From 2c1f17e2f5a07b66d26b5a9c1092e29ae1b5394e Mon Sep 17 00:00:00 2001 From: Sanjay Deshmukh Date: Fri, 20 Jun 2025 09:54:21 -0400 Subject: [PATCH] Clarified not to delete or disable a previous TDE protector key after a rotation. --- .../database/transparent-data-encryption-byok-key-rotation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/azure-sql/database/transparent-data-encryption-byok-key-rotation.md b/azure-sql/database/transparent-data-encryption-byok-key-rotation.md index 2942fe88edd..1e199e17046 100644 --- a/azure-sql/database/transparent-data-encryption-byok-key-rotation.md +++ b/azure-sql/database/transparent-data-encryption-byok-key-rotation.md @@ -36,7 +36,7 @@ This article discusses both automated and manual methods to rotate the TDE prote > This article applies to Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics dedicated SQL pools (formerly SQL DW). For documentation on transparent data encryption (TDE) for dedicated SQL pools inside Synapse workspaces, see [Azure Synapse Analytics encryption](/azure/synapse-analytics/security/workspaces-encryption). > [!IMPORTANT] -> Do not delete previous versions of the key after a rollover. When keys are rolled over, some data is still encrypted with the previous keys, such as older database backups, backed-up log files and transaction log files. +> Do not delete or disable previous versions of the key after a rollover. When keys are rolled over, some data is still encrypted with the previous keys, such as older database backups, backed-up log files and transaction log files, and the previous key is still needed to access this data. ## Prerequisites
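Review bot: In the changed `[!IMPORTANT]` line, the appended clause "and the previous key is still needed to access this data" trails a list of examples, so it reads as one more list item rather than as the reason for the rule. Split it into its own sentence, for example "...backed-up log files and transaction log files. The previous key is still needed to access this data." The note also uses "previous versions of the key", "the previous keys" and "the previous key" for what appears to be the same thing, while the commit subject and the context line above say "TDE protector". Pick one term and use it throughout. Finally, the note tells readers not to delete or disable the old key but gives no condition under which retiring it becomes safe. Either state that condition or link to where the article covers it.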