Merge pull request #213899 from roygara/encryptionUpdates

JamesJBarnett · web-flow · commit c9e82e129ada · 2022-10-12T16:43:05.000-07:00
Correcting limitations
diff --git a/articles/virtual-machines/TOC.yml b/articles/virtual-machines/TOC.yml
@@ -1120,8 +1120,8 @@
         - name: CLI
           href: linux/disks-enable-customer-managed-keys-cli.md
           displayname: Server side encryption, encryption, ADE
-      - name: Enable cross-tenant customer-managed keys
-        href: disks-cross-tenant-cmk.md
+      - name: Use customer-managed keys across Azure AD tenants
+        href: disks-cross-tenant-customer-managed-keys.md
         displayname: Server side encryption, encryption, ADE
       - name: Enable encryption at host
         items:
diff --git a/includes/virtual-machines-managed-disks-customer-managed-keys-restrictions.md b/includes/virtual-machines-managed-disks-customer-managed-keys-restrictions.md
@@ -5,7 +5,7 @@
  author: roygara
  ms.service: virtual-machines
  ms.topic: include
- ms.date: 03/16/2022
+ ms.date: 10/12/2022
  ms.author: rogarana
  ms.custom: include file
 ---
@@ -14,8 +14,9 @@
 - Disks created from custom images that are encrypted using server-side encryption and customer-managed keys must be encrypted using the same customer-managed keys and must be in the same subscription.
 - Snapshots created from disks that are encrypted with server-side encryption and customer-managed keys must be encrypted with the same customer-managed keys.
 - Most resources related to your customer-managed keys (disk encryption sets, VMs, disks, and snapshots) must be in the same subscription and region.
-    - Azure Key Vaults may be used from a different subscription but must be in the same region and tenant as your disk encryption set.
-- Disks, snapshots, and images encrypted with customer-managed keys cannot move to another resource group and subscription.
+    - Azure Key Vaults may be used from a different subscription but must be in the same region as your disk encryption set. As a preview, you can use Azure Key Vaults from [different Azure Active Directory tenants](../articles/virtual-machines/disks-cross-tenant-customer-managed-keys.md).
+- Disks encrypted with customer-managed keys can only move to another resource group if the VM they are attached to is deallocated.
+- Disks, snapshots, and images encrypted with customer-managed keys cannot be moved between subscriptions.
 - Managed disks currently or previously encrypted using Azure Disk Encryption cannot be encrypted using customer-managed keys.
-- Can only create up to 1000 disk encryption sets per region per subscription.
+- Can only create up to 5000 disk encryption sets per region per subscription.
 - For information about using customer-managed keys with shared image galleries, see [Preview: Use customer-managed keys for encrypting images](../articles/virtual-machines/image-version-encryption.md).
