Merge pull request #211234 from khdownie/kendownie091422-2

prmerger-automator[bot] · web-flow · commit 8a30ab356d93 · 2022-09-14T19:06:17.000Z
clarifying region and tenant limitations
diff --git a/articles/virtual-machines/disks-cross-tenant-customer-managed-keys.md b/articles/virtual-machines/disks-cross-tenant-customer-managed-keys.md
@@ -37,7 +37,7 @@ If you have any questions about cross-tenant customer-managed keys with managed
 
 ## Limitations
 
-Currently this feature is only available in the West Central US region. This feature doesn't support Ultra Disks or Azure Premium SSD v2 managed disks.
+Currently this feature is only available in the West Central US region. Managed Disks and the customer's Key Vault must be in the same Azure region, but they can be in different subscriptions. This feature doesn't support Ultra Disks or Azure Premium SSD v2 managed disks.
 
 [!INCLUDE [active-directory-msi-cross-tenant-cmk-overview](../../includes/active-directory-msi-cross-tenant-cmk-overview.md)]
 
diff --git a/includes/virtual-machines-managed-disks-description-customer-managed-keys.md b/includes/virtual-machines-managed-disks-description-customer-managed-keys.md
@@ -5,7 +5,7 @@
  author: roygara
  ms.service: virtual-machines
  ms.topic: include
- ms.date: 03/02/2021
+ ms.date: 09/14/2022
  ms.author: rogarana
  ms.custom: include file
 ---
@@ -18,7 +18,7 @@ You must use one of the following Azure key stores to store your customer-manage
 
 You can either import [your RSA keys](../articles/key-vault/keys/hsm-protected-keys.md) to your Key Vault or generate new RSA keys in Azure Key Vault. Azure managed disks handles the encryption and decryption in a fully transparent fashion using envelope encryption. It encrypts data using an [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) 256 based data encryption key (DEK), which is, in turn, protected using your keys. The Storage service generates data encryption keys and encrypts them with customer-managed keys using RSA encryption. The envelope encryption allows you to rotate (change) your keys periodically as per your compliance policies without impacting your VMs. When you rotate your keys, the Storage service re-encrypts the data encryption keys with the new customer-managed keys. 
 
-Managed Disks and the key vault or managed HSM must be in the same region and in the same Azure Active Directory (Azure AD) tenant, but they can be in different subscriptions.
+Managed Disks and the Key Vault or managed HSM must be in the same Azure region, but they can be in different subscriptions. They must also be in the same Azure Active Directory (Azure AD) tenant, unless you're using [Encrypt managed disks with cross-tenant customer-managed keys (preview)](../articles/virtual-machines/disks-cross-tenant-customer-managed-keys.md).
 
 #### Full control of your keys
 
