update to fix pr blocking issues

Author: ceperezb

learn-pr/wwl-sci/design-solutions-identity-access-management/includes/3-design-solution-external-identities.md

@@ -24,15 +24,15 @@ External ID addresses two primary scenarios through different tenant configurati
 | **B2B collaboration** | Workforce tenant | Partners, vendors, and contractors accessing your organization's Microsoft 365 apps, SharePoint, Teams, and line-of-business applications |
 | **Customer identity (CIAM)** | External tenant | Consumers and business customers accessing your custom applications with branded sign-in experiences |
 
-:::image type="content" source="../media/external-id-tenant-configurations.png" alt-text="Diagram showing a representation of the two external ID scenarios and the corresponding tenant type. Collaboration with business guests uses a workforce tenant configuration. External facing apps use an external tenant configuration.":::
+:::image type="content" source="../media/external-id-tenant-configurations.png" lightbox="../media/external-id-tenant-configurations.png" alt-text="Diagram showing a representation of the two external ID scenarios and the corresponding tenant type. Collaboration with business guests uses a workforce tenant configuration. External facing apps use an external tenant configuration.":::
 
 ### B2B collaboration in workforce tenants
 
 B2B collaboration enables your workforce to work securely with external business partners. You invite guests to sign in to your Microsoft Entra organization using their own credentials, granting them access to the apps and resources you choose to share.
 
 With B2B collaboration, the partner uses their own identity management solution. You don't manage external accounts, sync accounts, or handle password resets. Guest users authenticate with their home organization or identity provider, while your organization controls resource access through policies. This means B2B guests are subject to your Conditional Access policies, MFA requirements, terms of use, and other security controls—just like your internal users.
 
-:::image type="content" source="../media/b2b-collaboration-overview.png" alt-text="Diagram showing a representation of B2B collaboration.":::
+:::image type="content" source="../media/b2b-collaboration-overview.png" lightbox="../media/b2b-collaboration-overview.png" alt-text="Diagram showing a representation of B2B collaboration.":::
 
 #### Authentication with B2B collaboration
 
@@ -78,7 +78,7 @@ Both organizations must mutually enable B2B direct connect through cross-tenant
 
 When building applications for consumers or business customers, Microsoft Entra External ID in an external tenant provides customer identity and access management (CIAM) capabilities. This configuration isolates customer identities from your workforce directory.
 
-:::image type="content" source="../media/overview-ciam.png" alt-text="Diagram showing a representation of External ID in an external tenant.":::
+:::image type="content" source="../media/customer-identity-access-management.png" lightbox="../media/customer-identity-access-management.png" alt-text="Diagram showing a representation of External ID in an external tenant.":::
 
 #### External tenant characteristics
 

learn-pr/wwl-sci/design-solutions-identity-access-management/includes/5-align-conditional-access-zero-trust.md

@@ -97,31 +97,36 @@ The assume breach principle acknowledges that compromise can occur and focuses o
 Use this checklist to validate your Conditional Access configuration against Zero Trust requirements:
 
 **Identity controls**
-- [ ] MFA required for all users
-- [ ] Legacy authentication blocked
-- [ ] Risk-based policies enabled
-- [ ] Phishing-resistant authentication for privileged accounts
+
+☐ MFA required for all users<br>
+☐ Legacy authentication blocked<br>
+☐ Risk-based policies enabled<br>
+☐ Phishing-resistant authentication for privileged accounts
 
 **Device controls**
-- [ ] Device compliance required for corporate resource access
-- [ ] Device filters configured for appropriate targeting
-- [ ] Unmanaged device access restricted appropriately
+
+☐ Device compliance required for corporate resource access<br>
+☐ Device filters configured for appropriate targeting<br>
+☐ Unmanaged device access restricted appropriately
 
 **Network controls**
-- [ ] Named locations defined for trusted networks
-- [ ] Geographic restrictions applied
-- [ ] Enhanced controls for external network access
+
+☐ Named locations defined for trusted networks<br>
+☐ Geographic restrictions applied<br>
+☐ Enhanced controls for external network access
 
 **Application controls**
-- [ ] Conditional Access App Control enabled for sensitive applications
-- [ ] Session controls configured appropriately
-- [ ] Application-specific policies for high-value targets
+
+☐ Conditional Access App Control enabled for sensitive applications<br>
+☐ Session controls configured appropriately<br>
+☐ Application-specific policies for high-value targets
 
 **Monitoring and response**
-- [ ] CAE enabled where supported
-- [ ] Identity Protection risk policies active
-- [ ] Sign-in logs monitored
-- [ ] Alerts configured for policy exceptions
+
+☐ CAE enabled where supported<br>
+☐ Identity Protection risk policies active<br>
+☐ Sign-in logs monitored<br>
+☐ Alerts configured for policy exceptions
 
 ## Common misalignments