Commit 91675d2

AVD shc add Key Vault firewall requirement for AD domain join
The key vault containing the domain join credentials (username & password) must have its firewall set to "Allow public access from all networks" or the session host will be unable to retrieve the domain join configuration. If the key vault is set to either "Allow public access from specific virtual networks and IP addresses" or "Disable public access" the domain join process will fail.
1 parent dc7a96c commit 91675d2

1 file changed

+2
-0
lines changed
articles/virtual-desktop/session-host-update-configure.md

Lines changed: 2 additions & 0 deletions
@@ -63,6 +63,8 @@ Before you update session hosts using session host update, you need:
6363

6464
- A key vault containing the secrets you want to use for your virtual machine local administrator account credentials and, if you're joining session hosts to an Active Directory domain, your domain join account credentials. You need one secret for each username and password. The virtual machine local administrator password must meet the [password requirements when creating a VM](/azure/virtual-machines/windows/faq#what-are-the-password-requirements-when-creating-a-vm-).
6565

66+
- If you’re joining session hosts to an Active Directory domain, you must set the Firewall of the Key Vault to [Allow public access from all networks](https://learn.microsoft.com/en-us/azure/key-vault/general/how-to-azure-key-vault-network-security).
67+
6668
- You need to provide the Azure Virtual Desktop service principal the ability to read the secrets. Your key vault can be configured to use either:
6769

6870
- [The Azure RBAC permission model](/azure/key-vault/general/rbac-guide) with the role [Key Vault Secrets User](../role-based-access-control/built-in-roles.md#key-vault-secrets-user) assigned to the Azure Virtual Desktop service principal.
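
Review bot: The bullet added at new line 66 states the requirement but neither the consequence nor the trade-off. The commit message says domain join fails when the firewall is set to "Allow public access from specific virtual networks and IP addresses" or "Disable public access"; put that in the bullet so readers know both restricted settings are unsupported for this scenario. Since the setting leaves the vault that holds the domain join credentials reachable from all networks, the bullet should also say that access to the secrets then rests on the permission model configured in the bullets that follow. Style points on the same line: the link is an absolute https://learn.microsoft.com/en-us/... URL where the neighbouring lines use site-relative /azure/... links, "you’re" uses a curly apostrophe where line 64 uses "you're", and "Firewall of the Key Vault" is capitalised where the surrounding text writes "key vault".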
