Merge pull request #303573 from EdB-MSFT/customer-managed-keys-limitation

v-ccolin · web-flow · commit 63b6e57ecf89 · 2025-07-30T11:15:13.000+01:00
limitation for customer managed keys
diff --git a/articles/sentinel/datalake/sentinel-lake-onboarding.md b/articles/sentinel/datalake/sentinel-lake-onboarding.md
@@ -65,6 +65,8 @@ To onboard to the Microsoft Sentinel data lake Public Preview, you must be an ex
 + You must have a Microsoft Sentinel primary workspace and other workspaces in the same region as your tenant’s home region.
 + You must have read privileges to the primary and other workspaces so they can be attached to the data lake. For public preview, attaching a primary and all workspaces to the data lake is only supported if they're in the same region as your tenant home region.
 
+[!INCLUDE [Customer-managed keys limitation](../includes/customer-managed-keys-limitation.md)]
+
 The following roles that are required to set up billing and authorize ingestion of asset data into the data lake:
 
 + Azure Subscription owner for billing setup.
diff --git a/articles/sentinel/datalake/sentinel-lake-service-limits.md b/articles/sentinel/datalake/sentinel-lake-service-limits.md
@@ -17,10 +17,10 @@ ms.author: edbaynash
 
 The following service parameters and limits apply to the Microsoft Sentinel data lake service.
 
-[!INCLUDE [Service limits for VS Code notebooks](../includes/service-limits-notebooks.md)]
-
 [!INCLUDE [Service limits for tables, data management and ingestion](../includes/service-limits-table-manaement-ingestion.md)]
 
+[!INCLUDE [Service limits for VS Code notebooks](../includes/service-limits-notebooks.md)]
+
 [!INCLUDE [Service limits for KQL queries against the data lake](../includes/service-limits-kql-queries.md)]
 
 [!INCLUDE [Service limits for KQL jobs](../includes/service-limits-kql-jobs.md)]
diff --git a/articles/sentinel/includes/customer-managed-keys-limitation.md b/articles/sentinel/includes/customer-managed-keys-limitation.md
@@ -0,0 +1,8 @@
+---
+author: EdB-MSFT
+ms.author: edbayansh
+ms.topic: include
+ms.date: 07/30/2025
+---
+> [!IMPORTANT]
+> For Microsoft Sentinel customers using Customer-Managed Keys (CMK) for data encryption, we advise against onboarding to the Microsoft Sentinel data lake during the preview. Due to current preview limitations, certain data lake components don't support encryption using CMK. As a result, onboarding to the Microsoft Sentinel data lake at this stage may lead to noncompliance with your organization's encryption policies or data protection requirements. We recommend waiting until full CMK support is available across all Microsoft Sentinel data lake layers before proceeding.
diff --git a/articles/sentinel/includes/service-limits-table-manaement-ingestion.md b/articles/sentinel/includes/service-limits-table-manaement-ingestion.md
@@ -10,6 +10,8 @@ ms.date: 07/15/2025
 > [!NOTE] 
 > During preview Microsoft Sentinel data lake uses a single region. Your primary and other workspaces must be in the same region as your tenant’s home region. Only workspaces in the same region as your tenant’s home region can be attached to the data lake.
 
+[!INCLUDE [Customer-managed keys limitation](../includes/customer-managed-keys-limitation.md)]
+  
 The following table lists the service parameters and limits for the Microsoft Sentinel data lake (preview) service related to table management, data ingestion, and retention. These limits include, but aren't limited to, Azure Resource Graph data, Microsoft 365 data, and data mirroring.
 
 | Category                                         | Parameter/limit                              |
