From b2375a61e11a607e6c69218c0e82188dd2d1f356 Mon Sep 17 00:00:00 2001
From: Matthew Christopher
Date: Mon, 2 Oct 2023 21:47:54 -0700
Subject: [PATCH] Clarify MySQL AAD requirements (#3349)
---
 v2/samples/dbformysql/v1api/v1_user_aad.yaml | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/v2/samples/dbformysql/v1api/v1_user_aad.yaml b/v2/samples/dbformysql/v1api/v1_user_aad.yaml
index 31f5829bb8c..14f4247a7a2 100644
--- a/v2/samples/dbformysql/v1api/v1_user_aad.yaml
+++ b/v2/samples/dbformysql/v1api/v1_user_aad.yaml
@@ -1,5 +1,12 @@
 apiVersion: dbformysql.azure.com/v1
 kind: User
+# IMPORTANT: Before creating an AAD user on MySQL you must ensure that the MySQL Flexible Server is configured
+# correctly to accept AAD users. See https://learn.microsoft.com/azure/mysql/flexible-server/how-to-azure-ad#grant-permissions-to-user-assigned-managed-identity.
+# The key points are:
+# * The Flexible Server MUST be assigned a user-assigned identity.
+# * That user-assigned identity MUST have the following Graph permissions: User.Read.All, GroupMember.Read.All, and Application.Read.ALL
+# * The FlexibleServer must have an AAD Administrator configured. The identity of the administrator must be the identity
+# used by ASO to provision the user (so that ASO is connecting to the MySQL Flexible Server as the admin).
 metadata:
   name: sampleaaduser
   namespace: default
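Review bot: The Graph permission in the second bullet is mis-cased as `Application.Read.ALL`; the permission is named `Application.Read.All`, and since operators will copy these names into a role assignment the line should read `# * That user-assigned identity MUST have the following Graph permissions: User.Read.All, GroupMember.Read.All, and Application.Read.All`. The third bullet also writes `FlexibleServer` where every other line says `Flexible Server`. Because the same bullet states that the identity ASO uses must be the server's AAD Administrator, the comment could make the resulting privilege explicit for readers assessing blast radius, e.g. `# Note that this means the ASO identity holds administrator rights on the MySQL Flexible Server; scope and monitor it accordingly.` These three permissions are tenant-wide directory reads, so a one-line pointer that they require admin consent on the user-assigned identity would help readers who have not followed the linked page.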