Merge pull request #96210 from jacwil/patch-2

Jak-MS · web-flow · commit 17773e046e88 · 2022-09-26T13:33:22.000-07:00
Update key-vault-windows.md
diff --git a/articles/virtual-machines/extensions/key-vault-windows.md b/articles/virtual-machines/extensions/key-vault-windows.md
@@ -88,8 +88,8 @@ The following JSON shows the schema for the Key Vault VM extension. The extensio
           "observedCertificates": <list of KeyVault URIs representing monitored certificates, e.g.: "https://myvault.vault.azure.net/secrets/mycertificate"
         },
         "authenticationSettings": {
-                "msiEndpoint":  <Optional MSI endpoint e.g.: "http://169.254.169.254/metadata/identity">,
-                "msiClientId":  <Optional MSI identity e.g.: "c7373ae5-91c2-4165-8ab6-7381d6e75619">
+          "msiEndpoint":  <Required when msiClientId is provided. MSI endpoint e.g. for most Azure VMs: "http://169.254.169.254/metadata/identity">,
+          "msiClientId":  <Required when VM has any user assigned identities. MSI identity e.g.: "c7373ae5-91c2-4165-8ab6-7381d6e75619".>
         }
        }
       }
@@ -102,7 +102,7 @@ The following JSON shows the schema for the Key Vault VM extension. The extensio
 > This is because the `/secrets` path returns the full certificate, including the private key, while the `/certificates` path does not. More information about certificates can be found here: [Key Vault Certificates](../../key-vault/general/about-keys-secrets-certificates.md)
 
 > [!IMPORTANT]
-> The 'authenticationSettings' property is **required** only for VMs with **user assigned identities**.
+> The 'authenticationSettings' property is **required** for VMs with any **user assigned identities**. Even if you want to use a system-assigned identity, this is still required; otherwise the VM extension will not know which identity to use. Without this section, a VM with user-assigned identities will result in the Key Vault extension failing and being unable to download certificates.
 > It specifies identity to use for authentication to Key Vault.
 
 > [!IMPORTANT]

Original file line number	Diff line number	Diff line change
`@@ -88,8 +88,8 @@ The following JSON shows the schema for the Key Vault VM extension. The extensio`
`88`	`88`	`"observedCertificates": <list of KeyVault URIs representing monitored certificates, e.g.: "https://myvault.vault.azure.net/secrets/mycertificate"`
`89`	`89`	`},`
`90`	`90`	`"authenticationSettings": {`
`91`		`- "msiEndpoint": <Optional MSI endpoint e.g.: "http://169.254.169.254/metadata/identity">,`
`92`		`- "msiClientId": <Optional MSI identity e.g.: "c7373ae5-91c2-4165-8ab6-7381d6e75619">`
	`91`	`+ "msiEndpoint": <Required when msiClientId is provided. MSI endpoint e.g. for most Azure VMs: "http://169.254.169.254/metadata/identity">,`
	`92`	`+ "msiClientId": <Required when VM has any user assigned identities. MSI identity e.g.: "c7373ae5-91c2-4165-8ab6-7381d6e75619".>`
`93`	`93`	`}`
`94`	`94`	`}`
`95`	`95`	`}`
`@@ -102,7 +102,7 @@ The following JSON shows the schema for the Key Vault VM extension. The extensio`
`102`	`102`	> This is because the `/secrets` path returns the full certificate, including the private key, while the `/certificates` path does not. More information about certificates can be found here: [Key Vault Certificates](../../key-vault/general/about-keys-secrets-certificates.md)
`103`	`103`
`104`	`104`	`> [!IMPORTANT]`
`105`		`-> The 'authenticationSettings' property is required only for VMs with user assigned identities.`
	`105`	`+> The 'authenticationSettings' property is required for VMs with any user assigned identities. Even if you want to use a system-assigned identity, this is still required; otherwise the VM extension will not know which identity to use. Without this section, a VM with user-assigned identities will result in the Key Vault extension failing and being unable to download certificates.`
`106`	`106`	`> It specifies identity to use for authentication to Key Vault.`
`107`	`107`
`108`	`108`	`> [!IMPORTANT]`