CMK portal

Author: orspod

articles/data-explorer/customer-managed-keys-csharp.md

@@ -12,11 +12,14 @@ ms.date: 01/06/2020
 # Configure customer-managed-keys using C#
 
 > [!div class="op_single_selector"]
+> * [Portal](customer-managed-keys-portal.md)
 > * [C#](customer-managed-keys-csharp.md)
 > * [Azure Resource Manager template](customer-managed-keys-resource-manager.md)
 
 [!INCLUDE [data-explorer-configure-customer-managed-keys](../../includes/data-explorer-configure-customer-managed-keys.md)]
 
+[!INCLUDE [data-explorer-configure-customer-managed-keys part 2](../../includes/data-explorer-configure-customer-managed-keys-b.md)]
+
 ## Configure encryption with customer-managed keys
 
 This section shows you how to configure customer-managed keys encryption using the Azure Data Explorer C# client. 

articles/data-explorer/customer-managed-keys-portal.md

@@ -6,7 +6,7 @@ ms.author: orspodek
 ms.reviewer: itsagui
 ms.service: data-explorer
 ms.topic: conceptual
-ms.date: 03/17/2020
+ms.date: 03/25/2020
 ---
 
 # Configure customer-managed-keys using the Azure Portal
@@ -18,21 +18,16 @@ ms.date: 03/17/2020
 
 [!INCLUDE [data-explorer-configure-customer-managed-keys](../../includes/data-explorer-configure-customer-managed-keys.md)]
 
-## Configure encryption with customer-managed keys
+## Enable customer-managed keys in the Azure Portal
 
-This section shows you how to configure customer-managed keys encryption using the Azure portal. 
+This section shows you how to enable customer-managed keys encryption using the Azure portal. 
 
 ### Prerequisites
 
 * An Azure subscription. Create a [free Azure account](https://azure.microsoft.com/free/).
 * [A cluster and database](create-cluster-database-portal.md).
 * [Configure managed identities for your Azure Data Explorer cluster](managed-identities.md)
 
-### Authentication
-\\Needed?
-
-To run the examples in this article, [create an Azure AD application](/azure/active-directory/develop/howto-create-service-principal-portal) and service principal that can access resources. You can add role assignment at the subscription scope and get the required `Directory (tenant) ID`, `Application ID`, and `Client Secret`.
-
 ### Configure cluster
 
 By default, Azure Data Explorer encryption uses Microsoft-managed keys. Configure your Azure Data Explorer cluster to use customer-managed keys and specify the key to associate with the cluster.
@@ -43,7 +38,9 @@ You can configure customer-managed keys for your Azure Data Explorer cluster.
 1. In the Azure portal, go to your Azure Data Explorer cluster resource. Under the Settings heading, select Encryption.
 2. In the Encryption window, select **On** for the Customer-managed key setting.
 3. Click Select Key
-ToDo\\ screenshot
+
+![Show databases command](media/customer-managed-key-portal/.png)
+
 4. In the **Select key from Azure Key Vault** screen you can either create a new Key Vault or select an existing one.
     1. If you choose to create a new Key Vault you'll be routed to the **Create Key Vault** screen where you can create a new Key Vault resource following these instructions. (link to create a key vault)
     2. If you choose an existing Key Vault you need to either create a new key select an existing key.

articles/data-explorer/customer-managed-keys-resource-manager.md

@@ -12,11 +12,14 @@ ms.date: 01/06/2020
 # Configure customer-managed-keys using the Azure Resource Manager template
 
 > [!div class="op_single_selector"]
+> * [Portal](customer-managed-keys-portal.md)
 > * [C#](customer-managed-keys-csharp.md)
 > * [Azure Resource Manager template](customer-managed-keys-resource-manager.md)
 
 [!INCLUDE [data-explorer-configure-customer-managed-keys](../../includes/data-explorer-configure-customer-managed-keys.md)]
 
+[!INCLUDE [data-explorer-configure-customer-managed-keys part 2](../../includes/data-explorer-configure-customer-managed-keys-b.md)]
+
 ## Configure encryption with customer-managed keys
 
 In this section, you configure customer-managed keys using Azure Resource Manager templates. By default, Azure Data Explorer encryption uses Microsoft-managed keys. In this step, configure your Azure Data Explorer cluster to use customer-managed keys and specify the key to associate with the cluster.

articles/data-explorer/media/customer-managed-keys-portal/cmk-before-save.png

@@ -182,6 +182,8 @@
       href: managed-identities.md
     - name: Configure customer-managed-keys
       items:
+        - name: Portal
+          href: customer-managed-keys-portal.md
         - name: C#
           href: customer-managed-keys-csharp.md
         - name: Azure Resource Manager template

articles/data-explorer/media/customer-managed-keys-portal/cmk-encryption setting.png

@@ -0,0 +1,38 @@
+---
+author: orspod
+ms.service: data-explorer
+ms.topic: include
+ms.date: 03/25/2020
+ms.author: orspodek
+---
+
+## Create a new key vault
+
+To create a new key vault using PowerShell, call [New-AzKeyVault](/powershell/module/az.keyvault/new-azkeyvault). The key vault that you use to store customer-managed keys for Azure Data Explorer encryption must have two key protection settings enabled, **Soft Delete** and **Do Not Purge**. Replace the placeholder values in brackets with your own values in example below.
+
+```azurepowershell-interactive
+$keyVault = New-AzKeyVault -Name <key-vault> `
+    -ResourceGroupName <resource_group> `
+    -Location <location> `
+    -EnableSoftDelete `
+    -EnablePurgeProtection
+```
+
+## Configure the key vault access policy
+
+Next, configure the access policy for the key vault so that the cluster has permissions to access it. In this step, you'll use the system-assigned managed identity that you previously assigned to the cluster. To set the access policy for the key vault, call [Set-AzKeyVaultAccessPolicy](/powershell/module/az.keyvault/set-azkeyvaultaccesspolicy). Replace the placeholder values in brackets with your own values and use the variables defined in the previous examples.
+
+```azurepowershell-interactive
+Set-AzKeyVaultAccessPolicy `
+    -VaultName $keyVault.VaultName `
+    -ObjectId $cluster.Identity.PrincipalId `
+    -PermissionsToKeys wrapkey,unwrapkey,get,recover
+```
+
+## Create a new key
+
+Next, create a new key in the key vault. To create a new key, call [Add-AzKeyVaultKey](/powershell/module/az.keyvault/add-azkeyvaultkey). Replace the placeholder values in brackets with your own values and use the variables defined in the previous examples.
+
+```azurepowershell-interactive
+$key = Add-AzKeyVaultKey -VaultName $keyVault.VaultName -Name <key> -Destination 'Software'
+```

articles/data-explorer/media/customer-managed-keys-portal/cmk-key-vault.png

@@ -6,44 +6,19 @@ ms.date: 01/07/2020
 ms.author: orspodek
 ---
 
-Azure Data Explorer encrypts all data in a storage account at rest. By default, data is encrypted with Microsoft-managed keys. For additional control over encryption keys, you can supply customer-managed keys to use for data encryption. Customer-managed keys must be stored in an [Azure Key Vault](/azure/key-vault/key-vault-overview). You can create your own keys and store them in a key vault, or you can use an Azure Key Vault API to generate keys. The Azure Data Explorer cluster and the key vault must be in the same region, but they can be in different subscriptions. For a detailed explanation on customer-managed keys, see [customer-managed keys with Azure Key Vault](/azure/storage/common/storage-service-encryption). This article shows you how to configure customer-managed keys.
+Azure Data Explorer encrypts all data in a storage account at rest. By default, data is encrypted with Microsoft-managed keys. For additional control over encryption keys, you can supply customer-managed keys to use for data encryption. 
 
-To configure customer-managed keys with Azure Data Explorer, you must [set two properties on the key vault](/azure/key-vault/key-vault-ovw-soft-delete): **Soft Delete** and **Do Not Purge**. These properties aren't enabled by default. To enable these properties, use [PowerShell](/azure/key-vault/key-vault-soft-delete-powershell) or [Azure CLI](/azure/key-vault/key-vault-soft-delete-cli). Only RSA keys and key size 2048 are supported.
+Customer-managed keys must be stored in an [Azure Key Vault](/azure/key-vault/key-vault-overview). You can create your own keys and store them in a key vault, or you can use an Azure Key Vault API to generate keys. The Azure Data Explorer cluster and the key vault must be in the same region, but they can be in different subscriptions. For a detailed explanation on customer-managed keys, see [customer-managed keys with Azure Key Vault](/azure/storage/common/storage-service-encryption). 
 
-> [!NOTE]
-> Data encryption using customer managed keys is not supported on [leader and follower clusters](/azure/data-explorer/follower). 
-
-## Assign an identity to the cluster
-
-To enable customer-managed keys for your cluster, first assign a system-assigned managed identity to the cluster. You'll use this managed identity to grant the cluster permissions to access the key vault. To configure system-assigned managed identities, see [managed identities](/azure/data-explorer/managed-identities).
-
-## Create a new key vault
+This article shows you how to configure customer-managed keys.
 
-To create a new key vault using PowerShell, call [New-AzKeyVault](/powershell/module/az.keyvault/new-azkeyvault). The key vault that you use to store customer-managed keys for Azure Data Explorer encryption must have two key protection settings enabled, **Soft Delete** and **Do Not Purge**. Replace the placeholder values in brackets with your own values in example below.
+## Configure Azure Key Vault
 
-```azurepowershell-interactive
-$keyVault = New-AzKeyVault -Name <key-vault> `
-    -ResourceGroupName <resource_group> `
-    -Location <location> `
-    -EnableSoftDelete `
-    -EnablePurgeProtection
-```
+To configure customer-managed keys with Azure Data Explorer, you must [set two properties on the key vault](/azure/key-vault/key-vault-ovw-soft-delete): **Soft Delete** and **Do Not Purge**. These properties aren't enabled by default. To enable these properties, perform **Enabling soft-delete** and **Enabling Purge Protection** in [PowerShell](/azure/key-vault/key-vault-soft-delete-powershell) or [Azure CLI](/azure/key-vault/key-vault-soft-delete-cli) on a new or existing key vault. Only RSA keys of size 2048 are supported. For more information about keys, see [Key Vault keys](/azure/key-vault/about-keys-secrets-and-certificates#key-vault-keys).
 
-## Configure the key vault access policy
-
-Next, configure the access policy for the key vault so that the cluster has permissions to access it. In this step, you'll use the system-assigned managed identity that you previously assigned to the cluster. To set the access policy for the key vault, call [Set-AzKeyVaultAccessPolicy](/powershell/module/az.keyvault/set-azkeyvaultaccesspolicy). Replace the placeholder values in brackets with your own values and use the variables defined in the previous examples.
-
-```azurepowershell-interactive
-Set-AzKeyVaultAccessPolicy `
-    -VaultName $keyVault.VaultName `
-    -ObjectId $cluster.Identity.PrincipalId `
-    -PermissionsToKeys wrapkey,unwrapkey,get,recover
-```
-
-## Create a new key
+> [!NOTE]
+> Data encryption using customer managed keys is not supported on [leader and follower clusters](/azure/data-explorer/follower). 
 
-Next, create a new key in the key vault. To create a new key, call [Add-AzKeyVaultKey](/powershell/module/az.keyvault/add-azkeyvaultkey). Replace the placeholder values in brackets with your own values and use the variables defined in the previous examples.
+## Assign an identity to the cluster
 
-```azurepowershell-interactive
-$key = Add-AzKeyVaultKey -VaultName $keyVault.VaultName -Name <key> -Destination 'Software'
-```
+To enable customer-managed keys for your cluster, first assign a system-assigned managed identity to the cluster. You'll use this managed identity to grant the cluster permissions to access the key vault. To configure system-assigned managed identities, see [managed identities](/azure/data-explorer/managed-identities).