
Commit ef53448

new tip
1 parent a6efc47 commit ef53448

1 file changed: +1 -0 lines changed

articles/frontdoor/origin-authentication-with-managed-identities.md

Lines changed: 1 addition & 0 deletions
@@ -109,3 +109,4 @@ Managed identities are specific to the Microsoft Entra tenant where your Azure s
109109
* After you enable origin authentication in origin group settings, you should not directly disable/delete the identities from the Identity settings under Front Door portal, nor directly delete the user-assigned managed identity under the Managed Identity portal. Doing so will cause origin authentication to fail immediately. Instead, if you want to stop using the origin authentication feature or want to delete/disable the identities, first disable the access restrictions under the Access Control (IAM) section of the origin resource so that the origin is accessible without the need of a managed identity or Entra ID token. Then disable origin authentication under Front Door origin group settings. Wait for some time for the configuration to be updated and then delete/disable the identity if required.
110110
* If your clients are already sending their own tokens under the Authorization header, the token value will be overwritten by AFD with the origin authentication token. If you want AFD to send the client token to the origin, you can configure an AFD rule using the server variable {http_req_header_Authorization} to send the token under a separate header.
111111
:::image type="content" source="media/managed-identity/rules-engine.png" alt-text="Screenshot of the rule for sending the client token to origin via a different header.":::
112+
* It is recommended that you use different managed identities for origin authentication and for AFD to Azure Key Vault authentication.
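
Review bot: The bullet added at line 112 states the recommendation without a reason, so a reader cannot tell what goes wrong when one identity is shared. The first bullet in this hunk already says that disabling or deleting an identity makes origin authentication fail immediately; consider adding a clause that a shared identity ties Key Vault access and origin authentication to the same permissions and lifecycle, so a change made for one affects the other. A direct form such as "Use different managed identities for origin authentication and for AFD to Azure Key Vault authentication" would also read better than the passive "It is recommended that you".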
