Update key-vault-linux.md

Jack Williams · web-flow · commit 89cf711507cb · 2022-07-25T16:00:38.000-07:00
Clarity. Any field that says "optional" is assumed to be optional. Updating the docs to be precise about what scenario it is optional and when its required. Also stating the outcome if failing to provide the field when in a scenario its required.
diff --git a/articles/virtual-machines/extensions/key-vault-linux.md b/articles/virtual-machines/extensions/key-vault-linux.md
@@ -100,8 +100,8 @@ The following JSON shows the schema for the Key Vault VM extension. The extensio
           "observedCertificates": <list of KeyVault URIs representing monitored certificates, e.g.: ["https://myvault.vault.azure.net/secrets/mycertificate", "https://myvault.vault.azure.net/secrets/mycertificate2"]>
         },
         "authenticationSettings": {
-                "msiEndpoint":  <Optional MSI endpoint e.g.: "http://169.254.169.254/metadata/identity">,
-                "msiClientId":  <Optional MSI identity e.g.: "c7373ae5-91c2-4165-8ab6-7381d6e75619">
+          "msiEndpoint":  <Required when msiClientId is provided. MSI endpoint e.g. for most Azure VMs: "http://169.254.169.254/metadata/identity">,
+          "msiClientId":  <Required when VM has any user assigned identities. MSI identity e.g.: "c7373ae5-91c2-4165-8ab6-7381d6e75619".>
         }
        }
       }
@@ -114,7 +114,7 @@ The following JSON shows the schema for the Key Vault VM extension. The extensio
 > This is because the `/secrets` path returns the full certificate, including the private key, while the `/certificates` path does not. More information about certificates can be found here: [Key Vault Certificates](../../key-vault/general/about-keys-secrets-certificates.md)
 
 > [!IMPORTANT]
-> The 'authenticationSettings' property is **required** for VMs with **user assigned identities**.
+> The 'authenticationSettings' property is **required** for VMs with any **user assigned identities**. Even if you want to use a system assigned identity this is still required otherwise the VM extension will not know which identity to use. Without this section, a VM with user assigned identities will result in the Key Vault extension failing and being unable to download certificates.
 > Set msiClientId to the identity that will authenticate to Key Vault.
 > 
 > Also **required** for **Azure Arc-enabled VMs**.

Original file line number	Diff line number	Diff line change
`@@ -100,8 +100,8 @@ The following JSON shows the schema for the Key Vault VM extension. The extensio`
`100`	`100`	`"observedCertificates": <list of KeyVault URIs representing monitored certificates, e.g.: ["https://myvault.vault.azure.net/secrets/mycertificate", "https://myvault.vault.azure.net/secrets/mycertificate2"]>`
`101`	`101`	`},`
`102`	`102`	`"authenticationSettings": {`
`103`		`- "msiEndpoint": <Optional MSI endpoint e.g.: "http://169.254.169.254/metadata/identity">,`
`104`		`- "msiClientId": <Optional MSI identity e.g.: "c7373ae5-91c2-4165-8ab6-7381d6e75619">`
	`103`	`+ "msiEndpoint": <Required when msiClientId is provided. MSI endpoint e.g. for most Azure VMs: "http://169.254.169.254/metadata/identity">,`
	`104`	`+ "msiClientId": <Required when VM has any user assigned identities. MSI identity e.g.: "c7373ae5-91c2-4165-8ab6-7381d6e75619".>`
`105`	`105`	`}`
`106`	`106`	`}`
`107`	`107`	`}`
`@@ -114,7 +114,7 @@ The following JSON shows the schema for the Key Vault VM extension. The extensio`
`114`	`114`	> This is because the `/secrets` path returns the full certificate, including the private key, while the `/certificates` path does not. More information about certificates can be found here: [Key Vault Certificates](../../key-vault/general/about-keys-secrets-certificates.md)
`115`	`115`
`116`	`116`	`> [!IMPORTANT]`
`117`		`-> The 'authenticationSettings' property is required for VMs with user assigned identities.`
	`117`	`+> The 'authenticationSettings' property is required for VMs with any user assigned identities. Even if you want to use a system assigned identity this is still required otherwise the VM extension will not know which identity to use. Without this section, a VM with user assigned identities will result in the Key Vault extension failing and being unable to download certificates.`
`118`	`118`	`> Set msiClientId to the identity that will authenticate to Key Vault.`
`119`	`119`	`>`
`120`	`120`	`> Also required for Azure Arc-enabled VMs.`