diff --git a/aspnetcore/includes/disableVer6.md b/aspnetcore/includes/disableVer6.md
index e83813a37f52..7aebf53dd78c 100644
--- a/aspnetcore/includes/disableVer6.md
+++ b/aspnetcore/includes/disableVer6.md
@@ -1,12 +1,16 @@
-<a name="ddav"></a>
-### Disable default account verification when Account.RegisterConfirmation has been scaffolded
+### Disable default account verification when Account.RegisterConfirmation is scaffolded
 
-This section only applies when `Account.RegisterConfirmation` is scaffolded. Skip this section if you have not scaffolded `Account.RegisterConfirmation`.
+If `Account.RegisterConfirmation` is scaffolded, complete the instructions in this section.
 
-The user is redirected to the `Account.RegisterConfirmation` where they can select a link to have the account confirmed. The default `Account.RegisterConfirmation` is used ***only*** for testing, automatic account verification should be disabled in a production app.
+> [!IMPORTANT]
+> If `Account.RegisterConfirmation` is **not** scaffolded, skip the following instructions and continue to the next section.
 
-To require a confirmed account and prevent immediate login at registration, set `DisplayConfirmAccountLink = false` in the scaffolded `/Areas/Identity/Pages/Account/RegisterConfirmation.cshtml.cs` file:
+The user is redirected to the `/Identity/Account/RegisterConfirmation` page where they can select a link to have the account confirmed. The default `Account.RegisterConfirmation` is used ***only*** for testing. Automatic account verification should be disabled in a production app.
+
+To require a confirmed account and prevent immediate sign in at registration, set `DisplayConfirmAccountLink = false` in the scaffolded _/Areas/Identity/Pages/Account/RegisterConfirmation.cshtml.cs_ file:
 
 [!code-csharp[](~/security/authentication/accconfirm/sample/RegisterConfirmation.cshtml.cs?highlight=63)]
 
-This step is only necessary when `Account.RegisterConfirmation` is scaffolded. The non-scaffolded [RegisterConfirmation](https://github.com/dotnet/aspnetcore/blob/1dcf7acfacf0fe154adcc23270cb0da11ff44ace/src/Identity/UI/src/Areas/Identity/Pages/V4/Account/RegisterConfirmation.cshtml.cs#L74-L87) automatically detects when an [IEmailSender](https://github.com/dotnet/aspnetcore/blob/1dcf7acfacf0fe154adcc23270cb0da11ff44ace/src/Identity/UI/src/Areas/Identity/Services/EmailSender.cs) has been implemented and registered with the [dependency injection container](xref:fundamentals/dependency-injection).
+This step is necessary only when `Account.RegisterConfirmation` is scaffolded.
+
+The non-scaffolded [RegisterConfirmation](https://github.com/dotnet/aspnetcore/blob/1dcf7acfacf0fe154adcc23270cb0da11ff44ace/src/Identity/UI/src/Areas/Identity/Pages/V4/Account/RegisterConfirmation.cshtml.cs#L74-L87) automatically detects when an [IEmailSender](https://github.com/dotnet/aspnetcore/blob/1dcf7acfacf0fe154adcc23270cb0da11ff44ace/src/Identity/UI/src/Areas/Identity/Services/EmailSender.cs) is implemented and registered with the [dependency injection container](xref:fundamentals/dependency-injection).
diff --git a/aspnetcore/includes/dotnet-tool-install-arch-options.md b/aspnetcore/includes/dotnet-tool-install-arch-options.md
index ce7f0af9841f..f63997e46c4e 100644
--- a/aspnetcore/includes/dotnet-tool-install-arch-options.md
+++ b/aspnetcore/includes/dotnet-tool-install-arch-options.md
@@ -1,3 +1,4 @@
 > [!NOTE]
-> By default the architecture of the .NET binaries to install represents the currently running OS architecture. To specify a different OS architecture, see [dotnet tool install, --arch option](/dotnet/core/tools/dotnet-tool-install#options).
-> For more information, see GitHub issue [dotnet/AspNetCore.Docs #29262](https://github.com/dotnet/AspNetCore.Docs/issues/29262).
+> By default, the architecture of the .NET binaries to install represents the currently running operating system architecture.
+> To specify a different architecture, review how to use the `dotnet tool install` command with the ['--arch' option](/dotnet/core/tools/dotnet-tool-install#options).
+> For more information, see [GitHub dotnet/aspnetcore.docs issue #29262](https://github.com/dotnet/AspNetCore.Docs/issues/29262) - _Add '-a arm64' on Apple Silicon_.
diff --git a/aspnetcore/security/authentication/accconfirm.md b/aspnetcore/security/authentication/accconfirm.md
index e51c0b4c3b3b..ea0a21b27bb1 100644
--- a/aspnetcore/security/authentication/accconfirm.md
+++ b/aspnetcore/security/authentication/accconfirm.md
@@ -1,20 +1,22 @@
 ---
-title: Account confirmation and password recovery in ASP.NET Core
+title: Account confirmation and password recovery
 author: wadepickett
 description: Learn how to build an ASP.NET Core app with email confirmation and password reset.
 ms.author: wpickett
 ms.custom: sfi-image-nochange
 monikerRange: '>= aspnetcore-3.1'
-ms.date: 2/9/2022
+ms.date: 05/11/2026
 uid: security/authentication/accconfirm
+
+# customer intent: As an ASP.NET developer, I want to confirm user accounts and recover passwords, so I can verify user email addresses and allow password resets in my ASP.NET Core app.
 ---
 # Account confirmation and password recovery in ASP.NET Core
 
 By [Rick Anderson](https://twitter.com/RickAndMSFT), [Ponant](https://github.com/Ponant), and [Joe Audette](https://twitter.com/joeaudette)
 
-This tutorial shows how to build an ASP.NET Core app with email confirmation and password reset. This tutorial is **not** a beginning topic. You should be familiar with:
+This tutorial shows how to build an ASP.NET Core app with email confirmation and password reset. This tutorial is **not** a beginning article. You should be familiar with:
 
-* [ASP.NET Core](xref:tutorials/razor-pages/razor-pages-start)
+* [Razor Pages in ASP.NET Core](xref:tutorials/razor-pages/razor-pages-start)
 * [Authentication](xref:security/authentication/identity)
 * [Entity Framework Core](xref:data/ef-mvc/intro)
 
@@ -34,11 +36,11 @@ For Blazor guidance, which adds to or supersedes the guidance in this article, s
 ## Prerequisites
 
 * [.NET 6 or later SDK](https://dotnet.microsoft.com/download/dotnet/6.0)
-* Successfully [send email from a C# console app](https://www.twilio.com/blog/send-emails-using-the-sendgrid-api-with-dotnetnet-6-and-csharp).
+* Successfully [send email from a C# console app by using the SendGrid API (Twilio)](https://www.twilio.com/blog/send-emails-using-the-sendgrid-api-with-dotnetnet-6-and-csharp)
 
 ## Create and test a web app with authentication
 
-Run the following commands to create a web app with authentication.
+Run the following commands to create a web app with authentication:
 
 ```dotnetcli
 dotnet new webapp -au Individual -o WebPWrecover
@@ -46,34 +48,39 @@ cd WebPWrecover
 dotnet run
 ```
 
-<a name="regsim"></a>
+### Register a user with simulated email confirmation
 
-### Register user with simulated email confirmation
+Run the app, select the **Register** link, and register a user.
 
-Run the app, select the **Register** link, and register a user. Once registered, you are redirected to the to `/Identity/Account/RegisterConfirmation` page which contains a link to simulate email confirmation:
+After registration completes, you're redirected to the `/Identity/Account/RegisterConfirmation` page, which contains a link to simulate email confirmation.
 
-* Select the `Click here to confirm your account` link.
-* Select the **Login** link and sign-in with the same credentials.
-* Select the `Hello YourEmail@provider.com!` link, which redirects to the `/Identity/Account/Manage/PersonalData` page.
-* Select the **Personal data** tab on the left, and then select **Delete**.
+1. Select the `Click here to confirm your account` link.
+
+1. Select the **Login** link and sign-in with the same credentials.
+
+1. Select the `Hello YourEmail@provider.com!` link, which redirects to the `/Identity/Account/Manage/PersonalData` page.
 
-The `Click here to confirm your account` link is displayed because an [IEmailSender](https://github.com/dotnet/aspnetcore/blob/1dcf7acfacf0fe154adcc23270cb0da11ff44ace/src/Identity/UI/src/Areas/Identity/Services/EmailSender.cs) has not been implemented and registered with the [dependency injection container](xref:fundamentals/dependency-injection). See the [`RegisterConfirmation` source](https://github.com/dotnet/aspnetcore/blob/main/src/Identity/UI/src/Areas/Identity/Pages/V4/Account/RegisterConfirmation.cshtml.cs#L71-L74).
+1. Select the **Personal data** tab, and then select **Delete**.
+
+The `Click here to confirm your account` link displays because the [IEmailSender](https://github.com/dotnet/aspnetcore/blob/1dcf7acfacf0fe154adcc23270cb0da11ff44ace/src/Identity/UI/src/Areas/Identity/Services/EmailSender.cs) interface isn't yet implemented and registered with the [dependency injection container](xref:fundamentals/dependency-injection). For more information, see the [RegisterConfirmation source](https://github.com/dotnet/aspnetcore/blob/main/src/Identity/UI/src/Areas/Identity/Pages/V4/Account/RegisterConfirmation.cshtml.cs#L71-L74).
 
 [!INCLUDE[](~/includes/aspnetcore-repo-ref-source-links.md)]
 
 ### Configure an email provider
 
-In this tutorial, [SendGrid](https://sendgrid.com) is used to send email. A SendGrid account and key is needed to send email. We recommend using SendGrid or another email service to send email rather than SMTP. SMTP is difficult to secure and set up correctly.
+<!-- Locale identifier (en-us) required in next link -->
 
-The SendGrid account may require [adding a Sender](https://sendgrid.com/docs/ui/sending-email/senders/).
+In this tutorial, Twilio [SendGrid](https://www.twilio.com/en-us/sendgrid) is used to send email. A SendGrid account and key are required to send email. We recommend using SendGrid or another email service to send email rather than SMTP. SMTP is difficult to secure and set up correctly.
 
-Create a class to fetch the secure email key. For this sample, create `Services/AuthMessageSenderOptions.cs`:
+The SendGrid account might require [adding a Sender](https://sendgrid.com/docs/ui/sending-email/senders/).
+
+Create a class to fetch the secure email key. For this sample, create the _Services/AuthMessageSenderOptions.cs_ file:
 
 [!code-csharp[](accconfirm/sample/WebPWrecover60/Services/AuthMessageSenderOptions.cs)]
 
 #### Configure SendGrid user secrets
 
-Set the `SendGridKey` with the [secret-manager tool](xref:security/app-secrets). For example:
+Set the `SendGridKey` value with the [secret-manager tool](xref:security/app-secrets). For example:
 
 ```dotnetcli
 dotnet user-secrets set SendGridKey <key>
@@ -81,9 +88,9 @@ dotnet user-secrets set SendGridKey <key>
 Successfully saved SendGridKey to the secret store.
 ```
 
-On Windows, Secret Manager stores keys/value pairs in a `secrets.json` file in the `%APPDATA%/Microsoft/UserSecrets/<WebAppName-userSecretsId>` directory.
+On Windows, Secret Manager stores keys/value pairs in a _secrets.json_ file in the `%APPDATA%/Microsoft/UserSecrets/<WebAppName-userSecretsId>` directory.
 
-The contents of the `secrets.json` file aren't encrypted. The following markup shows the `secrets.json` file. The `SendGridKey` value has been removed.
+The contents of the _secrets.json_ file aren't encrypted. The following markup shows the _secrets.json_ file. The `SendGridKey` value is removed from the example.
 
 ```json
 {
@@ -91,7 +98,7 @@ The contents of the `secrets.json` file aren't encrypted. The following markup s
 }
 ```
 
-For more information, see the [Options pattern](xref:fundamentals/configuration/options) and [configuration](xref:fundamentals/configuration/index).
+For more information, see the [Options pattern](xref:fundamentals/configuration/options) and <xref:fundamentals/configuration/index>.
 
 ### Install SendGrid
 
@@ -117,68 +124,80 @@ dotnet add package SendGrid
 
 ---
 
-See [Get Started with SendGrid for Free](https://sendgrid.com/free/) to register for a free SendGrid account.
+To register for a free SendGrid account, [start sending with a free SendGrid Email API trial](https://www.twilio.com/en-us/products/email-api/pricing).
 
 ### Implement IEmailSender
 
-To Implement `IEmailSender`, create `Services/EmailSender.cs` with code similar to the following:
+To implement the `IEmailSender` interface, create the _Services/EmailSender.cs_ file with code similar to the following example:
 
 [!code-csharp[](accconfirm/sample/WebPWrecover60/Services/EmailSender.cs)]
 
-### Configure app to support email
+### Configure the app to support email
 
-Add the following code to the `Program.cs` file:
+Add the following code to the _Program.cs_ file, which performs the following tasks:
 
-* Add `EmailSender` as a transient service.
-* Register the `AuthMessageSenderOptions` configuration instance.
+* Adds the `EmailSender` instance as a transient service.
+* Registers the `AuthMessageSenderOptions` configuration instance.
 
 [!code-csharp[](accconfirm/sample/WebPWrecover60/Program.cs?name=snippet1&highlight=2,5,18-19)]
 
-<!-- instructions when you scaffold RegisterConfirmation -->
-[!INCLUDE[](~/includes/disableVer6.md)]
+[!INCLUDE[Disable default account verification for scaffolded RegisterConfirmation](~/includes/disableVer6.md)]
 
 ## Register, confirm email, and reset password
 
 Run the web app, and test the account confirmation and password recovery flow.
 
-* Run the app and register a new user
-* Check your email for the account confirmation link. See [Debug email](#debug) if you don't get the email.
-* Click the link to confirm your email.
-* Sign in with your email and password.
-* Sign out.
+1. Run the app and register a new user.
+
+1. Check your email for the account confirmation link. If you don't receive the email, see the [Debug email](#debug-email) section for troubleshooting.
+
+1. Select the link and confirm your email.
+
+1. Sign in with your email and password.
+
+1. Sign out.
 
 ### Test password reset
 
-* If you're signed in, select **Logout**.
-* Select the **Log in** link and select the **Forgot your password?** link.
-* Enter the email you used to register the account.
-* An email with a link to reset your password is sent. Check your email and click the link to reset your password. After your password has been successfully reset, you can sign in with your email and new password.
+1. If you're signed in, select **Logout**.
 
-<a name="resend"></a>
+1. Select the **Log in** link, and then select the **Forgot your password?** link.
+
+1. Enter the email you used to register the account. The app sends an email with a link to reset your password.
+
+1. Go to the sent email message.
+
+1. Select the link and reset your password.
+
+After your password successfully resets, you can sign in with your email and new password.
 
 ## Resend email confirmation
 
-Select the **Resend email confirmation** link on the **Login** page.
+This section describes the code that supports the email confirmation process and related tasks.
+
+* Start by selecting the **Resend email confirmation** link on the **Login** page.
 
 ### Change email and activity timeout
 
-The default inactivity timeout is 14 days. The following code sets the inactivity timeout to 5 days:
+The default inactivity timeout is 14 days. The following code sets the inactivity timeout to five days:
 
 [!code-csharp[](accconfirm/sample/WebPWrecover60/Program.cs?name=snippet_timeout&highlight=21-24)]
 
 ### Change all data protection token lifespans
 
-The following code changes all data protection tokens timeout period to 3 hours:
+The following code changes the timeout period for all data protection tokens to three hours:
 
 [!code-csharp[](accconfirm/sample/WebPWrecover60/Program.cs?name=snippet_dpt&highlight=21-22)]
 
-The built in Identity user tokens (see [AspNetCore/src/Identity/Extensions.Core/src/TokenOptions.cs](https://github.com/dotnet/AspNetCore/blob/v2.2.2/src/Identity/Extensions.Core/src/TokenOptions.cs) )have a [one day timeout](https://github.com/dotnet/AspNetCore/blob/v2.2.2/src/Identity/Core/src/DataProtectionTokenProviderOptions.cs).
+The built-in Identity user tokens (see the [AspNetCore/src/Identity/Extensions.Core/src/TokenOptions.cs](https://github.com/dotnet/AspNetCore/blob/v2.2.2/src/Identity/Extensions.Core/src/TokenOptions.cs) source) have a [one day timeout](https://github.com/dotnet/AspNetCore/blob/v2.2.2/src/Identity/Core/src/DataProtectionTokenProviderOptions.cs).
 
 ### Change the email token lifespan
 
-The default token lifespan of [the Identity user tokens](https://github.com/dotnet/AspNetCore/blob/v2.2.2/src/Identity/Extensions.Core/src/TokenOptions.cs) is [one day](https://github.com/dotnet/AspNetCore/blob/v2.2.2/src/Identity/Core/src/DataProtectionTokenProviderOptions.cs). This section shows how to change the email token lifespan.
+The default token lifespan of [the Identity user tokens](https://github.com/dotnet/AspNetCore/blob/v2.2.2/src/Identity/Extensions.Core/src/TokenOptions.cs) is [one day](https://github.com/dotnet/AspNetCore/blob/v2.2.2/src/Identity/Core/src/DataProtectionTokenProviderOptions.cs).
 
-Add a custom <xref:Microsoft.AspNetCore.Identity.DataProtectorTokenProvider%601> and <xref:Microsoft.AspNetCore.Identity.DataProtectionTokenProviderOptions>:
+The following code shows how to change the email token lifespan.
+
+Add a custom <xref:Microsoft.AspNetCore.Identity.DataProtectorTokenProvider%601> class and <xref:Microsoft.AspNetCore.Identity.DataProtectionTokenProviderOptions> class:
 
 [!code-csharp[](accconfirm/sample/WebPWrecover60/TokenProviders/CustomTokenProvider.cs?name=snippet1)]
 
@@ -186,44 +205,60 @@ Add the custom provider to the service container:
 
 [!code-csharp[](accconfirm/sample/WebPWrecover60/Program.cs?name=snippet_etl&highlight=18-24)]
 
-<a name="debug"></a>
-
 ### Debug email
 
-If you can't get email working:
+If the email process isn't working as expected, try these troubleshooting steps:
+
+* Set a breakpoint in the `EmailSender.Execute` method and verify the `SendGridClient.SendEmailAsync` method is called.
+
+* Create a [console app to send email](https://www.twilio.com/docs/sendgrid/for-developers/sending-email/v2-csharp-code-example) by using similar code to `EmailSender.Execute`.
+
+* Review the [Email Activity](https://www.twilio.com/docs/sendgrid/ui/analytics-and-reporting/email-activity-feed) page.
 
-* Set a breakpoint in `EmailSender.Execute` to verify `SendGridClient.SendEmailAsync` is called.
-* Create a [console app to send email](https://sendgrid.com/docs/Integrate/Code_Examples/v2_Mail/csharp.html) using similar code to `EmailSender.Execute`.
-* Review the [Email Activity](https://sendgrid.com/docs/User_Guide/email_activity.html) page.
 * Check your spam folder.
-* Try another email alias on a different email provider (Microsoft, Yahoo, Gmail, etc.)
+
+* Try another email alias on a different email provider, such as Microsoft, Yahoo, Gmail, and so on.
+
 * Try sending to different email accounts.
 
-**A security best practice** is to **not** use production secrets in test and development. If you publish the app to Azure, set the SendGrid secrets as application settings in the Azure Web App portal. The configuration system is set up to read keys from environment variables.
+> [!TIP]
+> **A security best practice** is to **not** use production secrets in test and development. If you publish the app to Azure, set the SendGrid secrets as application settings in the Azure Web App portal. The configuration system is set up to read keys from environment variables.
 
 ## Combine social and local login accounts
 
-To complete this section, you must first enable an external authentication provider. See [Facebook, Google, and external provider authentication](xref:security/authentication/social/index).
+To complete this section, you must first enable an external authentication provider. For more information, see <xref:security/authentication/social/index>.
 
-You can combine local and social accounts by clicking on your email link. In the following sequence, "RickAndMSFT@gmail.com" is first created as a local login; however, you can create the account as a social login first, then add a local login.
+In this sequence, the email address `RickAndMSFT@gmail.com` is first created as a local login. However, you can create the account as a social login first, and then add a local login.
 
-![Web application: RickAndMSFT@gmail.com user authenticated](accconfirm/_static/rick.png)
+1. To combine local and social accounts, select the email address link.
 
-Click on the **Manage** link. Note the 0 external (social logins) associated with this account.
+   :::image type="content" source="accconfirm/_static/rick.png" border="false" alt-text="Screenshot that shows how to select the email address link for the authenticated user in the web app.":::
 
-![Manage view](accconfirm/_static/manage.png)
+1. In the **Manage your account** page, select the **Manage** link.
 
-Click the link to another login service and accept the app requests. In the following image, Facebook is the external authentication provider:
+   Notice there are currently zero (0) external (social logins) associated with the authenticated account.
 
-![Manage your external logins view listing Facebook](accconfirm/_static/fb.png)
+   :::image type="content" source="accconfirm/_static/manage.png" border="false" alt-text="Screenshot that shows zero external (social logins) associated with the authenticated account. The Management link is highlighted.":::
 
-The two accounts have been combined. You are able to sign in with either account. You might want your users to add local accounts in case their social login authentication service is down, or more likely they've lost access to their social account.
+1. In the **Manage your external logins** page, select the link to another login service. Follow the service prompts and accept the app requests.
+
+   In the following image, Facebook is added as an external authentication provider:
+
+   :::image type="content" source="accconfirm/_static/fb.png" border="false" alt-text="Screenshot that shows Facebook added as an external (social) login for the authenticated account.":::
+
+Authentication for the user email address now combines local and external (social) accounts. The user can sign in with either account.
+
+> [!TIP]
+> It's a good practice to recommend your users to add a local account to your app. This approach can help ensure continued access in case their social login authentication service is down, or they lose access to their social account.
 
 ## Enable account confirmation after a site has users
 
-Enabling account confirmation on a site with users locks out all the existing users. Existing users are locked out because their accounts aren't confirmed. To work around existing user lockout, use one of the following approaches:
+If you enable account confirmation on a site with existing users, you lock them out because their accounts aren't confirmed.
+
+To work around the issue of existing user lockout, use one of the following approaches:
+
+* Update the database to mark all existing users as confirmed.
 
-* Update the database to mark all existing users as being confirmed.
 * Confirm existing users. For example, batch-send emails with confirmation links.
 
 :::moniker-end
@@ -424,3 +459,9 @@ Enabling account confirmation on a site with users locks out all the existing us
 * Confirm existing users. For example, batch-send emails with confirmation links.
 
 :::moniker-end
+
+## Related content
+
+* [Razor Pages in ASP.NET Core](xref:tutorials/razor-pages/razor-pages-start)
+* [Authentication](xref:security/authentication/identity)
+* [Entity Framework Core](xref:data/ef-mvc/intro)
diff --git a/aspnetcore/security/authentication/accconfirm/_static/fb.png b/aspnetcore/security/authentication/accconfirm/_static/fb.png
index e9a134f6c2d8..fc5200eec597 100644
Binary files a/aspnetcore/security/authentication/accconfirm/_static/fb.png and b/aspnetcore/security/authentication/accconfirm/_static/fb.png differ
diff --git a/aspnetcore/security/authentication/accconfirm/_static/manage.png b/aspnetcore/security/authentication/accconfirm/_static/manage.png
index 6e5ad418e819..1cd32708618a 100644
Binary files a/aspnetcore/security/authentication/accconfirm/_static/manage.png and b/aspnetcore/security/authentication/accconfirm/_static/manage.png differ
diff --git a/aspnetcore/security/authentication/accconfirm/_static/rick.png b/aspnetcore/security/authentication/accconfirm/_static/rick.png
index 80704719686d..28ddefda2413 100644
Binary files a/aspnetcore/security/authentication/accconfirm/_static/rick.png and b/aspnetcore/security/authentication/accconfirm/_static/rick.png differ
diff --git a/aspnetcore/security/authentication/jwt-authn.md b/aspnetcore/security/authentication/jwt-authn.md
index 71dcca3ca9c1..7f3db309e80a 100644
--- a/aspnetcore/security/authentication/jwt-authn.md
+++ b/aspnetcore/security/authentication/jwt-authn.md
@@ -1,19 +1,23 @@
 ---
 title: Generate tokens with dotnet user-jwts
 author: tdykstra
-description: Learn how to set up manage JSON Web Tokens in development with dotnet user-jwts
+description: Learn how to generate and manage JSON Web Tokens in development with the dotnet user-jwts command.
 monikerRange: '>= aspnetcore-7.0'
 ms.author: tdykstra
-ms.date: 09/22/2018
+ms.date: 05/11/2026
 ms.custom: mvc
 uid: security/authentication/jwt
+
+# customer intent: As an ASP.NET developer, I want to use the dotnet user-jwts command, so I can generate and manage JSON Web Tokens in development.
 ---
 
 # Manage JSON Web Tokens in development with dotnet user-jwts
 
 By [Rick Anderson](https://twitter.com/RickAndMSFT)
 
-The `dotnet user-jwts` command line tool can create and manage app specific local [JSON Web Tokens](https://jwt.io/introduction) (JWTs).
+The `dotnet user-jwts` command line tool can create and manage app specific local [JSON Web Tokens](https://www.jwt.io/introduction#what-is-json-web-token) (JWTs).
+
+This article provides syntax details for the command and examples.
 
 ## Synopsis
 
@@ -30,9 +34,9 @@ Creates and manages project specific local JSON Web Tokens.
 
 `PROJECT | SOLUTION`
 
-The MSBuild project to apply a command on. If a project is not specified, MSBuild searches the current working directory for a file that has a file extension that ends in *proj* and uses that file.
+The MSBuild project to apply a command on. If a project isn't specified, MSBuild searches the current working directory for a file that has a file extension that ends in *proj*. It then uses that file to obtain the project information for the command.
 
-<!-- Once solutions are supported delete the preceding and uncomment this section 
+<!-- When solutions are supported, delete the preceding and uncomment this section
 
 ```dotnetcli
 dotnet user-jwts [<PROJECT>|<SOLUTION>] [command]
@@ -54,33 +58,33 @@ The MSBuild project or solution to apply a command on. If a project or solution
 ## Commands
 
 | Command  | Description |
-| ------------- | ------------- |
-| clear  |  Delete all issued JWTs for a project. |
-| create | Issue a new JSON Web Token.   |
-| remove | Delete a given JWT. |
-| key | Display or reset the signing key used to issue JWTs. |
-| list | Lists the JWTs issued for the project. |
-| print | Display the details of a given JWT. |
+| -------- | ----------- |
+| `clear`  | Delete all issued JWTs for a project. |
+| `create` | Issue a new JSON Web Token.   |
+| `remove` | Delete a given JWT. |
+| `key`    | Display or reset the signing key used to issue JWTs. |
+| `list`   | List the JWTs issued for the project. |
+| `print`  | Display the details of a given JWT. |
 
-### Create
+### Options for the create command
 
 Usage: `dotnet user-jwts create [options]`
 
 | Option  | Description |
-| ------------- | ------------- |
-|  -p \| --project | The path of the project to operate on. Defaults to the project in the current directory. |
-| --scheme | The scheme name to use for the generated token. Defaults to 'Bearer'. |
-| -n \| --name | The name of the user to create the JWT for. Defaults to the current environment user. |
-| --audience | The audiences to create the JWT for. Defaults to the URLs configured in the project's launchSettings.json. |
-| --issuer | The issuer of the JWT. Defaults to 'dotnet-user-jwts'. |
-| --scope | A scope claim to add to the JWT. Specify once for each scope. |
-| --role | A role claim to add to the JWT. Specify once for each role. |
-| --claim | Claims to add to the JWT. Specify once for each claim in the format "name=value". |
-| --not-before | The UTC date & time the JWT should not be valid before in the format 'yyyy-MM-dd [[HH:mm[[:ss]]]]'. Defaults to the date & time the JWT is created. |
-| --expires-on | The UTC date & time the JWT should expire in the format 'yyyy-MM-dd [[[ [HH:mm]]:ss]]'. Defaults to 6 months after the --not-before date. Do not use this option in conjunction with the --valid-for option. |
-| --valid-for | The period the JWT should expire after. Specify using a number followed by duration type like 'd' for days, 'h' for hours, 'm' for minutes, and 's' for seconds, for example 365d'. Do not use this option in conjunction with the --expires-on option. |
-| -o \| --output | The format to use for displaying output from the command. Can be one of 'default', 'token', or 'json'. |
-| -h \| --help | Show help information |
+| ------- | ----------- |
+| `-p \| --project` | The path of the project to operate on. Defaults to the project in the current directory. |
+| `--scheme`        | The scheme name to use for the generated token. Defaults to `Bearer`. |
+| `-n \| --name`    | The name of the user to create the JWT for. Defaults to the current environment user. |
+| `--audience`      | The audiences to create the JWT for. Defaults to the URLs configured in the project's _launchSettings.json_ file. |
+| `--issuer`        | The issuer of the JWT. Defaults to `dotnet-user-jwts`. |
+| `--scope`         | A scope claim to add to the JWT. Specify once for each scope. |
+| `--role`          | A role claim to add to the JWT. Specify once for each role. |
+| `--claim`         | Claims to add to the JWT. Specify once for each claim in the format `name=value`. |
+| `--not-before`    | The UTC date and time at which the JWT becomes valid, in the format `yyyy-MM-dd [[HH:mm[[:ss]]]]`. Defaults to the date and time the JWT is created. |
+| `--expires-on`    | The UTC date and time at which the JWT expires, in the format `yyyy-MM-dd [[[ [HH:mm]]:ss]]`. Defaults to six months after the `--not-before` date. Don't use this option with the `--valid-for` option. |
+| `--valid-for`     | The amount of time the JWT remains valid. When the time is reached, the JWT expires. Specify a number followed by the duration type (`d` days, `h` hours, `m` minutes, `s` seconds), such as `365d`. Don't use this option with the `--expires-on` option. |
+| `-o \| --output`  | The format to use for displaying output from the command: `default`, `token`, or `json`. |
+| `-h \| --help`    | Show help information for the command. |
 
 ## Examples
 
@@ -92,29 +96,21 @@ cd MyJWT
 dotnet add package Microsoft.AspNetCore.Authentication.JwtBearer
 ```
 
-Replace the contents of `Program.cs` with the following code:
+Replace the contents of the _Program.cs_ file with the following code:
 
 :::code language="csharp" source="~/security/authentication/jwt-authn/samples/MyJWT/Program.cs" id="snippet_1":::
 
-In the preceding code, a GET request to `/secret` returns an `401 Unauthorized` error. A production app might get the JWT from a [Security token service](/azure/active-directory/develop/security-tokens) (STS), perhaps in response to logging in via a set of credentials. For the purpose of working with the API during local development, the `dotnet user-jwts` command line tool can be used to create and manage app-specific local JWTs.
-
-The `user-jwts` tool is similar in concept to the  [user-secrets](xref:security/app-secrets) tool, it can be used to manage values for the app that are only valid for the developer on the local machine. In fact, the user-jwts tool utilizes the `user-secrets` infrastructure to manage the key that the JWTs are signed with, ensuring it’s stored safely in the user profile.
+In the preceding code, a GET request to the `/secret` endpoint returns a `401 Unauthorized` error. A production app might get the JWT from a [Security token service](/entra/identity-platform/security-tokens), perhaps in response to signing in with credentials. When you use the API during local development, the `dotnet user-jwts` command line tool can be used to create and manage app-specific local JWTs.
 
-The `user-jwts` tool hides implementation details, such as where and how the values are stored. The tool can be used without knowing the implementation details. The values are stored in a JSON file in the local machine's user profile folder:
+The `user-jwts` tool is similar in concept to the [user-secrets](xref:security/app-secrets) tool. It can be used to manage values for the app that are valid only for the developer on the local machine. In fact, the `user-jwts` tool utilizes the `user-secrets` infrastructure to manage the key that the JWTs are signed with. This approach ensures the key is stored safely in the user profile.
 
-# [Windows](#tab/windows)
+The `user-jwts` tool hides implementation details, such as where and how the values are stored. The tool can be used without knowing the implementation details.
 
-File system path:
+The values are stored in a JSON file in the local machine's user profile folder:
 
-`%APPDATA%\Microsoft\UserSecrets\<secrets_GUID>\user-jwts.json`
+- **Windows**: _%APPDATA%\Microsoft\UserSecrets\<secrets_GUID>\user-jwts.json_
 
-# [Linux / macOS](#tab/linux+macos)
-
-File system path:
-
-`~/.microsoft/usersecrets/<secrets_GUID>/user-jwts.json`
-
----
+- **Linux/macOS**: _~/.microsoft/usersecrets/<secrets_GUID>/user-jwts.json_
 
 ### Create a JWT
 
@@ -124,18 +120,16 @@ The following command creates a local JWT:
 dotnet user-jwts create
 ```
 
-The preceding command creates a JWT and updates the project’s `appsettings.Development.json` file with JSON similar to the following:
+The preceding command creates a JWT and updates the project `appsettings.Development.json` file with JSON similar to the following example:
 
 :::code language="csharp" source="~/security/authentication/jwt-authn/samples/MyJWT/appsettings.Development.json" highlight="7-19":::
 
-Copy the JWT and the `ID` created in the preceding command. Use a tool like Curl to test `/secret`:
+Copy the JWT and the `ID` created in the preceding command. Use a tool like Curl to test the `/secret` endpoint, where `{token}` is the previously generated JWT:
 
 ```dotnetcli
 curl -i -H "Authorization: Bearer {token}" https://localhost:{port}/secret
 ```
 
-Where `{token}` is the previously generated JWT.
-
 ### Display JWT security information
 
 The following command displays the JWT security information, including expiration, scopes, roles, token header and payload, and the compact token:
@@ -146,15 +140,13 @@ dotnet user-jwts print {ID} --show-all
 
 ### Create a token for a specific user and scope
 
-See [Create](#create) in this topic for supported create options.
-
-The following command creates a JWT for a user named `MyTestUser`:
+The following command creates a JWT for a user named `MyTestUser`. For the supported `create` options, see the [Options for the create command](#options-for-the-create-command) section.
 
 ```dotnetcli
 dotnet user-jwts create --name MyTestUser --scope "myapi:secrets"
 ```
 
-The preceding command has output similar to the following:
+The preceding command has output similar to the following example:
 
 ```dotnetcli
 New JWT saved with ID '43e0b748'.
@@ -167,3 +159,8 @@ Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.{Remaining token deleted}
 The preceding token can be used to test the `/secret2` endpoint in the following code:
 
 :::code language="csharp" source="~/security/authentication/jwt-authn/samples/MyJWT/Program.cs" id="snippet_2" highlight="11-12":::
+
+## Related content
+
+- [Microsoft.AspNetCore.Authentication.JwtBearer](https://www.nuget.org/packages/Microsoft.AspNetCore.Authentication.JwtBearer)
+- [JSON Web Tokens](https://www.jwt.io/introduction#what-is-json-web-token)
diff --git a/aspnetcore/security/authentication/scaffold-identity.md b/aspnetcore/security/authentication/scaffold-identity.md
index 18ce1ab12424..b8f119260439 100644
--- a/aspnetcore/security/authentication/scaffold-identity.md
+++ b/aspnetcore/security/authentication/scaffold-identity.md
@@ -36,7 +36,7 @@ Although the scaffolder generates most of the necessary code, you need to update
 
 We recommend using a source control system that shows file differences and allows you to back out of changes. Inspect the changes after running the Identity scaffolder.
 
-Services are required when using [Two Factor Authentication](xref:security/authentication/identity-enable-qrcodes), [Account confirmation and password recovery](xref:security/authentication/accconfirm), and other security features with Identity. Services or service stubs aren't generated when scaffolding Identity. Services to enable these features must be added manually. For example, see [Require Email Confirmation](xref:security/authentication/accconfirm#require-email-confirmation).
+Services are required when using [Two Factor Authentication](xref:security/authentication/identity-enable-qrcodes), [Account confirmation and password recovery](xref:security/authentication/accconfirm), and other security features with Identity. Services or service stubs aren't generated when scaffolding Identity. Services to enable these features must be added manually. For example, see [Configure an email provider](xref:security/authentication/accconfirm#configure-an-email-provider) so the app can require email confirmation.
 
 Typically, apps created with individual accounts should ***not*** create a new data context.
 
diff --git a/aspnetcore/security/authorization/secure-data.md b/aspnetcore/security/authorization/secure-data.md
index f206a2f65935..10e0a0851374 100644
--- a/aspnetcore/security/authorization/secure-data.md
+++ b/aspnetcore/security/authorization/secure-data.md
@@ -4,9 +4,11 @@ author: tdykstra
 description: Learn how to create an ASP.NET Core web app with user data protected by authorization. Includes HTTPS, authentication, security, ASP.NET Core Identity.
 ms.author: tdykstra
 ms.custom: mvc, sfi-image-nochange
-ms.date: 12/5/2021
+ms.date: 05/11/2026
 ms.sfi.ropc: t
 uid: security/authorization/secure-data
+
+# customer intent: As an ASP.NET developer, I want to create a web app with authorization functionality, so I can protect user data with ASP.NET Core Identity.
 ---
 
 # Create an ASP.NET Core web app with user data protected by authorization
@@ -15,33 +17,34 @@ By [Rick Anderson](https://twitter.com/RickAndMSFT) and [Joe Audette](https://tw
 
 :::moniker range=">= aspnetcore-6.0"
 
-This tutorial shows how to create an ASP.NET Core web app with user data protected by authorization. It displays a list of contacts that authenticated (registered) users have created. There are three security groups:
+This tutorial shows how to create an ASP.NET Core web app with user data protected by authorization. It displays a list of contacts created by the authenticated (registered) users. The app supports three security groups:
 
-* **Registered users** can view all the approved data and can edit/delete their own data.
-* **Managers** can approve or reject contact data. Only approved contacts are visible to users.
+* **Registered users** can view all _Approved_ data and can edit/delete their own data.
+* **Managers** can approve or reject contact data. Only contacts marked as _Approved_ are visible to users.
 * **Administrators** can approve/reject and edit/delete any data.
 
-The images in this document don't exactly match the latest templates.
+> [!NOTE]
+> The images in this article don't exactly match the latest templates.
 
-In the following image, user Rick (`rick@example.com`) is signed in. Rick can only view approved contacts and **Edit**/**Delete**/**Create New** links for his contacts. Only the last record, created by Rick, displays **Edit** and **Delete** links. Other users won't see the last record until a manager or administrator changes the status to "Approved".
+In the following image, the user `rick@contoso.com` is signed in to the web app. This user can view only _Approved_ contacts along with the **Edit**/**Delete**/**Create New** links for the contacts. In this view, only the last record (created by this user) displays the **Edit** and **Delete** links. Other users don't see the last record until a manager or administrator approves the record.
 
-![Screenshot showing Rick signed in](secure-data/_static/rick.png)
+:::image type="content" source="secure-data/_static/rick.png" border="false" alt-text="Screenshot showing the user 'rick@contoso.com' signed in to the web app.":::
 
-In the following image, `manager@contoso.com` is signed in and in the manager's role:
+In the next image, the `manager@contoso.com` user is signed in and has access to the management features:
 
-![Screenshot showing manager@contoso.com signed in](secure-data/_static/manager1.png)
+:::image type="content" source="secure-data/_static/manager1.png" border="false" alt-text="Screenshot showing the user 'manager@contoso.com' signed in to the web app with visibility of management features.":::
 
-The following image shows the managers details view of a contact:
+A manager can select a contact to see details about the user, as shown in the following image:
 
-![Manager's view of a contact](secure-data/_static/manager.png)
+:::image type="content" source="secure-data/_static/manager.png" border="false" alt-text="Screenshot shows the manager view of a contact in the web app.":::
 
-The **Approve** and **Reject** buttons are only displayed for managers and administrators.
+The **Approve** and **Reject** options display for managers and administrators only.
 
-In the following image, `admin@contoso.com` is signed in and in the administrator's role:
+In the following image, the `admin@contoso.com` user is signed in and has access to the administration features:
 
-![Screenshot showing admin@contoso.com signed in](secure-data/_static/admin.png)
+:::image type="content" source="secure-data/_static/admin.png" border="false" alt-text="Screenshot showing the user 'admin@contoso.com' signed in to the web app with visibility of administration features.":::
 
-The administrator has all privileges. She can read, edit, or delete any contact and change the status of contacts.
+An administrator has all privileges. They can read, edit, or delete any contact and change the status of contacts.
 
 The app was created by [scaffolding](xref:tutorials/first-mvc-app/adding-model#scaffold-movie-pages) the following `Contact` model:
 
@@ -58,8 +61,8 @@ The sample contains the following authorization handlers:
 This tutorial is advanced. You should be familiar with:
 
 * [ASP.NET Core](xref:tutorials/first-mvc-app/start-mvc)
-* [Authentication](xref:security/authentication/identity)
-* [Account Confirmation and Password Recovery](xref:security/authentication/accconfirm)
+* [Authentication and ASP.NET Core Identity](xref:security/authentication/identity)
+* [Account confirmation and password recovery](xref:security/authentication/accconfirm)
 * [Authorization](xref:security/authorization/introduction)
 * [Entity Framework Core](xref:data/ef-mvc/intro)
 
@@ -68,9 +71,11 @@ This tutorial is advanced. You should be familiar with:
 [Download](xref:fundamentals/index#how-to-download-a-sample) the [completed](https://github.com/dotnet/AspNetCore.Docs/tree/main/aspnetcore/security/authorization/secure-data/samples) app. [Test](#test-the-completed-app) the completed app so you become familiar with its security features.
 
 > [!TIP]
-> Use [`git sparse-checkout`](https://git-scm.com/docs/git-sparse-checkout) to only download the sample subfolder.
+> You can use the [git sparse-checkout](https://git-scm.com/docs/git-sparse-checkout) command to download only the sample subfolder.
+
 For example:
-```
+
+```terminal
 git clone --depth 1 --filter=blob:none https://github.com/dotnet/AspNetCore.Docs.git --sparse
 cd AspNetCore.Docs
 git sparse-checkout init --cone
@@ -85,11 +90,11 @@ Run the app, tap the **ContactManager** link, and verify you can create, edit, a
 
 ## Secure user data
 
-The following sections have all the major steps to create the secure user data app. You may find it helpful to refer to the completed project.
+The following sections demonstrate all the major steps to create the secure user data app. You might find it helpful to refer to the completed project.
 
 ### Tie the contact data to the user
 
-Use the ASP.NET [Identity](xref:security/authentication/identity) user ID to ensure users can edit their data, but not other users data. Add `OwnerID` and `ContactStatus` to the `Contact` model:
+Use the ASP.NET [Identity](xref:security/authentication/identity) user ID to ensure users can edit their data, but not other users data. Add the `OwnerID` and `ContactStatus` fields to the `Contact` model:
 
 [!code-csharp[](secure-data/samples/final6/Models/Contact.cs?name=snippet1&highlight=5-6,16-999)]
 
@@ -104,12 +109,10 @@ dotnet ef database update
 
 ### Add Role services to Identity
 
-Append <xref:Microsoft.AspNetCore.Identity.IdentityBuilder.AddRoles%2A> to add Role services:
+Enable the app to use Role services by appending the <xref:Microsoft.AspNetCore.Identity.IdentityBuilder.AddRoles%2A> method:
 
 [!code-csharp[](secure-data/samples/final6/Program.cs?name=snippet&highlight=10)]
 
-<a name="rau"></a>
-
 ### Require authenticated users
 
 Set the fallback authorization policy to require users to be authenticated:
@@ -118,37 +121,35 @@ Set the fallback authorization policy to require users to be authenticated:
 
 The preceding highlighted code sets the [fallback authorization policy](xref:Microsoft.AspNetCore.Authorization.AuthorizationOptions.FallbackPolicy). The fallback authorization policy requires ***all*** users to be authenticated, except for Razor Pages, controllers, or action methods with an authorization attribute. For example, Razor Pages, controllers, or action methods with `[AllowAnonymous]` or `[Authorize(PolicyName="MyPolicy")]` use the applied authorization attribute rather than the fallback authorization policy.
 
-<xref:Microsoft.AspNetCore.Authorization.AuthorizationPolicyBuilder.RequireAuthenticatedUser%2A> adds <xref:Microsoft.AspNetCore.Authorization.Infrastructure.DenyAnonymousAuthorizationRequirement> to the current instance, which enforces that the current user is authenticated.
-
-The fallback authorization policy:
+The <xref:Microsoft.AspNetCore.Authorization.AuthorizationPolicyBuilder.RequireAuthenticatedUser%2A> method adds the <xref:Microsoft.AspNetCore.Authorization.Infrastructure.DenyAnonymousAuthorizationRequirement> class to the current instance, which enforces that the current user is authenticated.
 
-* Is applied to all requests that don't explicitly specify an authorization policy. For requests served by endpoint routing, this includes any endpoint that doesn't specify an authorization attribute. For requests served by other middleware after the authorization middleware, such as [static files](xref:fundamentals/static-files), this applies the policy to all requests.
+The fallback authorization policy applies to all requests that don't explicitly specify an authorization policy. For requests served by endpoint routing, the policy applies to any endpoint that doesn't specify an authorization attribute. For requests served by other middleware after the authorization middleware, such as [static files](xref:fundamentals/static-files), the policy applies to all requests.
 
 Setting the fallback authorization policy to require users to be authenticated protects newly added Razor Pages and controllers. Having authorization required by default is more secure than relying on new controllers and Razor Pages to include the `[Authorize]` attribute.
 
-The <xref:Microsoft.AspNetCore.Authorization.AuthorizationOptions> class also contains <xref:Microsoft.AspNetCore.Authorization.AuthorizationOptions.DefaultPolicy?displayProperty=nameWithType>. The `DefaultPolicy` is the policy used with the `[Authorize]` attribute when no policy is specified. `[Authorize]` doesn't contain a named policy, unlike `[Authorize(PolicyName="MyPolicy")]`.
+The <xref:Microsoft.AspNetCore.Authorization.AuthorizationOptions> class also contains the <xref:Microsoft.AspNetCore.Authorization.AuthorizationOptions.DefaultPolicy?displayProperty=nameWithType> property. The `DefaultPolicy` is the policy used with the `[Authorize]` attribute when no policy is specified. `[Authorize]` doesn't contain a named policy, unlike `[Authorize(PolicyName="MyPolicy")]`.
 
 For more information on policies, see <xref:security/authorization/policies>.
 
-An alternative way for MVC controllers and Razor Pages to require all users be authenticated is adding an authorization filter:
+As an alternate approach, MVC controllers and Razor Pages can add an authorization filter to require all users be authenticated:
 
 [!code-csharp[](secure-data/samples/final6/Program.cs?name=snippet3&highlight=21-27)]
 
 The preceding code uses an authorization filter, setting the fallback policy uses endpoint routing. Setting the fallback policy is the preferred way to require all users be authenticated.
 
-Add [AllowAnonymous](xref:Microsoft.AspNetCore.Authorization.AllowAnonymousAttribute) to the `Index` and `Privacy` pages so anonymous users can get information about the site before they register:
+Add the [AllowAnonymous](xref:Microsoft.AspNetCore.Authorization.AllowAnonymousAttribute) attribute to the `Index` and `Privacy` pages so anonymous users can get information about the site before they register:
 
 [!code-csharp[](secure-data/samples/final6/Pages/Index.cshtml.cs?highlight=1,6)]
 
 ### Configure the test account
 
-The `SeedData` class creates two accounts: administrator and manager. Use the [Secret Manager tool](xref:security/app-secrets) to set a password for these accounts. Set the password from the project directory (the directory containing `Program.cs`):
+The `SeedData` class creates two accounts: administrator and manager. Use the [Secret Manager tool](xref:security/app-secrets) to set a password for these accounts. Set the password from the project directory (the directory containing the _Program.cs_ file):
 
 ```dotnetcli
 dotnet user-secrets set SeedUserPW <PW>
 ```
 
-If a weak password is specified, an exception is thrown when `SeedData.Initialize` is called.
+If a weak password is specified, an exception is thrown when the `SeedData.Initialize` method is called.
 
 Update the app to use the test password:
 
@@ -156,11 +157,11 @@ Update the app to use the test password:
 
 ### Create the test accounts and update the contacts
 
-Update the `Initialize` method in the `SeedData` class to create the test accounts:
+Create the test accounts by updating the `Initialize` method in the `SeedData` class:
 
 [!code-csharp[](secure-data/samples/final6/Data/SeedData.cs?name=snippet_Initialize)]
 
-Add the administrator user ID and `ContactStatus` to the contacts. Make one of the contacts "Submitted" and one "Rejected". Add the user ID and status to all the contacts. Only one contact is shown:
+Add the administrator user ID and the `ContactStatus` field to the contacts. Mark one of the contacts as _Submitted_ and one as _Rejected_. Add the user ID and status to all the contacts. Only one contact is shown:
 
 [!code-csharp[](secure-data/samples/final6/Data/SeedData.cs?name=snippet1&highlight=17,18)]
 
@@ -170,12 +171,14 @@ Create a `ContactIsOwnerAuthorizationHandler` class in the *Authorization* folde
 
 [!code-csharp[](secure-data/samples/final6/Authorization/ContactIsOwnerAuthorizationHandler.cs)]
 
-The `ContactIsOwnerAuthorizationHandler` calls [context.Succeed](xref:Microsoft.AspNetCore.Authorization.AuthorizationHandlerContext.Succeed%2A) if the current authenticated user is the contact owner. Authorization handlers generally:
+The `ContactIsOwnerAuthorizationHandler` calls the [context.Succeed](xref:Microsoft.AspNetCore.Authorization.AuthorizationHandlerContext.Succeed%2A) method if the current authenticated user is the contact owner. 
 
-* Call `context.Succeed` when the requirements are met.
-* Return `Task.CompletedTask` when requirements aren't met. Returning `Task.CompletedTask` without a prior call to `context.Success` or `context.Fail`, is not a success or failure, it allows other authorization handlers to run.
+The authorization handler generally:
 
-If you need to explicitly fail, call [context.Fail](xref:Microsoft.AspNetCore.Authorization.AuthorizationHandlerContext.Fail%2A).
+* Calls the `context.Succeed` method when the requirements are met.
+* When requirements aren't met, it returns `Task.CompletedTask`. When `Task.CompletedTask` is returned without a prior call to `context.Succeed` or `context.Fail`, the result isn't a success or failure. Instead, it allows other authorization handlers to run.
+
+If you need to explicitly fail, call the [context.Fail](xref:Microsoft.AspNetCore.Authorization.AuthorizationHandlerContext.Fail%2A) method.
 
 The app allows contact owners to edit/delete/create their own data. `ContactIsOwnerAuthorizationHandler` doesn't need to check the operation passed in the requirement parameter.
 
@@ -193,11 +196,11 @@ Create a `ContactAdministratorsAuthorizationHandler` class in the *Authorization
 
 ## Register the authorization handlers
 
-Services using Entity Framework Core must be registered for [dependency injection](xref:fundamentals/dependency-injection) using <xref:Microsoft.Extensions.DependencyInjection.ServiceCollectionServiceExtensions.AddScoped%2A>. The `ContactIsOwnerAuthorizationHandler` uses ASP.NET Core [Identity](xref:security/authentication/identity), which is built on Entity Framework Core. Register the handlers with the service collection so they're available to the `ContactsController` through [dependency injection](xref:fundamentals/dependency-injection). Add the following code to the end of `ConfigureServices`:
+Services that use Entity Framework Core must be registered for [dependency injection](xref:fundamentals/dependency-injection) with the <xref:Microsoft.Extensions.DependencyInjection.ServiceCollectionServiceExtensions.AddScoped%2A> method. The `ContactIsOwnerAuthorizationHandler` uses ASP.NET Core [Identity](xref:security/authentication/identity), which is built on Entity Framework Core. Register the handlers with the service collection so they're available to the `ContactsController` through [dependency injection](xref:fundamentals/dependency-injection). Add the following code to the end of `ConfigureServices`:
 
 [!code-csharp[](secure-data/samples/final6/Program.cs?name=snippet4&highlight=22-30)]
 
-`ContactAdministratorsAuthorizationHandler` and `ContactManagerAuthorizationHandler` are added as singletons. They're singletons because they don't use EF and all the information needed is in the `Context` parameter of the `HandleRequirementAsync` method.
+`ContactAdministratorsAuthorizationHandler` and `ContactManagerAuthorizationHandler` are added as singletons. They're singletons because they don't use Entity Framework and all the information needed is in the `Context` parameter of the `HandleRequirementAsync` method.
 
 ## Support authorization
 
@@ -225,8 +228,8 @@ The preceding code:
 
 Update the create page model:
 
-* Constructor to use the `DI_BasePageModel` base class.
-* `OnPostAsync` method to:
+* Define the constructor to use the `DI_BasePageModel` base class.
+* Configure the `OnPostAsync` method to:
   * Add the user ID to the `Contact` model.
   * Call the authorization handler to verify the user has permission to create contacts.
 
@@ -234,19 +237,19 @@ Update the create page model:
 
 ### Update the IndexModel
 
-Update the `OnGetAsync` method so only approved contacts are shown to general users:
+Update the `OnGetAsync` method so only _Approved_ contacts are shown to standard registered users:
 
 [!code-csharp[](secure-data/samples/final6/Pages/Contacts/Index.cshtml.cs?name=snippet)]
 
 ### Update the EditModel
 
-Add an authorization handler to verify the user owns the contact. Because resource authorization is being validated, the `[Authorize]` attribute is not enough. The app doesn't have access to the resource when attributes are evaluated. Resource-based authorization must be imperative. Checks must be performed once the app has access to the resource, either by loading it in the page model or by loading it within the handler itself. You frequently access the resource by passing in the resource key.
+Add an authorization handler to verify the user owns the contact. Because resource authorization is being validated, the `[Authorize]` attribute isn't enough. The app doesn't have access to the resource when attributes are evaluated. Resource-based authorization must be imperative. Checks must be performed after the app has access to the resource, either by loading it in the page model or by loading it within the handler itself. You frequently access the resource by passing in the resource key.
 
 [!code-csharp[](secure-data/samples/final6/Pages/Contacts/Edit.cshtml.cs?name=snippet)]
 
 ### Update the DeleteModel
 
-Update the delete page model to use the authorization handler to verify the user has delete permission on the contact.
+Update the delete page model to use the authorization handler and verify the user has delete permission on the contact.
 
 [!code-csharp[](secure-data/samples/final6/Pages/Contacts/Delete.cshtml.cs?name=snippet)]
 
@@ -254,13 +257,13 @@ Update the delete page model to use the authorization handler to verify the user
 
 Currently, the UI shows edit and delete links for contacts the user can't modify.
 
-Inject the authorization service in the `Pages/_ViewImports.cshtml` file so it's available to all views:
+Inject the authorization service in the _Pages/\_ViewImports.cshtml_ file so it's available to all views:
 
 [!code-cshtml[](secure-data/samples/final6/Pages/_ViewImports.cshtml?highlight=6-99)]
 
 The preceding markup adds several `using` statements.
 
-Update the **Edit** and **Delete** links in `Pages/Contacts/Index.cshtml` so they're only rendered for users with the appropriate permissions:
+Update the **Edit** and **Delete** links in _Pages/Contacts/Index.cshtml_ file so they're only rendered for users with the appropriate permissions:
 
 [!code-cshtml[](secure-data/samples/final6/Pages/Contacts/Index.cshtml?highlight=34-36,62-999)]
 
@@ -277,18 +280,17 @@ Update the details view so managers can approve or reject contacts:
 
 [!code-csharp[](secure-data/samples/final6/Pages/Contacts/Details.cshtml.cs?name=snippet)]
 
-## Add or remove a user to a role
+## Add or remove user roles
 
-See [this issue](https://github.com/dotnet/AspNetCore.Docs/issues/8502) for information on:
+Updating a user's role assignments lets you control the privileges available to the user. Remove a user from a role and reduce their ability to change data, such as editing or deleting a contact. Add a user to a role and increase their privileges for making global changes. You can also use role assignments to limit user participation, such as muting a user in a chat conversation.
 
-* Removing privileges from a user. For example, muting a user in a chat app.
-* Adding privileges to a user.
+For more information, see [GitHub dotnet/aspnetcore issue #8502](https://github.com/dotnet/AspNetCore.Docs/issues/8502) - _Mute or remove privileges from a user. Admin changes_.
 
 <a name="challenge"></a>
 
 ## Differences between Challenge and Forbid
 
-This app sets the default policy to [require authenticated users](#require-authenticated-users). The following code allows anonymous users. Anonymous users are allowed to show the differences between Challenge vs Forbid.
+This app sets the default policy to [require authenticated users](#require-authenticated-users). The following code allows anonymous users. Anonymous users are allowed to show the differences between Challenge versus Forbid.
 
 [!code-csharp[](secure-data/samples/final6/Pages/Contacts/Details2.cshtml.cs?name=snippet)]
 
@@ -304,12 +306,12 @@ In the preceding code:
 
 If you haven't already set a password for seeded user accounts, use the [Secret Manager tool](xref:security/app-secrets#secret-manager) to set a password:
 
-* Choose a [strong password](https://support.microsoft.com/windows/create-and-use-strong-passwords-c5cebb49-8c53-4f5e-2bc4-fe357ca048eb):
-  * At least 12 characters long but 14 or more is better.
+* Choose a [strong password](https://support.microsoft.com/account-billing/how-to-help-keep-your-microsoft-account-secure-628538c2-7006-33bb-5ef4-c917657362b9):
+  * At least 12 characters long, but 14 or more is better.
   * A combination of uppercase letters, lowercase letters, numbers, and symbols.
   * Not a word that can be found in a dictionary or the name of a person, character, product, or organization.
   * Significantly different from your previous passwords.
-  * Easy for you to remember but difficult for others to guess. Consider using a memorable phrase like "6MonkeysRLooking^".
+  * Easy for you to remember but difficult for others to guess. Consider using a memorable phrase like `6MonkeysRLooking^`.
 * Execute the following command from the project's folder, where `<PW>` is the password:
 
   ```dotnetcli
@@ -321,51 +323,53 @@ If the app has contacts:
 * Delete all of the records in the `Contact` table.
 * Restart the app to seed the database.
 
-An easy way to test the completed app is to launch three different browsers (or incognito/InPrivate sessions). In one browser, register a new user (for example, `test@example.com`). Sign in to each browser with a different user. Verify the following operations:
+An easy way to test the completed app is to launch three different browsers (or incognito/InPrivate sessions). In one browser, register a new user (for example, `test@contoso.com`). Sign in to each browser with a different user. Verify the following operations:
 
-* Registered users can view all of the approved contact data.
+* Registered users can view all of the _Approved_ contact data.
 * Registered users can edit/delete their own data.
 * Managers can approve/reject contact data. The `Details` view shows **Approve** and **Reject** buttons.
 * Administrators can approve/reject and edit/delete all data.
 
-| User                | Approve or reject contacts| Options                                  |
-| ------------------- | :---------------: | ---------------------------------------- |
-| test@example.com    | No                | Edit and delete their data.                |
-| manager@contoso.com | Yes               | Edit and delete their data. |
-| admin@contoso.com   | Yes               | Edit and delete ***all*** data. |
+| User                  | Approve/Reject contacts | Options                         |
+| --------------------- | :---------------------: | ------------------------------- |
+| `test@contoso.com`    | No                      | Edit and delete their data.     |
+| `manager@contoso.com` | Yes                     | Edit and delete their data.     |
+| `admin@contoso.com`   | Yes                     | Edit and delete ***all*** data. |
 
-Create a contact in the administrator's browser. Copy the URL for delete and edit from the administrator contact. Paste these links into the test user's browser to verify the test user can't perform these operations.
+Create a contact in the administrator's browser. Copy the URL for delete and edit from the administrator contact. Paste these links into the test user's browser and verify the test user can't perform these operations.
 
 ## Create the starter app
 
-* Create a Razor Pages app named "ContactManager"
-  * Create the app with **Individual Accounts**.
-  * Name it "ContactManager" so the namespace matches the namespace used in the sample.
-  * `-uld` specifies LocalDB instead of SQLite
+* Create a Razor Pages app:
+
+  * Create the app with _Individual Accounts_.
+  * Name the app **ContactManager**, so the namespace matches the namespace used in the sample.
+  * Use the `-uld` flag to specify LocalDB instead of SQLite.
 
   ```dotnetcli
   dotnet new webapp -o ContactManager -au Individual -uld
   ```
 
-* Add `Models/Contact.cs`:
-                  secure-data\samples\starter6\ContactManager\Models\Contact.cs
+* Add the _Models/Contact.cs_ file:
+
   [!code-csharp[](secure-data/samples/starter6/Models/Contact.cs)]
 
 * Scaffold the `Contact` model.
+
 * Create initial migration and update the database:
 
-```dotnetcli
-dotnet add package Microsoft.VisualStudio.Web.CodeGeneration.Design
-dotnet tool install -g dotnet-aspnet-codegenerator
-dotnet-aspnet-codegenerator razorpage -m Contact -udl -dc ApplicationDbContext -outDir Pages\Contacts --referenceScriptLibraries
-dotnet ef database drop -f
-dotnet ef migrations add initial
-dotnet ef database update
-```
+  ```dotnetcli
+  dotnet add package Microsoft.VisualStudio.Web.CodeGeneration.Design
+  dotnet tool install -g dotnet-aspnet-codegenerator
+  dotnet-aspnet-codegenerator razorpage -m Contact -udl -dc ApplicationDbContext -outDir Pages\Contacts --referenceScriptLibraries
+  dotnet ef database drop -f
+  dotnet ef migrations add initial
+  dotnet ef database update
+  ```
 
-[!INCLUDE[](~/includes/dotnet-tool-install-arch-options.md)]
+  [!INCLUDE[](~/includes/dotnet-tool-install-arch-options.md)]
 
-* Update the **ContactManager** anchor in the `Pages/Shared/_Layout.cshtml` file:
+* Update the **ContactManager** anchor in the _Pages/Shared/\_Layout.cshtml_ file:
 
   ```cshtml
   <a class="nav-link text-dark" asp-area="" asp-page="/Contacts/Index">Contact Manager</a>
@@ -375,16 +379,16 @@ dotnet ef database update
 
 ### Seed the database
 
-<!-- must be sync Task for finished program -->
+<!-- Must be sync Task for finished program -->
 Add the [SeedData](https://github.com/dotnet/AspNetCore.Docs/tree/main/aspnetcore/security/authorization/secure-data/samples/starter6/Data/SeedData.cs) class to the *Data* folder:
 
 [!code-csharp[](secure-data/samples/starter6/Data/SeedData.cs)]
 
-Call `SeedData.Initialize` from `Program.cs`:
+Call the `SeedData.Initialize` method from the _Program.cs_ file:
 
 [!code-csharp[](secure-data/samples/starter6/Program.cs?highlight=18-23)]
 
-Test that the app seeded the database. If there are any rows in the contact DB, the seed method doesn't run.
+Test the app and confirm the database is seeded. If there are any rows in the contact database, the seed method doesn't run.
 
 :::moniker-end
 
@@ -750,11 +754,9 @@ Test that the app seeded the database. If there are any rows in the contact DB,
 
 :::moniker-end
 
-<a name="secure-data-add-resources-label"></a>
-
-### Additional resources
+## Related content
 
 * [Tutorial: Build an ASP.NET Core and Azure SQL Database app in Azure App Service](/azure/app-service/tutorial-dotnetcore-sqldb-app)
-* [ASP.NET Core Authorization Lab](https://github.com/blowdart/AspNetAuthorizationWorkshop). This lab goes into more detail on the security features introduced in this tutorial.
+* [ASP.NET Core Authorization Lab](https://github.com/blowdart/AspNetAuthorizationWorkshop) (extended details on security features)
 * <xref:security/authorization/introduction>
 * [Custom policy-based authorization](xref:security/authorization/policies)
diff --git a/aspnetcore/security/authorization/secure-data/_static/admin.png b/aspnetcore/security/authorization/secure-data/_static/admin.png
index 6fa0245b73b4..e3f435a26add 100644
Binary files a/aspnetcore/security/authorization/secure-data/_static/admin.png and b/aspnetcore/security/authorization/secure-data/_static/admin.png differ
diff --git a/aspnetcore/security/authorization/secure-data/_static/manager.png b/aspnetcore/security/authorization/secure-data/_static/manager.png
index d32add66b75d..3a40b46add4d 100644
Binary files a/aspnetcore/security/authorization/secure-data/_static/manager.png and b/aspnetcore/security/authorization/secure-data/_static/manager.png differ
diff --git a/aspnetcore/security/authorization/secure-data/_static/manager1.png b/aspnetcore/security/authorization/secure-data/_static/manager1.png
index 5db61fa9870f..f3b7a80afe8d 100644
Binary files a/aspnetcore/security/authorization/secure-data/_static/manager1.png and b/aspnetcore/security/authorization/secure-data/_static/manager1.png differ
diff --git a/aspnetcore/security/authorization/secure-data/_static/rick.png b/aspnetcore/security/authorization/secure-data/_static/rick.png
index c7c271abdbcd..6fb2a22ee1d9 100644
Binary files a/aspnetcore/security/authorization/secure-data/_static/rick.png and b/aspnetcore/security/authorization/secure-data/_static/rick.png differ
