Merge pull request #105291 from yossi-y/patch-48

PRMerger18 · web-flow · commit eb5d6684e1c1 · 2020-02-24T10:50:07.000-08:00
Updated CMK configuration with new API and process
diff --git a/articles/azure-monitor/platform/customer-managed-keys.md b/articles/azure-monitor/platform/customer-managed-keys.md
@@ -6,7 +6,7 @@ ms.subservice: logs
 ms.topic: conceptual
 author: yossi-y
 ms.author: yossiy
-ms.date: 02/05/2020
+ms.date: 02/24/2020
 
 ---
 # Azure Monitor customer-managed key configuration 
@@ -114,8 +114,8 @@ For Application Insights CMK configuration, follow the Appendix content for step
     feature
 2. Creating Azure Key Vault and storing key
 3. Create a *Cluster* resource
-4. Grant permissions to your Key Vault
-5. Azure Monitor data-store (ADX cluster) provisioning
+4. Azure Monitor data-store (ADX cluster) provisioning
+5. Grant permissions to your Key Vault
 6. Log Analytics workspaces association
 
 The procedure is not supported in the UI currently and the provisioning process is performed via REST API.
@@ -164,7 +164,7 @@ These settings are available via CLI and PowerShell:
 
 ### Create *Cluster* resource
 
-This resource is used as intermediate identity connection between your Key Vault and your workspaces. After you receive confirmation that your subscriptions were whitelisted, create a Log Analytics *Cluster* resource at the region where your workspaces are located. Application Insights and Log Analytics require separate Cluster resources. The type of the Cluster resource is defined at creation time by setting the “clusterType” property to either ‘LogAnalytics’, or ‘ApplicationInsights’. The Cluster resource type can’t be altered.
+This resource is used as intermediate identity connection between your Key Vault and your workspaces. After you receive confirmation that your subscriptions were whitelisted, create a Log Analytics *Cluster* resource at the region where your workspaces are located. Application Insights and Log Analytics require separate Cluster resources. The type of the *Cluster* resource is defined at creation time by setting the “clusterType” property to either ‘LogAnalytics’, or ‘ApplicationInsights’. The Cluster resource type can’t be altered.
 
 For Application Insights CMK configuration, follow the Appendix content for this step.
 
@@ -185,66 +185,78 @@ Content-type: application/json
    }
 }
 ```
+The identity is assigned to the *Cluster* resource at creation time.
 "clusterType" value is "ApplicationInsights" for Application Insights CMK.
 
 **Response**
 
-Identity is assigned to the *Cluster* resource at creation time.
+202 Accepted. This is a standard Resource Manager response for asynchronous operations.
+
+If you what to delete the *Cluster* resource for any reason -- for example, create it with a different name or clusterType, use this REST API:
 
+```rst
+DELETE
+https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.OperationalInsights/clusters/<cluster-name>?api-version=2019-08-01-preview
+```
+
+### Azure Monitor data-store (ADX cluster) provisioning
+
+During the early access period of the feature, the ADX cluster is
+provisioned manually by the product team once the previous steps are
+completed. Use the channel you have with Microsoft to provide the *Cluster* resource details. The JSON response can be retrieved using GET REST API:
+
+```rst
+GET https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.OperationalInsights/clusters/<cluster-name>?api-version=2019-08-01-preview
+Authorization: Bearer <token>
+```
+
+**Response**
 ```json
 {
   "identity": {
     "type": "SystemAssigned",
     "tenantId": "tenant-id",
-    "principalId": "principle-id"
-  },
+    "principalId": "principal-Id"
+    },
   "properties": {
     "provisioningState": "Succeeded",
     "clusterType": "LogAnalytics", 
     "clusterId": "cluster-id"
-  },
-  "id": "/subscriptions/subscription-id/resourceGroups/resource-group-name/providers/Microsoft.OperationalInsights/clusters/cluster-name",    //The cluster resource Id
+    },
+  "id": "/subscriptions/subscription-id/resourceGroups/resource-group-name/providers/Microsoft.OperationalInsights/clusters/cluster-name",
   "name": "cluster-name",
   "type": "Microsoft.OperationalInsights/clusters",
   "location": "region-name"
-}
-
+  }
 ```
+
 "principalId" is a GUID generated by the managed identity service for the *Cluster* resource.
 
 > [!IMPORTANT]
 > Copy and keep the "cluster-id" value since you will need it in next steps.
 
-If you what to delete the *Cluster* resource for any reason -- for example, create it with a different name or clusterType, use this API call:
-
-```rst
-DELETE
-https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.OperationalInsights/clusters/<cluster-name>?api-version=2019-08-01-preview
-```
 
 ### Grant Key Vault permissions
 
-Update your Key Vault and add access policy for the Cluster resource. Permissions to your Key Vault are then propagated to the underlaying Azure Monitor Storage to be used for data encryption.
-Open your Key Vault in Azure portal and click “Access Policies” then “+ Add Access Policy” to create a new policy with these settings:
+> [!IMPORTANT]
+> This step should be carried ONLY after you received confirmation from the product group through your Microsoft channel that the Azure > Monitor data-store (ADX cluster) provisioning was fulfilled. Updating Key Vault access policy prior to this provisioning, the access policy update in Key Vault will fail.
+
+Update your Key Vault and add access policy for the *Cluster* resource. Permissions to your Key Vault are then propagated to the underlaying Azure Monitor Storage to be used for data encryption.
+Open your Key Vault in Azure portal and click "Access Policies" then "+ Add Access Policy" to create a new policy with these settings:
 
-- Key permissions: select ‘Get’, ‘Wrap Key’ and ‘Unwrap Key’ permissions.
+- Key permissions: select 'Get', 'Wrap Key' and 'Unwrap Key' permissions.
 
-- Select principal: enter the cluster-id, which is the "clusterId" value in the response of the previous step.
+- Select principal: enter the cluster-id value that returned in the response in the previous step.
 
 ![grant Key Vault permissions](media/customer-managed-keys/grant-key-vault-permissions.png)
 
 The *Get* permission is required to verify that your Key Vault is
     configured as recoverable to protect your key and the access to your
     Azure Monitor data.
 
-It takes a few minutes until the *Cluster* resource is propagated in
-    Azure Resource Manager. When configuring this Access Policy
-    immediately after the *Cluster* resource creation, a transient error
-    may occur. In this case, try again after a few minutes.
-
 ### Update Cluster resource with Key identifier details
 
-This step applies following future key version updates in your Key Vault. Update the *Cluster* resource with Key Vault *Key identifier* details, to allow Azure Monitor Storage to use the new key version. Select the current version of your key in Azure Key Vault to get the Key identifier details.
+This step applies for future key version updates in your Key Vault. Update the *Cluster* resource with Key Vault *Key identifier* details, to allow Azure Monitor Storage to use the new key version. Select the current version of your key in Azure Key Vault to get the Key identifier details.
 
 ![Grant Key Vault permissions](media/customer-managed-keys/key-identifier-8bit.png)
 
@@ -300,47 +312,6 @@ Content-type: application/json
 }
 ```
 
-### Azure Monitor data-store (ADX cluster) provisioning
-
-During the early access period of the feature, the ADX cluster is
-provisioned manually by the product team once the previous steps are
-completed. Use the channel you have with Microsoft to provide the
-following details:
-
-- Confirmation that the steps above where completed successfully.
-
-- The JSON response from the previous step. It can be retrieved at any time using a Get API call:
-
-   ```rst
-   GET https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.OperationalInsights/clusters/<cluster-name>?api-version=2019-08-01-preview
-   Authorization: Bearer <token>
-   ```
-
-   **Response**
-   ```json
-   {
-     "identity": {
-       "type": "SystemAssigned",
-       "tenantId": "tenant-id",
-       "principalId": "principal-Id"
-     },
-     "properties": {
-          "KeyVaultProperties": {
-               KeyVaultUri: "https://key-vault-name.vault.azure.net",
-               KeyName: "key-name",
-               KeyVersion: "current-version"
-               },
-       "provisioningState": "Succeeded",
-       "clusterType": "LogAnalytics", 
-       "clusterId": "cluster-id"
-     },
-     "id": "/subscriptions/subscription-id/resourceGroups/resource-group-name/providers/Microsoft.OperationalInsights/clusters/cluster-name",
-     "name": "cluster-name",
-     "type": "Microsoft.OperationalInsights/clusters",
-     "location": "region-name"
-   }
-   ```
-
 ### Workspace association to *Cluster* resource
 
 > [!NOTE]
