diff --git a/docs/auto-discovery/cloud-auto-discovery/azure-autodiscovery.md b/docs/auto-discovery/cloud-auto-discovery/azure-autodiscovery.md index b4100846..0938d8bb 100644 --- a/docs/auto-discovery/cloud-auto-discovery/azure-autodiscovery.md +++ b/docs/auto-discovery/cloud-auto-discovery/azure-autodiscovery.md 
@@ -23,21 +23,20 @@ Select **Certificates & Secrets**, then **New Client Secret**. Give your secret Device42 allows you to discover by Tenant or Subscription level. Using the Tenant discovery is best suited for customers with large numbers of Azure Subscriptions, whereas if you only have a few Subscriptions, you may find that preferable. -#### Subscription Level +Please note that the assignable scope in the policy below assumes you are performing subscription level discovery. -We will create a role with limited permissions that will be applied to this application. If you haven't set up your roles yet, [this documentation](https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal?tabs=delegate-condition) can help. This will allow Device42 to use the application for discovery purposes while adhering to the principle of least privilege. Navigate to the Subscriptions service in the portal and select the Subscription you would like to allow this application to discover. Make note of the **Subscription ID** as it will be used later for Device42 discovery. +If you are performing tenant level discovery, be sure to change the assignable scope to: +`/providers/Microsoft.Management/managementGroups/root-management-group-id-goes-here` -Navigate to **Subscriptions > Select your Subscription > Access Control (IAM) >  Roles > Add > Add Custom Role**. Give the custom role a name, and an optional description, then select either **Start from scratch** or **Start from JSON**. -1. If using the **Start from scratch** option, you will need to manually select each permission needed for this application to access the desired resources. The permissions needed are available in Device42 documentation [here](auto-discovery/cloud-auto-discovery/index.mdx). Select **Add permissions**, search for and select the desired permission, check the relevant box, and choose **Add**. Repeat this for any desired permissions. -2. 
If using the **Start from JSON** option, copy and paste the JSON data below, to pull in the necessary permissions from the list in the Discovery section, and save it as a .json file. Upload this file on the **Basics** page when creating the role, and the permissions will be automatically defined. +#### Subscription Level -#### Tenant Level +We will create a role with limited permissions that will be applied to this application. If you haven't set up your roles yet, [this documentation](https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal?tabs=delegate-condition) can help. This will allow Device42 to use the application for discovery purposes while adhering to the principle of least privilege. Navigate to the Subscriptions service in the portal and select the Subscription you would like to allow this application to discover. Make note of the **Subscription ID** as it will be used later for Device42 discovery. -If using the Tenant ID for discovery, you'll create a Single Role at the Tenant level. Navigate to **Management Groups > Select your Azure Tenant Group > Access Control (IAM) > Roles > Add > Add Custom Role**. Give the custom role a name, and an description, then select **Start from scratch** or 88. +Navigate to **Subscriptions > Select your Subscription > Access Control (IAM) >  Roles > Add > Add Custom Role**. Give the custom role a name, and an optional description, then select either **Start from scratch** or **Start from JSON**. 1. If using the **Start from scratch** option, you will need to manually select each permission needed for this application to access the desired resources. The permissions needed are available in Device42 documentation [here](auto-discovery/cloud-auto-discovery/index.mdx). Select **Add permissions**, search for and select the desired permission, check the relevant box, and choose **Add**. Repeat this for any desired permissions. -2. 
If using the **Start from JSON** option, copy and paste the below JSON data, pulling in the necessary permissions from the list in the Discovery section, and save it as a .json file. Upload this file on the Basics page when creating the role, and the permissions will be automatically defined. +2. If using the **Start from JSON** option, copy and paste the JSON data below, to pull in the necessary permissions from the list in the Discovery section, and save it as a `.json` file. Upload this file on the **Basics** page when creating the role, and the permissions will be automatically defined. ``` { 
@@ -99,6 +98,13 @@ If using the Tenant ID for discovery, you'll create a Single Role at the Tenant } ``` +#### Tenant Level + +If using the Tenant ID for discovery, you'll create a Single Role at the Tenant level. Navigate to **Management Groups > Select your Azure Tenant Group > Access Control (IAM) > Roles > Add > Add Custom Role**. Give the custom role a name, and an description, then select **Start from scratch** or 88. + +1. If using the **Start from scratch** option, you will need to manually select each permission needed for this application to access the desired resources. The permissions needed are available in Device42 documentation [here](auto-discovery/cloud-auto-discovery/index.mdx). Select **Add permissions**, search for and select the desired permission, check the relevant box, and choose **Add**. Repeat this for any desired permissions. +2. If using the **Start from JSON** option, copy and paste the in the JSON data, pulling in the necessary permissions from the list in the Discovery section, and save it as a `.json` file. If you are performing tenant level discovery, be sure to change the assignable scope to `/providers/Microsoft.Management/managementGroups/root-management-group-id-goes-here`. Then, upload this file on the Basics page when creating the role, and the permissions will be automatically defined. + After defining the permissions, select **Next** to define the scope this application will have access to. This can be done at the subscription level or any nested resource groups; we’ll be using the subscription in this example. Select Next to review and/or copy the JSON > Next > Create. To apply the role, go back to the **Access Control (IAM) > Add > Add Role Assignment**. Select your newly created role and choose **Next** to bring you to the **Members** tab. Choose the **User, group, or service principal > Select members**, and choose the application created in the previous steps above. Select **Next** and then **Review + Assign**. 
Your custom role is now applied to your new application and can be used for discovering Azure Resources.
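Review bot: in the first hunk (@@ -23,21 +23,20 @@), the note added above the Subscription Level heading ("Please note that the assignable scope in the policy below assumes you are performing subscription level discovery" followed by the `/providers/Microsoft.Management/managementGroups/root-management-group-id-goes-here` path) duplicates the guidance the second hunk adds inside the Tenant Level step 2, so the same scope instruction now appears twice; keep it in one place (the Tenant Level step is the natural home, since that is where the reader is editing the file) or reduce the top note to a one-line pointer. Also "the policy below" should read "the role definition below", because the rest of the page calls this a custom role, not a policy.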
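Review bot: in the second hunk (@@ -99,6 +98,13 @@), the moved Tenant Level text carries two defects that should be fixed while it is being relocated: "Give the custom role a name, and an description, then select **Start from scratch** or 88." should read "Give the custom role a name, and an optional description, then select either **Start from scratch** or **Start from JSON**." to match the Subscription Level sentence, and step 2's "copy and paste the in the JSON data" is garbled and, now that the JSON block sits above this section, should say "copy and paste the JSON data above". Bold **Basics** as the Subscription step does, and consider a short lead-in before the unchanged "After defining the permissions, select **Next**..." paragraph (for example "For either discovery level, after defining the permissions..."), since its "we'll be using the subscription in this example" now reads as the conclusion of the Tenant Level steps.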