From 87871405cb059085b0a9727f7967272f8f40f801 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Thu, 23 Jun 2022 23:06:24 +0200 Subject: [PATCH 01/10] Updated cmk implementation --- .../workspaces/.parameters/parameters.json | 8 ++--- .../workspaces/deploy.bicep | 35 +++++++++++-------- .../workspaces/readme.md | 20 +++++------ 3 files changed, 34 insertions(+), 29 deletions(-) diff --git a/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json b/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json index d8058a2616..53ce29cb06 100644 --- a/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json +++ b/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json @@ -34,13 +34,13 @@ "discoveryUrl": { "value": "http://example.com" }, - "encryptionIdentity": { + "cMKUserAssignedIdentityResourceId": { "value": "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001" }, - "encryptionKeyIdentifier": { - "value": "https://adp-carml-az-kv-nopr-002.vault.azure.net/keys/keyEncryptionKey/5263fcde203347baa7cda35d074073b2" // ID must be updated for new keys + "cMKKeyName": { + "value": "keyEncryptionKey" }, - "encryptionKeyVaultResourceId": { + "cMKKeyVaultResourceId": { "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-carml-az-kv-nopr-002" }, "imageBuildCompute": { diff --git a/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep b/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep index 3541bb651a..b88f2f220d 100644 --- a/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep +++ b/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep 
@@ -113,14 +113,14 @@ param description string = '' @sys.description('Optional. URL for the discovery service to identify regional endpoints for machine learning experimentation services.') param discoveryUrl string = '' -@sys.description('Optional. The Resource ID of the user assigned identity that will be used to access the customer managed key vault.') -param encryptionIdentity string = '' +@sys.description('Optional. The resource ID of a key vault to reference a customer managed key for encryption from.') +param cMKKeyVaultResourceId string = '' -@sys.description('Conditional. Key vault URI to access the encryption key. Required if an \'encryptionIdentity\' was provided.') -param encryptionKeyIdentifier string = '' +@sys.description('Optional. The name of the customer managed key to use for encryption. Cannot be deployed together with the parameter \'systemAssignedIdentity\' enabled.') +param cMKKeyName string = '' -@sys.description('Conditional. The ResourceID of the keyVault where the customer owned encryption key is present. Required if an \'encryptionIdentity\' was provided.') -param encryptionKeyVaultResourceId string = '' +@sys.description('Conditional. User assigned identity to use when fetching the customer managed key. Required if \'cMKeyName\' is not empty.') +param cMKUserAssignedIdentityResourceId string = '' @sys.description('Optional. The compute name for image build.') param imageBuildCompute string = '' @@ -181,6 +181,11 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } +resource cMKKeyVaultKey 'Microsoft.KeyVault/vaults/keys@2021-10-01' existing = if (!empty(cMKKeyVaultResourceId) && !empty(cMKKeyName)) { + name: '${last(split(cMKKeyVaultResourceId, '/'))}/${cMKKeyName}' + scope: resourceGroup(split(cMKKeyVaultResourceId, '/')[2], split(cMKKeyVaultResourceId, '/')[4]) +} + resource workspace 'Microsoft.MachineLearningServices/workspaces@2021-07-01' = { name: name location: location 
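Review bot: The description added for `cMKUserAssignedIdentityResourceId` names a parameter `'cMKeyName'` that does not exist; the parameter declared just above it is `cMKKeyName`, and the generated readme will carry the wrong name to users. In the same hunk `cMKKeyVaultResourceId` is labelled `Optional.`, yet the `cMKKeyVaultKey` `existing` resource in the second hunk cannot resolve its `name`/`scope` without it and the `encryption` block in the following hunk passes it as `keyVaultArmId`, so it is conditional on `cMKKeyName` in practice. Suggested description: `@sys.description('Conditional. The resource ID of the key vault holding the customer managed key. Required if \'cMKKeyName\' is not empty.')`, and `\'cMKeyName\'` corrected to `\'cMKKeyName\'` on the identity parameter.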
@@ -200,15 +205,15 @@ resource workspace 'Microsoft.MachineLearningServices/workspaces@2021-07-01' = {
 allowPublicAccessWhenBehindVnet: allowPublicAccessWhenBehindVnet
 description: description
 discoveryUrl: discoveryUrl
- encryption: any({
- identity: !empty(encryptionIdentity) ? {
- userAssignedIdentity: encryptionIdentity
- } : null
- keyVaultProperties: !empty(encryptionIdentity) ? {
- keyIdentifier: encryptionKeyIdentifier
- keyVaultArmId: encryptionKeyVaultResourceId
- } : null
- })
+ encryption: !empty(cMKKeyName) ? {
+ identity: {
+ userAssignedIdentity: cMKUserAssignedIdentityResourceId
+ }
+ keyVaultProperties: {
+ keyVaultArmId: cMKKeyVaultResourceId
+ keyIdentifier: cMKKeyVaultKey.properties.keyUri
+ }
+ } : null
 imageBuildCompute: imageBuildCompute
 primaryUserAssignedIdentity: primaryUserAssignedIdentity
 publicNetworkAccess: publicNetworkAccess
diff --git a/arm/Microsoft.MachineLearningServices/workspaces/readme.md b/arm/Microsoft.MachineLearningServices/workspaces/readme.md
index c9c3e80489..2db82aae95 100644
--- a/arm/Microsoft.MachineLearningServices/workspaces/readme.md
+++ b/arm/Microsoft.MachineLearningServices/workspaces/readme.md
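Review bot: The new `encryption` object is gated on `!empty(cMKKeyName)` alone, while the `cMKKeyVaultKey` `existing` resource it reads `properties.keyUri` from (declared in the preceding hunk) is gated on `!empty(cMKKeyVaultResourceId) && !empty(cMKKeyName)`; a caller who sets `cMKKeyName` without `cMKKeyVaultResourceId` therefore references an undeployed resource and, as far as I can tell, has `split(cMKKeyVaultResourceId, '/')[2]` evaluated on an empty string, so the mistake surfaces as an opaque deployment error instead of a clear validation failure. Using the same condition on both sides, `encryption: !empty(cMKKeyVaultResourceId) && !empty(cMKKeyName) ? {`, keeps them in step and makes the key-vault parameter's conditional nature explicit. Separately, `identity.userAssignedIdentity` is now always emitted, as an empty string when `cMKUserAssignedIdentityResourceId` is unset, where the removed code emitted `null`; PATCH 07 revisits that case.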
@@ -35,8 +35,7 @@ This module deploys a Machine Learning Services Workspace. **Conditional parameters** | Parameter Name | Type | Default Value | Description | | :-- | :-- | :-- | :-- | -| `encryptionKeyIdentifier` | string | `''` | Key vault URI to access the encryption key. Required if an 'encryptionIdentity' was provided. | -| `encryptionKeyVaultResourceId` | string | `''` | The ResourceID of the keyVault where the customer owned encryption key is present. Required if an 'encryptionIdentity' was provided. | +| `cMKUserAssignedIdentityResourceId` | string | `''` | User assigned identity to use when fetching the customer managed key. Required if 'cMKeyName' is not empty. | | `primaryUserAssignedIdentity` | string | `''` | The user assigned identity resource id that represents the workspace identity. Required if 'userAssignedIdentities' is not empty and may not be used if 'systemAssignedIdentity' is enabled. | | `systemAssignedIdentity` | bool | `False` | Enables system assigned managed identity on the resource. Required if `userAssignedIdentities` is not provided. | | `userAssignedIdentities` | object | `{object}` | The ID(s) to assign to the resource. Required if `systemAssignedIdentity` is set to false. | 
@@ -46,6 +45,8 @@ This module deploys a Machine Learning Services Workspace. | :-- | :-- | :-- | :-- | :-- | | `allowPublicAccessWhenBehindVnet` | bool | `False` | | The flag to indicate whether to allow public access when behind VNet. | | `associatedContainerRegistryResourceId` | string | `''` | | The resource ID of the associated Container Registry. | +| `cMKKeyName` | string | `''` | | The name of the customer managed key to use for encryption. Cannot be deployed together with the parameter 'systemAssignedIdentity' enabled. | +| `cMKKeyVaultResourceId` | string | `''` | | The resource ID of a key vault to reference a customer managed key for encryption from. | | `computes` | _[computes](computes/readme.md)_ array | `[]` | | Computes to create respectively attach to the workspace. | | `description` | string | `''` | | The description of this workspace. | | `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | @@ -58,7 +59,6 @@ This module deploys a Machine Learning Services Workspace. | `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. | | `discoveryUrl` | string | `''` | | URL for the discovery service to identify regional endpoints for machine learning experimentation services. | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | -| `encryptionIdentity` | string | `''` | | The Resource ID of the user assigned identity that will be used to access the customer managed key vault. | | `hbiWorkspace` | bool | `False` | | The flag to signal HBI data in the workspace and reduce diagnostic data collected by the service. | | `imageBuildCompute` | string | `''` | | The compute name for image build. | | `location` | string | `[resourceGroup().location]` | | Location for all resources. | 
@@ -497,13 +497,13 @@ module workspaces './Microsoft.MachineLearningServices/workspaces/deploy.bicep'
 "discoveryUrl": {
 "value": "http://example.com"
 },
- "encryptionIdentity": {
+ "cMKUserAssignedIdentityResourceId": {
 "value": "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001"
 },
- "encryptionKeyIdentifier": {
- "value": "https://adp-carml-az-kv-nopr-002.vault.azure.net/keys/keyEncryptionKey/5263fcde203347baa7cda35d074073b2" // ID must be updated for new keys
+ "cMKKeyName": {
+ "value": "keyEncryptionKey"
 },
- "encryptionKeyVaultResourceId": {
+ "cMKKeyVaultResourceId": {
 "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-carml-az-kv-nopr-002"
 },
 "imageBuildCompute": {
@@ -605,9 +605,9 @@ module workspaces './Microsoft.MachineLearningServices/workspaces/deploy.bicep'
 }
 description: 'The cake is a lie.'
 discoveryUrl: 'http://example.com'
- encryptionIdentity: '/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001'
- encryptionKeyIdentifier: 'https://adp-carml-az-kv-nopr-002.vault.azure.net/keys/keyEncryptionKey/5263fcde203347baa7cda35d074073b2'
- encryptionKeyVaultResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-carml-az-kv-nopr-002'
+ cMKUserAssignedIdentityResourceId: '/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001'
+ cMKKeyName: 'keyEncryptionKey'
+ cMKKeyVaultResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-carml-az-kv-nopr-002'
 imageBuildCompute: 'testcompute'
 publicNetworkAccess: 'Enabled'
 primaryUserAssignedIdentity: '/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001'
From bef93dd37cd2fff3028db7b280d3fa862194a94f Mon Sep 17 00:00:00 2001 From: MrMCake Date: Fri, 24 Jun 2022 08:24:42 +0200 Subject: [PATCH 02/10] Updated par + added property --- arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep | 3 ++- arm/Microsoft.MachineLearningServices/workspaces/readme.md | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep b/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep index b88f2f220d..433eee31ef 100644 --- a/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep +++ b/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep @@ -43,7 +43,7 @@ param allowPublicAccessWhenBehindVnet bool = false @sys.description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] -@sys.description('Optional. Configuration Details for private endpoints.') +@sys.description('Optional. Configuration Details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.') param privateEndpoints array = [] @sys.description('Optional. Computes to create respectively attach to the workspace.') @@ -206,6 +206,7 @@ resource workspace 'Microsoft.MachineLearningServices/workspaces@2021-07-01' = { description: description discoveryUrl: discoveryUrl encryption: !empty(cMKKeyName) ? { + status: 'Enabled' identity: { userAssignedIdentity: cMKUserAssignedIdentityResourceId } 
diff --git a/arm/Microsoft.MachineLearningServices/workspaces/readme.md b/arm/Microsoft.MachineLearningServices/workspaces/readme.md index 2db82aae95..4e5b3feb4d 100644 --- a/arm/Microsoft.MachineLearningServices/workspaces/readme.md +++ b/arm/Microsoft.MachineLearningServices/workspaces/readme.md @@ -63,7 +63,7 @@ This module deploys a Machine Learning Services Workspace. | `imageBuildCompute` | string | `''` | | The compute name for image build. | | `location` | string | `[resourceGroup().location]` | | Location for all resources. | | `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `privateEndpoints` | array | `[]` | | Configuration Details for private endpoints. | +| `privateEndpoints` | array | `[]` | | Configuration Details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | | `publicNetworkAccess` | string | `'Disabled'` | `[Enabled, Disabled]` | Whether requests from Public Network are allowed. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | `tags` | object | `{object}` | | Resource tags. | From 822cd0c5de349e801be880e8597d467cb0317ee9 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Fri, 24 Jun 2022 10:31:05 +0200 Subject: [PATCH 03/10] Upload fix --- .../workspaces/.parameters/parameters.json | 2 +- arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json b/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json index 53ce29cb06..d2940f8df0 100644 --- a/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json +++ b/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json @@ -41,7 +41,7 @@ "value": "keyEncryptionKey" }, "cMKKeyVaultResourceId": { - "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-carml-az-kv-nopr-002" + "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-nopr-002" }, "imageBuildCompute": { "value": "testcompute" diff --git a/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep b/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep index 433eee31ef..db9e6b7fc9 100644 --- a/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep +++ b/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep @@ -212,7 +212,7 @@ resource workspace 'Microsoft.MachineLearningServices/workspaces@2021-07-01' = { } keyVaultProperties: { keyVaultArmId: cMKKeyVaultResourceId - keyIdentifier: cMKKeyVaultKey.properties.keyUri + keyIdentifier: cMKKeyVaultKey.properties.keyUriWithVersion } } : null imageBuildCompute: imageBuildCompute From 0572f3233237ab223dd43d4f6affe5e62818f150 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Fri, 24 Jun 2022 10:33:27 +0200 Subject: [PATCH 04/10] Updaetd readme --- arm/Microsoft.MachineLearningServices/workspaces/readme.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arm/Microsoft.MachineLearningServices/workspaces/readme.md b/arm/Microsoft.MachineLearningServices/workspaces/readme.md index 4e5b3feb4d..28d6399248 100644 --- a/arm/Microsoft.MachineLearningServices/workspaces/readme.md +++ b/arm/Microsoft.MachineLearningServices/workspaces/readme.md 
@@ -504,7 +504,7 @@ module workspaces './Microsoft.MachineLearningServices/workspaces/deploy.bicep' "value": "keyEncryptionKey" }, "cMKKeyVaultResourceId": { - "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-carml-az-kv-nopr-002" + "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-nopr-002" }, "imageBuildCompute": { "value": "testcompute" @@ -607,7 +607,7 @@ module workspaces './Microsoft.MachineLearningServices/workspaces/deploy.bicep' discoveryUrl: 'http://example.com' cMKUserAssignedIdentityResourceId: '/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001' cMKKeyName: 'keyEncryptionKey' - cMKKeyVaultResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-carml-az-kv-nopr-002' + cMKKeyVaultResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-nopr-002' imageBuildCompute: 'testcompute' publicNetworkAccess: 'Enabled' primaryUserAssignedIdentity: '/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001' From 6cdeb39eb34468a36138f758c5315ae28ae5f558 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Fri, 24 Jun 2022 11:28:32 +0200 Subject: [PATCH 05/10] Added optional key version --- .../workspaces/deploy.bicep | 5 ++++- arm/Microsoft.MachineLearningServices/workspaces/readme.md | 1 + 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep b/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep index db9e6b7fc9..3261099a6d 100644 --- a/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep +++ b/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep 
@@ -122,6 +122,9 @@ param cMKKeyName string = '' @sys.description('Conditional. User assigned identity to use when fetching the customer managed key. Required if \'cMKeyName\' is not empty.') param cMKUserAssignedIdentityResourceId string = '' +@sys.description('Optional. The version of the customer managed key to reference for encryption. If not provided, latest is used.') +param cMKKeyVersion string = '' + @sys.description('Optional. The compute name for image build.') param imageBuildCompute string = '' @@ -212,7 +215,7 @@ resource workspace 'Microsoft.MachineLearningServices/workspaces@2021-07-01' = { } keyVaultProperties: { keyVaultArmId: cMKKeyVaultResourceId - keyIdentifier: cMKKeyVaultKey.properties.keyUriWithVersion + keyIdentifier: !empty(cMKKeyVersion) ? '${cMKKeyVaultKey.properties.keyUri}/${cMKKeyVersion}' : cMKKeyVaultKey.properties.keyUriWithVersion } } : null imageBuildCompute: imageBuildCompute diff --git a/arm/Microsoft.MachineLearningServices/workspaces/readme.md b/arm/Microsoft.MachineLearningServices/workspaces/readme.md index 28d6399248..7140e529fb 100644 --- a/arm/Microsoft.MachineLearningServices/workspaces/readme.md +++ b/arm/Microsoft.MachineLearningServices/workspaces/readme.md 
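Review bot: The fallback branch of the new `keyIdentifier` expression resolves to `cMKKeyVaultKey.properties.keyUriWithVersion` (introduced in PATCH 03), so the workspace is bound to whichever key version is current at deployment time; the new description `If not provided, latest is used.` reads as if the workspace would follow later rotations, which a versioned URI does not do by itself. Suggest wording it as `If not provided, the key version that is current at deployment time is used; after rotating the key in the vault, redeploy to reference the new version.` (the PATCH 07 hunk that rewords this description keeps the same ambiguity). When `cMKKeyVersion` is given, `'${cMKKeyVaultKey.properties.keyUri}/${cMKKeyVersion}'` is concatenated without any check that the version exists, so a mistyped version only fails at workspace creation; a short comment on that line saying so would save the next reader a debugging round. The `resource workspace` block this property belongs to starts and ends outside the hunk.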
@@ -47,6 +47,7 @@ This module deploys a Machine Learning Services Workspace. | `associatedContainerRegistryResourceId` | string | `''` | | The resource ID of the associated Container Registry. | | `cMKKeyName` | string | `''` | | The name of the customer managed key to use for encryption. Cannot be deployed together with the parameter 'systemAssignedIdentity' enabled. | | `cMKKeyVaultResourceId` | string | `''` | | The resource ID of a key vault to reference a customer managed key for encryption from. | +| `cMKKeyVersion` | string | `''` | | The version of the customer managed key to reference for encryption. If not provided, latest is used. | | `computes` | _[computes](computes/readme.md)_ array | `[]` | | Computes to create respectively attach to the workspace. | | `description` | string | `''` | | The description of this workspace. | | `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | From aed35390a2cdda16704aa1bcec9825a3e13058f0 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Fri, 24 Jun 2022 13:11:45 +0200 Subject: [PATCH 06/10] Updated docs --- arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep | 2 +- arm/Microsoft.MachineLearningServices/workspaces/readme.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep b/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep index 3261099a6d..9f17c47e76 100644 --- a/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep +++ b/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep 
@@ -116,7 +116,7 @@ param discoveryUrl string = '' @sys.description('Optional. The resource ID of a key vault to reference a customer managed key for encryption from.') param cMKKeyVaultResourceId string = '' -@sys.description('Optional. The name of the customer managed key to use for encryption. Cannot be deployed together with the parameter \'systemAssignedIdentity\' enabled.') +@sys.description('Optional. The name of the customer managed key to use for encryption.') param cMKKeyName string = '' @sys.description('Conditional. User assigned identity to use when fetching the customer managed key. Required if \'cMKeyName\' is not empty.') diff --git a/arm/Microsoft.MachineLearningServices/workspaces/readme.md b/arm/Microsoft.MachineLearningServices/workspaces/readme.md index 7140e529fb..531914d878 100644 --- a/arm/Microsoft.MachineLearningServices/workspaces/readme.md +++ b/arm/Microsoft.MachineLearningServices/workspaces/readme.md @@ -45,7 +45,7 @@ This module deploys a Machine Learning Services Workspace. | :-- | :-- | :-- | :-- | :-- | | `allowPublicAccessWhenBehindVnet` | bool | `False` | | The flag to indicate whether to allow public access when behind VNet. | | `associatedContainerRegistryResourceId` | string | `''` | | The resource ID of the associated Container Registry. | -| `cMKKeyName` | string | `''` | | The name of the customer managed key to use for encryption. Cannot be deployed together with the parameter 'systemAssignedIdentity' enabled. | +| `cMKKeyName` | string | `''` | | The name of the customer managed key to use for encryption. | | `cMKKeyVaultResourceId` | string | `''` | | The resource ID of a key vault to reference a customer managed key for encryption from. | | `cMKKeyVersion` | string | `''` | | The version of the customer managed key to reference for encryption. If not provided, latest is used. | | `computes` | _[computes](computes/readme.md)_ array | `[]` | | Computes to create respectively attach to the workspace. | 
From b81482a525593009ba93476ef4f33aca13b172bf Mon Sep 17 00:00:00 2001 From: MrMCake Date: Sat, 25 Jun 2022 00:16:43 +0200 Subject: [PATCH 07/10] Update to latest --- .../workspaces/deploy.bicep | 8 ++++---- .../workspaces/readme.md | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep b/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep index 9f17c47e76..a5d3173663 100644 --- a/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep +++ b/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep @@ -119,10 +119,10 @@ param cMKKeyVaultResourceId string = '' @sys.description('Optional. The name of the customer managed key to use for encryption.') param cMKKeyName string = '' -@sys.description('Conditional. User assigned identity to use when fetching the customer managed key. Required if \'cMKeyName\' is not empty.') +@sys.description('Conditional. User assigned identity to use when fetching the customer managed key. If not provided, a system-assigned identity can be used - but must be given access to the referenced key vault first.') param cMKUserAssignedIdentityResourceId string = '' -@sys.description('Optional. The version of the customer managed key to reference for encryption. If not provided, latest is used.') +@sys.description('Optional. The version of the customer managed key to reference for encryption. If not provided, the latest key version is used.') param cMKKeyVersion string = '' @sys.description('Optional. The compute name for image build.') 
@@ -210,9 +210,9 @@ resource workspace 'Microsoft.MachineLearningServices/workspaces@2021-07-01' = {
 discoveryUrl: discoveryUrl
 encryption: !empty(cMKKeyName) ? {
 status: 'Enabled'
- identity: {
+ identity: !emtpy(cMKUserAssignedIdentityResourceId) ? {
 userAssignedIdentity: cMKUserAssignedIdentityResourceId
- }
+ } : null
 keyVaultProperties: {
 keyVaultArmId: cMKKeyVaultResourceId
 keyIdentifier: !empty(cMKKeyVersion) ? '${cMKKeyVaultKey.properties.keyUri}/${cMKKeyVersion}' : cMKKeyVaultKey.properties.keyUriWithVersion
diff --git a/arm/Microsoft.MachineLearningServices/workspaces/readme.md b/arm/Microsoft.MachineLearningServices/workspaces/readme.md
index 531914d878..c1649337b9 100644
--- a/arm/Microsoft.MachineLearningServices/workspaces/readme.md
+++ b/arm/Microsoft.MachineLearningServices/workspaces/readme.md
@@ -35,7 +35,7 @@ This module deploys a Machine Learning Services Workspace.
 **Conditional parameters**
 | Parameter Name | Type | Default Value | Description |
 | :-- | :-- | :-- | :-- |
-| `cMKUserAssignedIdentityResourceId` | string | `''` | User assigned identity to use when fetching the customer managed key. Required if 'cMKeyName' is not empty. |
+| `cMKUserAssignedIdentityResourceId` | string | `''` | User assigned identity to use when fetching the customer managed key. If not provided, a system-assigned identity can be used - but must be given access to the referenced key vault first. |
 | `primaryUserAssignedIdentity` | string | `''` | The user assigned identity resource id that represents the workspace identity. Required if 'userAssignedIdentities' is not empty and may not be used if 'systemAssignedIdentity' is enabled. |
 | `systemAssignedIdentity` | bool | `False` | Enables system assigned managed identity on the resource. Required if `userAssignedIdentities` is not provided. |
 | `userAssignedIdentities` | object | `{object}` | The ID(s) to assign to the resource. Required if `systemAssignedIdentity` is set to false. |
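Review bot: With `identity` now `null` whenever `cMKUserAssignedIdentityResourceId` is empty, nothing in the template ensures that an identity able to unwrap the key exists: the module's `systemAssignedIdentity` parameter defaults to `False` (conditional-parameters table in the readme hunk), so a caller that sets only `cMKKeyName` gets an `encryption` block with no identity at all, and the new description's `must be given access to the referenced key vault first` cannot be satisfied for a system-assigned identity that this same deployment creates. A guard in the description and, if the module has such a pattern, a validation expression would make the dependency explicit, e.g. `@sys.description('Conditional. User assigned identity to use when fetching the customer managed key. Required if \'cMKKeyName\' is not empty and \'systemAssignedIdentity\' is not enabled; a system-assigned identity must be granted access to the key vault before the key is used.')`. PATCH 09 later relabels this parameter from `Conditional.` to `Optional.`, which makes the dependency even less visible, so the same note applies to that hunk. Note also that `!emtpy(cMKUserAssignedIdentityResourceId)` on the added line will not compile as committed (PATCH 08 corrects it); the `resource workspace` block starts and ends outside this hunk.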
@@ -47,7 +47,7 @@ This module deploys a Machine Learning Services Workspace. | `associatedContainerRegistryResourceId` | string | `''` | | The resource ID of the associated Container Registry. | | `cMKKeyName` | string | `''` | | The name of the customer managed key to use for encryption. | | `cMKKeyVaultResourceId` | string | `''` | | The resource ID of a key vault to reference a customer managed key for encryption from. | -| `cMKKeyVersion` | string | `''` | | The version of the customer managed key to reference for encryption. If not provided, latest is used. | +| `cMKKeyVersion` | string | `''` | | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. | | `computes` | _[computes](computes/readme.md)_ array | `[]` | | Computes to create respectively attach to the workspace. | | `description` | string | `''` | | The description of this workspace. | | `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | From 24f096ec1c41ed2a20872e83c1fd50731379d453 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Sat, 25 Jun 2022 00:16:49 +0200 Subject: [PATCH 08/10] Update to latest --- arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep b/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep index a5d3173663..3fd3163e6a 100644 --- a/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep +++ b/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep 
@@ -210,7 +210,7 @@ resource workspace 'Microsoft.MachineLearningServices/workspaces@2021-07-01' = { discoveryUrl: discoveryUrl encryption: !empty(cMKKeyName) ? { status: 'Enabled' - identity: !emtpy(cMKUserAssignedIdentityResourceId) ? { + identity: !empty(cMKUserAssignedIdentityResourceId) ? { userAssignedIdentity: cMKUserAssignedIdentityResourceId } : null keyVaultProperties: { From 6763d3734ca94451ca7f25adcba71e255d85302e Mon Sep 17 00:00:00 2001 From: MrMCake Date: Sat, 25 Jun 2022 00:21:34 +0200 Subject: [PATCH 09/10] Update to latest --- arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep | 2 +- arm/Microsoft.MachineLearningServices/workspaces/readme.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep b/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep index 3fd3163e6a..ea34dbde10 100644 --- a/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep +++ b/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep @@ -119,7 +119,7 @@ param cMKKeyVaultResourceId string = '' @sys.description('Optional. The name of the customer managed key to use for encryption.') param cMKKeyName string = '' -@sys.description('Conditional. User assigned identity to use when fetching the customer managed key. If not provided, a system-assigned identity can be used - but must be given access to the referenced key vault first.') +@sys.description('Optional. User assigned identity to use when fetching the customer managed key. If not provided, a system-assigned identity can be used - but must be given access to the referenced key vault first.') param cMKUserAssignedIdentityResourceId string = '' @sys.description('Optional. The version of the customer managed key to reference for encryption. If not provided, the latest key version is used.') 
diff --git a/arm/Microsoft.MachineLearningServices/workspaces/readme.md b/arm/Microsoft.MachineLearningServices/workspaces/readme.md index c1649337b9..be85e207d4 100644 --- a/arm/Microsoft.MachineLearningServices/workspaces/readme.md +++ b/arm/Microsoft.MachineLearningServices/workspaces/readme.md @@ -35,7 +35,6 @@ This module deploys a Machine Learning Services Workspace. **Conditional parameters** | Parameter Name | Type | Default Value | Description | | :-- | :-- | :-- | :-- | -| `cMKUserAssignedIdentityResourceId` | string | `''` | User assigned identity to use when fetching the customer managed key. If not provided, a system-assigned identity can be used - but must be given access to the referenced key vault first. | | `primaryUserAssignedIdentity` | string | `''` | The user assigned identity resource id that represents the workspace identity. Required if 'userAssignedIdentities' is not empty and may not be used if 'systemAssignedIdentity' is enabled. | | `systemAssignedIdentity` | bool | `False` | Enables system assigned managed identity on the resource. Required if `userAssignedIdentities` is not provided. | | `userAssignedIdentities` | object | `{object}` | The ID(s) to assign to the resource. Required if `systemAssignedIdentity` is set to false. | 
@@ -48,6 +47,7 @@ This module deploys a Machine Learning Services Workspace. | `cMKKeyName` | string | `''` | | The name of the customer managed key to use for encryption. | | `cMKKeyVaultResourceId` | string | `''` | | The resource ID of a key vault to reference a customer managed key for encryption from. | | `cMKKeyVersion` | string | `''` | | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. | +| `cMKUserAssignedIdentityResourceId` | string | `''` | | User assigned identity to use when fetching the customer managed key. If not provided, a system-assigned identity can be used - but must be given access to the referenced key vault first. | | `computes` | _[computes](computes/readme.md)_ array | `[]` | | Computes to create respectively attach to the workspace. | | `description` | string | `''` | | The description of this workspace. | | `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | From 08051574e9d59dfc8808a93c9a6d16feb80670f5 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Mon, 4 Jul 2022 12:14:22 +0200 Subject: [PATCH 10/10] Extracted encr to dedicated file --- .../ms.machinelearningservices.workspaces.yml | 1 + .../workspaces/.test/encr.parameters.json | 49 ++++++++ .../workspaces/.test/parameters.json | 9 -- .../workspaces/deploy.bicep | 6 +- .../workspaces/readme.md | 108 +++++++++++++++--- 5 files changed, 148 insertions(+), 25 deletions(-) create mode 100644 modules/Microsoft.MachineLearningServices/workspaces/.test/encr.parameters.json diff --git a/.azuredevops/modulePipelines/ms.machinelearningservices.workspaces.yml b/.azuredevops/modulePipelines/ms.machinelearningservices.workspaces.yml index b4b74f62f2..7d18d7b1bd 100644 --- a/.azuredevops/modulePipelines/ms.machinelearningservices.workspaces.yml 
+++ b/.azuredevops/modulePipelines/ms.machinelearningservices.workspaces.yml @@ -47,6 +47,7 @@ stages: deploymentBlocks: - path: $(modulePath)/.test/min.parameters.json - path: $(modulePath)/.test/parameters.json + - path: $(modulePath)/.test/encr.parameters.json - stage: Publishing displayName: Publishing diff --git a/modules/Microsoft.MachineLearningServices/workspaces/.test/encr.parameters.json b/modules/Microsoft.MachineLearningServices/workspaces/.test/encr.parameters.json new file mode 100644 index 0000000000..b98a6f241d --- /dev/null +++ b/modules/Microsoft.MachineLearningServices/workspaces/.test/encr.parameters.json 
@@ -0,0 +1,49 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "name": {
+ "value": "<>-az-mls-encr-001"
+ },
+ "sku": {
+ "value": "Basic"
+ },
+ "associatedStorageAccountResourceId": {
+ "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<>azsax001"
+ },
+ "associatedKeyVaultResourceId": {
+ "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-001"
+ },
+ "associatedApplicationInsightsResourceId": {
+ "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Insights/components/adp-<>-az-appi-x-001"
+ },
+ "cMKUserAssignedIdentityResourceId": {
+ "value": "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001"
+ },
+ "cMKKeyName": {
+ "value": "keyEncryptionKey"
+ },
+ "cMKKeyVaultResourceId": {
+ "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-nopr-002"
+ },
+ "systemAssignedIdentity": {
+ "value": false // Must be false if `primaryUserAssignedIdentity` is provided
+ },
+ "userAssignedIdentities": {
+ "value": {
+ "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001": {}
+ }
+ },
+ "primaryUserAssignedIdentity": {
+ "value": "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001"
+ },
+ "privateEndpoints": {
+ "value": [
+ {
+ "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints",
+ "service": "amlworkspace"
+ }
+ ]
+ }
+ }
+}
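Review bot: The same managed identity `adp-<>-az-msi-x-001` is passed as `cMKUserAssignedIdentityResourceId`, as the only entry of `userAssignedIdentities` and as `primaryUserAssignedIdentity`, so the identity that unwraps the encryption key is also the workspace's general-purpose identity. That is convenient for a validation fixture, but this file is reproduced verbatim in the readme examples, so it is what users will copy; a dedicated identity holding only the key permissions keeps key access separate from whatever the workspace identity is later granted. A comment above the `cMKUserAssignedIdentityResourceId` entry, `// Test convenience: in production use a dedicated identity for key access`, would make the intent explicit.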
diff --git a/modules/Microsoft.MachineLearningServices/workspaces/.test/parameters.json b/modules/Microsoft.MachineLearningServices/workspaces/.test/parameters.json index d2940f8df0..ae1a639a13 100644 --- a/modules/Microsoft.MachineLearningServices/workspaces/.test/parameters.json +++ b/modules/Microsoft.MachineLearningServices/workspaces/.test/parameters.json @@ -34,15 +34,6 @@ "discoveryUrl": { "value": "http://example.com" }, - "cMKUserAssignedIdentityResourceId": { - "value": "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001" - }, - "cMKKeyName": { - "value": "keyEncryptionKey" - }, - "cMKKeyVaultResourceId": { - "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-nopr-002" - }, "imageBuildCompute": { "value": "testcompute" }, diff --git a/modules/Microsoft.MachineLearningServices/workspaces/deploy.bicep b/modules/Microsoft.MachineLearningServices/workspaces/deploy.bicep index a7f9407c7d..d84d2c3939 100644 --- a/modules/Microsoft.MachineLearningServices/workspaces/deploy.bicep +++ b/modules/Microsoft.MachineLearningServices/workspaces/deploy.bicep 
@@ -119,12 +119,12 @@ param cMKKeyVaultResourceId string = '' @sys.description('Optional. The name of the customer managed key to use for encryption.') param cMKKeyName string = '' -@sys.description('Optional. User assigned identity to use when fetching the customer managed key. If not provided, a system-assigned identity can be used - but must be given access to the referenced key vault first.') -param cMKUserAssignedIdentityResourceId string = '' - @sys.description('Optional. The version of the customer managed key to reference for encryption. If not provided, the latest key version is used.') param cMKKeyVersion string = '' +@sys.description('Optional. User assigned identity to use when fetching the customer managed key. If not provided, a system-assigned identity can be used - but must be given access to the referenced key vault first.') +param cMKUserAssignedIdentityResourceId string = '' + @sys.description('Optional. The compute name for image build.') param imageBuildCompute string = '' diff --git a/modules/Microsoft.MachineLearningServices/workspaces/readme.md b/modules/Microsoft.MachineLearningServices/workspaces/readme.md index 1666a87d79..6fd60e15b9 100644 --- a/modules/Microsoft.MachineLearningServices/workspaces/readme.md +++ b/modules/Microsoft.MachineLearningServices/workspaces/readme.md 
@@ -404,6 +404,100 @@ userAssignedIdentities: { via JSON Parameter file +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "value": "<>-az-mls-encr-001" + }, + "sku": { + "value": "Basic" + }, + "associatedStorageAccountResourceId": { + "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<>azsax001" + }, + "associatedKeyVaultResourceId": { + "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-001" + }, + "associatedApplicationInsightsResourceId": { + "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Insights/components/adp-<>-az-appi-x-001" + }, + "cMKUserAssignedIdentityResourceId": { + "value": "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001" + }, + "cMKKeyName": { + "value": "keyEncryptionKey" + }, + "cMKKeyVaultResourceId": { + "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-nopr-002" + }, + "systemAssignedIdentity": { + "value": false // Must be false if `primaryUserAssignedIdentity` is provided + }, + "userAssignedIdentities": { + "value": { + "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001": {} + } + }, + "primaryUserAssignedIdentity": { + "value": "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001" + }, + "privateEndpoints": { + "value": [ + { + "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints", + "service": "amlworkspace" + } + ] + } + } +} +``` + + + +
+ +via Bicep module + +```bicep +module workspaces './Microsoft.MachineLearningServices/workspaces/deploy.bicep' = { + name: '${uniqueString(deployment().name)}-workspaces' + params: { + name: '<>-az-mls-encr-001' + sku: 'Basic' + associatedStorageAccountResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<>azsax001' + associatedKeyVaultResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-001' + associatedApplicationInsightsResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Insights/components/adp-<>-az-appi-x-001' + cMKUserAssignedIdentityResourceId: '/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001' + cMKKeyName: 'keyEncryptionKey' + cMKKeyVaultResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-nopr-002' + systemAssignedIdentity: false + userAssignedIdentities: { + '/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001': {} + } + primaryUserAssignedIdentity: '/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001' + privateEndpoints: [ + { + subnetResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints' + service: 'amlworkspace' + } + ] + } +} +``` + +
+

+ +

Example 2

+ +
+ +via JSON Parameter file + ```json { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", @@ -454,7 +548,7 @@ module workspaces './Microsoft.MachineLearningServices/workspaces/deploy.bicep'

-

Example 2

+

Example 3

@@ -497,15 +591,6 @@ module workspaces './Microsoft.MachineLearningServices/workspaces/deploy.bicep' "discoveryUrl": { "value": "http://example.com" }, - "cMKUserAssignedIdentityResourceId": { - "value": "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001" - }, - "cMKKeyName": { - "value": "keyEncryptionKey" - }, - "cMKKeyVaultResourceId": { - "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-nopr-002" - }, "imageBuildCompute": { "value": "testcompute" }, @@ -604,9 +689,6 @@ module workspaces './Microsoft.MachineLearningServices/workspaces/deploy.bicep' } description: 'The cake is a lie.' discoveryUrl: 'http://example.com' - cMKUserAssignedIdentityResourceId: '/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001' - cMKKeyName: 'keyEncryptionKey' - cMKKeyVaultResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-nopr-002' imageBuildCompute: 'testcompute' publicNetworkAccess: 'Enabled' primaryUserAssignedIdentity: '/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001'