Add extra notes on Azure authentication to README

Signed-off-by: Jim Enright <[email protected]>

README.md

@@ -69,6 +69,19 @@ Configure Terraform Provider for AWS or Azure
   * For **AWS** access keys are required to be able to create the Cloud resources via the Terraform aws provider. See the [AWS Terraform Provider Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#authentication-and-configuration).
   * For **Azure**, authentication with the Azure subscription is required. There are a number of ways to do this outlined in the [Azure Terraform Provider Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs#authenticating-to-azure).
 
+### Notes on Azure authentication
+
+* Where you have more than one Azure Subscription the id to use can be passed via the the `ARM_SUBSCRIPTION_ID` environment variable.
+
+* When using a Service Principal (SP) to authenticate with Azure, it is not possible to authenticate with azuread Terraform Provider (the provider used to create the Azure Cross Account AD Application) with the command az login --service-principal. We found the the best way to authenticate using an SP is by setting environment variables. Details of required environment variables are in the [azuread docs](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/guides/service_principal_client_secret#environment-variables) and [azurerm docs](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/service_principal_client_secret#configuring-the-service-principal-in-terraform) and summarized below.
+```bash
+export ARM_CLIENT_ID="<sp_client_id>"
+export ARM_CLIENT_SECRET="<sp_client_secret>"
+export ARM_TENANT_ID="<sp_tenant_id>"
+export ARM_SUBSCRIPTION_ID="<sp_subscription_id>" 
+```
+
+
 ## Local Development Environment
 
 See the [DEVELOPMENT.md](./DEVELOPMENT.md) file for instructions on how to set up an environment for local development of modules.