diff --git a/modules/installation-azure-service-principal.adoc b/modules/installation-azure-service-principal.adoc index ae5ebcd26b..f7b59a5f92 100644 --- a/modules/installation-azure-service-principal.adoc +++ b/modules/installation-azure-service-principal.adoc @@ -147,10 +147,16 @@ Retrying role assignment creation: 4/36 . Record the values of the `appId` and `password` parameters from the previous output. You need these values during {product-title} installation. -. Grant additional permissions to the service principal. The service principal -requires the legacy `Azure Active Directory Graph -> Application.ReadWrite.OwnedBy` -permission and the `User Access Administrator` role for the cluster to assign -credentials for its components. +. Grant additional permissions to the service principal. ++ +-- +** You must always add the `Contributor` and `User Access Administrator` roles to the app registration service principal so the cluster can assign credentials for its components. +** To operate the Cloud Credential Operator (CCO) in _mint mode_, the app registration service principal also requires the `Azure Active Directory Graph/Application.ReadWrite.OwnedBy` API permission. +** To operate the CCO in _passthrough mode_, the app registration service principal does not require additional API permissions. +-- ++ +For more information about CCO modes, see the *Cloud Credential Operator* entry in the *Red Hat Operators reference* content. + .. To assign the `User Access Administrator` role, run the following command: + [source,terminal]
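Review bot: the first bullet of the new list states that the `Contributor` role must always be added to the service principal, but the sub-step that follows (`.. To assign the `User Access Administrator` role, run the following command:`) documents only the `User Access Administrator` assignment; add a matching sub-step for the `Contributor` role, or say where earlier in the procedure it is granted, so a reader who follows the steps literally does not end up with a service principal that lacks a role the text calls mandatory. It would also help to make explicit in the mint-mode bullet that `Azure Active Directory Graph/Application.ReadWrite.OwnedBy` is an API permission on the app registration rather than an Azure role, since the previous wording mixed the two and the removed lines used "legacy" for that permission without explanation.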