hashicorp · robmonte · Nov 6, 2025 · Nov 10, 2025 · Nov 10, 2025
@@ -287,6 +287,13 @@ Fetch a token. This endpoint takes a signed JSON Web Token (JWT) and
 a role name for some entity. It verifies the JWT signature to authenticate that
 entity and then authorizes the entity for the given role.
 
+The `role` and `jwt` parameters are required. When using
+`bound_service_principal_ids` and `bound_group_ids` in the token roles, all the
+information is required in the JWT (except for `vm_name`, `vmss_name`, `resource_id`). When
+using other `bound_*` parameters, calls to Azure APIs will be made and
+`subscription_id`, `resource_group_name`, and `vm_name`/`vmss_name` are all required
+and can be obtained through instance metadata.
+
 | Method | Path                |
 | :----- | :------------------ |
 | `POST` | `/auth/azure/login` |
@@ -298,10 +305,10 @@ entity and then authorizes the entity for the given role.
 - `jwt` `(string: <required>)` - Signed [JSON Web Token](https://tools.ietf.org/html/rfc7519) (JWT)
   from Azure MSI. See [Azure documentation](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token)
   for details on how to acquire a JWT access token through instance metadata.
-- `subscription_id` `(string: <required>)` - The subscription ID for the machine that
+- `subscription_id` `(string: "")` - The subscription ID for the machine that
   generated the MSI token. This information can be obtained through instance
   metadata.
-- `resource_group_name` `(string: <required>)` - The resource group for the machine that
+- `resource_group_name` `(string: "")` - The resource group for the machine that
   generated the MSI token. This information can be obtained through instance
   metadata.
 - `vm_name` `(string: "")` - The virtual machine name for the machine that

@@ -23,16 +23,20 @@ please update your API calls accordingly.
 
 ## Token validation ((#token-validation))
 
-Vault validates the resource group (`resource_group_name`), VM name (`vm_name`)
-and VM scale set name (`vmss_name`) parameters against token claims. Depending
-on the identities attached to the machine generating the MSI token, the
-associated claims must include at least one of the following claims
-to pass validation: "xms_mirid" or "xms_az_rid".
-
-System-assigned management identity | "xms_mirid"                                                                                                                                | "xms_az_rid"
------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------| ---------------
-Enabled                             | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` | Does not exist
-Not enabled                         | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{user-assigned-managed-identity}` |`/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}`
+When using a first-party Azure resource, Vault validates the resource group
+(`resource_group_name`), VM name (`vm_name`) and VM scale set name (`vmss_name`)
+parameters against token claims. Depending on the identities attached to the
+machine generating the MSI token, the associated claims must include at least one
+of the following claims to pass validation: "xms_mirid" or "xms_az_rid". These 
+claims are not present on the token when using a custom resource or a resource
+URI that begins with `api://` and so cannot be used.
+
+Resource type                         | System-assigned management identity | "xms_mirid"                                                                                                                                         | "xms_az_rid"
+------------------------------------- | ------------------------------------| --------------------------------------------------------------------------------------------------------------------------------------------------------------------| ---------------
+First-party Azure resource            | Enabled                             | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}`                          | Does not exist
+First-party Azure resource            | Not enabled                         | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{user-assigned-managed-identity}` |`/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}`
+Custom resource or API (`api://{id}`) | Enabled                             | Does not exist                                                                                                                                                      | Does not exist
+Custom resource or API (`api://{id}`) | Not enabled                         | Does not exist                                                                                                                                                      | Does not exist
 
 See [Azure managed identity REST endpoint reference](https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp#rest-endpoint-reference) and
 [Managed identities for Azure resources frequently asked questions](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/managed-identities-faq#what-identity-will-imds-default-to-if-i-dont-specify-the-identity-in-the-request) for more details on how to request MSI tokens.

@@ -297,6 +297,13 @@ Fetch a token. This endpoint takes a signed JSON Web Token (JWT) and
 a role name for some entity. It verifies the JWT signature to authenticate that
 entity and then authorizes the entity for the given role.
 
+The `role` and `jwt` parameters are required. When using
+`bound_service_principal_ids` and `bound_group_ids` in the token roles, all the
+information is required in the JWT (except for `vm_name`, `vmss_name`, `resource_id`). When
+using other `bound_*` parameters, calls to Azure APIs will be made and
+`subscription_id`, `resource_group_name`, and `vm_name`/`vmss_name` are all required
+and can be obtained through instance metadata.
+
 | Method | Path                |
 | :----- | :------------------ |
 | `POST` | `/auth/azure/login` |
@@ -308,10 +315,10 @@ entity and then authorizes the entity for the given role.
 - `jwt` `(string: <required>)` - Signed [JSON Web Token](https://tools.ietf.org/html/rfc7519) (JWT)
   from Azure MSI. See [Azure documentation](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token)
   for details on how to acquire a JWT access token through instance metadata.
-- `subscription_id` `(string: <required>)` - The subscription ID for the machine that
+- `subscription_id` `(string: "")` - The subscription ID for the machine that
   generated the MSI token. This information can be obtained through instance
   metadata.
-- `resource_group_name` `(string: <required>)` - The resource group for the machine that
+- `resource_group_name` `(string: "")` - The resource group for the machine that
   generated the MSI token. This information can be obtained through instance
   metadata.
 - `vm_name` `(string: "")` - The virtual machine name for the machine that

@@ -23,16 +23,20 @@ please update your API calls accordingly.
 
 ## Token validation ((#token-validation))
 
-Vault validates the resource group (`resource_group_name`), VM name (`vm_name`)
-and VM scale set name (`vmss_name`) parameters against token claims. Depending
-on the identities attached to the machine generating the MSI token, the
-associated claims must include at least one of the following claims
-to pass validation: "xms_mirid" or "xms_az_rid".
-
-System-assigned management identity | "xms_mirid"                                                                                                                                | "xms_az_rid"
------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------| ---------------
-Enabled                             | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` | Does not exist
-Not enabled                         | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{user-assigned-managed-identity}` |`/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}`
+When using a first-party Azure resource, Vault validates the resource group
+(`resource_group_name`), VM name (`vm_name`) and VM scale set name (`vmss_name`)
+parameters against token claims. Depending on the identities attached to the
+machine generating the MSI token, the associated claims must include at least one
+of the following claims to pass validation: "xms_mirid" or "xms_az_rid". These 
+claims are not present on the token when using a custom resource or a resource
+URI that begins with `api://` and so cannot be used.
+
+Resource type                         | System-assigned management identity | "xms_mirid"                                                                                                                                         | "xms_az_rid"
+------------------------------------- | ------------------------------------| --------------------------------------------------------------------------------------------------------------------------------------------------------------------| ---------------
+First-party Azure resource            | Enabled                             | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}`                          | Does not exist
+First-party Azure resource            | Not enabled                         | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{user-assigned-managed-identity}` |`/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}`
+Custom resource or API (`api://{id}`) | Enabled                             | Does not exist                                                                                                                                                      | Does not exist
+Custom resource or API (`api://{id}`) | Not enabled                         | Does not exist                                                                                                                                                      | Does not exist
 
 See [Azure managed identity REST endpoint reference](https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp#rest-endpoint-reference) and
 [Managed identities for Azure resources frequently asked questions](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/managed-identities-faq#what-identity-will-imds-default-to-if-i-dont-specify-the-identity-in-the-request) for more details on how to request MSI tokens.

@@ -297,6 +297,13 @@ Fetch a token. This endpoint takes a signed JSON Web Token (JWT) and
 a role name for some entity. It verifies the JWT signature to authenticate that
 entity and then authorizes the entity for the given role.
 
+The `role` and `jwt` parameters are required. When using
+`bound_service_principal_ids` and `bound_group_ids` in the token roles, all the
+information is required in the JWT (except for `vm_name`, `vmss_name`, `resource_id`). When
+using other `bound_*` parameters, calls to Azure APIs will be made and
+`subscription_id`, `resource_group_name`, and `vm_name`/`vmss_name` are all required
+and can be obtained through instance metadata.
+
 | Method | Path                |
 | :----- | :------------------ |
 | `POST` | `/auth/azure/login` |
@@ -308,10 +315,10 @@ entity and then authorizes the entity for the given role.
 - `jwt` `(string: <required>)` - Signed [JSON Web Token](https://tools.ietf.org/html/rfc7519) (JWT)
   from Azure MSI. See [Azure documentation](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token)
   for details on how to acquire a JWT access token through instance metadata.
-- `subscription_id` `(string: <required>)` - The subscription ID for the machine that
+- `subscription_id` `(string: "")` - The subscription ID for the machine that
   generated the MSI token. This information can be obtained through instance
   metadata.
-- `resource_group_name` `(string: <required>)` - The resource group for the machine that
+- `resource_group_name` `(string: "")` - The resource group for the machine that
   generated the MSI token. This information can be obtained through instance
   metadata.
 - `vm_name` `(string: "")` - The virtual machine name for the machine that

@@ -23,16 +23,20 @@ please update your API calls accordingly.
 
 ## Token validation ((#token-validation))
 
-Vault validates the resource group (`resource_group_name`), VM name (`vm_name`)
-and VM scale set name (`vmss_name`) parameters against token claims. Depending
-on the identities attached to the machine generating the MSI token, the
-associated claims must include at least one of the following claims
-to pass validation: "xms_mirid" or "xms_az_rid".
-
-System-assigned management identity | "xms_mirid"                                                                                                                                | "xms_az_rid"
------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------| ---------------
-Enabled                             | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}` | Does not exist
-Not enabled                         | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{user-assigned-managed-identity}` |`/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}`
+When using a first-party Azure resource, Vault validates the resource group
+(`resource_group_name`), VM name (`vm_name`) and VM scale set name (`vmss_name`)
+parameters against token claims. Depending on the identities attached to the
+machine generating the MSI token, the associated claims must include at least one
+of the following claims to pass validation: "xms_mirid" or "xms_az_rid". These 
+claims are not present on the token when using a custom resource or a resource
+URI that begins with `api://` and so cannot be used.
+
+Resource type                         | System-assigned management identity | "xms_mirid"                                                                                                                                         | "xms_az_rid"
+------------------------------------- | ------------------------------------| --------------------------------------------------------------------------------------------------------------------------------------------------------------------| ---------------
+First-party Azure resource            | Enabled                             | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}`                          | Does not exist
+First-party Azure resource            | Not enabled                         | `/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{user-assigned-managed-identity}` |`/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{virtual-machine-name}`
+Custom resource or API (`api://{id}`) | Enabled                             | Does not exist                                                                                                                                                      | Does not exist
+Custom resource or API (`api://{id}`) | Not enabled                         | Does not exist                                                                                                                                                      | Does not exist
 
 See [Azure managed identity REST endpoint reference](https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp#rest-endpoint-reference) and
 [Managed identities for Azure resources frequently asked questions](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/managed-identities-faq#what-identity-will-imds-default-to-if-i-dont-specify-the-identity-in-the-request) for more details on how to request MSI tokens.

@@ -299,6 +299,13 @@ Fetch a token. This endpoint takes a signed JSON Web Token (JWT) and
 a role name for some entity. It verifies the JWT signature to authenticate that
 entity and then authorizes the entity for the given role.
 
+The `role` and `jwt` parameters are required. When using
+`bound_service_principal_ids` and `bound_group_ids` in the token roles, all the
+information is required in the JWT (except for `vm_name`, `vmss_name`, `resource_id`). When
+using other `bound_*` parameters, calls to Azure APIs will be made and
+`subscription_id`, `resource_group_name`, and `vm_name`/`vmss_name` are all required
+and can be obtained through instance metadata.
+
 | Method | Path                |
 | :----- | :------------------ |
 | `POST` | `/auth/azure/login` |
@@ -310,10 +317,10 @@ entity and then authorizes the entity for the given role.
 - `jwt` `(string: <required>)` - Signed [JSON Web Token](https://tools.ietf.org/html/rfc7519) (JWT)
   from Azure MSI. See [Azure documentation](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token)
   for details on how to acquire a JWT access token through instance metadata.
-- `subscription_id` `(string: <required>)` - The subscription ID for the machine that
+- `subscription_id` `(string: "")` - The subscription ID for the machine that
   generated the MSI token. This information can be obtained through instance
   metadata.
-- `resource_group_name` `(string: <required>)` - The resource group for the machine that
+- `resource_group_name` `(string: "")` - The resource group for the machine that
   generated the MSI token. This information can be obtained through instance
   metadata.
 - `vm_name` `(string: "")` - The virtual machine name for the machine that