Update transparent-data-encryption-byok-overview.md

Author: shohamMSFT

articles/azure-sql/database/transparent-data-encryption-byok-overview.md

@@ -86,11 +86,16 @@ Auditors can use Azure Monitor to review key vault AuditEvent logs, if logging i
 > [!IMPORTANT]
 > Both **soft-delete** and **purge protection** must be enabled on the key vault when configuring customer-managed TDE on a new or existing server or managed instance.
 
-- [Soft-delete](../../key-vault/general/soft-delete-overview.md) and [purge protection](../../key-vault/general/soft-delete-overview.md#purge-protection) are important features of Azure Key Vault that allow recovery of deleted vaults and deleted key vault objects, reducing the risk of a user accidentally or maliciously deleting a key or a key vault.
+[Soft-delete](../../key-vault/general/soft-delete-overview.md) and [purge protection](../../key-vault/general/soft-delete-overview.md#purge-protection) are important features of Azure Key Vault that allow recovery of deleted vaults and deleted key vault objects, reducing the risk of a user accidentally or maliciously deleting a key or a key vault.
+
 - Soft-deleted resources are retained for 90 days, unless recovered or purged by the customer. The *recover* and *purge* actions have their own permissions associated in a key vault access policy. The soft-delete feature is on by default for new key vaults and can also be enabled using the Azure portal, [PowerShell](../../key-vault/general/key-vault-recovery.md?tabs=azure-powershell) or [Azure CLI](../../key-vault/general/key-vault-recovery.md?tabs=azure-cli).
+
 - Purge protection can be turned on using [Azure CLI](../../key-vault/general/key-vault-recovery.md?tabs=azure-cli) or [PowerShell](../../key-vault/general/key-vault-recovery.md?tabs=azure-powershell). When purge protection is enabled, a vault or an object in the deleted state cannot be purged until the retention period has passed. The default retention period is 90 days, but is configurable from 7 to 90 days through the Azure portal.
-- Azure SQL requires soft-delete and purge protection to be enabled on the key vault containing the encryption key being used as the TDE Protector for the server or managed instance. This helps prevent the scenario of accidental or malicious key vault or key deletion that can lead to the database going into *Inaccessible* state 
-- When configuring the TDE Protector on an existing server or during server creation, Azure SQL validates that the key vault being used has soft-delete and purge protection turned on. If soft-delete and purge protection are not enabled on the key vault, the TDE Protector setup fails with an error. In this case, soft-delete and purge protection must first be enabled on the key vault and then the TDE Protector setup should be performed.  
+
+- Azure SQL requires soft-delete and purge protection to be enabled on the key vault containing the encryption key being used as the TDE Protector for the server or managed instance. This helps prevent the scenario of accidental or malicious key vault or key deletion that can lead to the database going into *Inaccessible* state.
+
+- When configuring the TDE Protector on an existing server or during server creation, Azure SQL validates that the key vault being used has soft-delete and purge protection turned on. If soft-delete and purge protection are not enabled on the key vault, the TDE Protector setup fails with an error. In this case, soft-delete and purge protection must first be enabled on the key vault and then the TDE Protector setup should be performed.
+
 
 ### Requirements for configuring TDE protector