diff --git a/docs/docs/getting-started/install.md b/docs/docs/getting-started/install.md index 5d4c43efd..7f94324b2 100644 --- a/docs/docs/getting-started/install.md +++ b/docs/docs/getting-started/install.md @@ -138,7 +138,7 @@ To [create a Constellation cluster](../workflows/create.md#the-create-step), you * `Microsoft.Network/virtualNetworks/subnets/*` * `Microsoft.Compute/virtualMachineScaleSets/*` * `Microsoft.ManagedIdentity/userAssignedIdentities/*` -* `Microsoft.Attestation/attestationProviders/*` +* `Microsoft.Attestation/attestationProviders/*` \[2] The built-in `Contributor` role is a superset of these permissions. @@ -146,6 +146,8 @@ Follow Microsoft's guide on [understanding](https://learn.microsoft.com/en-us/az 1: You can omit `*/register/Action` if the resource providers mentioned above are already registered and the `ARM_SKIP_PROVIDER_REGISTRATION` environment variable is set to `true` when creating the IAM configuration. +2: You can omit `Microsoft.Attestation/attestationProviders/*` if `EnforceIDKeyDigest` is set to `MAAFallback` in the [config file](../workflows/config.md#configure-your-cluster). +
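Review bot: in the first hunk, the `\[2]` marker added after `Microsoft.Attestation/attestationProviders/*` is a bare escaped bracket with no link to the footnote text added in the second hunk. The list entry that carries the reference to footnote 1 is not visible in this hunk, so please check that both markers use the same form and render alike. A reader building a least-privilege custom role from this list needs to see at a glance that this permission is conditional.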
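Review bot: the condition in the new footnote 2 (second hunk) reads inverted. The value name `MAAFallback` suggests the mode that falls back to an attestation provider, which is the case where `Microsoft.Attestation/attestationProviders/*` would be required rather than omittable. Please confirm against the config documentation whether the line should say "isn't set to `MAAFallback`". As written, an operator following the footnote could remove the permission in exactly the configuration that needs it. Also check that `EnforceIDKeyDigest` is spelled with the same casing as the key in the config file the footnote links to.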