MicrosoftDocs
diff --git a/‎articles/active-directory/app-proxy/application-proxy-application-gateway-waf.md
Lines changed: 9 additions & 10 deletions b/‎articles/active-directory/app-proxy/application-proxy-application-gateway-waf.md
Lines changed: 9 additions & 10 deletions
diff --git a/‎articles/active-directory/external-identities/cross-tenant-access-settings-b2b-collaboration.md
Lines changed: 2 additions & 2 deletions b/‎articles/active-directory/external-identities/cross-tenant-access-settings-b2b-collaboration.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/active-directory/fundamentals/5-secure-access-b2b.md
Lines changed: 2 additions & 2 deletions b/‎articles/active-directory/fundamentals/5-secure-access-b2b.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/active-directory/fundamentals/road-to-the-cloud-migrate.md
Lines changed: 2 additions & 2 deletions b/‎articles/active-directory/fundamentals/road-to-the-cloud-migrate.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/active-directory/fundamentals/secure-with-azure-ad-best-practices.md
Lines changed: 6 additions & 6 deletions b/‎articles/active-directory/fundamentals/secure-with-azure-ad-best-practices.md
Lines changed: 6 additions & 6 deletions
@@ -71,7 +71,7 @@ To ensure the connector VMs send requests to the Application Gateway, an [Azure
 
 ### Test the application.
 
-After [adding a user for testing](/azure/active-directory/app-proxy/application-proxy-add-on-premises-application#add-a-user-for-testing), you can test the application by accessing https://www.fabrikam.one. The user will be prompted to authenticate in Azure AD, and upon successful authentication, will access the application. 
+After [adding a user for testing](./application-proxy-add-on-premises-application.md#add-a-user-for-testing), you can test the application by accessing https://www.fabrikam.one. The user will be prompted to authenticate in Azure AD, and upon successful authentication, will access the application. 
 
 ![Screenshot of authentication step.](./media/application-proxy-waf/sign-in-2.png)
 ![Screenshot of server response.](./media/application-proxy-waf/application-gateway-response.png)
@@ -90,13 +90,12 @@ The Application Gateway [Firewall logs][waf-logs] provide more details about the
 
 ## Next steps
 
-To prevent false positives, learn how to [Customize Web Application Firewall rules](/azure/web-application-firewall/ag/application-gateway-customize-waf-rules-portal), configure [Web Application Firewall exclusion lists](/azure/web-application-firewall/ag/application-gateway-waf-configuration?tabs=portal), or [Web Application Firewall custom rules](/azure/web-application-firewall/ag/create-custom-waf-rules).
-
-[waf-overview]: /azure/web-application-firewall/ag/ag-overview 
-[appgw_quick]: /azure/application-gateway/quick-create-portal
-[appproxy-add-app]: /azure/active-directory/app-proxy/application-proxy-add-on-premises-application
-[appproxy-optimize]: /azure/active-directory/app-proxy/application-proxy-network-topology
-[appproxy-custom-domain]: /azure/active-directory/app-proxy/application-proxy-configure-custom-domain
-[private-dns]: /azure/dns/private-dns-getstarted-portal
-[waf-logs]: /azure/application-gateway/application-gateway-diagnostics#firewall-log
+To prevent false positives, learn how to [Customize Web Application Firewall rules](../../web-application-firewall/ag/application-gateway-customize-waf-rules-portal.md), configure [Web Application Firewall exclusion lists](../../web-application-firewall/ag/application-gateway-waf-configuration.md?tabs=portal), or [Web Application Firewall custom rules](../../web-application-firewall/ag/create-custom-waf-rules.md).
 
+[waf-overview]: ../../web-application-firewall/ag/ag-overview.md
+[appgw_quick]: ../../application-gateway/quick-create-portal.md
+[appproxy-add-app]: ./application-proxy-add-on-premises-application.md
+[appproxy-optimize]: ./application-proxy-network-topology.md
+[appproxy-custom-domain]: ./application-proxy-configure-custom-domain.md
+[private-dns]: ../../dns/private-dns-getstarted-portal.md
+[waf-logs]: ../../application-gateway/application-gateway-diagnostics.md#firewall-log
@@ -232,7 +232,7 @@ With outbound settings, you select which of your users and groups will be able t
    - When you're done selecting the users and groups you want to add, choose **Select**.
 
    > [!NOTE]
-   > When targeting your users and groups, you won't be able to select users who have configured [SMS-based authentication](/azure/active-directory/authentication/howto-authentication-sms-signin). This is because users who have a "federated credential" on their user object are blocked to prevent external users from being added to outbound access settings. As a workaround, you can use the [Microsoft Graph API](/graph/api/resources/crosstenantaccesspolicy-overview?view=graph-rest-1.0) to add the user's object ID directly or target a group the user belongs to.
+   > When targeting your users and groups, you won't be able to select users who have configured [SMS-based authentication](../authentication/howto-authentication-sms-signin.md). This is because users who have a "federated credential" on their user object are blocked to prevent external users from being added to outbound access settings. As a workaround, you can use the [Microsoft Graph API](/graph/api/resources/crosstenantaccesspolicy-overview?view=graph-rest-1.0) to add the user's object ID directly or target a group the user belongs to.
 
 1. Select the **External applications** tab.
 
@@ -281,4 +281,4 @@ When you remove an organization from your Organizational settings, the default c
 ## Next steps
 
 - See [Configure external collaboration settings](external-collaboration-settings-configure.md) for B2B collaboration with non-Azure AD identities, social identities, and non-IT managed external accounts.
-- [Configure cross-tenant access settings for B2B direct connect](cross-tenant-access-settings-b2b-direct-connect.md)
+- [Configure cross-tenant access settings for B2B direct connect](cross-tenant-access-settings-b2b-direct-connect.md)
@@ -84,7 +84,7 @@ Some organizations use a list of known ‘bad actor’ domains provided by their
 
 You can control both inbound and outbound access using Cross Tenant Access Settings. In addition, you can trust MFA, Compliant device, and hybrid Azure Active Directory joined device (HAADJ) claims from all or a subset of external Azure AD tenants. When you configure an organization specific policy, it applies to the entire Azure AD tenant and will cover all users from that tenant regardless of the user’s domain suffix. 
 
-You can enable collaboration across Microsoft clouds such as Microsoft Azure China 21Vianet or Microsoft Azure Government with additional configuration. Determine if any of your collaboration partners reside in a different Microsoft cloud. If so, you should [enable collaboration with these partners using Cross Tenant Access Settings](/azure/active-directory/external-identities/cross-cloud-settings).
+You can enable collaboration across Microsoft clouds such as Microsoft Azure China 21Vianet or Microsoft Azure Government with additional configuration. Determine if any of your collaboration partners reside in a different Microsoft cloud. If so, you should [enable collaboration with these partners using Cross Tenant Access Settings](../external-identities/cross-cloud-settings.md).
 
 If you wish to allow inbound access to only specific tenants (allowlist), you can set the default policy to block access and then create organization policies to granularly allow access on a per user, group, and application basis.
 
@@ -256,4 +256,4 @@ See the following articles on securing external access to resources. We recommen
 
 8. [Secure access with Sensitivity labels](8-secure-access-sensitivity-labels.md)
 
-9. [Secure access to Microsoft Teams, OneDrive, and SharePoint](9-secure-access-teams-sharepoint.md)
+9. [Secure access to Microsoft Teams, OneDrive, and SharePoint](9-secure-access-teams-sharepoint.md)
@@ -128,7 +128,7 @@ This project has two primary initiatives. The first is to plan and implement a V
 
 For more information, see:
 
-* [Deploy Azure AD joined VMs in Azure Virtual Desktop - Azure](/azure/virtual-desktop/deploy-azure-ad-joined-vm)
+* [Deploy Azure AD joined VMs in Azure Virtual Desktop - Azure](../../virtual-desktop/deploy-azure-ad-joined-vm.md)
 
 * [Windows 365 planning guide](/windows-365/enterprise/planning-guide)
 
@@ -331,4 +331,4 @@ Azure AD Domain Services allows you to migrate application servers to the cloud
 
 [Establish an Azure AD footprint](road-to-the-cloud-establish.md)
 
-[Implement a cloud-first approach](road-to-the-cloud-implement.md)
+[Implement a cloud-first approach](road-to-the-cloud-implement.md)
@@ -30,7 +30,7 @@ When designing isolated environments, it's important to consider the following p
 
 * **Use only modern authentication** - Applications deployed in isolated environments must use claims-based modern authentication (for example, SAML, * Auth, OAuth2, and OpenID Connect) to use capabilities such as federation, Azure AD B2B collaboration, delegation, and the consent framework. This way, legacy applications that have dependency on legacy authentication methods such as NT LAN Manager (NTLM) won't carry forward in isolated environments.
 
-* **Enforce strong authentication** - Strong authentication must always be used when accessing the isolated environment services and infrastructure. Whenever possible, [passwordless authentication](/azure/active-directory/authentication/concept-authentication-passwordless) such as [Windows for Business Hello](/windows/security/identity-protection/hello-for-business/hello-overview) or a [FIDO2 security keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)) should be used.
+* **Enforce strong authentication** - Strong authentication must always be used when accessing the isolated environment services and infrastructure. Whenever possible, [passwordless authentication](../authentication/concept-authentication-passwordless.md) such as [Windows for Business Hello](/windows/security/identity-protection/hello-for-business/hello-overview) or a [FIDO2 security keys](../authentication/howto-authentication-passwordless-security-key.md)) should be used.
 
 * **Deploy secure workstations** - [Secure workstations](/security/compass/privileged-access-devices) provide the mechanism to ensure that the platform and the identity that platform represents is properly attested and secured against exploitation. Two other approaches to consider are:
 
@@ -73,7 +73,7 @@ Provision [emergency access accounts](../roles/security-emergency-access.md) for
 
 Use [Azure managed identities](../managed-identities-azure-resources/overview.md) for Azure resources that require a service identity. Check the [list of services that support managed identities](../managed-identities-azure-resources/managed-identities-status.md) when designing your Azure solutions.
 
-If managed identities aren't supported or not possible, consider [provisioning service principal objects](/azure/active-directory/develop/app-objects-and-service-principals).
+If managed identities aren't supported or not possible, consider [provisioning service principal objects](../develop/app-objects-and-service-principals.md).
 
 ### Hybrid service accounts
 
@@ -142,7 +142,7 @@ Below are some specific recommendations for Azure solutions. For general guidanc
 
 * Define Conditional Access policies for [security information registration](../conditional-access/howto-conditional-access-policy-registration.md) that reflects a secure root of trust process on-premises (for example, for workstations in physical locations, identifiable by IP addresses, that employees must visit in person for verification).
 
-* Consider managing Conditional Access policies at scale with automation using [MS Graph CA API](/azure/active-directory/conditional-access/howto-conditional-access-apis)). For example, you can use the API to configure, manage, and monitor CA policies consistently across tenants.
+* Consider managing Conditional Access policies at scale with automation using [MS Graph CA API](../conditional-access/howto-conditional-access-apis.md)). For example, you can use the API to configure, manage, and monitor CA policies consistently across tenants.
 
 * Consider using Conditional Access to restrict workload identities. Create a policy to limit or better control access based on location or other relevant circumstances.
 
@@ -276,7 +276,7 @@ Below are some considerations when designing a governed subscription lifecycle p
 
 ## Operations
 
-The following are additional operational considerations for Azure AD, specific to multiple isolated environments. Check the [Azure Cloud Adoption Framework](/azure/cloud-adoption-framework/manage/), [Azure Security Benchmark](/security/benchmark/azure/) and [Azure AD Operations guide](/azure/active-directory/fundamentals/active-directory-ops-guide-ops) for detailed guidance to operate individual environments.
+The following are additional operational considerations for Azure AD, specific to multiple isolated environments. Check the [Azure Cloud Adoption Framework](/azure/cloud-adoption-framework/manage/), [Azure Security Benchmark](/security/benchmark/azure/) and [Azure AD Operations guide](./active-directory-ops-guide-ops.md) for detailed guidance to operate individual environments.
 
 ### Cross-environment roles and responsibilities
 
@@ -417,7 +417,7 @@ The following scenarios must be explicitly monitored and investigated:
 
   * Assignment to Azure resources using dedicated accounts for MCA billing tasks.
 
-* **Privileged role activity** - Configure and review security [alerts generated by Azure AD PIM](/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts). If locking down direct RBAC assignments isn't fully enforceable with technical controls (for example, Owner role has to be granted to product teams to do their job), then monitor direct assignment of privileged roles outside PIM by generating alerts whenever a user is assigned directly to access the subscription with Azure RBAC.
+* **Privileged role activity** - Configure and review security [alerts generated by Azure AD PIM](../privileged-identity-management/pim-how-to-configure-security-alerts.md). If locking down direct RBAC assignments isn't fully enforceable with technical controls (for example, Owner role has to be granted to product teams to do their job), then monitor direct assignment of privileged roles outside PIM by generating alerts whenever a user is assigned directly to access the subscription with Azure RBAC.
 
 * **Classic role assignments** - Organizations should use the modern Azure RBAC role infrastructure instead of the classic roles. As a result, the following events should be monitored:
 
@@ -507,4 +507,4 @@ Similarly, Azure Monitor can be integrated with ITSM systems through the [IT Ser
 
 * [Resource isolation in a single tenant](secure-with-azure-ad-single-tenant.md)
 
-* [Resource isolation with multiple tenants](secure-with-azure-ad-multiple-tenants.md)
+* [Resource isolation with multiple tenants](secure-with-azure-ad-multiple-tenants.md)