From cab590fdcd8bd596a92968f4a8a17da26a5aa285 Mon Sep 17 00:00:00 2001 From: Jeana Routh Date: Fri, 9 Oct 2020 14:14:44 -0400 Subject: [PATCH] CO-924: Azure: Support passthrough of SP's without the Application.ReadWrite.OwnedBy permission --- modules/installation-azure-service-principal.adoc | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/modules/installation-azure-service-principal.adoc b/modules/installation-azure-service-principal.adoc index ae5ebcd26b..f7b59a5f92 100644 --- a/modules/installation-azure-service-principal.adoc +++ b/modules/installation-azure-service-principal.adoc @@ -147,10 +147,16 @@ Retrying role assignment creation: 4/36 . Record the values of the `appId` and `password` parameters from the previous output. You need these values during {product-title} installation. -. Grant additional permissions to the service principal. The service principal -requires the legacy `Azure Active Directory Graph -> Application.ReadWrite.OwnedBy` -permission and the `User Access Administrator` role for the cluster to assign -credentials for its components. +. Grant additional permissions to the service principal. ++ +-- +** You must always add the `Contributor` and `User Access Administrator` roles to the app registration service principal so the cluster can assign credentials for its components. +** To operate the Cloud Credential Operator (CCO) in _mint mode_, the app registration service principal also requires the `Azure Active Directory Graph/Application.ReadWrite.OwnedBy` API permission. +** To operate the CCO in _passthrough mode_, the app registration service principal does not require additional API permissions. +-- ++ +For more information about CCO modes, see the *Cloud Credential Operator* entry in the *Red Hat Operators reference* content. + .. To assign the `User Access Administrator` role, run the following command: + [source,terminal]
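Review bot: The first new bullet says the `Contributor` and `User Access Administrator` roles must "always" be added, but the only assignment step visible after the list is `.. To assign the User Access Administrator role, run the following command:`; either add a matching sub-step for `Contributor` or state explicitly that it was already granted when the service principal was created, otherwise readers cannot tell whether a step is missing. The mint-mode bullet would also benefit from one sentence on why the extra API permission is needed (the CCO creates credentials for components itself), since the passthrough bullet says only that no additional API permission is required and gives no hint of the trade-off: in passthrough mode the cluster components use the installer's own `Contributor`/`User Access Administrator` credential directly, so that credential should be treated as highly privileged. Finally, `see the *Cloud Credential Operator* entry in the *Red Hat Operators reference* content` is a plain-text pointer; the module elsewhere uses AsciiDoc markup, so an `xref:` to the actual module would keep the link from going stale when that reference content is renamed.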