[Storage] support FederatedIdentityClientId (#17365)

blueww · isra-fel · web-flow · commit e29b0df08e99 · 2022-04-11T16:40:43.000+08:00
* [Storage] support FederatedIdentityClientId

* Update src/Storage/Storage.Management/help/New-AzStorageAccount.md

Co-authored-by: Yeming Liu &lt;11371776+isra-fel@users.noreply.github.com&gt;

Co-authored-by: Yeming Liu &lt;11371776+isra-fel@users.noreply.github.com&gt;
diff --git a/src/Storage/Storage.Management/ChangeLog.md b/src/Storage/Storage.Management/ChangeLog.md
@@ -18,6 +18,9 @@
         - Additional information about change #1
 -->
 ## Upcoming Release
+* Supported create/upgrade storage account with Keyvault from another tenant and access Keyvault with FederatedClientId
+    -  `New-AzStorageAccount`
+    -  `Set-AzStorageAccount`
 * Supported create storage account with DnsEndpointType
     -  `New-AzStorageAccount`
 
diff --git a/src/Storage/Storage.Management/StorageAccount/NewAzureStorageAccount.cs b/src/Storage/Storage.Management/StorageAccount/NewAzureStorageAccount.cs
@@ -175,6 +175,12 @@ public bool EnableHttpsTrafficOnly
         [ValidateNotNull]
         public string KeyVaultUserAssignedIdentityId { get; set; }
 
+        [Parameter(
+            Mandatory = false,
+            HelpMessage = "Set ClientId of the multi-tenant application to be used in conjunction with the user-assigned identity for cross-tenant customer-managed-keys server-side encryption on the storage account.")]
+        [ValidateNotNull]
+        public string KeyVaultFederatedClientId { get; set; }
+
         [Parameter(
             Mandatory = false,
             HelpMessage = "Storage Account encryption keySource KeyVault KeyName")]
@@ -750,7 +756,7 @@ public override void ExecuteCmdlet()
                     }
                 }
             }
-            if (this.KeyVaultUri !=null || this.KeyName != null || this.KeyVersion != null || this.KeyVaultUserAssignedIdentityId != null)
+            if (this.KeyVaultUri !=null || this.KeyName != null || this.KeyVersion != null || this.KeyVaultUserAssignedIdentityId != null || this.KeyVaultFederatedClientId != null)
             {
                 if ((this.KeyVaultUri != null && this.KeyName == null) || (this.KeyVaultUri == null && this.KeyName != null))
                 {
@@ -762,9 +768,9 @@ public override void ExecuteCmdlet()
                     throw new ArgumentException("KeyVersion can only be specified when specify KeyVaultUri and KeyName together.", "KeyVersion"); 
                 }
 
-                if (this.KeyVaultUserAssignedIdentityId != null && (this.KeyVaultUri == null || this.KeyName == null))
+                if ((this.KeyVaultUserAssignedIdentityId != null || this.KeyVaultFederatedClientId != null) && (this.KeyVaultUri == null || this.KeyName == null))
                 {
-                    throw new ArgumentException("KeyVaultUserAssignedIdentityId can only be specified when specify KeyVaultUri and KeyName together.", "KeyVaultUserAssignedIdentityId");
+                    throw new ArgumentException("KeyVaultUserAssignedIdentityId, KeyVaultFederatedClientId can only be specified when specify KeyVaultUri and KeyName together.", "KeyVaultUserAssignedIdentityId, KeyVaultFederatedClientId");
                 }
 
                 if (createParameters.Encryption == null)
@@ -785,10 +791,11 @@ public override void ExecuteCmdlet()
                     createParameters.Encryption.KeyVaultProperties = new KeyVaultProperties(this.KeyName, this.KeyVersion, this.KeyVaultUri);
                 }
 
-                if (this.KeyVaultUserAssignedIdentityId != null)
+                if (this.KeyVaultUserAssignedIdentityId != null || this.KeyVaultFederatedClientId != null)
                 {
                     createParameters.Encryption.EncryptionIdentity = new EncryptionIdentity();
                     createParameters.Encryption.EncryptionIdentity.EncryptionUserAssignedIdentity = this.KeyVaultUserAssignedIdentityId;
+                    createParameters.Encryption.EncryptionIdentity.EncryptionFederatedIdentityClientId = this.KeyVaultFederatedClientId;
                 }
             }
             if (this.minimumTlsVersion != null)
diff --git a/src/Storage/Storage.Management/StorageAccount/SetAzureStorageAccount.cs b/src/Storage/Storage.Management/StorageAccount/SetAzureStorageAccount.cs
@@ -189,6 +189,12 @@ public string KeyVaultUri
         [ValidateNotNull]
         public string KeyVaultUserAssignedIdentityId { get; set; }
 
+        [Parameter(
+            Mandatory = false,
+            HelpMessage = "Set ClientId of the multi-tenant application to be used in conjunction with the user-assigned identity for cross-tenant customer-managed-keys server-side encryption on the storage account.")]
+        [ValidateNotNull]
+        public string KeyVaultFederatedClientId { get; set; }
+
         [Parameter(
             Mandatory = false,
             HelpMessage = "Set the new Storage Account Identity type, the idenetity is for use with key management services like Azure KeyVault.")]
@@ -626,17 +632,18 @@ public override void ExecuteCmdlet()
                         }
                     }
 
-                    if (StorageEncryption || ParameterSetName == KeyvaultEncryptionParameterSet || this.KeyVaultUserAssignedIdentityId != null)
+                    if (StorageEncryption || ParameterSetName == KeyvaultEncryptionParameterSet || this.KeyVaultUserAssignedIdentityId != null || this.KeyVaultFederatedClientId != null)
                     {
                         if (ParameterSetName == KeyvaultEncryptionParameterSet)
                         {
                             keyvaultEncryption = true;
                         }
                         updateParameters.Encryption = ParseEncryption(StorageEncryption, keyvaultEncryption, KeyName, KeyVersion, KeyVaultUri);
-                        if (this.KeyVaultUserAssignedIdentityId != null)
+                        if (this.KeyVaultUserAssignedIdentityId != null || this.KeyVaultFederatedClientId != null)
                         {
                             updateParameters.Encryption.EncryptionIdentity = new EncryptionIdentity();
                             updateParameters.Encryption.EncryptionIdentity.EncryptionUserAssignedIdentity = this.KeyVaultUserAssignedIdentityId;
+                            updateParameters.Encryption.EncryptionIdentity.EncryptionFederatedIdentityClientId = this.KeyVaultFederatedClientId;
                         }
                     }
                       
diff --git a/src/Storage/Storage.Management/help/New-AzStorageAccount.md b/src/Storage/Storage.Management/help/New-AzStorageAccount.md
@@ -18,9 +18,9 @@ Creates a Storage account.
 New-AzStorageAccount [-ResourceGroupName] <String> [-Name] <String> [-SkuName] <String> [-Location] <String>
  [-Kind <String>] [-AccessTier <String>] [-CustomDomainName <String>] [-UseSubDomain <Boolean>]
  [-Tag <Hashtable>] [-EnableHttpsTrafficOnly <Boolean>] [-AssignIdentity] [-UserAssignedIdentityId <String>]
- [-IdentityType <String>] [-KeyVaultUserAssignedIdentityId <String>] [-KeyName <String>] [-KeyVersion <String>]
- [-KeyVaultUri <String>] [-NetworkRuleSet <PSNetworkRuleSet>] [-EnableSftp <Boolean>]
- [-EnableLocalUser <Boolean>] [-EnableHierarchicalNamespace <Boolean>]
+ [-IdentityType <String>] [-KeyVaultUserAssignedIdentityId <String>] [-KeyVaultFederatedClientId <String>]
+ [-KeyName <String>] [-KeyVersion <String>] [-KeyVaultUri <String>] [-NetworkRuleSet <PSNetworkRuleSet>]
+ [-EnableSftp <Boolean>] [-EnableLocalUser <Boolean>] [-EnableHierarchicalNamespace <Boolean>]
  [-EnableAzureActiveDirectoryDomainServicesForFile <Boolean>] [-EnableLargeFileShare]
  [-PublishMicrosoftEndpoint <Boolean>] [-PublishInternetEndpoint <Boolean>] [-AsJob]
  [-EncryptionKeyTypeForTable <String>] [-EncryptionKeyTypeForQueue <String>] [-RequireInfrastructureEncryption]
@@ -38,10 +38,10 @@ New-AzStorageAccount [-ResourceGroupName] <String> [-Name] <String> [-SkuName] <
 New-AzStorageAccount [-ResourceGroupName] <String> [-Name] <String> [-SkuName] <String> [-Location] <String>
  [-Kind <String>] [-AccessTier <String>] [-CustomDomainName <String>] [-UseSubDomain <Boolean>]
  [-Tag <Hashtable>] [-EnableHttpsTrafficOnly <Boolean>] [-AssignIdentity] [-UserAssignedIdentityId <String>]
- [-IdentityType <String>] [-KeyVaultUserAssignedIdentityId <String>] [-KeyName <String>] [-KeyVersion <String>]
- [-KeyVaultUri <String>] [-NetworkRuleSet <PSNetworkRuleSet>] [-EnableSftp <Boolean>]
- [-EnableLocalUser <Boolean>] [-EnableHierarchicalNamespace <Boolean>] [-EnableLargeFileShare]
- [-PublishMicrosoftEndpoint <Boolean>] [-PublishInternetEndpoint <Boolean>]
+ [-IdentityType <String>] [-KeyVaultUserAssignedIdentityId <String>] [-KeyVaultFederatedClientId <String>]
+ [-KeyName <String>] [-KeyVersion <String>] [-KeyVaultUri <String>] [-NetworkRuleSet <PSNetworkRuleSet>]
+ [-EnableSftp <Boolean>] [-EnableLocalUser <Boolean>] [-EnableHierarchicalNamespace <Boolean>]
+ [-EnableLargeFileShare] [-PublishMicrosoftEndpoint <Boolean>] [-PublishInternetEndpoint <Boolean>]
  [-EnableActiveDirectoryDomainServicesForFile <Boolean>] [-ActiveDirectoryDomainName <String>]
  [-ActiveDirectoryNetBiosDomainName <String>] [-ActiveDirectoryForestName <String>]
  [-ActiveDirectoryDomainGuid <String>] [-ActiveDirectoryDomainSid <String>]
@@ -313,9 +313,33 @@ AAD
 
 The command creates account with AllowedCopyScope as AAD.
 
-### Example 17: Create account with DnsEndpointType as AzureDnsZone
+### Example 17: Create a Storage account with Keyvault from another tenant (access Keyvault with FederatedClientId)
+```powershell
+# create Storage account with Keyvault encryption (access Keyvault with FederatedClientId), then show properties
+PS C:\> $account = New-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName -Kind StorageV2 -SkuName Standard_LRS -Location eastus2euap `
+                -IdentityType SystemAssignedUserAssigned  -UserAssignedIdentityId $useridentityId  `
+                -KeyVaultUri $keyVault.VaultUri -KeyName $keyname -KeyVaultUserAssignedIdentityId $useridentityId -KeyVaultFederatedClientId $federatedClientId
+
+PS C:\> $account.Encryption.EncryptionIdentity
+
+EncryptionUserAssignedIdentity                                                                                                      EncryptionFederatedIdentityClientId                                                                                                                 
+------------------------------                                                                                                      ----------------------------------- 
+/subscriptions/{subscription-id}/resourceGroups/myresourcegroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myuserid ********-****-****-****-************
+
+PS C:\> $account.Encryption.KeyVaultProperties
+
+KeyName                       : wrappingKey
+KeyVersion                    : 
+KeyVaultUri                   : https://mykeyvault.vault.azure.net:443
+CurrentVersionedKeyIdentifier : https://mykeyvault.vault.azure.net/keys/wrappingKey/8e74036e0d534e58b3bd84b319e31d8f
+LastKeyRotationTimestamp      : 3/3/2022 2:07:34 AM
 ```
-New-AzStorageAccount -ResourceGroupName "MyResourceGroup" -AccountName "mystorageaccount" -SkuName Standard_LRS  -Location centraluseuap -Kind StorageV2 -DnsEndpointType AzureDnsZone 
+
+This command creates a storage account with Keyvault from another tenant (access Keyvault with FederatedClientId).
+
+### Example 18: Create account with DnsEndpointType as AzureDnsZone
+```powershell
+New-AzStorageAccount -ResourceGroupName "MyResourceGroup" -AccountName "mystorageaccount" -SkuName Standard_LRS  -Location centraluseuap -Kind StorageV2 -DnsEndpointType AzureDnsZone
 ```
 
 The command creates account with DnsEndpointType as AzureDnsZone to create a large number of accounts in a single subscription, which creates accounts in an Azure DNS Zone and the endpoint URL will have an alphanumeric DNS Zone identifier.
@@ -900,6 +924,21 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### -KeyVaultFederatedClientId
+Set ClientId of the multi-tenant application to be used in conjunction with the user-assigned identity for cross-tenant customer-managed-keys server-side encryption on the storage account.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -KeyVaultUri
 Storage Account encryption keySource KeyVault KeyVaultUri
 
diff --git a/src/Storage/Storage.Management/help/Set-AzStorageAccount.md b/src/Storage/Storage.Management/help/Set-AzStorageAccount.md
@@ -18,8 +18,9 @@ Modifies a Storage account.
 Set-AzStorageAccount [-ResourceGroupName] <String> [-Name] <String> [-Force] [-SkuName <String>]
  [-AccessTier <String>] [-CustomDomainName <String>] [-UseSubDomain <Boolean>] [-Tag <Hashtable>]
  [-EnableHttpsTrafficOnly <Boolean>] [-StorageEncryption] [-AssignIdentity] [-UserAssignedIdentityId <String>]
- [-KeyVaultUserAssignedIdentityId <String>] [-IdentityType <String>] [-NetworkRuleSet <PSNetworkRuleSet>]
- [-UpgradeToStorageV2] [-EnableAzureActiveDirectoryDomainServicesForFile <Boolean>] [-EnableLargeFileShare]
+ [-KeyVaultUserAssignedIdentityId <String>] [-KeyVaultFederatedClientId <String>] [-IdentityType <String>]
+ [-NetworkRuleSet <PSNetworkRuleSet>] [-UpgradeToStorageV2]
+ [-EnableAzureActiveDirectoryDomainServicesForFile <Boolean>] [-EnableLargeFileShare]
  [-PublishMicrosoftEndpoint <Boolean>] [-PublishInternetEndpoint <Boolean>] [-AllowBlobPublicAccess <Boolean>]
  [-MinimumTlsVersion <String>] [-AllowSharedKeyAccess <Boolean>] [-SasExpirationPeriod <TimeSpan>]
  [-KeyExpirationPeriodInDay <Int32>] [-AllowCrossTenantReplication <Boolean>]
@@ -35,8 +36,9 @@ Set-AzStorageAccount [-ResourceGroupName] <String> [-Name] <String> [-Force] [-S
  [-AccessTier <String>] [-CustomDomainName <String>] [-UseSubDomain <Boolean>] [-Tag <Hashtable>]
  [-EnableHttpsTrafficOnly <Boolean>] [-KeyvaultEncryption] -KeyName <String> [-KeyVersion <String>]
  -KeyVaultUri <String> [-AssignIdentity] [-UserAssignedIdentityId <String>]
- [-KeyVaultUserAssignedIdentityId <String>] [-IdentityType <String>] [-NetworkRuleSet <PSNetworkRuleSet>]
- [-UpgradeToStorageV2] [-EnableAzureActiveDirectoryDomainServicesForFile <Boolean>] [-EnableLargeFileShare]
+ [-KeyVaultUserAssignedIdentityId <String>] [-KeyVaultFederatedClientId <String>] [-IdentityType <String>]
+ [-NetworkRuleSet <PSNetworkRuleSet>] [-UpgradeToStorageV2]
+ [-EnableAzureActiveDirectoryDomainServicesForFile <Boolean>] [-EnableLargeFileShare]
  [-PublishMicrosoftEndpoint <Boolean>] [-PublishInternetEndpoint <Boolean>] [-AllowBlobPublicAccess <Boolean>]
  [-MinimumTlsVersion <String>] [-AllowSharedKeyAccess <Boolean>] [-SasExpirationPeriod <TimeSpan>]
  [-KeyExpirationPeriodInDay <Int32>] [-AllowCrossTenantReplication <Boolean>]
@@ -51,19 +53,19 @@ Set-AzStorageAccount [-ResourceGroupName] <String> [-Name] <String> [-Force] [-S
 Set-AzStorageAccount [-ResourceGroupName] <String> [-Name] <String> [-Force] [-SkuName <String>]
  [-AccessTier <String>] [-CustomDomainName <String>] [-UseSubDomain <Boolean>] [-Tag <Hashtable>]
  [-EnableHttpsTrafficOnly <Boolean>] [-AssignIdentity] [-UserAssignedIdentityId <String>]
- [-KeyVaultUserAssignedIdentityId <String>] [-IdentityType <String>] [-NetworkRuleSet <PSNetworkRuleSet>]
- [-UpgradeToStorageV2] [-EnableLargeFileShare] [-PublishMicrosoftEndpoint <Boolean>]
- [-PublishInternetEndpoint <Boolean>] -EnableActiveDirectoryDomainServicesForFile <Boolean>
- [-ActiveDirectoryDomainName <String>] [-ActiveDirectoryNetBiosDomainName <String>]
- [-ActiveDirectoryForestName <String>] [-ActiveDirectoryDomainGuid <String>]
- [-ActiveDirectoryDomainSid <String>] [-ActiveDirectoryAzureStorageSid <String>]
- [-ActiveDirectorySamAccountName <String>] [-ActiveDirectoryAccountType <String>]
- [-AllowBlobPublicAccess <Boolean>] [-MinimumTlsVersion <String>] [-AllowSharedKeyAccess <Boolean>]
- [-SasExpirationPeriod <TimeSpan>] [-KeyExpirationPeriodInDay <Int32>] [-AllowCrossTenantReplication <Boolean>]
- [-DefaultSharePermission <String>] [-PublicNetworkAccess <String>] [-ImmutabilityPeriod <Int32>]
- [-AllowProtectedAppendWrite <Boolean>] [-ImmutabilityPolicyState <String>] [-EnableSftp <Boolean>]
- [-EnableLocalUser <Boolean>] [-AllowedCopyScope <String>] [-AsJob] [-DefaultProfile <IAzureContextContainer>]
- [-RoutingChoice <String>] [-WhatIf] [-Confirm] [<CommonParameters>]
+ [-KeyVaultUserAssignedIdentityId <String>] [-KeyVaultFederatedClientId <String>] [-IdentityType <String>]
+ [-NetworkRuleSet <PSNetworkRuleSet>] [-UpgradeToStorageV2] [-EnableLargeFileShare]
+ [-PublishMicrosoftEndpoint <Boolean>] [-PublishInternetEndpoint <Boolean>]
+ -EnableActiveDirectoryDomainServicesForFile <Boolean> [-ActiveDirectoryDomainName <String>]
+ [-ActiveDirectoryNetBiosDomainName <String>] [-ActiveDirectoryForestName <String>]
+ [-ActiveDirectoryDomainGuid <String>] [-ActiveDirectoryDomainSid <String>]
+ [-ActiveDirectoryAzureStorageSid <String>] [-ActiveDirectorySamAccountName <String>]
+ [-ActiveDirectoryAccountType <String>] [-AllowBlobPublicAccess <Boolean>] [-MinimumTlsVersion <String>]
+ [-AllowSharedKeyAccess <Boolean>] [-SasExpirationPeriod <TimeSpan>] [-KeyExpirationPeriodInDay <Int32>]
+ [-AllowCrossTenantReplication <Boolean>] [-DefaultSharePermission <String>] [-PublicNetworkAccess <String>]
+ [-ImmutabilityPeriod <Int32>] [-AllowProtectedAppendWrite <Boolean>] [-ImmutabilityPolicyState <String>]
+ [-EnableSftp <Boolean>] [-EnableLocalUser <Boolean>] [-AllowedCopyScope <String>] [-AsJob]
+ [-DefaultProfile <IAzureContextContainer>] [-RoutingChoice <String>] [-WhatIf] [-Confirm] [<CommonParameters>]
 ```
 
 ## DESCRIPTION
@@ -394,7 +396,7 @@ True
 This command updates a Storage account by enable Sftp and localuser. 
 To run the command succssfully, the Storage account should already enable Hierarchical Namespace.
 
-### Example 21: Update a Storage account by set AllowedCopyScope as PrivateLink 
+### Example 21: Update a Storage account by set AllowedCopyScope as PrivateLink
 ```
 PS C:\> $account = Set-AzStorageAccount -ResourceGroupName "myresourcegroup" -AccountName "mystorageaccount" -AllowedCopyScope PrivateLink
 
@@ -404,6 +406,29 @@ PrivateLink
 
 The command updates a Storage account by set AllowedCopyScope as PrivateLink. 
 
+### Example 22: Update a Storage account with Keyvault from another tenant (access Keyvault with FederatedClientId)
+```powershell
+# create Storage account with Keyvault encryption (access Keyvault with FederatedClientId), then show properties
+PS C:\> $account = Set-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName  `
+                -KeyVaultUri $keyVault.VaultUri -KeyName $keyname -KeyVaultUserAssignedIdentityId $useridentityId -KeyVaultFederatedClientId $federatedClientId
+
+PS C:\> $account.Encryption.EncryptionIdentity
+
+EncryptionUserAssignedIdentity                                                                                                      EncryptionFederatedIdentityClientId                                                                                                                 
+------------------------------                                                                                                      ----------------------------------- 
+/subscriptions/{subscription-id}/resourceGroups/myresourcegroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myuserid ********-****-****-****-************
+
+PS C:\> $account.Encryption.KeyVaultProperties
+
+KeyName                       : wrappingKey
+KeyVersion                    : 
+KeyVaultUri                   : https://mykeyvault.vault.azure.net:443
+CurrentVersionedKeyIdentifier : https://mykeyvault.vault.azure.net/keys/wrappingKey/8e74036e0d534e58b3bd84b319e31d8f
+LastKeyRotationTimestamp      : 3/3/2022 2:07:34 AM
+```
+
+This command updates a storage account with Keyvault from another tenant (access Keyvault with FederatedClientId).
+
 ## PARAMETERS
 
 ### -AccessTier
@@ -905,6 +930,21 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### -KeyVaultFederatedClientId
+Set ClientId of the multi-tenant application to be used in conjunction with the user-assigned identity for cross-tenant customer-managed-keys server-side encryption on the storage account.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -KeyVaultUri
 When using Key Vault Encryption by specifying the -KeyvaultEncryption parameter, use this option to specify the URI to the Key Vault.
 

Original file line number	Diff line number	Diff line change
`@@ -175,6 +175,12 @@ public bool EnableHttpsTrafficOnly`
`175`	`175`	`[ValidateNotNull]`
`176`	`176`	`public string KeyVaultUserAssignedIdentityId { get; set; }`
`177`	`177`
	`178`	`+ [Parameter(`
	`179`	`+ Mandatory = false,`
	`180`	`+ HelpMessage = "Set ClientId of the multi-tenant application to be used in conjunction with the user-assigned identity for cross-tenant customer-managed-keys server-side encryption on the storage account.")]`
	`181`	`+ [ValidateNotNull]`
	`182`	`+ public string KeyVaultFederatedClientId { get; set; }`
	`183`	`+`
`178`	`184`	`[Parameter(`
`179`	`185`	`Mandatory = false,`
`180`	`186`	`HelpMessage = "Storage Account encryption keySource KeyVault KeyName")]`
`@@ -750,7 +756,7 @@ public override void ExecuteCmdlet()`
`750`	`756`	`}`
`751`	`757`	`}`
`752`	`758`	`}`
`753`		`- if (this.KeyVaultUri !=null \|\| this.KeyName != null \|\| this.KeyVersion != null \|\| this.KeyVaultUserAssignedIdentityId != null)`
	`759`	`+ if (this.KeyVaultUri !=null \|\| this.KeyName != null \|\| this.KeyVersion != null \|\| this.KeyVaultUserAssignedIdentityId != null \|\| this.KeyVaultFederatedClientId != null)`
`754`	`760`	`{`
`755`	`761`	`if ((this.KeyVaultUri != null && this.KeyName == null) \|\| (this.KeyVaultUri == null && this.KeyName != null))`
`756`	`762`	`{`
`@@ -762,9 +768,9 @@ public override void ExecuteCmdlet()`
`762`	`768`	`throw new ArgumentException("KeyVersion can only be specified when specify KeyVaultUri and KeyName together.", "KeyVersion");`
`763`	`769`	`}`
`764`	`770`
`765`		`- if (this.KeyVaultUserAssignedIdentityId != null && (this.KeyVaultUri == null \|\| this.KeyName == null))`
	`771`	`+ if ((this.KeyVaultUserAssignedIdentityId != null \|\| this.KeyVaultFederatedClientId != null) && (this.KeyVaultUri == null \|\| this.KeyName == null))`
`766`	`772`	`{`
`767`		`- throw new ArgumentException("KeyVaultUserAssignedIdentityId can only be specified when specify KeyVaultUri and KeyName together.", "KeyVaultUserAssignedIdentityId");`
	`773`	`+ throw new ArgumentException("KeyVaultUserAssignedIdentityId, KeyVaultFederatedClientId can only be specified when specify KeyVaultUri and KeyName together.", "KeyVaultUserAssignedIdentityId, KeyVaultFederatedClientId");`
`768`	`774`	`}`
`769`	`775`
`770`	`776`	`if (createParameters.Encryption == null)`
`@@ -785,10 +791,11 @@ public override void ExecuteCmdlet()`
`785`	`791`	`createParameters.Encryption.KeyVaultProperties = new KeyVaultProperties(this.KeyName, this.KeyVersion, this.KeyVaultUri);`
`786`	`792`	`}`
`787`	`793`
`788`		`- if (this.KeyVaultUserAssignedIdentityId != null)`
	`794`	`+ if (this.KeyVaultUserAssignedIdentityId != null \|\| this.KeyVaultFederatedClientId != null)`
`789`	`795`	`{`
`790`	`796`	`createParameters.Encryption.EncryptionIdentity = new EncryptionIdentity();`
`791`	`797`	`createParameters.Encryption.EncryptionIdentity.EncryptionUserAssignedIdentity = this.KeyVaultUserAssignedIdentityId;`
	`798`	`+ createParameters.Encryption.EncryptionIdentity.EncryptionFederatedIdentityClientId = this.KeyVaultFederatedClientId;`
`792`	`799`	`}`
`793`	`800`	`}`
`794`	`801`	`if (this.minimumTlsVersion != null)`
Original file line number	Diff line number	Diff line change
`@@ -189,6 +189,12 @@ public string KeyVaultUri`
`189`	`189`	`[ValidateNotNull]`
`190`	`190`	`public string KeyVaultUserAssignedIdentityId { get; set; }`
`191`	`191`
	`192`	`+ [Parameter(`
	`193`	`+ Mandatory = false,`
	`194`	`+ HelpMessage = "Set ClientId of the multi-tenant application to be used in conjunction with the user-assigned identity for cross-tenant customer-managed-keys server-side encryption on the storage account.")]`
	`195`	`+ [ValidateNotNull]`
	`196`	`+ public string KeyVaultFederatedClientId { get; set; }`
	`197`	`+`
`192`	`198`	`[Parameter(`
`193`	`199`	`Mandatory = false,`
`194`	`200`	`HelpMessage = "Set the new Storage Account Identity type, the idenetity is for use with key management services like Azure KeyVault.")]`
`@@ -626,17 +632,18 @@ public override void ExecuteCmdlet()`
`626`	`632`	`}`
`627`	`633`	`}`
`628`	`634`
`629`		`- if (StorageEncryption \|\| ParameterSetName == KeyvaultEncryptionParameterSet \|\| this.KeyVaultUserAssignedIdentityId != null)`
	`635`	`+ if (StorageEncryption \|\| ParameterSetName == KeyvaultEncryptionParameterSet \|\| this.KeyVaultUserAssignedIdentityId != null \|\| this.KeyVaultFederatedClientId != null)`
`630`	`636`	`{`
`631`	`637`	`if (ParameterSetName == KeyvaultEncryptionParameterSet)`
`632`	`638`	`{`
`633`	`639`	`keyvaultEncryption = true;`
`634`	`640`	`}`
`635`	`641`	`updateParameters.Encryption = ParseEncryption(StorageEncryption, keyvaultEncryption, KeyName, KeyVersion, KeyVaultUri);`
`636`		`- if (this.KeyVaultUserAssignedIdentityId != null)`
	`642`	`+ if (this.KeyVaultUserAssignedIdentityId != null \|\| this.KeyVaultFederatedClientId != null)`
`637`	`643`	`{`
`638`	`644`	`updateParameters.Encryption.EncryptionIdentity = new EncryptionIdentity();`
`639`	`645`	`updateParameters.Encryption.EncryptionIdentity.EncryptionUserAssignedIdentity = this.KeyVaultUserAssignedIdentityId;`
	`646`	`+ updateParameters.Encryption.EncryptionIdentity.EncryptionFederatedIdentityClientId = this.KeyVaultFederatedClientId;`
`640`	`647`	`}`
`641`	`648`	`}`
`642`	`649`