Best practices when using Managed HSM

Control Access to your managed HSM

Managed HSM is a cloud service that safeguards encryption keys. As these keys are sensitive and business critical, make sure to secure access to your managed HSMs by allowing only authorized applications and users. This article provides an overview of the access model. It explains authentication and authorization, and role-based access control.

  • Create an Azure Active Directory Security Group for the HSM Administrators (instead of assigning Administrator role to individuals), to prevent "administration lock-out" if there was individual account deletion.
  • Lock down access to your management groups, subscriptions, resource groups and Managed HSMs - Use Azure RBAC to control access to your management groups, subscriptions, and resource groups
  • Create per key role assignments using Managed HSM local RBAC.
  • To maintain separation of duties, avoid assigning multiple roles to same principals.
  • Use least privilege access principal to assign roles.
  • Create custom role definition with precise set of permissions.


  • Make sure you take regular backups of your HSM. Backups can be done at the HSM level and for specific keys.

Turn on logging

Turn on recovery options

  • Soft Delete is on by default. You can choose a retention period between 7 and 90 days.
  • Turn on purge protection to prevent immediate permanent deletion of HSM or keys. When purge protection is on HSM or keys will remain in deleted state until the retention days have passed.

Next steps