Added steps to change the secret for expired keys

Rupp29 · Rupp29 · commit 8fa3e3ff8ed4 · 2021-09-01T12:53:57.000-07:00
diff --git a/docs/relational-databases/security/encryption/setup-steps-for-extensible-key-management-using-the-azure-key-vault.md b/docs/relational-databases/security/encryption/setup-steps-for-extensible-key-management-using-the-azure-key-vault.md
@@ -528,6 +528,21 @@ For a note about the minimum permission levels needed for each action in this se
     DROP ASYMMETRIC KEY [EKMSampleASYKey]
     DROP CRYPTOGRAPHIC PROVIDER [AzureKeyVault_EKM]
     ```  
+      > [!NOTE]
+      > If the credential has a client secret that is about to expire, a new secret can be assigned to the credential.
+      > <ol>1. Update the secret originally create in <b>Step 1: Set up an Azure AD service principal.</b>
+      >
+      >    Alter the credential using the same identity and new secret using the following code:
+      >
+      >    ```sql
+      >    ALTER CREDENTIAL CREDName
+      >    WITH IDENTITY = 'Original Identity',
+      >    SECRET = 'New Secret';
+      >    ```
+      >
+      ></ol>
+      > <ol>2. Restart the SQL service</ol>
+      > <ol>3. Steps 2 and 3 need to be done on all nodes of an Availability Group</ol>
 
 For sample scripts, see the blog at [SQL Server Transparent Data Encryption and Extensible Key Management with Azure Key Vault](https://techcommunity.microsoft.com/t5/sql-server/intro-sql-server-transparent-data-encryption-and-extensible-key/ba-p/1427549).
 
