chore(docs): Refine the examples

Author: irby

docs/ambient-providers/azure.md

@@ -12,9 +12,9 @@ This documentation is for instructions on using ambient credentials within Azure
 
 There are two types of [managed identities](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview#managed-identity-types) that your Azure AKS workload may use:
 - System-assigned managed identity (MSI)
-    - Automatically created and managed by Azure at the cluster level. This identity **can not** be shared with other Azure resources.
+    - Automatically created and managed by Azure at the cluster level. This identity **can not** be shared with other Azure resources. This is used by default.
 - User-assigned managed identity (UAMI)
-    - Created and managed by you. Identity **can** be shared with other Azure resources and associated with Kubernetes ServiceAccounts via Azure AD Workload Identity.
+    - Created and managed by you. Identity **can** be shared with other Azure resources and associated with Kubernetes ServiceAccounts via Azure AD Workload Identity. Requires explicit workload identity configuration (show below).
 
 Since you are using ambient credentials generated by your Azure AKS workload and targeting these credentials for your Command instance, you will need to create an [Azure App Registration](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app). We will walk through App Registration configuration in this document.
 
@@ -27,7 +27,12 @@ By default, your AKS cluster is configured to use system-assigned managed identi
 1. Create an Azure App Registration. [Installation steps](#azure-app-registration)
 1. Deploy Issuer or ClusterIssuer Resource. [Installation steps](../../README.md#creating-issuer-and-clusterissuer-resources)
     - To use ambient credentials, do not supply a `commandSecretName` to your issuer's specification.
-    - **IMPORTANT**: Fill in the `scopes` in your issuer's specification with the Application ID URI of your App Registration, suffixed with `./default`. (i.e. `scopes: api://your-app-registration-endpoint/.default`)
+    - **IMPORTANT**: Fill in the `scopes` in your issuer's specification with the Application ID URI of your App Registration, suffixed with `./default`. Example:
+        ```yaml
+        # Example issuer configuration
+        spec:
+            scopes: "api://your-app-registration-id/.default"
+        ```
 1. Add the system-assigned managed identity object ID to a security claim in Keyfactor Command
     ```bash
     export AKS_CLUSTER_RESOURCE_GROUP="" # the resource group your AKS cluster is deployed to
@@ -46,6 +51,8 @@ By default, your AKS cluster is configured to use system-assigned managed identi
     echo "Authority: https://login.microsoftonline.com/$CURRENT_TENANT/v2.0"
     ```
 
+    > **Note**: AKS workloads inherit the kubelet's managed identity, not the cluster's control plane identity. This is why we use `identityProfile.kubeletidentity.objectId` rather than `identity.principalId`.
+
     You can map the object ID to an OAuth Subject or OAuth Object ID security claim in Keyfactor Command. Make sure the [security claim is associated to a security role](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/SecurityOverview.htm?Highlight=Security%20Roles) with the required permissions. Please refer to the [Configuring Command](../../README.md#configuring-command) **Configure Command Security Roles and Claims** section for security role requirements.
 
     Make sure an identity provider is configured in Keyfactor Command with the authority set to the authority output above.
@@ -156,7 +163,12 @@ User-assigned managed identity configuration is more involved, but allows the id
 1. Create an Azure App Registration. [Installation steps](#azure-app-registration)
 1. Deploy Issuer or ClusterIssuer Resource. [Installation steps](../../README.md#creating-issuer-and-clusterissuer-resources)
     - To use ambient credentials, do not supply a `commandSecretName` to your issuer's specification.
-    - **IMPORTANT**: Fill in the `scopes` in your issuer's specification with the Application ID URI of your App Registration, suffixed with `./default`. (i.e. `scopes: api://your-app-registration-endpoint/.default`)
+    - **IMPORTANT**: Fill in the `scopes` in your issuer's specification with the Application ID URI of your App Registration, suffixed with `./default`. Example:
+        ```yaml
+        # Example issuer configuration
+        spec:
+            scopes: "api://your-app-registration-id/.default"
+        ```
 1. Add the user-assigned managed identity principal ID to a security claim in Keyfactor Command
     ```shell
     export UAMI_PRINCIPAL_ID=$(az identity show --name $UAMI_IDENTITY_NAME --resource-group $AKS_CLUSTER_RESOURCE_GROUP --query principalId --output tsv)