Update concepts-data-encryption.md

Author: GennadNY

articles/postgresql/flexible-server/concepts-data-encryption.md

@@ -49,6 +49,8 @@ The DEKs, encrypted with the KEKs, are stored separately. Only an entity with ac
 
 :::image type="content" source="./media/concepts-data-encryption/postgresql-data-encryption-overview.png" alt-text ="Diagram that shows an overview of Bring Your Own Key." :::
 
+Azure Active Directory [user- assigned managed identity](../../active-directory/managed-identities-azure-resources/overview.md) will be used to connect and retrieve customer-managed key. Follow this [tutorial](../../active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm.md) to create identity.
+
 For a PostgreSQL server to use customer-managed keys stored in Key Vault for encryption of the DEK, a Key Vault administrator gives the following access rights to the server:
 
 - **get**: For retrieving the public part and properties of the key in the key Vault.