Merge pull request #104203 from VanMSFT/tdeakv

Adding information on permission delay

Author: v-albemi

articles/sql-database/includes/sql-database-akv-permission-delay.md

@@ -0,0 +1,2 @@
+> [!NOTE]
+> It may take around 10 minutes for any permission changes to take effect for the key vault. This includes revoking access permissions to the TDE protector in AKV, and users within this time frame may still have access permissions.

articles/sql-database/transparent-data-encryption-byok-azure-sql-remove-tde-protector.md

@@ -10,7 +10,7 @@ ms.topic: conceptual
 author: jaszymas
 ms.author: jaszymas
 ms.reviewer: vanto
-ms.date: 03/12/2019
+ms.date: 02/12/2020
 ---
 # Remove a Transparent Data Encryption (TDE) protector using PowerShell
 
@@ -175,6 +175,8 @@ For command reference, see the [Azure CLI keyvault](/cli/azure/keyvault/key).
 2. Back up the key material of the TDE protector in Key Vault.
 3. Remove the potentially compromised key from Key Vault
 
+[!INCLUDE [sql-database-akv-permission-delay](includes/sql-database-akv-permission-delay.md)]
+
 ## Next steps
 
 - Learn how to rotate the TDE protector of a server to comply with security requirements: [Rotate the Transparent Data Encryption protector Using PowerShell](transparent-data-encryption-byok-azure-sql-key-rotation.md)

articles/sql-database/transparent-data-encryption-byok-azure-sql.md

@@ -10,7 +10,7 @@ ms.topic: conceptual
 author: jaszymas
 ms.author: jaszymas
 ms.reviewer: vanto
-ms.date: 02/03/2019
+ms.date: 02/12/2020
 ---
 # Azure SQL Transparent Data Encryption with customer-managed key
 
@@ -59,6 +59,7 @@ When needed, server sends protected DEK to the key vault for decryption.
 
 Auditors can use Azure Monitor to review key vault AuditEvent logs, if logging is enabled.
 
+[!INCLUDE [sql-database-akv-permission-delay](includes/sql-database-akv-permission-delay.md)]
 
 ## Requirements for configuring customer-managed TDE