Consul Docs: Azure auto-join MSI clarification

[nphilbrook]

Description

While figuring out how to use Azure auto-join from VMs with both a System-managed identity and a User-managed identity, when I needed to use the User-managed identity, I stumbled on some serious pain. This is probably not the best way to explain it, but I wanted others to benefit from my journey of pain. I will happily accept any suggestions on wording, organization, or verbiage. The 2 main points I want to get across that I discovered from reading both the go-discover code and the Azure/go-autorest code are that:

• client_id, client_secret, and tenant_id must ALL be specified for any of them to be respected. If you omit any of them, none of them are respected and MSI is used. Code reference from go-discover
• Once you fall back to MSI, to specify a specific client_id, you have to use AZURE_CLIENT_ID and NOT ARM_CLIENT_ID. Code references from Azure/go-autorest:
  • https://github.com/Azure/go-autorest/blob/c2958ac74c65c138045daa60f149c5f9d949d743/autorest/azure/auth/auth.go#L43
  • https://github.com/Azure/go-autorest/blob/c2958ac74c65c138045daa60f149c5f9d949d743/autorest/azure/auth/auth.go#L198

Contributor checklists

Review urgency:

• ASAP: Bug fixes, broken content, imminent releases
• 3 days: Small changes, easy reviews
• 1 week: Default expectation
• Best effort: No urgency

Pull request:

• Verify that the PR is set to merge into the correct base branch
• Verify that all status checks passed
• Verify that the preview environment deployed successfully
• Add additional reviewers if they are not part of assigned groups

Content:

• I added redirects for any moved or removed pages
• I followed the Education style guide
• I looked at the local or Vercel build to make sure the content rendered correctly

Reviewer checklist

• This PR is set to merge into the correct base branch.
• The content does not contain technical inaccuracies.
• The content follows the Education content and style guides.
• I have verified and tested changes to instructions for end users.

[github-actions]

Vercel Previews Deployed

Name	Status	Preview	Updated (UTC)
Dev Portal	✅ Ready (Inspect)	Visit Preview	Thu Nov 20 13:24:58 UTC 2025
Unified Docs API	✅ Ready (Inspect)	Visit Preview	Thu Nov 20 13:18:18 UTC 2025

[github-actions]

Broken Link Checker

No broken links found! 🎉

[boruszak]

Please implement suggestions for style guide alignment.

[boruszak]

Suggested change

	<Note>
	If any of the tentant, client, or client_secret arguments are omitted, then Consul will fall back to Managed Service Identities (see below) and
	any client_id that _was_ specified will be ignored for the purposes of MSI. To pass a specific client_id to MSI (for example,
	to use a User-Managed identity on a VM that also has a System-Managed identity, you must use the environment variable `AZURE_CLIENT_ID` (reference the [Azure autorest package documentation](https://github.com/Azure/go-autorest/blob/autorest/v0.11.29/autorest/azure/auth/auth.go#L43)
	</Note>
	If you omit any of the `TENANT`, `CLIENT`, or `CLIENT_SECRET` arguments, then Consul defaults to Managed Service Identities instead. Any client identification that was specified is ignored for the purposes of MSI. To pass client identity to MSI, you must use the `AZURE_CLIENT_ID` environment variable. For more information, refer to the [Azure autorest package documentation](https://github.com/Azure/go-autorest/blob/autorest/v0.11.29/autorest/azure/auth/auth.go#L43).

Style guide alignments and sentence simplification.