From 7daea41d0150260b19900f2dd69bbe3cf5ff146e Mon Sep 17 00:00:00 2001
From: Vighnesh Shenoy <vighneshq@gmail.com>
Date: Fri, 11 Mar 2022 14:07:24 +0530
Subject: [PATCH] Restructure.

Co-authored-by: Tom Kerkhove <kerkhove.tom@gmail.com>
---
 content/docs/2.7/concepts/authentication.md | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/content/docs/2.7/concepts/authentication.md b/content/docs/2.7/concepts/authentication.md
index d2689a478..1106ae40a 100644
--- a/content/docs/2.7/concepts/authentication.md
+++ b/content/docs/2.7/concepts/authentication.md
@@ -223,11 +223,14 @@ hashiCorpVault:                                     # Optional.
 
 ### Azure Key Vault secret(s)
 
-You can pull secrets from Azure Key Vault into the trigger by using the `azureKeyVault` key. Users need to register an application
-with Azure Active Directory, and give permissions to it for accessing the key vault. The `clientId` and `tenantId` for the application
-are to be provided as part of the spec. The `clientSecret` for the application is expected to be within a secret on the cluster.
+You can pull secrets from Azure Key Vault into the trigger by using the `azureKeyVault` key. 
+
 The `secrets` list defines the mapping between the key vault secret and the authentication parameter.
 
+Users need to register an application with Azure Active Directory, and grant "read secret" permissions on the Azure Key Vault. Learn more in the Azure Key Vault [documentation](https://docs.microsoft.com/en-us/azure/key-vault/general/assign-access-policy?tabs=azure-portal).
+
+The `clientId` and `tenantId` for the application are to be provided as part of the spec. The `clientSecret` for the application is expected to be within a secret on the cluster.
+
 ```yaml
 azureKeyVault:                                      # Optional
   vaultURI: {key-vault-address}                     # Required