Azure key sovereignty clarification

PUA Anthony 20 Reputation points
2024-11-08T10:09:00.18+00:00

Hi Microsoft,

I previously asked clarification on Azure's Managed HSM key sovereignty and now back for more clarification.

May I ask, without key sovereignty (as in the case of Azure Key Vault Premium), what kinds of access would Microsoft personnel has exactly? Could you describe a few scenarios please?

Azure Key Vault
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,329 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,450 questions
{count} votes

2 answers

Sort by: Most helpful
  1. Bhasker Donthu 930 Reputation points Microsoft Vendor
    2024-11-11T18:33:15.91+00:00

    Hello @PUA Anthony,

    Thank you for posting your query on Microsoft Q&A.

    Key sovereignty is the concept of maintaining full control over cryptographic keys, including their management, storage, and access, in a manner that aligns with legal and regulatory requirements. In cloud services like Azure Key Vault, key sovereignty empowers organizations to maintain exclusive ownership and control over their encryption keys and sensitive data, no matter where the data is stored or processed.

    This level of control is essential for ensuring security and compliance, as it enables organizations to protect their data and meet regulatory requirements without relying solely on the cloud provider’s internal controls.

    For more details, please refer to https://learn.microsoft.com/en-us/azure/key-vault/managed-hsm/managed-hsm-technical-details Without key sovereignty, there are specific scenarios where Microsoft personnel may have limited access to data within Azure Key Vault. Here are some examples:

    1. If you encounter an issue and open a support ticket, authorized Microsoft support engineers might access your Key Vault to diagnose and resolve the problem. This access is strictly controlled and audited.
    2. For maintaining and operating the Azure Key Vault service, certain Microsoft personnel might have access to the infrastructure. However, this access is typically limited to metadata and not the actual keys or secrets.
    3. During compliance checks or security audits, authorized personnel might review access logs and other metadata to ensure the service meets regulatory requirements. Again, this does not include access to the actual keys or secrets.
    4. In the event of a security incident, Microsoft’s security team might access your Key Vault to investigate and mitigate the issue. This access is also highly controlled and logged.

    In all these scenarios, access is governed by strict policies and procedures to ensure your data remains secure and private. If you need more control over your keys, Azure Key Vault Premium with key sovereignty might be a better option.

    I hope this information is helpful. Please feel free to reach out if you have any further questions.
    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".


  2. PUA Anthony 20 Reputation points
    2024-11-23T09:30:34.68+00:00

    Hi Bhasker, could I ask for confirmation on the following: Without key sovereignty,

    1. Can Microsoft personnel change access policies for keys in AKV Premium (such that others could access it and use it to sign)? (I presume not) If yes, under what scenario?
    2. Under no circumstances Microsoft personnel would have access to the actual key/secret and use it to sign data (although it's mentioned but to confirm it is the case for all scenarios)

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.