QP doesn't support CMK

yossi-y · yossi-y · commit 33a861a0167c · 2023-12-11T12:19:29.000+02:00
diff --git a/articles/azure-monitor/logs/customer-managed-keys.md b/articles/azure-monitor/logs/customer-managed-keys.md
@@ -278,11 +278,13 @@ When linking your Storage Account for saved queries, the service stores saved-qu
 
 **Considerations before setting Customer-managed key for queries**
 * You need to have "write" permissions on your workspace and Storage Account.
-* Make sure to create your Storage Account in the same region as your Log Analytics workspace is located.
-* The saves queries in storage is considered as service artifacts and their format may change.
-* Linking a Storage Account for queries removed existing saves queries from your workspace. Copy saves queries that you need before this configuration. You can view your saved queries using  [PowerShell](/powershell/module/az.operationalinsights/get-azoperationalinsightssavedsearch).
+* Make sure to create your Storage Account in the same region as your Log Analytics workspace is located, with Customer-managed key encryption. This is important since saved queries are stored in table storage and it can only be encrypted at Storage Account creation.
+* Queries saved in [query pack](./query-packs.md) aren't encrypted with Customer-managed key. Select **Save as Legacy query** when saving queries instead, to protect them with Customer-managed key.
+* Saves queries in storage are considered service artifacts and their format may change.
+* Linking a Storage Account for queries removes existing saves queries from your workspace. Copy saves queries that you need before this configuration. You can view your saved queries using [PowerShell](/powershell/module/az.operationalinsights/get-azoperationalinsightssavedsearch).
 * Query 'history' and 'pin to dashboard' aren't supported when linking Storage Account for queries.
-* You can link a single Storage Account to a workspace, which can be used for both saved queries and log alerts queries.
+* You can link a single Storage Account to a workspace for both saved queries and log alerts queries.
+* Log alerts are saved in blob storage and Customer-managed key encryption can be configured at Storage Account creation, or later.
 * Fired log alerts won't contain search results or alert query. You can use [alert dimensions](../alerts/alerts-unified-log.md#split-by-alert-dimensions) to get context in the fired alerts.
 
 **Configure BYOS for saved queries**
diff --git a/articles/azure-monitor/logs/private-storage.md b/articles/azure-monitor/logs/private-storage.md
@@ -61,8 +61,8 @@ The storage account and the key vault must be in the same region, but they also
 To configure your Azure Storage account to use CMKs with Key Vault, use the [Azure portal](../../storage/common/customer-managed-keys-configure-key-vault.md?toc=%252fazure%252fstorage%252fblobs%252ftoc.json), [PowerShell](../../storage/common/customer-managed-keys-configure-key-vault.md?toc=%252fazure%252fstorage%252fblobs%252ftoc.json), or the [Azure CLI](../../storage/common/customer-managed-keys-configure-key-vault.md?toc=%252fazure%252fstorage%252fblobs%252ftoc.json).
 
 > [!NOTE]
-> - When linking Storage Account for query, existing saved queries in workspace are deleted permanently for privacy. You can copy existing saved queries before storage link using a template as described in [Workspace move procedure](./move-workspace-region.md).
-> - Queries saved in [query pack](./query-packs.md) aren't encrypted with Customer-managed key. Select **Save as Legacy query** when saving queries instead to protect them with Customer-managed key.
+> - When linking Storage Account for query, existing saved queries in workspace are deleted permanently for privacy. You can copy existing saved queries before storage link using [PowerShell](/powershell/module/az.operationalinsights/get-azoperationalinsightssavedsearch).
+> - Queries saved in [query pack](./query-packs.md) aren't encrypted with Customer-managed key. Select **Save as Legacy query** when saving queries instead, to protect them with Customer-managed key.
 > - Saved queries are stored in table storage and encrypted with Customer-managed key when encryption is configured at Storage Account creation.
 > - Log alerts are saved in blob storage where configuration of Customer-managed key encryption can be at Storage Account creation, or later.
 > - You can use a single Storage Account for all purposes, query, alert, custom log and IIS logs. Linking storage for custom log and IIS logs might require more Storage Accounts for scale, depending on the ingestion rate and storage limits. You can link up to five Storage Accounts to a workspace.
diff --git a/articles/azure-monitor/logs/query-packs.md b/articles/azure-monitor/logs/query-packs.md
@@ -6,7 +6,7 @@ ms.topic: conceptual
 author: guywi-ms
 ms.author: guywild
 ms.reviewer: roygal
-ms.date: 06/22/2022
+ms.date: 12/11/2023
 
 ---
 
@@ -50,6 +50,9 @@ To add query packs to your Log Analytics workspace:
 ## Create a query pack
 You can create a query pack by using the REST API or from the **Log Analytics query packs** pane in the Azure portal. To open the **Log Analytics query packs** pane in the portal, select **All services** > **Other**.
 
+> [!NOTE]
+> Queries saved in [query pack](./query-packs.md) aren't encrypted with Customer-managed key. Select **Save as Legacy query** when saving queries instead, to protect them with Customer-managed key.
+
 ### Create a token
 You must have a token for authentication of the API request. There are multiple methods to get a token. One method is to use `armclient`.
 
