
Commit fdf0ace

Merge pull request #276295 from GennadNY/gennadyk8976
Update concepts-data-encryption.md
2 parents c9cc974 + d4f3710 commit fdf0ace

File tree

1 file changed

+10
-0
lines changed


articles/postgresql/flexible-server/concepts-data-encryption.md

Lines changed: 10 additions & 0 deletions
@@ -179,6 +179,16 @@ Some of the reasons why the server state becomes **Inaccessible** are:
179179
>
180180
> Generally, a server becomes **Inaccessible** within 60 minutes after a key is disabled, deleted, expired, or not reachable. After key the becomes available, the server might take up to 60 minutes to become **Accessible** again.
181181
182+
## Recovering from Managed Identity Deletion
183+
184+
In rare case when Entra ID managed identity, which used by CMK to retrieve a key from Azure Key Vault (AKV), is deleted in Microsoft Entra ID following are recommended steps to recover:
185+
1. Either [recover the identity](../../active-directory/fundamentals/recover-from-deletions.md) or create new managed Entra ID identity
186+
2. Make sure this identity has proper permissions for operations on key in Azure Key Vault (AKV). Depending on the permission model of the key vault (access policy or Azure RBAC), key vault access can be granted either by creating an access policy on the key vault (**list**, **get**, **wrapKey**, and **unwrapKey** access policies), or by creating a new Azure RBAC role assignment with the role [Key Vault Crypto Service Encryption User](../../key-vault/general/rbac-guide.md#azure-built-in-roles-for-key-vault-data-plane-operations).
187+
3. Revalidate CMK data encryption with a new or recovered identity in Azure Database for PostgreSQL - Flexible Server Data Encryption Azure portal screen.
188+
> [!IMPORTANT]
189+
> Simply creating new Entra ID identity with the same name as deleted identity doesn't recover from managed identity deletion.
190+
191+
182192
## Using data encryption with CMKs and geo-redundant business continuity features
183193

184194
Azure Database for PostgreSQL flexible server supports advanced [data recovery](../flexible-server/concepts-business-continuity.md) features, such as [replicas](../../postgresql/flexible-server/concepts-read-replicas.md) and [geo-redundant backup](../flexible-server/concepts-backup-restore.md). Following are requirements for setting up data encryption with CMKs and these features, in addition to [basic requirements for data encryption with CMKs](#requirements-for-configuring-data-encryption-for-azure-database-for-postgresql-flexible-server):
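Review bot: the new section needs a grammar pass before merge. Line 184 reads "In rare case when Entra ID managed identity, which used by CMK to retrieve a key from Azure Key Vault (AKV), is deleted in Microsoft Entra ID following are recommended steps to recover:" and should be something like "In the rare case where the Microsoft Entra managed identity that the server uses to retrieve the CMK from Azure Key Vault (AKV) is deleted, the recommended recovery steps are:"; step 1 and the IMPORTANT note are missing articles ("create a new managed identity", "creating a new identity with the same name as the deleted identity"). On substance, the IMPORTANT note would land better if it said why a same-named identity does not help: the replacement identity has a different principal ID, so the key vault access policy or RBAC role assignment from step 2 and the server's identity reference have to be redone against the new identity. For the same reason, step 3 should state explicitly that the server must be switched to the new or recovered identity on the Data encryption pane before revalidating, rather than only "with a new or recovered identity". Minor: the heading "Recovering from Managed Identity Deletion" uses title case while the neighbouring headings use sentence case, and lines 189 and 190 leave two blank lines before the next heading.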

0 commit comments

Comments
 (0)