Merge pull request #267595 from roygara/clarifyUpdate

prmerger-automator[bot] · web-flow · commit 3b26ef9e2bf7 · 2024-02-28T21:55:00.000Z
Clarifying PV2 / Ultra Restriction with CMK
diff --git a/includes/virtual-machines-managed-disks-customer-managed-keys-restrictions.md b/includes/virtual-machines-managed-disks-customer-managed-keys-restrictions.md
@@ -4,15 +4,17 @@
  author: roygara
  ms.service: azure-disk-storage
  ms.topic: include
- ms.date: 02/22/2023
+ ms.date: 02/28/2024
  ms.author: rogarana
  ms.custom: include file
 ---
 - If this feature is enabled for a disk with incremental snapshots, it can't be disabled on that disk or its snapshots.
     To work around this, copy all the data to an entirely different managed disk that isn't using customer-managed keys. You can do that with either the [Azure CLI](../articles/virtual-machines/linux/disks-upload-vhd-to-managed-disk-cli.md#copy-a-managed-disk) or the [Azure PowerShell module](../articles/virtual-machines/windows/disks-upload-vhd-to-managed-disk-powershell.md#copy-a-managed-disk).
 - Only [software and HSM RSA keys](../articles/key-vault/keys/about-keys.md) of sizes 2,048-bit, 3,072-bit and 4,096-bit are supported, no other keys or sizes.
     - [HSM](../articles/key-vault/keys/hsm-protected-keys.md) keys require the **premium** tier of Azure Key vaults.
-- For Ultra Disks and Premium SSD v2 disks only: Snapshots created from disks that are encrypted with server-side encryption and customer-managed keys must be encrypted with the same customer-managed keys.
+- For Ultra Disks and Premium SSD v2 disks only:
+    - Snapshots created from disks that are encrypted with server-side encryption and customer-managed keys must be encrypted with the same customer-managed keys.
+    - User-assigned managed identities aren't supported for Ultra Disks and Premium SSD v2 disks encrypted with customer-managed keys.
 - Most resources related to your customer-managed keys (disk encryption sets, VMs, disks, and snapshots) must be in the same subscription and region.
     - Azure Key Vaults may be used from a different subscription but must be in the same region as your disk encryption set. As a preview, you can use Azure Key Vaults from [different Microsoft Entra tenants](../articles/virtual-machines/disks-cross-tenant-customer-managed-keys.md).
 - Disks encrypted with customer-managed keys can only move to another resource group if the VM they are attached to is deallocated.
