Merge pull request #214212 from tamram/tamram22-1011

xtenant CMK: add CLI samples

Author: Maggiemouse1

articles/storage/blobs/TOC.yml

@@ -398,13 +398,13 @@ items:
               href: ../common/storage-encryption-key-model-get.md?toc=/azure/storage/blobs/toc.json
             - name: Configure customer-managed keys in Azure Key Vault
               items:
-              - name: Configure customer-managed keys in the same tenant
+              - name: Configure keys and storage account in the same tenant
                 items:
-                - name: Configure customer-managed keys for a new account
+                - name: Configure keys for a new account
                   href: ../common/customer-managed-keys-configure-new-account.md?toc=/azure/storage/blobs/toc.json
-                - name: Configure customer-managed keys for an existing account
+                - name: Configure keys for an existing account
                   href: ../common/customer-managed-keys-configure-existing-account.md?toc=/azure/storage/blobs/toc.json
-              - name: Configure customer-managed keys in a different tenant
+              - name: Configure keys and storage account in different tenants
                 items:
                 - name: Configure customer-managed keys for a new account
                   href: ../common/customer-managed-keys-configure-cross-tenant-new-account.md?toc=/azure/storage/blobs/toc.json

articles/storage/common/customer-managed-keys-configure-cross-tenant-existing-account.md

@@ -7,7 +7,7 @@ author: tamram
 
 ms.service: storage
 ms.topic: how-to
-ms.date: 10/04/2022
+ms.date: 10/14/2022
 ms.author: tamram
 ms.reviewer: ozgun
 ms.subservice: common 
@@ -119,7 +119,7 @@ After you've specified the key from the key vault in the customer's tenant, the
 
 ### [PowerShell](#tab/azure-powershell)
 
-To configure cross-tenant customer-managed keys for a new storage account in PowerShell, first install the [Az.Storage PowerShell module](https://www.powershellgallery.com/packages/Az.Storage/4.4.2-preview), version 4.4.2-preview.
+To configure cross-tenant customer-managed keys for a new storage account with PowerShell, first install the [Az.Storage PowerShell module](https://www.powershellgallery.com/packages/Az.Storage/4.4.2-preview), version 4.4.2-preview.
 
 Next, call [Set-AzStorageAccount](/powershell/module/az.storage/set-azstorageaccount), providing the resource ID for the user-assigned managed identity that you configured previously in the ISV's subscription, and the application (client) ID for the multi-tenant application that you configured previously in the ISV's subscription. Provide the key vault URI and key name from the customer's key vault.
 
@@ -128,7 +128,7 @@ Remember to replace the placeholder values in brackets with your own values and
 ```azurepowershell
 $accountName = "<storage-account>"
 $kvUri = "<key-vault-uri>"
-$keyName = "<keyName>"
+$keyName = "<key-name>"
 $multiTenantAppId = "<multi-tenant-app-id>"
 
 Set-AzStorageAccount -ResourceGroupName $rgName `

articles/storage/common/customer-managed-keys-configure-cross-tenant-new-account.md

@@ -7,7 +7,7 @@ author: tamram
 
 ms.service: storage
 ms.topic: how-to
-ms.date: 10/04/2022
+ms.date: 10/14/2022
 ms.author: tamram
 ms.reviewer: ozgun
 ms.subservice: common 
@@ -141,7 +141,38 @@ New-AzStorageAccount -ResourceGroupName $rgName `
 
 ### [Azure CLI](#tab/azure-cli)
 
-To configure cross-tenant customer-managed keys for a new storage account in Azure CLI, call [New-AzStorageAccount](/powershell/module/az.storage/new-azstorageaccount), providing the resource ID for the user-assigned managed identity that you configured previously in the ISV's subscription, and the application (client) ID for the multi-tenant application that you configured previously in the ISV's subscription. Remember to replace the placeholder values in brackets with your own values and to use the variables defined in the previous examples.
+To configure cross-tenant customer-managed keys for a new storage account with Azure CLI, first install the [storage-preview](https://github.com/Azure/azure-cli-extensions/tree/main/src/storage-preview) extension. For more information about installing Azure CLI extensions, see [How to install and manage Azure CLI extensions](/cli/azure/azure-cli-extensions-overview).
+
+Next, call [az storage account create](/cli/azure/storage/account#az-storage-account-create), providing the resource ID for the user-assigned managed identity that you configured previously in the ISV's subscription, and the application (client) ID for the multi-tenant application that you configured previously in the ISV's subscription. Provide the key vault URI and key name from the customer's key vault.
+
+Remember to replace the placeholder values in brackets with your own values and to use the variables defined in the previous examples.
+
+```azurecli
+accountName="<storage-account>"
+kvUri="<key-vault-uri>"
+keyName="<key-name>"
+multiTenantAppId="<multi-tenant-app-id>"
+
+# Get the resource ID for the user-assigned managed identity.
+identityResourceId=$(az identity show --name $managedIdentity \
+    --resource-group $isvRgName \
+    --query id \
+    --output tsv)
+
+az storage account create \
+    --name $accountName \
+    --resource-group $isvRgName \
+    --location $isvLocation \
+    --sku Standard_LRS \
+    --kind StorageV2 \
+    --identity-type SystemAssigned,UserAssigned \
+    --user-identity-id $identityResourceId \
+    --encryption-key-vault $kvUri \
+    --encryption-key-name $keyName \
+    --encryption-key-source Microsoft.Keyvault \
+    --key-vault-user-identity-id $identityResourceId \
+    --key-vault-federated-client-id $multiTenantAppId
+```
 
 ---