Merge pull request #213405 from tamram/tamram22-1003

prmerger-automator[bot] · web-flow · commit 6ac58afdb17e · 2022-10-04T05:16:51.000Z
PSH samples for xtenant CMK - create account
diff --git a/articles/storage/common/customer-managed-keys-configure-cross-tenant-existing-account.md b/articles/storage/common/customer-managed-keys-configure-cross-tenant-existing-account.md
@@ -7,7 +7,7 @@ author: tamram
 
 ms.service: storage
 ms.topic: how-to
-ms.date: 09/14/2022
+ms.date: 10/03/2022
 ms.author: tamram
 ms.reviewer: ozgun
 ms.subservice: common 
diff --git a/articles/storage/common/customer-managed-keys-configure-cross-tenant-new-account.md b/articles/storage/common/customer-managed-keys-configure-cross-tenant-new-account.md
@@ -7,7 +7,7 @@ author: tamram
 
 ms.service: storage
 ms.topic: how-to
-ms.date: 09/14/2022
+ms.date: 10/03/2022
 ms.author: tamram
 ms.reviewer: ozgun
 ms.subservice: common 
@@ -111,11 +111,35 @@ To configure cross-tenant customer-managed keys for a new storage account in the
 
 ### [PowerShell](#tab/azure-powershell)
 
-N/A
+To configure cross-tenant customer-managed keys for a new storage account in PowerShell, first install the [Az.Storage PowerShell module](https://www.powershellgallery.com/packages/Az.Storage/4.4.2-preview), version 4.4.2-preview.
+
+Next, call [New-AzStorageAccount](/powershell/module/az.storage/new-azstorageaccount), providing the resource ID for the user-assigned managed identity that you configured previously in the ISV's subscription, and the application (client) ID for the multi-tenant application that you configured previously in the ISV's subscription. Remember to replace the placeholder values in brackets with your own values and to use the variables defined in the previous examples.
+
+```azurepowershell
+$accountName = "<account-name>"
+$keyVaultUri = "<key-vault-uri>"
+$keyName = "<keyName>"
+$location = "<location>"
+$multiTenantAppId = "<application-id>"
+
+$userIdentity = Get-AzUserAssignedIdentity -Name <user-assigned-identity> -ResourceGroupName $rgName
+
+New-AzStorageAccount -ResourceGroupName $rgName `
+    -Name $accountName `
+    -Kind StorageV2 `
+    -SkuName Standard_LRS `
+    -Location $location `
+    -UserAssignedIdentityId $userIdentity.Id `
+    -IdentityType SystemAssignedUserAssigned `
+    -KeyName $keyName `
+    -KeyVaultUri $keyVaultUri `
+    -KeyVaultUserAssignedIdentityId $userIdentity.Id `
+    -KeyVaultFederatedClientId $multiTenantAppId 
+```
 
 ### [Azure CLI](#tab/azure-cli)
 
-N/A
+To configure cross-tenant customer-managed keys for a new storage account in Azure CLI, call [New-AzStorageAccount](/powershell/module/az.storage/new-azstorageaccount), providing the resource ID for the user-assigned managed identity that you configured previously in the ISV's subscription, and the application (client) ID for the multi-tenant application that you configured previously in the ISV's subscription. Remember to replace the placeholder values in brackets with your own values and to use the variables defined in the previous examples.
 
 ---
 
diff --git a/includes/active-directory-msi-cross-tenant-cmk-create-identities-authorize-key-vault.md b/includes/active-directory-msi-cross-tenant-cmk-create-identities-authorize-key-vault.md
@@ -93,15 +93,18 @@ Create a user-assigned managed identity to be used as a federated identity crede
 $subscriptionId="aaaaaaaa-0000-aaaa-0000-aaaa0000aaaa"
 $tenantId="bbbbbbbb-0000-bbbb-0000-bbbb0000bbbb"
 $appName="XTCMKDemoApp"
-$uamiName="XTCMKDemoAppUA"
+$managedIdentity="XTCMKDemoAppUA"
 $rgName="XTCMKDemoAppRG"
 $location="westcentralus"
 
 Set-AzContext -Subscription $subscriptionId
 
 New-AzResourceGroup -Location $location -ResourceGroupName $rgName
 
-$uamiObject = New-AzUserAssignedIdentity -Name $uamiName -ResourceGroupName $rgName -Location $location -SubscriptionId $subscriptionId
+$uamiObject = New-AzUserAssignedIdentity -Name $managedIdentity `
+    -ResourceGroupName $rgName `
+    -Location $location `
+    -SubscriptionId $subscriptionId
 ```
 
 #### The service provider configures the user-assigned managed identity as a federated credential on the application
@@ -151,7 +154,7 @@ export subscriptionId="aaaaaaaa-0000-aaaa-0000-aaaa0000aaaa"
 export tenantId="bbbbbbbb-0000-bbbb-0000-bbbb0000bbbb"
 export appName="XTCMKDemoApp"
 
-export uamiName="XTCMKDemoAppUA"
+export managedIdentity="XTCMKDemoAppUA"
 export rgName="XTCMKDemoAppRG"
 export location="westcentralus"
 
@@ -162,7 +165,7 @@ export appId=$(az ad app show --id $appObjectId --query appId --output tsv)
 az group create --location $location --resource-group $rgName --subscription $subscriptionId
 echo "Created a new resource group with name = $rgName, location = $location in subscriptionid = $subscriptionId"
 
-export uamiObjectId=$(az identity create --name $uamiName --resource-group $rgName --location $location --subscription $subscriptionId --query principalId --out tsv)
+export uamiObjectId=$(az identity create --name $managedIdentity --resource-group $rgName --location $location --subscription $subscriptionId --query principalId --out tsv)
 ```
 
 #### The service provider configures the user-assigned managed identity as a federated credential on the application
@@ -286,15 +289,19 @@ New-AzResourceGroup -Location $location -ResourceGroupName $rgName
 
 # Create the service principal with the registered app's application ID (client ID)
 $serviceprincipalObject = New-AzADServicePrincipal -ApplicationId
-# $serviceprincipalObject = Get-AzADServicePrincipal -ApplicationId $addObject.Id
 ```
 
 #### The customer creates a key vault
 
 To create the key vault, the customer's account must be assigned the **Key Vault Contributor** role or another role that permits creation of a key vault.
 
 ```azurepowershell
-New-AzKeyVault -Location $location -Name $vaultName -ResourceGroupName $rgName -SubscriptionId $subscriptionId -EnablePurgeProtection -EnableRbacAuthorization
+New-AzKeyVault -Location $location `
+    -Name $vaultName `
+    -ResourceGroupName $rgName `
+    -SubscriptionId $subscriptionId `
+    -EnablePurgeProtection `
+    -EnableRbacAuthorization
 ```
 
 #### The customer assigns Key Vault Crypto Officer role to a user account
@@ -303,7 +310,9 @@ This step ensures that you can create the key vault and encryption keys.
 
 ```azurepowershell
 $currentUserObjectId="object-id-of-the-user"
-New-AzRoleAssignment -RoleDefinitionName "Key Vault Crypto Officer" -Scope /subscriptions/$subscriptionId/resourceGroups/$rgName/providers/Microsoft.KeyVault/vaults/$vaultName -ObjectId $currentUserObjectId
+New-AzRoleAssignment -RoleDefinitionName "Key Vault Crypto Officer" `
+    -Scope /subscriptions/$subscriptionId/resourceGroups/$rgName/providers/Microsoft.KeyVault/vaults/$vaultName `
+    -ObjectId $currentUserObjectId
 ```
 
 #### The customer creates an encryption key
@@ -319,7 +328,9 @@ Add-AzKeyVaultKey -Name mastercmkkey -VaultName $vaultName -Destination software
 Assign the Azure RBAC role **Key Vault Crypto Service Encryption User** to the service provider's registered application so that it can access the key vault.
 
 ```azurepowershell
-New-AzRoleAssignment -RoleDefinitionName "Key Vault Crypto Service Encryption User" -Scope /subscriptions/$subscriptionId/resourceGroups/$rgName/providers/Microsoft.KeyVault/vaults/$vaultName -ObjectId $serviceprincipalObject.Id
+New-AzRoleAssignment -RoleDefinitionName "Key Vault Crypto Service Encryption User" `
+    -Scope /subscriptions/$subscriptionId/resourceGroups/$rgName/providers/Microsoft.KeyVault/vaults/$vaultName `
+    -ObjectId $serviceprincipalObject.Id
 ```
 
 Now you can configure customer-managed keys with the key vault URI and key.
