diff --git a/sdk/keyvault/keyvault-admin/CHANGELOG.md b/sdk/keyvault/keyvault-admin/CHANGELOG.md
index 1c541a10ce52..205062f266ba 100644
--- a/sdk/keyvault/keyvault-admin/CHANGELOG.md
+++ b/sdk/keyvault/keyvault-admin/CHANGELOG.md
@@ -6,6 +6,7 @@
 
 - Verify the challenge resource matches the vault domain.
   This should affect few customers who can set `disableChallengeResourceVerification` in the options bag to `true` to disable.
+  See https://aka.ms/azsdk/blog/vault-uri for more information.
 
 ## 4.2.2 (2022-08-09)
 
diff --git a/sdk/keyvault/keyvault-admin/test/internal/challengeAuthenticationCallbacks.spec.ts b/sdk/keyvault/keyvault-admin/test/internal/challengeAuthenticationCallbacks.spec.ts
index 5a5a3da2ebd6..6271f4db4efc 100644
--- a/sdk/keyvault/keyvault-admin/test/internal/challengeAuthenticationCallbacks.spec.ts
+++ b/sdk/keyvault/keyvault-admin/test/internal/challengeAuthenticationCallbacks.spec.ts
@@ -161,7 +161,7 @@ describe("Challenge based authentication tests", function () {
           },
           scopes: [],
         }),
-        "Challenge resource host 'vault.azure.net' does not match request domain"
+        "The challenge resource 'vault.azure.net' does not match the requested domain. Set disableChallengeResourceVerification to true in your client options to disable. See https://aka.ms/azsdk/blog/vault-uri for more information."
       );
     });
 
@@ -179,7 +179,7 @@ describe("Challenge based authentication tests", function () {
           },
           scopes: [],
         }),
-        "Challenge resource host 'vault.azure.net' does not match request domain"
+        "The challenge resource 'vault.azure.net' does not match the requested domain. Set disableChallengeResourceVerification to true in your client options to disable. See https://aka.ms/azsdk/blog/vault-uri for more information."
       );
     });
 
@@ -199,9 +199,7 @@ describe("Challenge based authentication tests", function () {
     });
 
     it("does not throw if the resource URI host does not match the request but verifyChallengeResource is false", async () => {
-      challengeCallbacks = createChallengeCallbacks({
-        disableChallengeResourceVerification: true,
-      });
+      challengeCallbacks = createChallengeCallbacks({ disableChallengeResourceVerification: true });
       await challengeCallbacks.authorizeRequestOnChallenge!({
         getAccessToken: () => Promise.resolve(null),
         request: createPipelineRequest({ url: "https://foo.bar" }),
diff --git a/sdk/keyvault/keyvault-certificates/CHANGELOG.md b/sdk/keyvault/keyvault-certificates/CHANGELOG.md
index 4c7f0636c1dd..a4a2043bb6da 100644
--- a/sdk/keyvault/keyvault-certificates/CHANGELOG.md
+++ b/sdk/keyvault/keyvault-certificates/CHANGELOG.md
@@ -6,6 +6,7 @@
 
 - Verify the challenge resource matches the vault domain.
   This should affect few customers who can set `disableChallengeResourceVerification` in the options bag to `true` to disable.
+  See https://aka.ms/azsdk/blog/vault-uri for more information.
 
 ## 4.5.0 (2022-08-09)
 
diff --git a/sdk/keyvault/keyvault-certificates/test/internal/challengeAuthenticationCallbacks.spec.ts b/sdk/keyvault/keyvault-certificates/test/internal/challengeAuthenticationCallbacks.spec.ts
index 5a5a3da2ebd6..6271f4db4efc 100644
--- a/sdk/keyvault/keyvault-certificates/test/internal/challengeAuthenticationCallbacks.spec.ts
+++ b/sdk/keyvault/keyvault-certificates/test/internal/challengeAuthenticationCallbacks.spec.ts
@@ -161,7 +161,7 @@ describe("Challenge based authentication tests", function () {
           },
           scopes: [],
         }),
-        "Challenge resource host 'vault.azure.net' does not match request domain"
+        "The challenge resource 'vault.azure.net' does not match the requested domain. Set disableChallengeResourceVerification to true in your client options to disable. See https://aka.ms/azsdk/blog/vault-uri for more information."
       );
     });
 
@@ -179,7 +179,7 @@ describe("Challenge based authentication tests", function () {
           },
           scopes: [],
         }),
-        "Challenge resource host 'vault.azure.net' does not match request domain"
+        "The challenge resource 'vault.azure.net' does not match the requested domain. Set disableChallengeResourceVerification to true in your client options to disable. See https://aka.ms/azsdk/blog/vault-uri for more information."
       );
     });
 
@@ -199,9 +199,7 @@ describe("Challenge based authentication tests", function () {
     });
 
     it("does not throw if the resource URI host does not match the request but verifyChallengeResource is false", async () => {
-      challengeCallbacks = createChallengeCallbacks({
-        disableChallengeResourceVerification: true,
-      });
+      challengeCallbacks = createChallengeCallbacks({ disableChallengeResourceVerification: true });
       await challengeCallbacks.authorizeRequestOnChallenge!({
         getAccessToken: () => Promise.resolve(null),
         request: createPipelineRequest({ url: "https://foo.bar" }),
diff --git a/sdk/keyvault/keyvault-common/src/challengeBasedAuthenticationPolicy.ts b/sdk/keyvault/keyvault-common/src/challengeBasedAuthenticationPolicy.ts
index c01b0d325309..d8f165434dd8 100644
--- a/sdk/keyvault/keyvault-common/src/challengeBasedAuthenticationPolicy.ts
+++ b/sdk/keyvault/keyvault-common/src/challengeBasedAuthenticationPolicy.ts
@@ -58,7 +58,7 @@ function verifyChallengeResource(scope: string, request: PipelineRequest): void
 
   if (!requestUrl.hostname.endsWith(`.${scopeAsUrl.hostname}`)) {
     throw new Error(
-      `Challenge resource host '${scopeAsUrl.hostname}' does not match request domain`
+      `The challenge resource '${scopeAsUrl.hostname}' does not match the requested domain. Set disableChallengeResourceVerification to true in your client options to disable. See https://aka.ms/azsdk/blog/vault-uri for more information.`
     );
   }
 }
diff --git a/sdk/keyvault/keyvault-keys/CHANGELOG.md b/sdk/keyvault/keyvault-keys/CHANGELOG.md
index 1765caaed936..42b855602463 100644
--- a/sdk/keyvault/keyvault-keys/CHANGELOG.md
+++ b/sdk/keyvault/keyvault-keys/CHANGELOG.md
@@ -6,6 +6,7 @@
 
 - Verify the challenge resource matches the vault domain.
   This should affect few customers who can set `disableChallengeResourceVerification` in the options bag to `true` to disable.
+  See https://aka.ms/azsdk/blog/vault-uri for more information.
 
 ## 4.5.0 (2022-08-09)
 
diff --git a/sdk/keyvault/keyvault-keys/test/internal/challengeAuthenticationCallbacks.spec.ts b/sdk/keyvault/keyvault-keys/test/internal/challengeAuthenticationCallbacks.spec.ts
index dc9b75e3b45c..6271f4db4efc 100644
--- a/sdk/keyvault/keyvault-keys/test/internal/challengeAuthenticationCallbacks.spec.ts
+++ b/sdk/keyvault/keyvault-keys/test/internal/challengeAuthenticationCallbacks.spec.ts
@@ -161,7 +161,7 @@ describe("Challenge based authentication tests", function () {
           },
           scopes: [],
         }),
-        "Challenge resource host 'vault.azure.net' does not match request domain"
+        "The challenge resource 'vault.azure.net' does not match the requested domain. Set disableChallengeResourceVerification to true in your client options to disable. See https://aka.ms/azsdk/blog/vault-uri for more information."
       );
     });
 
@@ -179,7 +179,7 @@ describe("Challenge based authentication tests", function () {
           },
           scopes: [],
         }),
-        "Challenge resource host 'vault.azure.net' does not match request domain"
+        "The challenge resource 'vault.azure.net' does not match the requested domain. Set disableChallengeResourceVerification to true in your client options to disable. See https://aka.ms/azsdk/blog/vault-uri for more information."
       );
     });
 
diff --git a/sdk/keyvault/keyvault-secrets/CHANGELOG.md b/sdk/keyvault/keyvault-secrets/CHANGELOG.md
index 6b7f507794d4..8dd86aea9922 100644
--- a/sdk/keyvault/keyvault-secrets/CHANGELOG.md
+++ b/sdk/keyvault/keyvault-secrets/CHANGELOG.md
@@ -6,6 +6,7 @@
 
 - Verify the challenge resource matches the vault domain.
   This should affect few customers who can set `disableChallengeResourceVerification` in the options bag to `true` to disable.
+  See https://aka.ms/azsdk/blog/vault-uri for more information.
 
 ## 4.5.1 (2022-08-15)
 
diff --git a/sdk/keyvault/keyvault-secrets/test/internal/challengeAuthenticationCallbacks.spec.ts b/sdk/keyvault/keyvault-secrets/test/internal/challengeAuthenticationCallbacks.spec.ts
index dc9b75e3b45c..6271f4db4efc 100644
--- a/sdk/keyvault/keyvault-secrets/test/internal/challengeAuthenticationCallbacks.spec.ts
+++ b/sdk/keyvault/keyvault-secrets/test/internal/challengeAuthenticationCallbacks.spec.ts
@@ -161,7 +161,7 @@ describe("Challenge based authentication tests", function () {
           },
           scopes: [],
         }),
-        "Challenge resource host 'vault.azure.net' does not match request domain"
+        "The challenge resource 'vault.azure.net' does not match the requested domain. Set disableChallengeResourceVerification to true in your client options to disable. See https://aka.ms/azsdk/blog/vault-uri for more information."
       );
     });
 
@@ -179,7 +179,7 @@ describe("Challenge based authentication tests", function () {
           },
           scopes: [],
         }),
-        "Challenge resource host 'vault.azure.net' does not match request domain"
+        "The challenge resource 'vault.azure.net' does not match the requested domain. Set disableChallengeResourceVerification to true in your client options to disable. See https://aka.ms/azsdk/blog/vault-uri for more information."
       );
     });