diff --git a/power-platform/admin/customer-managed-key.md b/power-platform/admin/customer-managed-key.md index e7ac887b37..9756fd8dbb 100644 --- a/power-platform/admin/customer-managed-key.md +++ b/power-platform/admin/customer-managed-key.md @@ -5,7 +5,7 @@ author: paulliew ms.author: paulliew ms.reviewer: matp, ratrtile ms.topic: how-to -ms.date: 06/22/2023 +ms.date: 07/17/2023 ms.custom: template-how-to --- # Manage your customer-managed encryption key @@ -230,8 +230,7 @@ Register Power Platform as a resource provider. You only need to do this task on 1. Select **Review + create**, and then select **Create**. A deployment is started. When it's done, the enterprise policy is created. - > [!NOTE] - > You can only create up to two enterprise policies. + ### Enterprise policy json template 
@@ -311,6 +310,11 @@ Once the enterprise policy is created, the key vault administrator grants the en 1. Select the enterprise policy, and then choose **Select**. 1. Select **Review + assign**. +> [!NOTE] +> The above permission setting is based on your key vault's **Permission model** of **Azure role-based access control**. If your key vault is set to **Vault access policy**, it's recommended that you migrate to the role-based model. To grant your enterprise policy access to the key vault using **Vault access policy**, create an Access policy, select **Get** on *Key management operations* and **Unwrap key** and **Wrap key** on *Cryptographic Operations*. + + + ### Grant the Power Platform admin privilege to read enterprise policy Administrators who have Azure global, Dynamics 365, and Power Platform administration roles can access the Power Platform admin center to assign environments to the enterprise policy. To access the enterprise policies, the global admin with Azure key vault access is required to grant the **Reader** role to the Power Platform admin. Once the **Reader** role is granted, the Power Platform administrator will be able to view the enterprise policies on the Power Platform admin center. @@ -363,8 +367,7 @@ The key vault admin notifies the Power Platform admin that an encryption key and 1. Select **Save**, and then select **Confirm**. > [!IMPORTANT] -> -> - The environment is disabled temporarily during this process and re-enabled to allow users to access while the encryption process continues. It can take up to a day to complete the encryption process. +> - The environment is disabled temporarily during this process and re-enabled to allow users access while the encryption process continues. It can take up to a day or two to complete the encryption process. > - Only environments that are in the same region as the enterprise policy are displayed in the **Add environments** list. > [!NOTE] 
@@ -383,6 +386,9 @@ Follow these steps if you want to return to a Microsoft managed encryption key. :::image type="content" source="media/cmk-ppac-remove-env-policy.png" alt-text="Remove an environment from customer-managed key"::: 1. Select **Remove environment** on the command bar, select the environment you want to remove, and then select **Continue**. 1. Select **Save**. + + > [!IMPORTANT] + > The environment will be disabled when it is removed from the enterprise policy to revert the data encryption to the Microsoft-managed key. **Do not delete or disable the key, delete or disable the key vault, or remove the enteprise policy's permissions to the key vault.** The key and key vault's access is necessary to support database restoration. You may delete and remove the enterprise policy's permissions after 30 days. ### Change the environment's encryption key 
@@ -400,14 +406,14 @@ To rotate your encryption key, create a new key and a new enterprise policy. You 1. Repeat steps 2-6 until all environments in the enterprise policy have been removed. > [!IMPORTANT] - > The environment will be disabled when it is removed from the enterprise policy to revert the data encryption to Microsoft managed key. + > The environment will be disabled when it is removed from the enterprise policy to revert the data encryption to the Microsoft-managed key. **Do not delete or disable the key, delete or disable the key vault, or remove the enteprise policy's permissions to the key vault**. The key and key vault's access is necessary to support database restoration. You may delete and remove the enterprise policy's permissions after 30 days. 1. Once all the environments are removed, from the Power Platform admin center go to **Enterprise policies**. 1. Select the new enterprise policy, and then select **Edit policy**. 1. Select **Add environment**, select the environments that you want to add, and then select **Continue**. > [!IMPORTANT] -> The environment will be disabled when it's added to the new enterprise policy. +> The environment will be disabled when it's added to the new enterprise policy. ### View the list of encrypted environments
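Review bot: In the hunk at `@@ -230,8 +230,7 @@`, the note "You can only create up to two enterprise policies" is removed with no replacement, so readers lose the only statement of the policy limit; if the limit has changed or been lifted, say so explicitly (e.g. state the new maximum) rather than silently dropping it, and drop the extra blank line left in place of the note before `### Enterprise policy json template`.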
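Review bot: In the hunk at `@@ -311,6 +310,11 @@`, the new note about **Vault access policy** is followed by three empty lines before `### Grant the Power Platform admin privilege to read enterprise policy`; one blank line is enough. Within the note, "Key management operations" and "Cryptographic Operations" should be capitalized consistently as they appear in the portal, and "it's recommended that you migrate" reads better as "migrate to the role-based model". The minimal permission set named for the legacy model (Get, Unwrap Key, Wrap Key) is the right least-privilege choice and worth keeping as stated.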
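Review bot: In the hunk at `@@ -363,8 +367,7 @@`, "up to a day or two" loosens a previously concrete bound; if two days is the supported upper limit, state it directly ("up to two days") so the reader has a firm expectation to plan downtime against.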
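Review bot: In the hunk at `@@ -383,6 +386,9 @@`, the added IMPORTANT note misspells "enteprise" (should be "enterprise") and the sentence "The key and key vault's access is necessary" is awkward; suggest "Access to the key and key vault is required to support database restoration." The closing sentence only says permissions may be removed after 30 days, while the bold warning also covers deleting or disabling the key and key vault; make clear whether all three restrictions lift after 30 days, e.g. "After 30 days, you can remove the enterprise policy's permissions and delete the key and key vault."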
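Review bot: In the hunk at `@@ -400,14 +406,14 @@`, the same "enteprise" typo appears again, and this IMPORTANT text duplicates the note added in the previous hunk with slightly different punctuation (period outside the bold here, inside it there); align the wording exactly, or reference the earlier note, so the two do not drift apart on future edits. The final change to "The environment will be disabled when it's added to the new enterprise policy." appears to add only trailing whitespace and should be reverted.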