Merge pull request #191895 from roygara/subKeyClarity

ShannonLeavitt · web-flow · commit bc45053175ce · 2022-03-16T14:46:19.000-06:00
Clarity on key vault use.
diff --git a/includes/virtual-machines-disks-encryption-create-key-vault-cli.md b/includes/virtual-machines-disks-encryption-create-key-vault-cli.md
@@ -17,7 +17,7 @@
 When creating the Key Vault, you must enable purge protection. Purge protection ensures that a deleted key cannot be permanently deleted until the retention period lapses. These settings protect you from losing data due to accidental deletion. These settings are mandatory when using a Key Vault for encrypting managed disks.
 
 > [!IMPORTANT]
-> Do not camel case the region, if you do so you may experience problems when assigning additional disks to the resource in the Azure portal.
+> Don't camel case the region, if you do so, you may experience problems when assigning additional disks to the resource in the Azure portal.
 
 ```azurecli
 subscriptionId=yourSubscriptionID
diff --git a/includes/virtual-machines-managed-disks-customer-managed-keys-restrictions.md b/includes/virtual-machines-managed-disks-customer-managed-keys-restrictions.md
@@ -5,15 +5,16 @@
  author: roygara
  ms.service: virtual-machines
  ms.topic: include
- ms.date: 08/24/2020
+ ms.date: 03/16/2022
  ms.author: rogarana
  ms.custom: include file
 ---
 - Only [software and HSM RSA keys](../articles/key-vault/keys/about-keys.md) of sizes 2,048-bit, 3,072-bit and 4,096-bit are supported, no other keys or sizes.
     - [HSM](../articles/key-vault/keys/hsm-protected-keys.md) keys require the **premium** tier of Azure Key vaults.
 - Disks created from custom images that are encrypted using server-side encryption and customer-managed keys must be encrypted using the same customer-managed keys and must be in the same subscription.
 - Snapshots created from disks that are encrypted with server-side encryption and customer-managed keys must be encrypted with the same customer-managed keys.
-- All resources related to your customer-managed keys (Azure Key Vaults, disk encryption sets, VMs, disks, and snapshots) must be in the same subscription and region.
+- Most resources related to your customer-managed keys (disk encryption sets, VMs, disks, and snapshots) must be in the same subscription and region.
+    - Azure Key Vaults may be used from a different subscription but must be in the same region and tenant as your disk encryption set.
 - Disks, snapshots, and images encrypted with customer-managed keys cannot move to another resource group and subscription.
 - Managed disks currently or previously encrypted using Azure Disk Encryption cannot be encrypted using customer-managed keys.
 - Can only create up to 1000 disk encryption sets per region per subscription.
