diff --git a/book/src/accounts/account_policy.md b/book/src/accounts/account_policy.md index 024006cf9..c6c5674bf 100644 --- a/book/src/accounts/account_policy.md +++ b/book/src/accounts/account_policy.md @@ -188,6 +188,23 @@ account policy for a group. For example, to set the allowlist for all persons, r kanidm group account-policy webauthn-attestation-ca-list idm_all_persons trusted-authenticators ``` +### Setting Primary Credential Fallback + +The primary credential fallback enables behavior which allows authenticating +using the primary account password when logging in via LDAP. + +If both an LDAP and primary password are specified, Kanidm will only accept the LDAP password. + +```bash +kanidm group account-policy allow-primary-cred-fallback +``` + +to disable it for a group you would run: + +```bash +kanidm group account-policy allow-primary-cred-fallback false +``` + ## Global Settings There are a small number of account policy settings that are set globally rather than on a per group
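Review bot: In the two added `bash` examples under "Setting Primary Credential Fallback", neither command names a group, and the enable form passes no value while the disable form passes `false`, so a reader cannot tell the argument order or how the setting is turned on. The unchanged context line above the hunk shows the shape the page already uses (`kanidm group account-policy webauthn-attestation-ca-list idm_all_persons trusted-authenticators`); suggest writing both examples in that shape, with a group and an explicit value, and giving the first example a lead-in sentence to match "to disable it for a group you would run:" (which should also start with a capital letter). Since this setting decides whether the primary account password is accepted for LDAP logins, the text should also state what the default is for a group with no value set, and reword "If both an LDAP and primary password are specified" to make clear it means passwords set on the account rather than supplied at login.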