fix typo

Author: genlin

support/entra/entra-id/app-integration/bundle-consent-application-registrations.md

@@ -12,30 +12,30 @@ This article explains how to configure bundled consent for Microsoft Entra ID ap
 
 ## Symptoms
 
-You have a custom client app and a custom API app， and you create app registrations for the both apps in Microsoft Entra ID. You configure bundle the consent for these two apps. In this scenario, you might receive one of the following errors when you try to sign into the app:
+You have a custom client app and a custom API app, and you create app registrations for both apps in Microsoft Entra ID. You configure bundle consent for these two apps. In this scenario, you might receive one of the following errors when you try to sign into the app:
 
-- AADSTS70000: The request was denied because one or more scopes requested are unauthorized or expired. The user must first sign in and grant the client application access to the requested scope
+- AADSTS70000: The request was denied because one or more scopes requested are unauthorized or expired. The user must first sign in and grant the client application access to the requested scope.
 
-- AADSTS650052: The app is trying to access a service\”{app_id}\”(\”app_name\”) that your organization %\”{organization}\” lacks a service principal for. Contact your IT Admin to review the configuration of your service subscriptions or consent to the application in order to create the required service principal
+- AADSTS650052: The app is trying to access a service\”{app_id}\”(\”app_name\”) that your organization %\”{organization}\” lacks a service principal for. Contact your IT Admin to review the configuration of your service subscriptions or consent to the application in order to create the required service principal.
 
 ## Solution
 
-## Step 1: Configure knownClientApplications for the API app registration
+### Step 1: Configure knownClientApplications for the API app registration
 
 Add the custom client app ID to the custom API app registration's `knownClientApplications` property. For more information, see [knownClientApplications attribute](/entra/identity-platform/reference-app-manifest#knownclientapplications-attribute).
 
-## Step 2: Configure API permissions
+### Step 2: Configure API permissions
 
 Make sure that:
 
 - All required API permissions are correctly configured on both the custom client and custom API app registrations.
 - The custom client app registration includes the API permissions that are defined in the custom API app registration.
 
-## Step 3: The sign-in request
+### Step 3: The sign-in request
 
-Your authentication request must use the `.default` scope for Microsoft Graph. For Microsoft accounts, the scope must be for the custom API. 
+Your authentication request must use the `.default` scope for Microsoft Graph. For Microsoft accounts, the scope must be for the custom API.
 
-### Example Request for Microsoft accounts and Work or school accounts
+**Example Request for Microsoft accounts and Work or school accounts**
 
 ```HTTP
 https://login.microsoftonline.com/common/oauth2/v2.0/authorize
@@ -45,10 +45,11 @@ https://login.microsoftonline.com/common/oauth2/v2.0/authorize
 &scope=openid profile offline_access app_uri_id1/.default
 &prompt=consent
 ```
-> [NOTE!]
+
+> [!NOTE]
 > The client will not appear as having permission for the API. This is expected because the client is listed as a knownClientApplication.
 
-### Example request for Work or school accounts only
+**Example request for Work or school accounts only**
 
 If you are not supporting Microsoft Accounts:
 
@@ -60,12 +61,11 @@ GET https://login.microsoftonline.com/common/oauth2/v2.0/authorize
 &redirect_uri=https://localhost
 &scope=openid profile offline_access User.Read https://graph.microsoft.com/.default
 &prompt=consent
-
 ```
 
-### Implementation with MSAL.NET
+#### Implementation with MSAL.NET
 
-```http
+```csharp
 String[] consentScope = { "api://ae5a0bbe-d6b3-4a20-867b-c8d9fd442160/.default" };
 var loginResult = await clientApp.AcquireTokenInteractive(consentScope)
     .WithAccount(account)
@@ -75,7 +75,7 @@ var loginResult = await clientApp.AcquireTokenInteractive(consentScope)
 
 Consent propagation for new service principals and permissions may take time. Your application should handle this delay.
 
-### Acquire Tokens for multiple resources
+#### Acquire tokens for multiple resources
 
 If your client app needs to acquire tokens for another resource such as Microsoft Graph, you must implement logic to handle potential delays after users consent to application. Here are some recommendations:
 
@@ -85,7 +85,7 @@ If your client app needs to acquire tokens for another resource such as Microsof
 
 Currently, if `AcquireTokenSilent` fails, MSAL requires a successful interactive authentication before allowing another silent token acquisition. This restriction applies even if a valid refresh token is available.
 
-Here is a sample code about retry logic:
+Here is a sample code about the retry logic:
 
 ```csharp
     public static async Task<AuthenticationResult> GetTokenAfterConsentAsync(string[] resourceScopes)
@@ -148,7 +148,7 @@ Here is a sample code about retry logic:
         }
 ```
 
-### On the custom API using the On-behalf-of flow
+#### On the custom API using the On-behalf-of flow
 
 Similar to the client app, when your custom API tries to acquire tokens for another resource using the On-Behalf-Of (OBO) flow, it may fail immediately after consent. To resolve this issue, you can implement retry logic and scope tracking as the following sample:
 
@@ -174,7 +174,7 @@ while (result == null && retryCount >= 6)
 If (result==null) return new HttpStatusCodeResult(HttpStatusCode.Forbidden, "Need Consent");
 ```
 
-If all retries fail, return an error and throw an error and instruct the client to initial a full consent process.
+If all retries fail, return an error and instruct the client to initial a full consent process.
 
 **Example of client code that assumes your API throws a 403**
 
@@ -199,7 +199,7 @@ if(apiResult.StatusCode==HttpStatusCode.Forbidden)
 
 Ideally, you should create a separate flow that guides users through the consent process, provisions your app and API in their tenant or Microsoft account, and completes consent in a single step that separate from signing in.
 
-If you don’t separate this flow and instead combine it with your app’s sign-in experience, the process can become confusing. Users may encounter multiple consent prompts. To improve the experience, consider adding a message in your app that informs users they might be asked to consent more than once：
+If you don't separate this flow and instead combine it with your app's sign-in experience, the process can become confusing. Users may encounter multiple consent prompts. To improve the experience, consider adding a message in your app that informs users they might be asked to consent more than once：
 
 - For Microsoft accounts, expect at least two consent prompts: one for the client app and one for the API.
 - For work or school accounts, typically only one consent prompt is required.