Fix list formatting (#20076)

website/content/docs/auth/jwt/oidc-providers/azuread.mdx

@@ -20,13 +20,15 @@ Reference: [Azure Active Directory v2.0 and the OpenID Connect protocol](https:/
 
 1. Add Redirect URIs with the "Web" type. You may include two redirect URIs,
    one for CLI access another one for Vault UI access.
-  - `http://localhost:8250/oidc/callback`
-  - `https://hostname:port_number/ui/vault/auth/oidc/oidc/callback`
+
+    - `http://localhost:8250/oidc/callback`
+    - `https://hostname:port_number/ui/vault/auth/oidc/oidc/callback`
 
 1. Record the "Application (client) ID" as you will need it as the `oidc_client_id`.
 
 1. Under **Endpoints**, copy the OpenID Connect metadata document URL, omitting the `/well-known...` portion.
-  - The endpoint URL (`oidc_discovery_url`) will look like: https://login.microsoftonline.com/tenant-guid-dead-beef-aaaa-aaaa/v2.0
+
+   - The endpoint URL (`oidc_discovery_url`) will look like: https://login.microsoftonline.com/tenant-guid-dead-beef-aaaa-aaaa/v2.0
 
 1. Under **Certificates & secrets**,
    [add a client secret](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app#add-a-client-secret)
@@ -59,13 +61,15 @@ You should set up a [Vault policy](https://learn.hashicorp.com/tutorials/vault/p
       oidc_discovery_url="https://login.microsoftonline.com/tenant_id/v2.0"
    ```
 
-1. Configure the [OIDC Role](/api-docs/auth/jwt#create-role) with the following:
-  - `user_claim` should be `"sub"` or `"oid"` following the
-  [recommendation](https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens#using-claims-to-reliably-identify-a-user-subject-and-object-id)
+1. Configure the [OIDC Role](/vault/api-docs/auth/jwt#create-role) with the following:
+
+   - `user_claim` should be `"sub"` or `"oid"` following the
+   [recommendation](https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens#using-claims-to-reliably-identify-a-user-subject-and-object-id)
   from Azure.
-  - `allowed_redirect_uris` should be the two redirect URIs for Vault CLI and UI access.
-  - `groups_claim` should be set to `"groups"`.
-  - `oidc_scopes` should be set to `"https://graph.microsoft.com/.default"`.
+   - `allowed_redirect_uris` should be the two redirect URIs for Vault CLI and UI access.
+   - `groups_claim` should be set to `"groups"`.
+   - `oidc_scopes` should be set to `"https://graph.microsoft.com/.default"`.
+
    ```shell
    vault write auth/oidc/role/your_default_role \
       user_claim="sub" \
@@ -117,27 +121,34 @@ which will be used by Vault to retrieve the groups for the user:
 - In Azure, under the applications **API Permissions**, grant the following permissions:
   - Microsoft Graph API permission [Directory.Read.All](https://docs.microsoft.com/en-us/graph/permissions-reference#application-permissions-19)
 
-- In Vault, set `"provider_config"` to Azure.
-  ```shell
-  vault write auth/oidc/config -<<"EOH"
-  {
+1. Locate the application under "App Registrations" in Azure
+1. Navigate to the "API Permissions" page for the application
+1. Add a permission
+1. Select "Microsoft Graph"
+1. Select "Delegated permissions"
+1. Add the [User.Read](https://learn.microsoft.com/en-us/graph/permissions-reference#delegated-permissions-86) permission
+1. Check the "Grant admin consent for Default Directory" checkbox
+1. Configure the OIDC auth method in Vault by setting `"provider_config"` to Azure.
+   ```shell
+   vault write auth/oidc/config -<<"EOH"
+   {
      "oidc_client_id": "your_client_id",
      "oidc_client_secret": "your_client_secret",
      "default_role": "your_default_role",
      "oidc_discovery_url": "https://login.microsoftonline.com/tenant_id/v2.0",
      "provider_config": {
         "provider": "azure"
      }
-  }
-  EOH
-  ```
-
-- In Vault, add `"profile"` to `oidc_scopes` so the user's id comes back on the JWT.
-  ```shell
-  vault write auth/oidc/role/your_default_role \
-   user_claim="email" \
-   allowed_redirect_uris="http://localhost:8250/oidc/callback,https://online_version_hostname:port_number/ui/vault/auth/oidc/oidc/callback"  \
-   groups_claim="groups" \
-   oidc_scopes="profile" \
-   policies="default"
-  ```
+   }
+   EOH
+   ```
+
+1. Add `"profile"` to `oidc_scopes` so the user's ID comes back on the JWT.
+   ```shell
+   vault write auth/oidc/role/your_default_role \
+    user_claim="email" \
+    allowed_redirect_uris="http://localhost:8250/oidc/callback,https://online_version_hostname:port_number/ui/vault/auth/oidc/oidc/callback"  \
+    groups_claim="groups" \
+    oidc_scopes="profile" \
+    policies="default"
+   ```