Update customer-managed-key.md #2059

Merged
merged 2 commits into from
Jul 17, 2023
20 changes: 13 additions & 7 deletions power-platform/admin/customer-managed-key.md
Expand Up @@ -5,7 +5,7 @@ author: paulliew
ms.author: paulliew
ms.reviewer: matp, ratrtile
ms.topic: how-to
ms.date: 06/22/2023
ms.date: 07/17/2023
ms.custom: template-how-to
---
# Manage your customer-managed encryption key
Expand Down Expand Up @@ -230,8 +230,7 @@ Register Power Platform as a resource provider. You only need to do this task on
1. Select **Review + create**, and then select **Create**.

A deployment is started. When it's done, the enterprise policy is created.
> [!NOTE]
> You can only create up to two enterprise policies.


### Enterprise policy json template

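Review bot: the removed note ("You can only create up to two enterprise policies") drops a documented limit without any replacement statement in this hunk. If the limit has been lifted, say so here (or in the "Enterprise policy json template" section that follows) so readers who planned around the old text know it no longer applies; if the limit still applies but the sentence was moved, add a pointer to its new location.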
Expand Down Expand Up @@ -311,6 +310,11 @@ Once the enterprise policy is created, the key vault administrator grants the en
1. Select the enterprise policy, and then choose **Select**.
1. Select **Review + assign**.

> [!NOTE]
> The above permission setting is based on your key vault's **Permission model** of **Azure role-based access control**. If your key vault is set to **Vault access policy**, it's recommended that you migrate to the role-based model. To grant your enterprise policy access to the key vault using **Vault access policy**, create an Access policy, select **Get** on *Key management operations* and **Unwrap key** and **Wrap key** on *Cryptographic Operations*.



### Grant the Power Platform admin privilege to read enterprise policy

Administrators who have Azure global, Dynamics 365, and Power Platform administration roles can access the Power Platform admin center to assign environments to the enterprise policy. To access the enterprise policies, the global admin with Azure key vault access is required to grant the **Reader** role to the Power Platform admin. Once the **Reader** role is granted, the Power Platform administrator will be able to view the enterprise policies on the Power Platform admin center.
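Review bot: the new note on **Vault access policy** lists the three key permissions (**Get** under *Key management operations*, **Unwrap key** and **Wrap key** under *Cryptographic Operations*) but does not say these are the only permissions the enterprise policy needs; adding that sentence would keep readers from granting broader key or secret permissions when they create the access policy. The recommendation to migrate to the role-based model would be stronger with a link to the migration guidance. Also, the three blank lines after the note (before the `### Grant the Power Platform admin privilege to read enterprise policy` heading) should collapse to one.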
Expand Down Expand Up @@ -363,8 +367,7 @@ The key vault admin notifies the Power Platform admin that an encryption key and
1. Select **Save**, and then select **Confirm**.

> [!IMPORTANT]
>
> - The environment is disabled temporarily during this process and re-enabled to allow users to access while the encryption process continues. It can take up to a day to complete the encryption process.
> - The environment is disabled temporarily during this process and re-enabled to allow users access while the encryption process continues. It can take up to a day or two to complete the encryption process.
> - Only environments that are in the same region as the enterprise policy are displayed in the **Add environments** list.

> [!NOTE]
Expand All @@ -383,6 +386,9 @@ Follow these steps if you want to return to a Microsoft managed encryption key.
:::image type="content" source="media/cmk-ppac-remove-env-policy.png" alt-text="Remove an environment from customer-managed key":::
1. Select **Remove environment** on the command bar, select the environment you want to remove, and then select **Continue**.
1. Select **Save**.

> [!IMPORTANT]
> The environment will be disabled when it is removed from the enterprise policy to revert the data encryption to the Microsoft-managed key. **Do not delete or disable the key, delete or disable the key vault, or remove the enteprise policy's permissions to the key vault.** The key and key vault's access is necessary to support database restoration. You may delete and remove the enterprise policy's permissions after 30 days.

### Change the environment's encryption key

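Review bot: "enteprise" in the bolded sentence should be "enterprise". "The key and key vault's access is necessary to support database restoration" reads awkwardly; suggest "Access to the key and the key vault is necessary to support database restoration." This same important block is added again, nearly verbatim, in the "Change the environment's encryption key" section below; consider keeping one copy and cross-referencing it so the two do not drift, since the 30-day retention statement in particular should live in one place.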
Expand All @@ -400,14 +406,14 @@ To rotate your encryption key, create a new key and a new enterprise policy. You
1. Repeat steps 2-6 until all environments in the enterprise policy have been removed.

> [!IMPORTANT]
> The environment will be disabled when it is removed from the enterprise policy to revert the data encryption to Microsoft managed key.
> The environment will be disabled when it is removed from the enterprise policy to revert the data encryption to the Microsoft-managed key. **Do not delete or disable the key, delete or disable the key vault, or remove the enteprise policy's permissions to the key vault**. The key and key vault's access is necessary to support database restoration. You may delete and remove the enterprise policy's permissions after 30 days.

1. Once all the environments are removed, from the Power Platform admin center go to **Enterprise policies**.
1. Select the new enterprise policy, and then select **Edit policy**.
1. Select **Add environment**, select the environments that you want to add, and then select **Continue**.

> [!IMPORTANT]
> The environment will be disabled when it's added to the new enterprise policy.
> The environment will be disabled when it's added to the new enterprise policy.

### View the list of encrypted environments

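Review bot: the same typo "enteprise" appears in this copy of the important block, and here the closing `**` sits before the period while in the earlier copy it sits after it, so the two blocks differ in punctuation as well as wording; align them or keep a single copy. The final change (`> The environment will be disabled when it's added to the new enterprise policy.`) removes and re-adds a line that is identical as rendered, which suggests a trailing-whitespace-only edit; confirm it is intentional, otherwise drop it to keep the diff minimal.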