diff --git a/2-WebApp-graph-user/2-5-HybridFlow/AppCreationScripts-withCert/sample.json b/2-WebApp-graph-user/2-5-HybridFlow/AppCreationScripts-withCert/sample.json
index 8e6e0899..18844126 100644
--- a/2-WebApp-graph-user/2-5-HybridFlow/AppCreationScripts-withCert/sample.json
+++ b/2-WebApp-graph-user/2-5-HybridFlow/AppCreationScripts-withCert/sample.json
@@ -18,7 +18,7 @@
   },
   "ReadmeScenario": {
     "IncludeFilePath": "../ReadmeFiles/ReadmeScenario.md",
-    "Image": "../ReadmeFiles/topology.png",
+    "Image": "./ReadmeFiles/topology.png",
     "AdditionalNotes": ""
   },
   "ReadmePrerequirements": {
diff --git a/2-WebApp-graph-user/2-5-HybridFlow/AppCreationScripts/sample.json b/2-WebApp-graph-user/2-5-HybridFlow/AppCreationScripts/sample.json
index 9256a4f8..48b7f475 100644
--- a/2-WebApp-graph-user/2-5-HybridFlow/AppCreationScripts/sample.json
+++ b/2-WebApp-graph-user/2-5-HybridFlow/AppCreationScripts/sample.json
@@ -18,7 +18,7 @@
   },
   "ReadmeScenario": {
     "IncludeFilePath": "../ReadmeFiles/ReadmeScenario.md",
-    "Image": "../ReadmeFiles/topology.png",
+    "Image": "./ReadmeFiles/topology.png",
     "AdditionalNotes": ""
   },
 
diff --git a/2-WebApp-graph-user/2-5-HybridFlow/README.md b/2-WebApp-graph-user/2-5-HybridFlow/README.md
index a05e279e..48401c62 100644
--- a/2-WebApp-graph-user/2-5-HybridFlow/README.md
+++ b/2-WebApp-graph-user/2-5-HybridFlow/README.md
@@ -32,11 +32,12 @@ Table Of Contents
 
  Use the hybrid-SPA code flow to obtain an Access token for your Web API in he backend and use it in the client SPA [without re-authenticating the user]
 
- 1. The client ASP.NET Core Web App uses the [Microsoft.Identity.Web](https://aka.ms/microsoft-identity-web) to sign-in and obtain a JWT [Access Tokens](https://docs.microsoft.com/azure/active-directory/develop/access-tokens) from **Azure AD** as well as an additional [Spa Authorization Code](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/SPA-Authorization-Code) to be passed to a client-side single page application.
- 1. The [Access Tokens](https://docs.microsoft.com/azure/active-directory/develop/access-tokens) is used as a bearer token to call the **Microsoft Graph API**.
- 1. The [Spa Authorization Code](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/SPA-Authorization-Code) is passed to the razor single page application to be exchanged for an access token client side.
+ 1. The client ASP.NET Core Web App uses the [Microsoft.Identity.Web](https://aka.ms/microsoft-identity-web) to sign-in and obtain a JWT [Access Token](https://docs.microsoft.com/azure/active-directory/develop/access-tokens) from **Azure AD** as well as an additional [Spa Authorization Code](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/SPA-Authorization-Code) to be passed to a client-side single page application.
+ 1. The [Spa Authorization Code](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/SPA-Authorization-Code) is passed to the client-side application using the session configuration for the application.
+ 1. The [Spa Authorization Code](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/SPA-Authorization-Code) is exchanged for another [Access Token](https://docs.microsoft.com/azure/active-directory/develop/access-tokens) in the client-side application.
+ 1. The [Access Token](https://docs.microsoft.com/azure/active-directory/develop/access-tokens) is used by the client-side application as a bearer token to call the **Microsoft Graph API**.
 
-![Scenario Image](../ReadmeFiles/topology.png)
+![Scenario Image](./ReadmeFiles/topology.png)
 ## Prerequisites
 
 * Either [Visual Studio](https://visualstudio.microsoft.com/downloads/) or [Visual Studio Code](https://code.visualstudio.com/download) and [.NET Core SDK](https://www.microsoft.com/net/learn/get-started)
diff --git a/2-WebApp-graph-user/2-5-HybridFlow/ReadmeFiles/ReadmeScenario.md b/2-WebApp-graph-user/2-5-HybridFlow/ReadmeFiles/ReadmeScenario.md
index ad1d93f3..0b53ae77 100644
--- a/2-WebApp-graph-user/2-5-HybridFlow/ReadmeFiles/ReadmeScenario.md
+++ b/2-WebApp-graph-user/2-5-HybridFlow/ReadmeFiles/ReadmeScenario.md
@@ -2,6 +2,7 @@
 
  Use the hybrid-SPA code flow to obtain an Access token for your Web API in he backend and use it in the client SPA [without re-authenticating the user]
 
- 1. The client ASP.NET Core Web App uses the [Microsoft.Identity.Web](https://aka.ms/microsoft-identity-web) to sign-in and obtain a JWT [Access Tokens](https://docs.microsoft.com/azure/active-directory/develop/access-tokens) from **Azure AD** as well as an additional [Spa Authorization Code](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/SPA-Authorization-Code) to be passed to a client-side single page application.
- 1. The [Access Tokens](https://docs.microsoft.com/azure/active-directory/develop/access-tokens) is used as a bearer token to call the **Microsoft Graph API**.
- 1. The [Spa Authorization Code](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/SPA-Authorization-Code) is passed to the razor single page application to be exchanged for an access token client side.
+ 1. The client ASP.NET Core Web App uses the [Microsoft.Identity.Web](https://aka.ms/microsoft-identity-web) to sign-in and obtain a JWT [Access Token](https://docs.microsoft.com/azure/active-directory/develop/access-tokens) from **Azure AD** as well as an additional [Spa Authorization Code](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/SPA-Authorization-Code) to be passed to a client-side single page application.
+ 1. The [Spa Authorization Code](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/SPA-Authorization-Code) is passed to the client-side application using the session configuration for the application.
+ 1. The [Spa Authorization Code](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/SPA-Authorization-Code) is exchanged for another [Access Token](https://docs.microsoft.com/azure/active-directory/develop/access-tokens) in the client-side application.
+ 1. The [Access Token](https://docs.microsoft.com/azure/active-directory/develop/access-tokens) is used by the client-side application as a bearer token to call the **Microsoft Graph API**.