Live publish
buck1ey committed Aug 30, 2023
2 parents b902315 + 380269f commit f75cc27
Showing 3 changed files with 57 additions and 17 deletions.
2 changes: 1 addition & 1 deletion power-platform/admin/cmk-migrate-from-byok.md
Expand Up @@ -26,7 +26,7 @@ If you have enabled audit and search in the BYOK environment and have uploaded f

Similarly, if you didn’t enable these audit or search functionalities and enabled them after your environment is encrypted with this feature, all these storages will be automatically created and encrypted with the encryption key.

1. Create a new encryption key and a new enterprise policy, or use an existing key and enterprise policy. More information: [Create the key and grant access overview](customer-managed-key.md#create-the-key-and-grant-access-overview) and [Create enterprise policy](customer-managed-key.md#create-enterprise-policy).
1. Create a new encryption key and a new enterprise policy, or use an existing key and enterprise policy. More information: [Create encryption key and grant access](customer-managed-key.md#create-encryption-key-and-grant-access) and [Create enterprise policy](customer-managed-key.md#create-enterprise-policy).
1. Enable the non-BYOK or BYOK environment as **Managed Environment**. More information: [Enable Managed Environment](customer-managed-key.md#enable-managed-environment-to-be-added-to-the-enterprise-policy).
1. Add the non-BYOK or BYOK environment to the policy to the enterprise policy to encrypt data: More information: [Add an environment to the enterprise policy to encrypt data](customer-managed-key.md#add-an-environment-to-the-enterprise-policy-to-encrypt-data).
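Review bot: the anchor is repointed to `#create-encryption-key-and-grant-access`, which is the `## Create encryption key and grant access` heading in customer-managed-key.md, while the `#####` subsection that used to carry the old anchor is renamed in this same commit to "Create the key and grant access using Azure Key Vault"; confirm the `##` section is the intended target and not the renamed subsection. While in this file, the unchanged step "Add the non-BYOK or BYOK environment to the policy to the enterprise policy to encrypt data:" repeats "to the policy" and ends in a colon before "More information"; suggest "Add the non-BYOK or BYOK environment to the enterprise policy to encrypt data. More information: ...".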

70 changes: 55 additions & 15 deletions power-platform/admin/customer-managed-key.md
Expand Up @@ -3,7 +3,7 @@ title: Manage your customer-managed encryption key in Power Platform
description: Learn how to manage your encryption key.
author: paulliew
ms.author: paulliew
ms.reviewer: matp, ratrtile
ms.reviewer: sericks, matp, ratrtile
ms.topic: how-to
ms.date: 08/24/2023
ms.custom: template-how-to
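Review bot: `ms.date` stays at 08/24/2023 although this commit (Aug 30, 2023) adds a whole key-version rotation section and reverses the earlier "not supported" guidance on rotation policies; bump `ms.date` so the published page reflects the revision.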
Expand Down Expand Up @@ -116,10 +116,10 @@ The key vault administrator then grants the respective Power Platform/Dynamics 3

##### Prerequisites

- An Azure subscription that includes Azure Key Vault.
- An Azure subscription that includes Azure Key Vault or Azure Key Vault managed hardware security modules (preview).
- Global tenant admin or an Azure AD with contributor permission to the Azure AD subscription and permission to create an Azure Key Vault and key. This is required to set up the key vault.

##### Create the key and grant access overview
##### Create the key and grant access using Azure Key Vault

The Azure Key Vault administrator performs these tasks in Azure.
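Review bot: renaming the `#####` heading changes its auto-generated anchor from `#create-the-key-and-grant-access-overview` to `#create-the-key-and-grant-access-using-azure-key-vault`; the two references updated in this commit point instead at the `##` heading `#create-encryption-key-and-grant-access`, so check that no other page still links to the old anchor. The new prerequisite calls the product "Azure Key Vault managed hardware security modules (preview)" while the section added further down calls it "Azure Key Vault Managed HSM"; use one name. Pre-existing in the context lines: "Global tenant admin or an Azure AD with contributor permission" is missing a noun after "Azure AD" (an account, a user).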

Expand All @@ -142,7 +142,7 @@ The Power Platform administrator manages customer-managed key tasks related to t

1. Add the Power Platform environments to the enterprise policy to encrypt data with the customer-managed key. More information: [Add an environment to the enterprise policy to encrypt data](#add-an-environment-to-the-enterprise-policy-to-encrypt-data)
1. Remove environments from enterprise policy to return encryption to Microsoft managed key. More information: [Remove environments from policy to return to Microsoft managed key](#remove-environments-from-policy-to-return-to-microsoft-managed-key)
1. Change the key by removing environments from the old enterprise policy and adding environments to a new enterprise policy. More information: [Change the environment's encryption key](#change-the-environments-encryption-key)
1. Change the key by removing environments from the old enterprise policy and adding environments to a new enterprise policy. More information: [Create encryption key and grant access](#change-the-environments-encryption-key-with-a-new-enterprise-policy-and-key)
1. Migrate from BYOK. If you are using the earlier self-managed encryption key feature, you can migrate your key to customer managed key. More information: [Migrate bring-your-own-key environments to customer-managed key](cmk-migrate-from-byok.md)

## Create encryption key and grant access
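Review bot: the link text was changed to "Create encryption key and grant access" but the target is `#change-the-environments-encryption-key-with-a-new-enterprise-policy-and-key`, so the text now misdescribes where the link goes; use the target heading's own text, "Change the environment's encryption key with a new enterprise policy and key". This task overview should also list the new key-version rotation path added later in the commit so the list of ways to change the key stays complete.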
Expand Down Expand Up @@ -180,10 +180,33 @@ In Azure, perform the following steps:
- **Key type**: **RSA**
- **RSA key size**: **2048**

##### Import protected keys for hardware security modules (HSM)
#### Import protected keys for Hardware Security Modules (HSM)
You can use your protected keys for hardware security modules (HSM) to encrypt your Power Platform Dataverse environments. Your [HSM-protected keys must be imported into the key vault](/azure/key-vault/keys/hsm-protected-keys) so an Enterprise policy can be created. For more information, see [Supported HSMs](/azure/key-vault/keys/hsm-protected-keys#supported-hsms) [Import HSM-protected keys to Key Vault (BYOK)](/azure/key-vault/keys/hsm-protected-keys-byok?tabs=azure-cli).

#### Encrypt your environment with key from Azure Key Vault with private link (preview)
#### Create a key in the Azure Key Vault Managed HSM - Preview
You can use an encryption key created from the Azure Key Vault Managed HSM to encrypt your environment data. This gives you FIPS 140-2 Level 3 support.

##### Create RSA-HSM keys
1. Make sure you've met the [prerequisites](#prerequisites).
1. Go to the [Azure portal](https://ms.portal.azure.com/).
1. Create a [Managed HSM](/azure/key-vault/managed-hsm/quick-create-cli#create-a-managed-hsm):
1. [Provision the Managed HSM](/azure/key-vault/managed-hsm/quick-create-cli#provision-a-managed-hsm).
1. [Activate the Managed HSM](/azure/key-vault/managed-hsm/quick-create-cli#activate-your-managed-hsm).
1. Enable **Purge Protection** in your Managed HSM.
1. Grant the **Managed HSM Crypto User** role to the person who created the Managed HSM key vault.
1. Access the Managed HSM key vault on the [Azure portal](https://portal.azure.com/).
1. Navigate to **Local RBAC** and select **+ Add**.
1. In the **Role** drop-down list, select the **Managed HSM Crypto User** role on the **Role assignment** page.
1. Select **All keys** under **Scope**.
1. Select **Select security principal**, and then select the admin on the **Add Principal** page.
1. Select **Create**.
1. Create a RSA-HSM key:
- **Options**: **Generate**
- **Name**: Provide a name for the key
- **Key type**: **RSA-HSM**
- **RSA key size**: **2048**

#### Encrypt your environment with key from Azure Key Vault with private link

You can update your Azure Key vault's networking by enabling a [private endpoint](/azure/key-vault/general/private-link-service?tabs=portal#establish-a-private-link-connection-to-key-vault-using-the-azure-portal) and use the key in the key vault to encrypt your Power Platform environments.
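Review bot: the Managed HSM steps grant **Managed HSM Crypto User** to the person who created the HSM, but nothing in this hunk, or in the later "Grant enterprise policy permissions to access key vault" section, explains how the enterprise policy's managed identity gets access to an RSA-HSM key; Managed HSM data-plane access is governed by its Local RBAC rather than by Key Vault access policies, so that section needs a Managed HSM variant (a Local RBAC role assignment for the policy's identity) or a pointer to one. Smaller points: the provisioning sub-steps under "Create a Managed HSM" and the Local RBAC sub-steps under the role-grant step appear at the same list level as their parent steps, so indent them if they are not already; "Create a RSA-HSM key" should read "Create an RSA-HSM key"; and the unchanged HSM-import sentence runs two links together ("see [Supported HSMs](...) [Import HSM-protected keys ...]") and needs an "and" between them.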

Expand All @@ -195,7 +218,7 @@ You can either create a [new key vault and establish a private link connection](
- Enable **Purge Protection**
- Key type: RSA
- Key size: 2048
1. Copy down the key vault URL and the encryption key URL and version to be used for creating the enterprise policy.
1. Copy the key vault URL and the encryption key URL to be used for creating the enterprise policy.

> [!NOTE]
> Once you've added a private endpoint to your key vault or disabled the public access network, you won’t be able to see the key unless you have the appropriate permission.
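Review bot: dropping "and version" is consistent with removing `keyVersion` from the template, but the page does not say what happens to enterprise policies that were deployed earlier with a pinned `keyVersion`; add a sentence on whether such policies must be redeployed before the new key-version rotation applies to them, or whether the pinned version is now ignored. Minor: "Key type: RSA" / "Key size: 2048" here are unbolded while the same values are bolded in the key-creation lists elsewhere on the page.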
Expand Down Expand Up @@ -224,7 +247,7 @@ Register Power Platform as a resource provider. You only need to do this task on
1. After the PowerShell MSI is installed, go back to [Deploy a custom template](https://ms.portal.azure.com/#create/Microsoft.Template) in Azure.
1. Select the **Build your own template in the editor** link.
1. Copy the JSON template into a text editor such as Notepad. More information: [Enterprise policy json template](#enterprise-policy-json-template)
1. Replace the values in the JSON template for: *EnterprisePolicyName*, *location where EnterprisePolicy needs to be created*, *keyVaultId*, *keyName*, and *keyVersion*. More information: [Field definitions for json template](#field-definitions-for-json-template)
1. Replace the values in the JSON template for: *EnterprisePolicyName*, *location where EnterprisePolicy needs to be created*, *keyVaultId*, and *keyName*. More information: [Field definitions for json template](#field-definitions-for-json-template)
1. Copy the updated template from your text editor then paste it into the **Edit template** of the **Custom deployment** in Azure, and select **Save**.
:::image type="content" source="media/cmk-keyvault-template.png" alt-text="Azure key vault template":::
1. Select a **Subscription** and **Resource group** where the enterprise policy is to be created.
Expand Down Expand Up @@ -257,8 +280,7 @@ A deployment is started. When it's done, the enterprise policy is created.
"keyVault": {
"id": {keyVaultId},
"key": {
"name": {keyName},
"version": {keyVersion}
"name": {keyName}
}
}
},
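Review bot: after dropping the `version` line the trailing comma on `"name"` is correctly removed, so the fragment stays balanced; the placeholders `{keyVaultId}` and `{keyName}` are bare braces, though, so the template is not valid JSON if pasted as is into the Azure custom-template editor. Consider quoting them (`"id": "{keyVaultId}"`) or stating that the braces and placeholder are to be replaced entirely, including the quotes.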
Expand Down Expand Up @@ -294,8 +316,7 @@ A deployment is started. When it's done, the enterprise policy is created.
- Copy these values from your key vault properties in the Azure portal:
- **keyVaultId**: Go to **Key vaults** > select your key vault > **Overview**. Next to **Essentials** select **JSON View**. Copy the **Resource ID** to the clipboard and paste the entire contents into your JSON template.
- **keyName**: Go to **Key vaults** > select your key vault > **Keys**. Notice the key **Name** and type the name into your JSON template.
- **keyVersion**: Go to **Key vaults** > select your key vault > **Keys**. Select the key, copy the **CURRENT VERSION** number, and then paste it into your JSON template.


### Grant enterprise policy permissions to access key vault

Once the enterprise policy is created, the key vault administrator grants the enterprise policy’s managed identity access to the encryption key.
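Review bot: removing the `keyVersion` bullet leaves two consecutive blank lines before `### Grant enterprise policy permissions to access key vault`; collapse them to one.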
Expand Down Expand Up @@ -392,13 +413,13 @@ Follow these steps if you want to return to a Microsoft managed encryption key.
> [!IMPORTANT]
> The environment will be disabled when it is removed from the enterprise policy to revert the data encryption to the Microsoft-managed key. **Do not delete or disable the key, delete or disable the key vault, or remove the enteprise policy's permissions to the key vault.** The key and key vault's access is necessary to support database restoration. You may delete and remove the enterprise policy's permissions after 30 days.
### Change the environment's encryption key
### Change the environment's encryption key with a new enterprise policy and key

To rotate your encryption key, create a new key and a new enterprise policy. You can then change the enterprise policy by removing the environments and then adding the environments to the new enterprise policy.
> [!NOTE]
> Using **New key version** and setting **Rotation policy** to rotate your encryption key is not supported. Activating new key version and disabling the current version will lock the environment.
> Using **New key version** and setting **Rotation policy** to rotate your encryption key is now supported (preview).
1. In [Azure portal](https://ms.portal.azure.com/), create a new key and a new enterprise policy. More information: [Create the key and grant access](#create-the-key-and-grant-access-overview) and [Create an enterprise policy](#create-enterprise-policy)
1. In [Azure portal](https://ms.portal.azure.com/), create a new key and a new enterprise policy. More information: [Create encryption key and grant access](#create-encryption-key-and-grant-access) and [Create an enterprise policy](#create-enterprise-policy)
1. Once the new key and enterprise policy are created, go to **Policies** > **Enterprise policies**.
1. Select the **Environment with policies** tab, and then find the environment you want to remove from customer-managed key.
1. Select the **All policies** tab, select the environment you verified in step 2, and then select **Edit policy** on the command bar.
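Review bot: the NOTE now says rotating via **New key version** or **Rotation policy** is supported (preview), but the sentence directly above it still tells the reader to rotate by creating a new key and a new enterprise policy as if that were the only way; reword the intro (for example "To rotate your encryption key with a new enterprise policy, ...") and have the NOTE link to the new "Change the environment's encryption key with a new key version (preview)" section. The NOTE blockquote also has no blank line between it and the paragraph above or the numbered list below, which can make Markdown render the list as part of the quote. Two pre-existing context issues worth fixing while here: "enteprise" in the IMPORTANT callout, and "the environment you verified in step 2" points at "go to Policies > Enterprise policies" when the environment is actually located in step 3.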
Expand All @@ -417,6 +438,25 @@ To rotate your encryption key, create a new key and a new enterprise policy. You
> [!IMPORTANT]
> The environment will be disabled when it's added to the new enterprise policy.
### Change the environment's encryption key with a new key version (preview)
You can change the environment’s encryption key by creating a new key version. When you create a new key version, the new key version is automatically enabled. All the storage resources detect the new key version and start applying it to encrypt your data.

When you modify the key or the key version, the protection of the root encryption key changes, but the data in the storage always remains encrypted with your key. There is no additional action required on your part to ensure that your data is protected. Rotating the key version doesn't impact performance. There is no downtime associated with rotating the key version. It can take 24 hours for all the resource providers to apply the new key version in the background. The previous key version must not be disabled as it's required for the service to use it for the re-encryption and for the support of database restoration.

To rotate the encryption key by creating a new key version, use the following steps.

1. Go to the [Azure portal](https://ms.portal.azure.com/) > **Key Vaults** and locate the key vault where you want to create a new key version.
1. Navigate to **Keys**.
1. Select the current, enabled key.
1. Select **+ New Version**.
1. Note that the **Enabled** setting defaults to **Yes**, which means that the new key version is automatically enabled upon creation.
1. Select **Create**.

You can also rotate the encryption key using the [Rotation policy](/azure/key-vault/keys/how-to-configure-key-rotation#key-rotation-policy) by either configuring a rotation policy or rotate, on demand, by invoking [Rotate now](/azure/key-vault/keys/how-to-configure-key-rotation#rotation-on-demand).

> [!IMPORTANT]
> The new key version is automatically rotated in the background and there is no action required by the Power Platform admin. It is important that the previous key version must not be disabled or deleted for, at least, 28 days to support database restoration. Disabling or deleting the previous key version too early can take your environment offline.
### View the list of encrypted environments

1. Sign into the [Power Platform admin center](https://admin.powerplatform.microsoft.com), and go to **Policies** > **Enterprise policies**.
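Review bot: the retention rule for the previous key version is stated twice with different strength and with a number that differs from the surrounding text: the paragraph says it "must not be disabled" with no duration, the IMPORTANT says "at least, 28 days", and the IMPORTANT for the enterprise-policy path above says permissions may be removed "after 30 days"; confirm the figure and state one rule in one place. Structure: the new `###` heading follows the previous IMPORTANT blockquote with no blank line, and the closing IMPORTANT runs straight into the next `###` heading, so add blank lines around both blockquotes. Wording: "The new key version is automatically rotated in the background" should say applied (the rotation is what the admin just did); "for, at least, 28 days" should be "for at least 28 days"; "by either configuring a rotation policy or rotate, on demand" should be "either by configuring a rotation policy or by rotating on demand". Finally, since the ARM template no longer pins `keyVersion`, say explicitly whether the enterprise policy now follows the key's current enabled version, as that is what makes a rotation policy safe to use.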
Expand Up @@ -19,7 +19,7 @@ This white paper explains how organizations and administrators can plan migratio

## Default environment

One default environment is created per tenant and is accessible for all users in that tenant. The default environment is created in the region closest to the default region of the Azure Active Directory (Azure AD), part of Microsoft Entra, tenant and is named as follows: **[Azure AD tenant name] (default)**. Whenever a new user signs up for Power Apps or Power Automate, they're automatically added to the Maker role of the default environment. No users are automatically added to the Environment Admin role of the default environment.
One default environment is created per tenant and is accessible for all users in that tenant. The default environment is created in the region closest to the default region of the Azure Active Directory (Azure AD) tenant and is named as follows: **[Azure AD tenant name] (default)**. Whenever a new user signs up for Power Apps or Power Automate, they're automatically added to the Maker role of the default environment. No users are automatically added to the Environment Admin role of the default environment.

You can't delete the default environment and you can't manually back up the default environment. System backups are done continuously. The default environment is limited to 1 TB of storage capacity. The default environment has the following capabilities:
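Review bot: this hunk removes ", part of Microsoft Entra," from the Azure AD mention, reverting an earlier branding update; given Microsoft's ongoing rename of Azure AD to Microsoft Entra ID, confirm the removal is intentional rather than a merge artifact, since this commit is a two-parent merge.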
