diff --git a/content/guides/authentication/client-credentials/index.md b/content/guides/authentication/client-credentials/index.md
index eca3abede..23e66fa77 100644
--- a/content/guides/authentication/client-credentials/index.md
+++ b/content/guides/authentication/client-credentials/index.md
@@ -46,12 +46,23 @@ If you would like to authenticate as the application's [Service Account][sa]:
- set `box_subject_type` to `enterprise`
- set `box_subject_id` to the enterprise ID
-If you would like to authenticate as a Managed User:
+
+
+If you would like to authenticate as an admin or a managed user:
- set `box_subject_type` to `user`
- set `box_subject_id` to the user ID
+- enable **App + Enterprise Access** and **Generate User Access Tokens** Box [Developer Console][devconsole]
-
+
+
+If you would like to authenticate as any application user:
+
+- set `box_subject_type` to `user`
+- set `box_subject_id` to the user ID
+- enable **Generate User Access Tokens** in the Box [Developer Console][devconsole]
+
+
## Common Errors
@@ -69,7 +80,13 @@ This error indicates either:
- the client ID and client secret passed are incorrect or are not for the same application,
-- the `box_subject_id` cannot be used based on the selected [application access][aa]. For example, if you send in a `box_subject_type` of `enterprise` and your application is configured for App Access Only, the `grant credentials are invalid` error will be returned,
+- the `box_subject_id` cannot be used based on the selected [application access][aa].
+
+
+
+A CCG app with App Access Only can send in the `box_subject_type` of `enterprise` to authenticate as its service account, but it can't authenticate as a managed user or an admin.
+
+
- to use a `box_subject_type` of `user`, your application should be configured to generate user access tokens in the **Advanced Features** section of the **Configuration tab**.