Hi Sai,
It still does not answer my question regarding the boundaries of PMK . Example in AWS if an AWS managed key is used to encrypt disk usually we are not able to copy that disk over to a different account and use it on a different host in that new account, so the boundary is an account within AWS. Similarly within Azure what is the boundary for PMK. It should not be a case anyone in any organization under any tenant should be able to just copy the disk and use , in which case what is the purpose of encryption ?
I hope i was able to clarify the question better. let me know.
Best
Viswanath Sekar