From c8cc81d98c2b98f30090cd543027856a2a3667ec Mon Sep 17 00:00:00 2001 From: Anish Ramasekar Date: Wed, 8 Feb 2023 17:01:38 -0800 Subject: [PATCH] docs: add note about disconnected env in faq (#747) Signed-off-by: Anish Ramasekar --- docs/book/src/faq.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/docs/book/src/faq.md b/docs/book/src/faq.md index a3cc4908c..9fea84927 100644 --- a/docs/book/src/faq.md +++ b/docs/book/src/faq.md @@ -61,4 +61,8 @@ You can refer to [this link](https://learn.microsoft.com/en-us/azure/aks/workloa tl;dr: 1. If you use DefaultAzureCredential in your workload, you can update the azure identity sdk version to the latest that supports workload identity (ref: [link](https://azure.github.io/azure-workload-identity/docs/topics/language-specific-examples/azure-identity-sdk.html)). -2. If you still have workloads that get managed identity token from IMDS, you can annotate the pod to get a proxy sidecar injected, that'll do the token exchange with the new flow. \ No newline at end of file +2. If you still have workloads that get managed identity token from IMDS, you can annotate the pod to get a proxy sidecar injected, that'll do the token exchange with the new flow. + +## Does Workload Identity work in disconnected environments? + +No, Workload Identity doesn't work in completely disconnected environments. The AAD token is valid for 24 hours, so the workload needs to be connected to the network at least once every 24 hours to refresh the token.
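Review bot: In the new "Does Workload Identity work in disconnected environments?" answer, "connected to the network" does not say what the workload has to reach to refresh the token. Operators of restricted-egress or intermittently connected clusters need that detail to plan allow-lists, so name the dependency, for example "the workload needs to be able to reach AAD at least once every 24 hours to refresh the token". The first sentence says "completely disconnected" while the second implies intermittent connectivity is enough. Stating that outright ("intermittent connectivity works as long as a refresh succeeds within the token lifetime") would remove the ambiguity. The 24-hour validity is given without a reference, whereas the other entries in this FAQ hunk link to their sources, so a link for the token lifetime would fit here as well.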