Update Key Rotation tutorial to improve performance KPIs

jlichwa · jlichwa · commit e295942d6ef5 · 2022-06-02T12:38:38.000-07:00
diff --git a/articles/key-vault/keys/how-to-configure-key-rotation.md b/articles/key-vault/keys/how-to-configure-key-rotation.md
@@ -15,10 +15,15 @@ ms.author: mbaldwin
 
 ## Overview
 
-Automated key rotation in Key Vault allows users to configure Key Vault to automatically generate a new key version at a specified frequency. You can use rotation policy to configure rotation for each individual
-key. Our recommendation is to rotate encryption keys at least every two years to meet cryptographic best practices.
+Automated key rotation in [Key Vault](../general/overview.md) allows users to configure Key Vault to automatically generate a new key version at a specified frequency. For more information about how keys are versioned, see [Key Vault objects, identifiers, and versioning](../general/about-keys-secrets-certificates.md#objects-identifiers-and-versioning). 
 
-This feature enables end-to-end zero-touch rotation for encryption at rest for Azure services with customer-managed key (CMK) stored in Azure Key Vault. Please refer to specific Azure service documentation to see if the service covers end-to-end rotation.
+You can use rotation policy to configure rotation for each individual key. Our recommendation is to rotate encryption keys at least every two years to meet cryptographic best practices. 
+
+This feature enables end-to-end zero-touch rotation for encryption at rest for Azure services with customer-managed key (CMK) stored in Azure Key Vault. Please refer to specific Azure service documentation to see if the service covers end-to-end rotation. 
+
+For more information about data encryption in Azure, see:
+- [Azure Encryption at Rest](../../security/fundamentals/encryption-atrest.md#azure-encryption-at-rest-components)
+- [Azure services data encryption support table](../../security/fundamentals/encryption-models.md#supporting-services)
 
 ## Pricing
 
@@ -50,6 +55,9 @@ Key rotation policy settings:
 
 :::image type="content" source="../media/keys/key-rotation/key-rotation-1.png" alt-text="Rotation policy configuration":::
 
+> [!IMPORTANT]
+> Key rotation generates a new key version of an existing key with new key material. Ensure that your data encryption solution uses versioned key uri to point to the same key material for encrypt/decrypt, wrap/unwrap operations to avoid disruption to your services. All Azure services are currently following that pattern for data encryption.
+
 ## Configure key rotation policy
 
 Configure key rotation policy during key creation.
@@ -90,7 +98,8 @@ Save  key rotation policy to a file. Key rotation policy example:
   }
 }
 ```
-Set rotation policy on a key passing previously saved file. 
+
+Set rotation policy on a key passing previously saved file using Azure CLI [az keyvault key rotation-policy update](/cli/azure/keyvault/key/rotation-policy) command. 
 
 ```azurecli
 az keyvault key rotation-policy update --vault-name <vault-name> --name <key-name> --value </path/to/policy.json>
@@ -106,6 +115,9 @@ Click 'Rotate Now' to invoke rotation.
 :::image type="content" source="../media/keys/key-rotation/key-rotation-4.png" alt-text="Rotation on-demand":::
 
 ### Azure CLI
+
+Use Azure CLI [az keyvault key rotate](/cli/azure/keyvault/key#az-keyvault-key-rotate) command to rotate key.
+
 ```azurecli
 az keyvault key rotate --vault-name <vault-name> --name <key-name>
 ```
