Restore PITR + CMK clarifications

Author: Thomas Weiss

articles/cosmos-db/continuous-backup-restore-introduction.md

@@ -99,14 +99,19 @@ For example, if you have 1-TB of data in two regions then:
 
 * Restore cost is calculated as (1000 * 0.15) = $150 per restore
 
+## Customer-managed keys
+
+See [How do customer-managed keys affect continuous backups?](./how-to-setup-cmk.md#how-do-customer-managed-keys-affect-continuous-backups) to learn:
+
+- How to configure your Azure Cosmos DB account when using customer-managed keys in conjunction with continuous backups.
+- How do customer-managed keys affect restores.
+
 ## Current limitations
 
 Currently the point in time restore functionality has the following limitations:
 
 * Only Azure Cosmos DB APIs for SQL and MongoDB are supported for continuous backup. Cassandra, Table, and Gremlin APIs are not yet supported.
 
-* Accounts with customer-managed keys are not supported to use continuous backup.
-
 * Multi-regions write accounts are not supported.
 
 * Azure Synapse Link and periodic backup mode can coexist in the same database account. However, analytical store data isn't included in backups and restores. When Synapse Link is enabled, Azure Cosmos DB will continue to automatically take backups of your data in the transactional store at a scheduled backup interval.

articles/cosmos-db/how-to-setup-cmk.md

@@ -4,7 +4,7 @@ description: Learn how to configure customer-managed keys for your Azure Cosmos
 author: ThomasWeiss
 ms.service: cosmos-db
 ms.topic: how-to
-ms.date: 10/15/2021
+ms.date: 01/24/2022
 ms.author: thweiss 
 ms.custom: devx-track-azurepowershell
 ---
@@ -404,6 +404,17 @@ The following conditions are necessary to successfully restore a periodic backup
 - The encryption key that you used at the time of the backup is required and must be available in Azure Key Vault. This means that no revocation was made and the version of the key that was used at the time of the backup is still enabled.
 - If you [used a system-assigned managed identity in the Azure Key Vault access policy](#to-use-a-system-assigned-managed-identity) of the source account, you must temporarily grant access to the Azure Cosmos DB first-party identity in that access policy as described [here](#add-access-policy) before restoring your data. Once the data is fully restored to the target account, you can remove the first-party identity from the Key Vault access policy and set your desired identity configuration.
 
+### How do customer-managed keys affect continuous backups?
+
+Azure Cosmos DB gives you the option to configure [continuous backups](./continuous-backup-restore-introduction.md) on your account. With continuous backups, you can restore your data to any point in time within the past 30 days. To use continuous backups on an account where customer-managed keys are enabled, you must [use a user-assigned managed identity](#to-use-a-user-assigned-managed-identity) in the Key Vault access policy; the Azure Cosmos DB first-party identity or a system-assigned managed identity aren't currently supported on accounts using continuous backups.
+
+The following conditions are necessary to successfully perform a point-in-time restore:
+- The encryption key that you used at the time of the backup is required and must be available in Azure Key Vault. This means that no revocation was made and the version of the key that was used at the time of the backup is still enabled.
+- You must ensure that the user-assigned managed identity originally used on the source account is still declared in the Key Vault access policy.
+
+> [!IMPORTANT]
+> If you revoke the encryption key before deleting your account, your account's backup may miss the data written after the revocation has been made.
+
 ### How do I revoke an encryption key?
 
 Key revocation is done by disabling the latest version of the key: