Feat Insomnia Add scopes required

Author: TuannasCodeCatastrophe

app/insomnia/external-vault.md

@@ -157,11 +157,26 @@ For HashiCorp, the environment variables to define for Inso CLI depend on the pl
 
 ## Azure Key Vault
 
+When you connect Insomnia to Azure Key Vault, Azure prompts for OAuth consent in a browser. The requested scopes define the permissions Insomnia uses to authenticate and access secrets.
+
+Use the following required scopes:
+- `openid`: Support sign-in with Microsoft Entra ID.
+- `profile`: Provide basic account information that's required for authentication.
+- `offline_access`: Allow authentication to persist without repeated sign-in.
+- `user_impersonation`: Grant delegated access to Azure Key Vault and allow secret retrieval using the signed-in user’s existing permissions.
+
+Azure enforces these permissions during consent and applies Key Vault access control based on the user’s assigned roles. For more information about required scopes, go to [Scopes and permissions](https://learn.microsoft.com/en-us/entra/identity-platform/scopes-oidc).
+
+To choose Azure Key Vault:
 1. Navigate to **Preferences > Cloud Credentials**.
 1. Click **Add Credentials**, select **Azure**.
 1. You will be redirected to authorize Insomnia in your browser.
 1. After authorization, you'll return to Insomnia with your Azure account credential added.
 
+{:.info}
+> Azure Key Vault access uses delegated permissions. The Azure account that you sign in with in Insomnia, the Azure app registration, and the Azure Key Vault must belong to the same Azure organization, unless cross-organization access is explicitly configured in Azure. If these are in different organizations, Azure can deny access even when the correct scopes are granted.
+
+
 ## Using secrets
 
 External vault secrets can be referenced anywhere in Insomnia requests using [template tags](/insomnia/template-tags/). In the field of your choice: