MicrosoftDocs
diff --git a/‎articles/virtual-machines/disks-cross-tenant-customer-managed-keys.md
Lines changed: 55 additions & 40 deletions b/‎articles/virtual-machines/disks-cross-tenant-customer-managed-keys.md
Lines changed: 55 additions & 40 deletions
diff --git a/‎articles/virtual-machines/media/disks-cross-tenant-customer-managed-keys/create-disk-encryption-set.png
39.5 KB b/‎articles/virtual-machines/media/disks-cross-tenant-customer-managed-keys/create-disk-encryption-set.png
39.5 KB
@@ -4,7 +4,7 @@ description: Learn how to use customer-managed keys with your Azure disks in dif
 author: roygara
 ms.service: storage
 ms.topic: how-to
-ms.date: 11/11/2022
+ms.date: 11/30/2022
 ms.author: rogarana
 ms.subservice: disks
 ---
@@ -29,13 +29,62 @@ If you have questions about cross-tenant customer-managed keys with managed disk
 
 ## Create a disk encryption set
 
-Now that you've created your Azure Key Vault and performed the required Azure AD configurations, deploy a disk encryption set configured to work across tenants and associate it with a key in the key vault. You can do this using an ARM template, REST API, Azure PowerShell, or Azure CLI.
+Now that you've created your Azure Key Vault and performed the required Azure AD configurations, deploy a disk encryption set configured to work across tenants and associate it with a key in the key vault. You can do this using the Azure portal, Azure PowerShell, or Azure CLI. You can also use an [ARM template](#use-an-arm-template) or [REST API](#use-rest-api).
 
-# [ARM/REST](#tab/azure-portal)
+# [Portal](#tab/azure-portal)
 
-Use an ARM template or REST API.
+To use the Azure portal, sign in to the portal and follow these steps.
 
-### ARM
+1. Select **+ Create a resource**, search for **Disk encryption set**, and select **Create > Disk encryption set**.
+1. Under **Project details**, select the subscription and resource group in which to create the disk encryption set.
+1. Under **Instance details**, provide a name for the disk encryption set.
+
+    :::image type="content" source="media/disks-cross-tenant-customer-managed-keys/create-disk-encryption-set.png" alt-text="Screenshot showing how to enter the project and instance details to create a new disk encryption set." border="true":::
+
+1. Select the **Region** in which to create the disk encryption set.
+1. For **Encryption type**, select **Encryption at-rest with a customer-managed key**.
+1. Under **Encryption key**, select the **Enter key from URI** radio button, and then enter the Key URI of the key created in the customer's tenant.
+1. Under **User-assigned identity**, select **Select an identity**.
+1. Select the user-assigned managed identity that you created previously in the ISV's tenant, and then select **Add**.
+1. Under **Multi-tenant application**, select **Select an application**.
+1. Select the multi-tenant registered application that you created previously in the ISV's tenant, and click **Select**.
+1. Select **Review + create**.
+
+# [PowerShell](#tab/azure-powershell)
+
+To use Azure PowerShell, install the latest Az module or the Az.Storage module. For more information about installing PowerShell, see [Install Azure PowerShell on Windows with PowerShellGet](/powershell/azure/install-Az-ps).
+
+[!INCLUDE [azure-powershell-requirements-no-header.md](../../includes/azure-powershell-requirements-no-header.md)]
+
+In the script below, `-FederatedClientId` should be the application ID (client ID) of the multi-tenant application. You'll also need to provide the subscription ID, resource group name, and identity name.
+
+```azurepowershell-interactive
+$userAssignedIdentities = @{"/subscriptions/subscriptionId/resourceGroups/resourceGroupName/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identityName" = @{}};
+
+$config = New-AzDiskEncryptionSetConfig `
+   -Location 'westcentralus' `
+   -KeyUrl "https://vault1.vault.azure.net:443/keys/key1/mykey" `
+   -IdentityType 'UserAssigned' `
+   -RotationToLatestKeyVersionEnabled $True `
+   -UserAssignedIdentity $userAssignedIdentities `
+   -FederatedClientId "00000000-0000-0000-0000-000000000000" `
+   $config `
+   | New-AzDiskEncryptionSet -ResourceGroupName 'rg1' -Name 'enc1'
+```
+
+# [Azure CLI](#tab/azure-cli)
+
+[!INCLUDE [azure-cli-prepare-your-environment-no-header.md](../../includes/azure-cli-prepare-your-environment-no-header.md)]
+
+In the command below, `myAssignedId` should be the resource ID of the user-assigned managed identity that you created earlier, and `myFederatedClientId` should be the application ID (client ID) of the multi-tenant application.
+
+```azurecli-interactive
+az disk-encryption-set create --resource-group MyResourceGroup --name MyDiskEncryptionSet --key-url MyKey --mi-user-assigned myAssignedId --federated-client-id myFederatedClientId --location westcentralus
+```
+
+---
+
+### Use an ARM template
 
 ```json
 {
@@ -92,7 +141,7 @@ Use an ARM template or REST API.
 }
 ```
 
-### REST API
+### Use REST API
 
 Use bearer token as authorization header and application/JSON as content type in BODY. (Network tab, filter to management.azure while performing any ARM request on portal.)
 
@@ -123,40 +172,6 @@ Content-Type: application/json
 }
 ```
 
-# [PowerShell](#tab/azure-powershell)
-
-To use Azure PowerShell, install the latest Az module or the Az.Storage module. For more information about installing PowerShell, see [Install Azure PowerShell on Windows with PowerShellGet](/powershell/azure/install-Az-ps).
-
-[!INCLUDE [azure-powershell-requirements-no-header.md](../../includes/azure-powershell-requirements-no-header.md)]
-
-In the script below, `-FederatedClientId` should be the application ID (client ID) of the multi-tenant application. You'll also need to provide the subscription ID, resource group name, and identity name.
-
-```azurepowershell-interactive
-$userAssignedIdentities = @{"/subscriptions/subscriptionId/resourceGroups/resourceGroupName/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identityName" = @{}};
-
-$config = New-AzDiskEncryptionSetConfig `
-   -Location 'westcentralus' `
-   -KeyUrl "https://vault1.vault.azure.net:443/keys/key1/mykey" `
-   -IdentityType 'UserAssigned' `
-   -RotationToLatestKeyVersionEnabled $True `
-   -UserAssignedIdentity $userAssignedIdentities `
-   -FederatedClientId "00000000-0000-0000-0000-000000000000" `
-   $config `
-   | New-AzDiskEncryptionSet -ResourceGroupName 'rg1' -Name 'enc1'
-```
-
-# [Azure CLI](#tab/azure-cli)
-
-[!INCLUDE [azure-cli-prepare-your-environment-no-header.md](../../includes/azure-cli-prepare-your-environment-no-header.md)]
-
-In the command below, `myAssignedId` should be the resource ID of the user-assigned managed identity that you created earlier, and `myFederatedClientId` should be the application ID (client ID) of the multi-tenant application.
-
-```azurecli-interactive
-az disk-encryption-set create --resource-group MyResourceGroup --name MyDiskEncryptionSet --key-url MyKey --mi-user-assigned myAssignedId --federated-client-id myFederatedClientId --location westcentralus
-```
-
----
-
 ## Next steps
 
 See also: