doc: Add a note to state the limitations in CMK-encrypted registry #35

Open

wants to merge 4 commits into base: main
Expand Up @@ -227,6 +227,9 @@ Storing individual (subject) OCI Artifacts are covered in [Push and pull OCI art

To store a graph of artifacts, a reference to a `subject` artifact is defined using the [OCI image manifest][oci-image-manifest], which is part of the [prerelease OCI 1.1 Distribution specification][oci-1_1-spec].

> [!NOTE]
> ORAS uses the OCI Referrers API](https://github.com/opencontainers/distribution-spec/blob/main/spec.md#listing-referrers) to store the attached referrer artifacts in the registry by default. The OCI Referrers API is supported by most of the ACR features except the CMK-encrypted registry. ORAS will fall back to use [OCI Referrers Tag Schema](https://github.com/opencontainers/distribution-spec/blob/main/spec.md#referrers-tag-schema) to store the attached referrers in the CMK-encrypted registry.

Always use a versioned tag or commit for the link instead of the main branch.


### Push a container image

To associate a graph of artifacts with a container image using the Azure CLI:
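Review bot: The markdown link in the added note is broken: `ORAS uses the OCI Referrers API](https://github.com/opencontainers/distribution-spec/blob/main/spec.md#listing-referrers)` is missing its opening `[`, so it renders as literal text followed by a parenthesized URL; it should read `ORAS uses the [OCI Referrers API](https://...)`. While fixing that line, `ORAS will fall back to use [OCI Referrers Tag Schema]` reads better as `ORAS falls back to the [OCI Referrers Tag Schema]`, and it would help readers to say explicitly whether this fallback is automatic (no flag needed), since the Notation notes added elsewhere in this PR describe a flag-controlled choice and a reader may otherwise assume the same applies to ORAS. As the comment above says, link to a versioned tag or commit of the spec rather than `main`, so the anchors do not silently drift.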
Expand Up @@ -274,6 +274,9 @@ The following steps show how to create a self-signed certificate for testing pur
| Workload identity credential | `workloadid` |
| Managed identity credential | `managedid` |
| Azure CLI credential | `azurecli` |

> [!NOTE]
> Notation uses [OCI Referrers Tag Schema](https://github.com/opencontainers/distribution-spec/blob/main/spec.md#referrers-tag-schema) to store the signature in ACR by default. You can also enable [OCI Referrers API](https://github.com/opencontainers/distribution-spec/blob/main/spec.md#listing-referrers) by using the flag `--force-referrers-tag false` if needed. The OCI Referrers API is supported by most of the ACR features except the CMK-encrypted registry.

Which version of notation?

@FeynmanZhou Can you respond to the comment above?

@MicrosoftDocs/public-repo-pr-review-team


5. View the graph of signed images and associated signatures.
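Review bot: The flag syntax `--force-referrers-tag false` in the added note should be checked against the Notation CLI before merging: it is a boolean flag, and Go CLIs built on cobra/pflag (which Notation uses) only accept the `--force-referrers-tag=false` form, treating a space-separated `false` as a positional argument rather than the flag value. Please verify the exact invocation and, as asked in the comment above, state the Notation version the note applies to, because the default storage behaviour described here and the availability of the flag are version-dependent and the note currently reads as if it were true for every release.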

Expand Up @@ -315,6 +315,9 @@ To learn more about assigning policy to a principal, see [Assign Access Policy](
└── sha256:d7258166ca820f5ab7190247663464f2dcb149df4d1b6c4943dcaac59157de8e
```

> [!NOTE]
> Notation uses [OCI Referrers Tag Schema](https://github.com/opencontainers/distribution-spec/blob/main/spec.md#referrers-tag-schema) to store the signature in ACR by default. You can also enable [OCI Referrers API](https://github.com/opencontainers/distribution-spec/blob/main/spec.md#listing-referrers) by using the flag `--force-referrers-tag false` if needed. The OCI Referrers API is supported by most of the ACR features except the CMK-encrypted registry.

## Verify a container image with Notation CLI

1. Add the root certificate to a named trust store for signature verification. If you do not have the root certificate, you can obtain it from your CA. The following example adds the root certificate `$ROOT_CERT` to the `$STORE_NAME` trust store.
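Review bot: This note is a verbatim copy of the one added in the previous file, so any correction to it (flag syntax, version qualifier) has to be made in both places; consider a shared include or at least a single canonical wording. More importantly for this location: the note sits directly above `## Verify a container image with Notation CLI`, but it only describes where signatures are stored at signing time. It would help to state how verification behaves when the signature was stored via the OCI Referrers API rather than the tag schema (whether `notation verify` discovers both without an extra flag), because a mismatch between how the signer stored the signature and how the verifier looks for it would make a valid signature appear to be missing.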