From 2e6686cc188267dec3973234d76f7b4acff59579 Mon Sep 17 00:00:00 2001 From: benz0 Date: Thu, 30 May 2019 21:25:30 -0500 Subject: [PATCH] Explain owner role requirement (#6801) --- website/source/docs/secrets/azure/index.html.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/website/source/docs/secrets/azure/index.html.md b/website/source/docs/secrets/azure/index.html.md index a52c1aa33..177bdcd44 100644 --- a/website/source/docs/secrets/azure/index.html.md +++ b/website/source/docs/secrets/azure/index.html.md @@ -170,6 +170,11 @@ The following Azure roles and Azure Active Directory (AAD) permissions are requi - "Read and write all applications" permission in AAD These permissions can be configured through the Azure Portal, CLI tool, or PowerShell. +In your Azure subscription, your account must have `Microsoft.Authorization/*/Write` +access to assign an AD app to a role. This action is granted through the [Owner](https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#owner) role or +[User Access Administrator](https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#user-access-administrator) role. If your account is assigned to the Contributor role, you +don't have adequate permission. You will receive an error when attempting to assign the service +principal to a role. ## Choosing between dynamic or existing service principals
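Review bot: "your account" in the added paragraph is ambiguous; the preceding context lists permissions required for the credentials configured in the secrets engine, so the new sentence should say explicitly whether it means the service principal Vault authenticates with or the operator doing the setup, since those may be different identities. Two smaller points on the same hunk: of the two roles named, Owner also grants full control over every resource in the subscription, while User Access Administrator covers only role assignment, so the text would serve readers better if it named User Access Administrator as the least-privilege choice (`Microsoft.Authorization/*/Write` is also a wildcard; the specific action needed for role assignment is `Microsoft.Authorization/roleAssignments/write`, which is worth stating so operators do not grant more than they need). The Markdown is wrapped at inconsistent widths ("...or [User Access Administrator](...) role. If your account is assigned to the Contributor role, you" runs far past the surrounding lines); please rewrap to match the rest of the file.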