Commit d398a5d

Merge pull request #216883 from msmbaldwin/akv-misc
Akv misc
2 parents 33cd86f + ac00995 commit d398a5d

2 files changed

+4
-1
lines changed

articles/key-vault/general/authentication.md

Lines changed: 1 addition & 1 deletion
@@ -19,7 +19,7 @@ A security principal is an object that represents a user, group, service, or app
1919

2020
* A **group** security principal identifies a set of users created in Azure Active Directory. Any roles or permissions assigned to the group are granted to all of the users within the group.
2121

22-
* A **service principal** is a type of security principal that identifies an application or service, which is to say, a piece of code rather than a user or group. A service principal's object ID is known as its **client ID** and acts like its username. The service principal's **client secret** acts like its password.
22+
* A **service principal** is a type of security principal that identifies an application or service, which is to say, a piece of code rather than a user or group. A service principal's object ID acts like its username; the service principal's **client secret** acts like its password.
2323

2424
For applications, there are two ways to obtain a service principal:
2525
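
Review bot: On the added line 22, "A service principal's object ID acts like its username" still pairs the object ID with the client secret, and the **client ID** term has been dropped without a replacement. The credential presented together with a client secret is the application (client) ID, which is a different value from the service principal's object ID; the object ID is what role assignments and access policies reference. Suggest naming both identifiers and saying which one each task needs, for example "A service principal's **application (client) ID** acts like its username; its **client secret** acts like its password", with a separate sentence for the object ID. Readers who copy the object ID into a client credential configuration will get authentication failures that are hard to diagnose.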

articles/key-vault/keys/byok-specification.md

Lines changed: 3 additions & 0 deletions
@@ -72,6 +72,9 @@ Use the **az keyvault key create** command to create KEK with key operations set
7272
az keyvault key create --kty RSA-HSM --size 4096 --name KEKforBYOK --ops import --vault-name ContosoKeyVaultHSM
7373
```
7474

75+
> [!NOTE]
76+
> Services support different KEK lengths; Azure SQL, for instance, only supports key lengths of [2048 or 3072 bytes](/azure/azure-sql/database/transparent-data-encryption-byok-overview#requirements-for-configuring-customer-managed-tde). Consult the documentation for your service for specifics.
77+
7578
### Step 2: Retrieve the public key of the KEK
7679

7780
Download the public key portion of the KEK and store it into a PEM file.
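
Review bot: The added note on line 76 gives the Azure SQL limit as "2048 or 3072 bytes", but RSA key sizes are expressed in bits, as the `--size 4096` argument in the command directly above shows; change "bytes" to "bits" in the link text. The note also calls these "KEK lengths" while the linked anchor is about requirements for the customer-managed TDE key, so it is unclear whether the limit applies to the KEK created in this step (which has only the `import` operation) or to the target key being imported. Suggest stating which key the restriction applies to, so a reader does not downsize the KEK unnecessarily or import a 4096-bit target key that the consuming service will reject.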
