From 140776734baf776bfc596dcebb5a5a3d9e7bcecc Mon Sep 17 00:00:00 2001 From: Chris Hoffman Date: Thu, 19 Jul 2018 10:24:55 -0400 Subject: [PATCH] Adding information on required azure permissions (#4956) --- website/source/docs/auth/azure.html.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/website/source/docs/auth/azure.html.md b/website/source/docs/auth/azure.html.md index 39ec891d67..356670b967 100644 --- a/website/source/docs/auth/azure.html.md +++ b/website/source/docs/auth/azure.html.md @@ -26,6 +26,10 @@ The following documentation assumes that the method has been * A configured [Azure AD application](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-integrating-applications) which is used as the resource for generating MSI access tokens. * Client credentials (shared secret) for accessing the Azure Resource Manager with read access to compute endpoints. See [Azure AD Service to Service Client Credentials](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-service-to-service) +Required Azure API permissions to be granted to Vault user: +* Microsoft.Compute/virtualMachines/*/read +* Microsoft.Compute/virtualMachineScaleSets/*/read + If Vault is hosted on Azure, Vault can use MSI to access Azure instead of a shared secret. MSI must be [enabled](https://docs.microsoft.com/en-us/azure/active-directory/managed-service-identity/qs-configure-portal-windows-vm) on the VMs hosting Vault. The next sections review how the authN/Z workflows work. If you
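Review bot: the two added permission strings `Microsoft.Compute/virtualMachines/*/read` and `Microsoft.Compute/virtualMachineScaleSets/*/read` contain bare `*` characters and should be wrapped in backticks so markdown cannot treat the asterisks as emphasis delimiters and so they read as literal Azure RBAC action names. The lead line `Required Azure API permissions to be granted to Vault user:` should also name the identity it means, since the surrounding text describes two options (the client-credential service principal, or the VM's MSI when Vault is hosted on Azure) rather than a "user", and it would help to say that these two actions are the concrete form of the "read access to compute endpoints" mentioned in the bullet just above, e.g. "Whichever identity Vault uses (shared-secret client credentials or MSI) must be granted the following Azure RBAC actions:".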