update

msmbaldwin · msmbaldwin · commit 7585c38e0bd5 · 2024-03-14T09:47:07.000-07:00
diff --git a/articles/key-vault/managed-hsm/disaster-recovery-guide.md b/articles/key-vault/managed-hsm/disaster-recovery-guide.md
@@ -95,33 +95,61 @@ az keyvault security-domain upload --hsm-name ContosoMHSM2 --sd-exchange-key Con
 
 Now both the source HSM (ContosoMHSM) and the destination HSM (ContosoMHSM2) have the same security domain. We can now restore a full backup from the source HSM into the destination HSM.
 
-## Create a backup (as a restore point) of your new HSM
+## Backup and restore
 
-It's always a good idea to take a full backup before you execute a full HSM restore, so that you have a restore point in case something goes wrong with the restore.
+It's always a good idea to take a full backup before you execute a full HSM restore, so that you have a restore point in case something goes wrong with the restore. You can do this using one of two methods: user assigned managed identity, or SAS tokens.
+
+### Create a backup (as a restore point) of your new HSM
 
 To create an HSM backup, you'll need:
 - A storage account where the backup will be stored
 - A blob storage container in this storage account where the backup process will create a new folder to store encrypted backup
+- A user assigned managed identity that has the Storage Blob Data Contributor role on the storage account OR storage container SAS token with permissions 'crdw'
+
+We use az keyvault backup command to the HSM backup in the storage container **mhsmbackupcontainer**, which is in the storage account **mhsmdemobackup** in the following examples.
+
+### [User assigned managed identity](#tab/uami)
 
-We use `az keyvault backup` command to the HSM backup in the storage container **mhsmbackupcontainer**, which is in the storage account **mhsmdemobackup** in the following example. We create a SAS token that expires in 30 minutes and provide that to Managed HSM to write the backup.
+If using the user assigned managed identity method, we specify the user assigned managed identity with the `--mi-user-assigned` parameter and associate that to the Managed HSM before writing the backup in the below example.
+
+```azurecli-interactive
+az keyvault update-hsm --hsm-name ContosoMHSM2 --mi-user-assigned "/subscriptions/subid/resourcegroups/mhsmrgname/providers/Microsoft.ManagedIdentity/userAssignedIdentities/userassignedidentityname"
+az keyvault backup start --use-managed-identity true --hsm-name ContosoMHSM2 --storage-account-name mhsmdemobackup --blob-container-name mhsmbackupcontainer
+```
+
+### [SAS token](#tab/sas)
+
+If using the SAS token method, we create a SAS token that expires in 30 minutes and provide that to Managed HSM to write the backup in the below example.
 
 ```azurecli-interactive
 end=$(date -u -d "500 minutes" '+%Y-%m-%dT%H:%MZ')
 skey=$(az storage account keys list --query '[0].value' -o tsv --account-name mhsmdemobackup)
 az storage container create --account-name  mhsmdemobackup --name mhsmbackupcontainer  --account-key $skey
 sas=$(az storage container generate-sas -n mhsmbackupcontainer --account-name mhsmdemobackup --permissions crdw --expiry $end --account-key $skey -o tsv)
 az keyvault backup start --hsm-name ContosoMHSM2 --storage-account-name mhsmdemobackup --blob-container-name mhsmbackupcontainer --storage-container-SAS-token $sas
-
 ```
 
-## Restore backup from source HSM
+---
 
-For this step you need:
+### Restore backup from source HSM
 
+For this step you need:
 - The storage account and the blob container in which the source HSM's backups are stored.
 - The folder name from where you want to restore the backup. If you create regular backups, there will be many folders inside this container.
 
-We use `az keyvault restore` command to the new HSM **ContosoMHSM2**, using the backup of the source MHSM we are trying to restore, which is in the folder name **mhsm-ContosoMHSM-2020083120161860** found in the storage container **mhsmdemobackupcontainer** of the storage account **ContosoBackup** in the following example. We create a SAS token that expires in 30 minutes and provide that to Managed HSM to write the restore.
+We use az keyvault restore command to the new HSM ContosoMHSM2, using the backup of the source MHSM we are trying to restore, which is in the folder name **mhsm-ContosoMHSM-2020083120161860** found in the storage container **mhsmdemobackupcontainer** of the storage account **ContosoBackup** in the following example.
+
+### [User assigned managed identity](#tab/uami)
+
+If using the user assigned managed identity method, we set the `--use-managed-identity` pramater to "true".
+
+```azurecli-interactive
+az keyvault restore start --hsm-name ContosoMHSM2 --storage-account-name ContosoBackup --blob-container-name mhsmdemobackupcontainer --backup-folder mhsm-ContosoMHSM-2020083120161860 --use-managed-identity true
+```
+
+### [SAS token](#tab/sas)
+
+If using the SAS token method, we create a SAS token that expires in 30 minutes and provide that to Managed HSM to write the restore.
 
 ```azurecli-interactive
 end=$(date -u -d "500 minutes" '+%Y-%m-%dT%H:%MZ')
@@ -130,8 +158,11 @@ sas=$(az storage container generate-sas -n mhsmdemobackupcontainer --account-nam
 az keyvault restore start --hsm-name ContosoMHSM2 --storage-account-name ContosoBackup --blob-container-name mhsmdemobackupcontainer --storage-container-SAS-token $sas --backup-folder mhsm-ContosoMHSM-2020083120161860
 ```
 
+---
+
 Now you've completed a full disaster recovery process. The contents of the source HSM when the backup was taken are copied to the destination HSM, including all the keys, versions, attributes, tags, and role assignments.
 
+
 ## Next steps
 
 - Learn more about Security Domain see [About Managed HSM Security Domain](security-domain.md)
