diff --git a/deploy-manage/users-roles/_snippets/external-realms.md b/deploy-manage/users-roles/_snippets/external-realms.md index ab1876a1e..6302563a4 100644 --- a/deploy-manage/users-roles/_snippets/external-realms.md +++ b/deploy-manage/users-roles/_snippets/external-realms.md 
@@ -1,20 +1,20 @@ ldap -: Uses an external LDAP server to authenticate the users. This realm supports an authentication token in the form of username and password, and requires explicit configuration in order to be used. See [LDAP user authentication](/deploy-manage/users-roles/cluster-or-deployment-auth/ldap.md). +: Uses an external LDAP server to authenticate the users. This realm supports an authentication token in the form of username and password, and requires explicit configuration in order to be used. LDAP is not available on {{ech}} deployments. For more information, refer to [LDAP user authentication](/deploy-manage/users-roles/cluster-or-deployment-auth/ldap.md). active_directory -: Uses an external Active Directory Server to authenticate the users. With this realm, users are authenticated by usernames and passwords. See [Active Directory user authentication](/deploy-manage/users-roles/cluster-or-deployment-auth/active-directory.md). +: Uses an external Active Directory Server to authenticate the users. With this realm, users are authenticated by usernames and passwords. Active Directory is not available on {{ech}} deployments. For more information, refer to [Active Directory user authentication](/deploy-manage/users-roles/cluster-or-deployment-auth/active-directory.md). pki -: Authenticates users using Public Key Infrastructure (PKI). This realm works in conjunction with SSL/TLS and identifies the users through the Distinguished Name (DN) of the client’s X.509 certificates. See [PKI user authentication](/deploy-manage/users-roles/cluster-or-deployment-auth/pki.md). +: Authenticates users using Public Key Infrastructure (PKI). This realm works in conjunction with SSL/TLS and identifies the users through the Distinguished Name (DN) of the client’s X.509 certificates. PKI is not available on {{ech}} deployments. For more information, refer to [PKI user authentication](/deploy-manage/users-roles/cluster-or-deployment-auth/pki.md). 
saml -: Facilitates authentication using the SAML 2.0 Web SSO protocol. This realm is designed to support authentication through {{kib}} and is not intended for use in the REST API. See [SAML authentication](/deploy-manage/users-roles/cluster-or-deployment-auth/saml.md). +: Facilitates authentication using the SAML 2.0 Web SSO protocol. This realm is designed to support authentication through {{kib}} and is not intended for use in the REST API. For more information, refer to [SAML authentication](/deploy-manage/users-roles/cluster-or-deployment-auth/saml.md). kerberos -: Authenticates a user using Kerberos authentication. Users are authenticated on the basis of Kerberos tickets. See [Kerberos authentication](/deploy-manage/users-roles/cluster-or-deployment-auth/kerberos.md). +: Authenticates a user using Kerberos authentication. Users are authenticated on the basis of Kerberos tickets. For more information, refer to [Kerberos authentication](/deploy-manage/users-roles/cluster-or-deployment-auth/kerberos.md). oidc -: Facilitates authentication using OpenID Connect. It enables {{es}} to serve as an OpenID Connect Relying Party (RP) and provide single sign-on (SSO) support in {{kib}}. See [Configuring single sign-on to the {{stack}} using OpenID Connect](/deploy-manage/users-roles/cluster-or-deployment-auth/openid-connect.md). +: Facilitates authentication using OpenID Connect. It enables {{es}} to serve as an OpenID Connect Relying Party (RP) and provide single sign-on (SSO) support in {{kib}}. For more information, refer to [Configuring single sign-on to the {{stack}} using OpenID Connect](/deploy-manage/users-roles/cluster-or-deployment-auth/openid-connect.md). jwt -: Facilitates using JWT identity tokens as authentication bearer tokens. Compatible tokens are OpenID Connect ID Tokens, or custom JWTs containing the same claims. See [JWT authentication](/deploy-manage/users-roles/cluster-or-deployment-auth/jwt.md). 
\ No newline at end of file +: Facilitates using JWT identity tokens as authentication bearer tokens. Compatible tokens are OpenID Connect ID Tokens, or custom JWTs containing the same claims. For more information, refer to [JWT authentication](/deploy-manage/users-roles/cluster-or-deployment-auth/jwt.md). \ No newline at end of file diff --git a/deploy-manage/users-roles/cluster-or-deployment-auth/active-directory.md b/deploy-manage/users-roles/cluster-or-deployment-auth/active-directory.md index b67e83210..c8be9a6f1 100644 --- a/deploy-manage/users-roles/cluster-or-deployment-auth/active-directory.md +++ b/deploy-manage/users-roles/cluster-or-deployment-auth/active-directory.md @@ -12,6 +12,11 @@ navigation_title: "Active Directory" # Active Directory user authentication [active-directory-realm] +:::{{warning}} +This type of user authentication cannot be configured on {{ech}} deployments. +::: + + You can configure {{stack}} {{security-features}} to communicate with Active Directory to authenticate users. :::{{tip}} diff --git a/deploy-manage/users-roles/cluster-or-deployment-auth/ldap.md b/deploy-manage/users-roles/cluster-or-deployment-auth/ldap.md index 3ca3b4065..2c1ba71ba 100644 --- a/deploy-manage/users-roles/cluster-or-deployment-auth/ldap.md +++ b/deploy-manage/users-roles/cluster-or-deployment-auth/ldap.md @@ -12,6 +12,10 @@ navigation_title: LDAP # LDAP user authentication [ldap-realm] +:::{{warning}} +This type of user authentication cannot be configured on {{ech}} deployments. +::: + You can configure the {{stack}} {{security-features}} to communicate with a Lightweight Directory Access Protocol (LDAP) server to authenticate users. See [Configuring an LDAP realm](../../../deploy-manage/users-roles/cluster-or-deployment-auth/ldap.md#ldap-realm-configuration). To integrate with LDAP, you configure an `ldap` realm and map LDAP groups to user roles. 
@@ -313,4 +317,4 @@ By default, when you configure {{es}} to connect to an LDAP server using SSL/TLS The LDAP security realm uses the {{kib}}-provided [basic authentication](/deploy-manage/users-roles/cluster-or-deployment-auth/kibana-authentication.md#basic-authentication) login form. Basic authentication is enabled by default. -You can also use LDAP with [token authentication](/deploy-manage/users-roles/cluster-or-deployment-auth/kibana-authentication.md#token-authentication) in {{kib}}. \ No newline at end of file +You can also use LDAP with [token authentication](/deploy-manage/users-roles/cluster-or-deployment-auth/kibana-authentication.md#token-authentication) in {{kib}}. diff --git a/deploy-manage/users-roles/cluster-or-deployment-auth/pki.md b/deploy-manage/users-roles/cluster-or-deployment-auth/pki.md index ade02b04b..e77b9d4af 100644 --- a/deploy-manage/users-roles/cluster-or-deployment-auth/pki.md +++ b/deploy-manage/users-roles/cluster-or-deployment-auth/pki.md @@ -10,6 +10,10 @@ applies_to: # PKI [pki-realm] +:::{{warning}} +This type of user authentication cannot be configured on {{ech}} deployments. +::: + You can configure {{es}} to use Public Key Infrastructure (PKI) certificates to authenticate users. In this scenario, clients connecting directly to {{es}} must present X.509 certificates. First, the certificates must be accepted for authentication on the SSL/TLS layer on {{es}}. Then they are optionally further validated by a PKI realm. See [PKI authentication for clients connecting directly to {{es}}](#pki-realm-for-direct-clients). You can also use PKI certificates to authenticate to {{kib}}, however this requires some additional configuration. On {{es}}, this configuration enables {{kib}} to act as a proxy for SSL/TLS authentication and to submit the client certificates to {{es}} for further validation by a PKI realm. See [PKI authentication for clients connecting to {{kib}}](#pki-realm-for-proxied-clients).
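Review bot: In external-realms.md the new restriction on the ldap, active_directory and pki entries is worded "is not available on {{ech}} deployments", while the warnings added to the three realm pages say "cannot be configured on {{ech}} deployments"; use one phrasing so the snippet and the pages it links to read the same way. The jwt entry in this file also still ends with "\ No newline at end of file" on the added side, although the same patch adds the missing final newline to ldap.md, so add the trailing newline here as well.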
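Review bot: In active-directory.md the closing `:::` of the new warning is followed by two added blank lines, where the equivalent hunks in ldap.md and pki.md add only one (the hunk grows from 6 to 11 lines here against 6 to 10 there). Drop the extra blank `+` line so the three pages stay consistent.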
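Review bot: In the first ldap.md hunk the warning text "This type of user authentication cannot be configured on {{ech}} deployments." never names the realm and leaves a reader on {{ech}} with no next step. Consider naming it ("LDAP user authentication cannot be configured ...") and linking to the realm overview that includes external-realms.md, so the reader can see the other realm types; the same applies to the identical warning in active-directory.md and pki.md.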
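Review bot: In pki.md the hunk header context shows the page carries `applies_to:` front matter, and the new warning sits directly below the title without touching it. Please confirm the `applies_to` values agree with the statement that PKI cannot be configured on {{ech}}, and update the front matter in this patch if they still list that deployment type, otherwise the page metadata and the warning will contradict each other.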