Add username clarification

Author: PatAltimore

articles/iot-operations/manage-mqtt-broker/howto-configure-authorization.md

@@ -96,7 +96,7 @@ resource brokerAuthorization 'Microsoft.IoTOperations/instances/brokers/authoriz
             {
               method: 'Publish'
               topics: [
-                '/telemetry/{principal.username}'
+                '/telemetry/{principal.clientId}'
                 '/telemetry/{principal.attributes.organization}'
               ]
             }
@@ -144,7 +144,7 @@ spec:
           - method: Connect
           - method: Publish
             topics:
-              - "/telemetry/{principal.username}"
+              - "/telemetry/{principal.clientId}"
               - "/telemetry/{principal.attributes.organization}"
           - method: Subscribe
             topics:
@@ -166,6 +166,14 @@ This broker authorization allows clients with usernames `temperature-sensor` or
   - `temperature-sensor` can subscribe to `/commands/contoso`.
   - `some-other-username` can subscribe to `/commands/contoso`.
 
+### Using username for authorization
+
+Here's a summary of how the username is used for authorization based on the authentication method:
+
+- **Kubernetes SAT** - Username shouldn't be used for authorization because is not verified for MQTTv5 with enhanced authentication.
+- **x.509** - Username matches the CN from certificate and can be used for authorization rules.
+- **Custom** - Username should only be used for authorization rules if custom authentication validates the username.
+
 ### Further limit access based on client ID
 
 Because the `principals` field is a logical OR, you can further restrict access based on client ID by adding the `clientIds` field to the `brokerResources` field. For example, to allow clients with client IDs that start with its building number to connect and publish telemetry to topics scoped with their building, use the following configuration: