Merge pull request #112011 from Blackmist/changing-template

PRMerger12 · web-flow · commit d045b1276fae · 2020-04-20T12:24:27.000-07:00
notes
diff --git a/articles/machine-learning/how-to-create-workspace-template.md b/articles/machine-learning/how-to-create-workspace-template.md
@@ -77,7 +77,9 @@ The following example template demonstrates how to create a workspace with three
 
 * Enable high confidentiality settings for the workspace
 * Enable encryption for the workspace
-* Uses an existing Azure Key Vault
+* Uses an existing Azure Key Vault to retrieve customer-managed keys
+
+For more information, see [Encryption at rest](concept-enterprise-security.md#encryption-at-rest).
 
 ```json
 {
@@ -117,7 +119,7 @@ The following example template demonstrates how to create a workspace with three
         "description": "Specifies the sku, also referred to as 'edition' of the Azure Machine Learning workspace."
       }
     },
-    "confidential_data":{
+    "high_confidentiality":{
       "type": "string",
       "defaultValue": "false",
       "allowedValues": [
@@ -252,28 +254,32 @@ The following example template demonstrates how to create a workspace with three
                     "keyIdentifier": "[parameters('resource_cmk_uri')]"
                   }
             },
-        "hbiWorkspace": "[parameters('confidential_data')]"
+        "hbiWorkspace": "[parameters('high_confidentiality')]"
       }
     }
   ]
 }
 ```
 
-To get the ID of the Key Vault, and the key URI needed by this template, you can use the Azure CLI. The following command is an example of using the Azure CLI to get the Key Vault resource ID and URI:
+To get the ID of the Key Vault, and the key URI needed by this template, you can use the Azure CLI. The following command gets the Key Vault ID:
 
 ```azurecli-interactive
-az keyvault show --name mykeyvault --resource-group myresourcegroup --query "[id, properties.vaultUri]"
+az keyvault show --name mykeyvault --resource-group myresourcegroup --query "id"
 ```
 
-This command returns a value similar to the following text. The first value is the ID and the second is the URI:
+This command returns a value similar to `"/subscriptions/{subscription-guid}/resourceGroups/myresourcegroup/providers/Microsoft.KeyVault/vaults/mykeyvault"`.
+
+To get the URI for the customer managed key, use the following command:
 
-```text
-[
-  "/subscriptions/{subscription-guid}/resourceGroups/myresourcegroup/providers/Microsoft.KeyVault/vaults/mykeyvault",
-  "https://mykeyvault.vault.azure.net/"
-]
+```azurecli-interactive
+az keyvault key show --vault-name mykeyvault --name mykey --query "key.kid"
 ```
 
+This command returns a value similar to `"https://mykeyvault.vault.azure.net/keys/mykey/{guid}"`.
+
+> [!IMPORTANT]
+> Once a workspace has been created, you cannot change the settings for confidential data, encryption, key vault ID, or key identifiers. To change these values, you must create a new workspace using the new values.
+
 ## Use the Azure portal
 
 1. Follow the steps in [Deploy resources from custom template](https://docs.microsoft.com/azure/azure-resource-manager/resource-group-template-deploy-portal#deploy-resources-from-custom-template). When you arrive at the __Edit template__ screen, paste in the template from this document.
