35 changes: 15 additions & 20 deletions content/vault/v1.21.x/content/api-docs/secret/azure.mdx
Expand Up @@ -46,9 +46,6 @@ plugin workload identity federation (WIF).
environment variable. If not specified, Vault will use Azure Public Cloud.
- `root_password_ttl` `(string: 182d)` - Specifies how long the root password is valid for in Azure when
rotate-root generates a new client secret. Uses [duration format strings](/vault/docs/concepts/duration-format).
- `metadata` (`map[string]string: {}`) - A map of string to string key/value pairs that will be stored
as metadata for the mount. This can be used to store additional information about the
mount for reference purposes.

@include 'rotationfields.mdx'

Expand Down Expand Up @@ -465,22 +462,22 @@ Create or update static role definitions used to manage pre-existing
as time suffixed strings (`"1h"`) or an integer number of
seconds. Leave `ttl` unset or set to `0` to use the default value
of 2 years (`17520h`).
- `metadata` (`map[string]string: {}`) - A map of string to string key/value pairs that will be stored
as metadata for the mount. This can be used to store additional information about the
mount for reference purposes. The data stored here is displayed in the response of
`/azure/static-roles/:name` and `/azure/static-creds/:name` in the `metadata` field.
When also setting the `metadata` parameter on `/azure/static-creds/:name`, the two
maps will be merged in the response of `/azure/static-creds/:name`, with the values from `/azure/static-roles/:name`
taking precedence in the event of key collisions.
- `metadata` (`map[string]string: {}`) - A map of key/value pairs associated with the static role.
You can read metadata values from both the `/azure/static-roles/:name` and `/azure/static-creds/:name`
endpoints. When credentials are fetched, role metadata is merged with any metadata provided in the request,
and role metadata always takes precedence if keys overlap.
- `secret_id` (`string: ""`) - The secret ID of the Azure password credential you want to import.
Required if you provide `client_secret` or `expiration`.
- `client_secret` (`string: ""`) - The plaintext secret value of the credential you want to import.
If unset, you must rotate the imported credential before you can use it with Vault.
- `expiration` (`string: ""`) - A future expiration time for the imported
credential, in RFC3339 format.
- `skip_import_rotation` (`bool: false`) – If set to true, Vault stores the
imported credential values without automatically rotating them. You cannot
read the imported credentials until you manually rotate them.
- `skip_import_rotation` (`bool`, `false`) - Determines whether Vault should generate credentials
automatically when creating a role. Set `skip_import_rotation` to `true` if you do not
want Vault to create initial credentials on role creation. If you skip credential creation,
you can generate them later manually by rotating the role using `/rotate-role` endpoint or by importing.
If you omit `skip_import_rotation` or set it to `false`, Vault automatically provisions the
first set of credentials during role creation.

### Sample payload
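Review bot: The rewritten `skip_import_rotation` entry no longer says that imported credentials cannot be read until the role is rotated, and that read-blocking behaviour is what an operator needs to know before setting the flag. Suggest keeping a sentence such as "You cannot read the imported credentials until you manually rotate them." next to the new wording. The type is also written as (`bool`, `false`) while the neighbouring parameters use the (`string: ""`) form with a colon, "using `/rotate-role` endpoint" is missing "the", and "or by importing" should name the parameters that perform the import.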

Expand Down Expand Up @@ -600,13 +597,11 @@ Generate credentials associated with the named static role.
### Path parameters

- `name` `(string: <required>)` – Name of the static role to get credentials for.
- `metadata` (`map[string]any: {}`) - A map of string to string key/value pairs that will be stored
as metadata for the mount. This can be used to store additional information about the
mount for reference purposes. The data stored here is displayed in the response of
`/azure/static-roles/:name` and `/azure/static-creds/:name` in the `metadata` field.
When also setting the `metadata` parameter on `/azure/static-creds/:name`, the two
maps will be merged in the response of `/azure/static-creds/:name`, with the values from `/azure/static-roles/:name`
taking precedence in the event of key collisions.
- `metadata` (`map: {}`) - Key/value pairs attached to the credential request.
Vault merges the request metadata with the role’s stored metadata, with role metadata taking
precedence when keys overlap. Key/value pairs appear as strings separated by the `=` symbol
(e.g. `key=value`). When using the Vault CLI, you can provide multiple tags in the role
configuration by adding multiple `metadata` assignments in the same command.

### Sample request
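Review bot: The last sentence of the new `metadata` entry says "multiple tags in the role configuration", but the entry describes key/value pairs attached to the credential request, so "tags" and "role configuration" read as leftovers from a different parameter. Suggest wording along the lines of "you can provide multiple key/value pairs by repeating the `metadata` assignment in the same command". The type also changes from `map[string]any` to a bare `map`, which no longer tells the reader what value types are accepted, and "role’s" uses a curly apostrophe where the rest of the file uses plain ASCII punctuation.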

6 changes: 3 additions & 3 deletions content/vault/v1.21.x/content/docs/secrets/azure.mdx
Expand Up @@ -490,9 +490,9 @@ lifecycle controls.

You can import credentials in the following ways:

- Metadata import - Provide the `secret_id` and an optional `expiration` for the
credential. Vault records the metadata but blocks reads until you explicitly
rotate the role to generate a valid secret.
- Metadata import - Provide the `secret_id`, `skip_import_rotation=true`,
and an optional `expiration` for the credential. Vault records the metadata
but blocks reads until you explicitly rotate the role to generate a valid secret.
- Full import - Provide the `secret_id`, `client_secret`, and an optional
`expiration`. You can use the imported credential immediately in Vault.
- Rotate on import - Provide the `secret_id` and leave `skip_import_rotation`
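Review bot: With `skip_import_rotation=true` now spelled out for "Metadata import", the "Full import" bullet is the only one of the three that does not say how `skip_import_rotation` should be set. Since "Rotate on import" is described as leaving the flag alone, a reader cannot tell from this list whether a full import with `client_secret` also needs `skip_import_rotation=true` to avoid an immediate rotation. Suggest stating the flag's expected value in the "Full import" bullet, and noting in "Metadata import" that `client_secret` is omitted, so the three modes are distinguishable by their parameters alone.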