diff --git a/docs/external-id/customers/tutorial-configure-cloudflare-integration.md b/docs/external-id/customers/tutorial-configure-cloudflare-integration.md index 2391dd8f228..ee3c6e0a4fe 100644 --- a/docs/external-id/customers/tutorial-configure-cloudflare-integration.md +++ b/docs/external-id/customers/tutorial-configure-cloudflare-integration.md @@ -13,7 +13,7 @@ ms.custom: it-pro # Tutorial: Configure Cloudflare Web Application Firewall with Microsoft Entra External ID -In this tutorial, learn how to configure Cloudflare Web Applcation Firewall ([Cloudflare WAF](https://www.cloudflare.com/application-services/products/waf/)) to protect your organization from attacks, such as distributed denial of service (DDoS), malicious bots, Open Worldwide Application Security Project [(OWASP) Top-10](https://owasp.org/www-project-top-ten/) security risks, and others. +In this tutorial, learn how to configure Cloudflare Web Application Firewall ([Cloudflare WAF](https://www.cloudflare.com/application-services/products/waf/)) to protect your organization from attacks, such as distributed denial of service (DDoS), malicious bots, Open Worldwide Application Security Project [(OWASP) Top-10](https://owasp.org/www-project-top-ten/) security risks, and others. ## Prerequisites diff --git a/docs/global-secure-access/concept-universal-conditional-access.md b/docs/global-secure-access/concept-universal-conditional-access.md index 42ba9c4abba..95ecec00359 100644 --- a/docs/global-secure-access/concept-universal-conditional-access.md +++ b/docs/global-secure-access/concept-universal-conditional-access.md 
@@ -3,7 +3,7 @@ title: Learn about Universal Conditional Access through Global Secure Access description: Learn about how Microsoft Entra Internet Access and Microsoft Entra Private Access secures access to your resources through Conditional Access. ms.service: global-secure-access ms.topic: conceptual -ms.date: 05/09/2024 +ms.date: 11/05/2024 ms.author: kenwith author: kenwith manager: amycolannino @@ -33,8 +33,8 @@ One example is if you block access to the Internet access target resource on non ### Other known limitations -- Continuous access evaluation is not currently supported for Universal Conditional Access for Microsoft traffic. -- Applying Conditional Access policies to Private Access traffic is not currently supported. To model this behavior, you can apply a Conditional Access policy at the application level for Quick Access and Global Secure Access apps. For more information, see [Apply Conditional Access to Private Access apps](how-to-target-resource-private-access-apps.md). +- Continuous access evaluation isn't currently supported for Universal Conditional Access for Microsoft traffic. +- Applying Conditional Access policies to Private Access traffic isn't currently supported. To model this behavior, you can apply a Conditional Access policy at the application level for Quick Access and Global Secure Access apps. For more information, see [Apply Conditional Access to Private Access apps](how-to-target-resource-private-access-apps.md). - Microsoft traffic can be accessed through remote network connectivity without the Global Secure Access Client; however the Conditional Access policy isn't enforced. In other words, Conditional Access policies for the Global Secure Access Microsoft traffic are only enforced when a user has the Global Secure Access Client. 
@@ -46,6 +46,30 @@ With Conditional Access, you can enable access controls and security policies fo - Apply Conditional Access policies to your [Private Access apps](how-to-target-resource-private-access-apps.md), such as Quick Access. - Enable [Global Secure Access signaling in Conditional Access](how-to-source-ip-restoration.md) so the source IP address is visible in the appropriate logs and reports. +## Internet Access – Universal Conditional Access + +The following example demonstrates how Microsoft Entra Internet Access works when you apply Universal Conditional Access policies to network traffic. + +> [!NOTE] +> Microsoft's Security Service Edge solution comprises three tunnels: Microsoft traffic, Internet Access, and Private Access. Universal Conditional Access applies to the Internet Access and Microsoft traffic tunnels. There isn't support to target the Private Access tunnel. You must individually target Private Access Enterprise Applications. + +The following flow diagram illustrates Universal Conditional Access targeting internet resources and Microsoft apps with Global Secure Access. + +:::image type="content" source="media/concept-universal-conditional-access/internet-access-universal-conditional-access-inline.png" alt-text="Diagram shows flow for Universal Conditional Access when targeting internet resources with Global Secure Access and Microsoft apps with Global Secure Access." lightbox="media/concept-universal-conditional-access/internet-access-universal-conditional-access-expanded.png"::: + +|Step|Description| +|-----|-----| +|1|The Global Secure Access client attempts to connect to Microsoft's Security Service Edge solution.| +|2|The client redirects to Microsoft Entra ID for authentication and authorization.| +|3|The user and the device authenticate. Authentication happens seamlessly when the user has a valid Primary Refresh Token.| +|4|After the user and device authenticate, Universal Conditional Access policy enforcement occurs. 
Universal Conditional Access policies target the established Microsoft and internet tunnels between the Global Secure Access client and Microsoft Security Service Edge.| +|5|Microsoft Entra ID issues the access token for the Global Secure Access client.| +|6|The Global Secure Access client presents the access token to Microsoft Security Service Edge. The token validates.| +|7|Tunnels establish between the Global Secure Access client and Microsoft Security Service Edge.| +|8|Traffic starts being acquired and tunneled to the destination via the Microsoft and Internet Access tunnels.| + +> [!NOTE] +> Target Microsoft apps with Global Secure Access to protect the connection between Microsoft Security Service Edge and the Global Secure Access client. To ensure that users can't bypass the Microsoft Security Service Edge service, create a Conditional Access policy that requires compliant network for your Microsoft 365 Enterprise applications. ## User experience diff --git a/docs/global-secure-access/how-to-configure-web-content-filtering.md b/docs/global-secure-access/how-to-configure-web-content-filtering.md index 81b810e53ac..6aa57162148 100644 --- a/docs/global-secure-access/how-to-configure-web-content-filtering.md +++ b/docs/global-secure-access/how-to-configure-web-content-filtering.md @@ -5,7 +5,7 @@ author: kenwith ms.author: kenwith manager: amycolannino ms.topic: how-to -ms.date: 09/25/2024 +ms.date: 11/05/2024 ms.service: global-secure-access ms.subservice: entra-internet-access ms.reviewer: frankgomulka 
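Review bot: in the new flow table added to concept-universal-conditional-access.md, step 4 says Universal Conditional Access policies target "the established Microsoft and internet tunnels", but the table itself has the tunnels establishing only at step 7, after the token is issued in step 5 and validated in step 6. Reword step 4 to describe what is actually evaluated at that point, for example: "Universal Conditional Access policies for the Microsoft traffic and Internet Access profiles are evaluated before the token is issued; they govern the tunnels that are established in step 7." Step 6's "The token validates." also leaves the actor implicit; "Microsoft Security Service Edge validates the token." is clearer and matches the active voice used in the rest of the table.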
@@ -93,6 +93,31 @@ Create a Conditional Access policy for end users or groups and deliver your secu 1. In the **Enable policy** section, ensure **On** is selected. 1. Select **Create**. +## Internet Access – web content filtering + +This example demonstrates the flow of Microsoft Entra Internet Access traffic when you apply web content filtering policies. + +The following flow diagram illustrates web content filtering policies blocking or allowing access to internet resources. + +:::image type="content" source="media/how-to-configure-web-content-filtering/internet-access-web-content-filtering-inline.png" alt-text="Diagram shows flow for web content filtering policies blocking or allowing access to internet resources." lightbox="media/how-to-configure-web-content-filtering/internet-access-web-content-filtering-expanded.png"::: + +|Step|Description| +|-----|-----| +|1|The Global Secure Access client attempts to connect to Microsoft's Security Service Edge solution.| +|2|The client redirects to Microsoft Entra ID for authentication and authorization.| +|3|The user and device authenticate. Authentication happens seamlessly when the user has a valid Primary Refresh Token (PRT).| +|4|After the user and device authenticate, Conditional Access (CA) matches on Internet Access CA rules and adds applicable security profiles to the token. It enforces applicable authorization policies.| +|5|Microsoft Entra ID presents the token to Microsoft Security Service Edge for validation.| +|6|The tunnel establishes between the Global Secure Access client and Microsoft Security Service Edge.| +|7|Traffic starts being acquired and tunnels through the Internet Access tunnel.| +|8|Microsoft Security Service Edge evaluates the security policies in the access token in priority order. 
After it matches on a web content filtering rule, web content filtering policy evaluation stops.| +|9|Microsoft Security Service Edge enforces the security policies.| +|10|Policy = block results in an error for HTTP traffic or a connection reset exception occurs for HTTPS traffic.| +|11|Policy = allow results in traffic forwarding to the destination.| + +> [!NOTE] +> Applying a new security profile can take up to 60-90 minutes due to security profile enforcement with access tokens. The user must receive a new access token with the new security profile ID as a claim before it takes effect. Changes to existing security profiles start being enforced much more quickly. + ## User and group assignments You can scope the Internet Access profile to specific users and groups. To learn more about user and group assignment, see [How to assign and manage users and groups with traffic forwarding profiles](how-to-manage-users-groups-assignment.md). diff --git a/docs/global-secure-access/media/concept-universal-conditional-access/internet-access-universal-conditional-access-expanded.png b/docs/global-secure-access/media/concept-universal-conditional-access/internet-access-universal-conditional-access-expanded.png new file mode 100644 index 00000000000..c57d5f2ff0c Binary files /dev/null and b/docs/global-secure-access/media/concept-universal-conditional-access/internet-access-universal-conditional-access-expanded.png differ diff --git a/docs/global-secure-access/media/concept-universal-conditional-access/internet-access-universal-conditional-access-inline.png b/docs/global-secure-access/media/concept-universal-conditional-access/internet-access-universal-conditional-access-inline.png new file mode 100644 index 00000000000..993235f8b75 Binary files /dev/null and b/docs/global-secure-access/media/concept-universal-conditional-access/internet-access-universal-conditional-access-inline.png differ 
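Review bot: step 5 of the web content filtering flow table ("Microsoft Entra ID presents the token to Microsoft Security Service Edge for validation") contradicts the parallel table this same PR adds to concept-universal-conditional-access.md, where the Global Secure Access client presents the access token (step 6 there). The client, not the identity provider, carries the token to the service, so align this step with that wording: "The Global Secure Access client presents the access token to Microsoft Security Service Edge, which validates it." Two smaller points in the same hunk: step 8 says Security Service Edge evaluates "the security policies in the access token", while the NOTE at the end explains that the token carries the security profile ID as a claim, so "the security profiles referenced in the access token" keeps the terminology consistent; and step 10 mixes two constructions in one sentence, so something like "Policy = block returns an error for HTTP traffic and resets the connection for HTTPS traffic." reads better.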
diff --git a/docs/global-secure-access/media/how-to-configure-web-content-filtering/internet-access-web-content-filtering-expanded.png b/docs/global-secure-access/media/how-to-configure-web-content-filtering/internet-access-web-content-filtering-expanded.png new file mode 100644 index 00000000000..604b55d537d Binary files /dev/null and b/docs/global-secure-access/media/how-to-configure-web-content-filtering/internet-access-web-content-filtering-expanded.png differ diff --git a/docs/global-secure-access/media/how-to-configure-web-content-filtering/internet-access-web-content-filtering-inline.png b/docs/global-secure-access/media/how-to-configure-web-content-filtering/internet-access-web-content-filtering-inline.png new file mode 100644 index 00000000000..b01d92b11ab Binary files /dev/null and b/docs/global-secure-access/media/how-to-configure-web-content-filtering/internet-access-web-content-filtering-inline.png differ diff --git a/docs/identity-platform/includes/registration/quickstart-register-app.md b/docs/identity-platform/includes/registration/quickstart-register-app.md index 41c028c5797..96b5eb346a6 100644 --- a/docs/identity-platform/includes/registration/quickstart-register-app.md +++ b/docs/identity-platform/includes/registration/quickstart-register-app.md 
@@ -120,7 +120,7 @@ Sometimes called a *public key*, a certificate is the recommended credential typ ### [Add a client secret](#tab/client-secret) -Sometimes called an *application password*, a client secret is a string value your app can use in place of a certificate to identity itself. +Sometimes called an *application password*, a client secret is a string value your app can use in place of a certificate to identify itself. Client secrets are considered less secure than certificate credentials. Application developers sometimes use client secrets during local app development because of their ease of use. However, you should use certificate credentials for any of your applications that are running in production. diff --git a/docs/identity/authentication/TOC.yml b/docs/identity/authentication/TOC.yml index df9defd78fe..dc37686027c 100644 --- a/docs/identity/authentication/TOC.yml +++ b/docs/identity/authentication/TOC.yml @@ -26,6 +26,9 @@ items: - name: Authentication methods items: + - name: Accessibility + href: ./accessibility/authentication-methods-accessibility.md + displayName: Accessibility, Special People, MFA Accessibility - name: Overview href: concept-authentication-methods.md - name: Manage diff --git a/docs/identity/authentication/accessibility/authentication-methods-accessibility.md b/docs/identity/authentication/accessibility/authentication-methods-accessibility.md new file mode 100644 index 00000000000..17198acad8f --- /dev/null +++ b/docs/identity/authentication/accessibility/authentication-methods-accessibility.md 
@@ -0,0 +1,61 @@ +--- +title: Enhance accessibility with multifactor authentication in Microsoft Entra ID +description: Explains authentication Methods Accessibility +author: gdaluz1 # GitHub alias +ms.author: justinha +ms.service: entra-id +ms.topic: article +ms.date: 11/05/2024 +ms.subservice: authentication +--- +# Improve accessibility with multifactor authentication in Microsoft Entra ID + +As cybersecurity threats evolve, multifactor authentication (MFA) has become a cornerstone of secure digital identity. Microsoft Entra ID offers a range of MFA methods designed not only for robust security but also to cater to diverse user needs, including those with accessibility constraints. Here's a closer look at how these MFA options enhance accessibility and inclusivity. + +## Microsoft Authenticator + +The Microsoft Authenticator app provides either notifications for quick approval or generates time-based codes for more traditional MFA entry. This app is compatible with various assistive technologies, including screen readers, making it accessible for users with visual impairments. It also offers flexibility for individuals who prefer not to rely solely on SMS or voice calls. + +[Download Microsoft Authenticator](https://www.microsoft.com/security/mobile-authenticator-app?msockid=04750fac1789618938f71b4a16ee6056). + +## Text and voice calls + +Text and voice call options cater to those who may not use a smartphone app. This can be particularly beneficial for individuals with certain accessibility needs: + +- **Text:** Allows users to receive a verification code via text message, which can be useful for those with hearing impairments or those who prefer text-based communication. + +- **Voice calls:** Voice calls are a great option for users with visual impairments, as they provide audio cues rather than visual or tactile ones. + +For more information, see [Phone authentication methods](/entra/identity/authentication/concept-authentication-phone-options). 
+ +## FIDO2 security keys + +FIDO2 security keys are physical devices that offer a highly accessible and secure MFA option. These hardware keys support biometric authentication (such as fingerprint scans) or PINs, making them ideal for users who may find traditional passwords or other authentication methods challenging. FIDO2 keys are particularly beneficial for users with physical disabilities who may have difficulty typing complex passwords. + +For more information, see [How to register passkey (FIDO2)](/entra/identity/authentication/how-to-register-passkey-with-security-key). + +## Windows Hello for Business + +Windows Hello for Business leverages biometric authentication (facial recognition or fingerprint) and PINs, offering a quick, secure, and accessible MFA option. This method eliminates the need for password input, which can be challenging for users with physical or cognitive disabilities. Biometric authentication allows for seamless access while maintaining strong security. + +For more information, see [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/policy-settings?tabs=feature). + +## Email verification + +While not as secure as other MFA methods, email verification can be useful in certain accessibility scenarios, providing a fallback option. For users who experience difficulty with text, voice, or app-based authentication, email can offer a familiar and easily accessible alternative. + +References: + +- [Available verification methods](/entra/identity/authentication/concept-mfa-howitworks) +- [How to enable MFA](/entra/identity/authentication/tutorial-enable-azure-mfa) + +## Conclusion + +Microsoft Entra ID's range of MFA options enables individuals with diverse needs to access secure authentication without compromising on usability. 
By offering various options like the Authenticator app, SMS and voice calls, FIDO2 keys, Windows Hello, and email verification, Microsoft Entra ID ensures that security measures remain accessible and inclusive for all users. + +Selecting the right MFA method depends on individual needs and constraints. Microsoft’s commitment to flexible and inclusive authentication helps everyone stay secure, regardless of their physical or technological limitations. For those with specific accessibility requirements, it’s worth exploring each MFA option to find the one that aligns best with personal preferences and usability needs. + +## Related content + +- [Available verification methods](/entra/identity/authentication/concept-mfa-howitworks) +- [How to enable MFA](/entra/identity/authentication/tutorial-enable-azure-mfa) diff --git a/docs/includes/entra-service-limits-include.md b/docs/includes/entra-service-limits-include.md index 98890c4b96d..a9d05476aca 100644 --- a/docs/includes/entra-service-limits-include.md +++ b/docs/includes/entra-service-limits-include.md @@ -17,7 +17,7 @@ Here are the usage constraints and other service limits for the Microsoft Entra | Domains |
  • You can add no more than 5,000 managed domain names.
  • If you set up all of your domains for federation with on-premises Active Directory, you can add no more than 2,500 domain names in each tenant. | |Resources | | | Schema extensions | | -| Applications | | +| Applications | | |Application manifest |A maximum of 1,200 entries can be added to the application manifest.
    See additional limits in [Validation differences by supported account types](~/identity-platform/supported-accounts-validation.md). | | Groups |
    At this time, the following scenarios are supported with nested groups:
    The following scenarios are *not* supported with nested groups: | | Application Proxy |
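Review bot: the displayName "Accessibility, Special People, MFA Accessibility" added to docs/identity/authentication/TOC.yml uses "Special People" as a search keyword; that is not an accessibility term and reads as condescending in an article meant for users of assistive technology. Replace it with terms readers would actually search for, such as "assistive technology, screen reader, MFA accessibility". The new entry is also inserted above "Overview" in the Authentication methods node; an accessibility article normally sits after the overview rather than first.

Review bot: the front matter of the new authentication-methods-accessibility.md ships with the template comment still attached (`author: gdaluz1 # GitHub alias`) and a description with stray capitals ("Explains authentication Methods Accessibility"); drop the comment and fix the casing. Further down: the Microsoft Authenticator download link carries a `?msockid=...` tracking parameter that should be stripped from a docs link; the "References:" list under Email verification repeats the "Related content" list verbatim, so keep only one; and the Email verification section should say which scenarios email is actually offered for, so confirm against the linked "Available verification methods" page whether email one-time passcode is an MFA method for member users or only a self-service password reset and guest sign-in option, and qualify "While not as secure as other MFA methods" accordingly. The Windows Hello for Business link also points at the policy-settings page rather than an overview, which is an odd first landing for readers of an accessibility article.

Review bot: the `-| Applications | |` / `+| Applications | |` pair in docs/includes/entra-service-limits-include.md shows no visible change, so this is presumably a trailing-whitespace or invisible-character cleanup; say so in the commit message, or drop the hunk if it's unintentional, since reviewers otherwise have to compare the two lines byte by byte to find out what changed.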