CLI samples

Author: tamram

articles/storage/blobs/TOC.yml

@@ -404,7 +404,7 @@ items:
                   href: ../common/customer-managed-keys-configure-new-account.md?toc=/azure/storage/blobs/toc.json
                 - name: Configure keys for an existing account
                   href: ../common/customer-managed-keys-configure-existing-account.md?toc=/azure/storage/blobs/toc.json
-              - name: Configure keys and storage account in a different tenant
+              - name: Configure keys and storage account in different tenants
                 items:
                 - name: Configure customer-managed keys for a new account
                   href: ../common/customer-managed-keys-configure-cross-tenant-new-account.md?toc=/azure/storage/blobs/toc.json

articles/storage/common/customer-managed-keys-configure-cross-tenant-new-account.md

@@ -141,7 +141,38 @@ New-AzStorageAccount -ResourceGroupName $rgName `
 
 ### [Azure CLI](#tab/azure-cli)
 
-To configure cross-tenant customer-managed keys for a new storage account in Azure CLI, call [New-AzStorageAccount](/powershell/module/az.storage/new-azstorageaccount), providing the resource ID for the user-assigned managed identity that you configured previously in the ISV's subscription, and the application (client) ID for the multi-tenant application that you configured previously in the ISV's subscription. Remember to replace the placeholder values in brackets with your own values and to use the variables defined in the previous examples.
+To configure cross-tenant customer-managed keys for a new storage account with Azure CLI, first install the [storage-preview](https://github.com/Azure/azure-cli-extensions/tree/main/src/storage-preview) extension. For more information about installing Azure CLI extensions, see [How to install and manage Azure CLI extensions](/cli/azure/azure-cli-extensions-overview).
+
+Next, call [az storage account create](/cli/azure/storage/account#az-storage-account-create), providing the resource ID for the user-assigned managed identity that you configured previously in the ISV's subscription, and the application (client) ID for the multi-tenant application that you configured previously in the ISV's subscription. Provide the key vault URI and key name from the customer's key vault.
+
+Remember to replace the placeholder values in brackets with your own values and to use the variables defined in the previous examples.
+
+```azurecli
+accountName="<storage-account>"
+kvUri="<key-vault-uri>"
+keyName="<key-name>"
+multiTenantAppId="<multi-tenant-app-id>"
+
+# Get the resource ID for the user-assigned managed identity.
+identityResourceId=$(az identity show --name $managedIdentity \
+    --resource-group $isvRgName \
+    --query id \
+    --output tsv)
+
+az storage account create \
+    --name $accountName \
+    --resource-group $isvRgName \
+    --location $isvLocation \
+    --sku Standard_LRS \
+    --kind StorageV2 \
+    --identity-type SystemAssigned,UserAssigned \
+    --user-identity-id $identityResourceId \
+    --encryption-key-vault $kvUri \
+    --encryption-key-name $keyName \
+    --encryption-key-source Microsoft.Keyvault \
+    --key-vault-user-identity-id $identityResourceId \
+    --key-vault-federated-client-id $multiTenantAppId
+```
 
 ---