,7 +150,7 @@ For steps, see [Switch redirect URIs to the single-page application type](../act
 ## Add an external Microsoft Entra group
 
 Now that you've enabled access for users in a Microsoft Entra tenant, you can:
-* Add Microsoft Entra groups into API Management. 
+* Add Microsoft Entra groups into API Management. Groups added must be in the tenant where your API Management instance is deployed.
 * Control product visibility using Microsoft Entra groups.
 
 1. Navigate to the App Registration page for the application you registered in [the previous section](#enable-user-sign-in-using-azure-ad---portal).