Share via


Use-AipServiceKeyVaultKey

Tells Azure Information Protection to use a customer-managed tenant key in Azure Key Vault.

Syntax

Use-AipServiceKeyVaultKey
   -KeyVaultKeyUrl <String>
   [-FriendlyName <String>]
   [-Force]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]

Description

The Use-AipServiceKeyVaultKey cmdlet tells Azure Information Protection to use a customer-managed key (BYOK) in Azure Key Vault.

You must use PowerShell to configure your tenant key; you cannot do this configuration by using a management portal.

You can run this cmdlet before or after the protection service (Azure Rights Management) is activated.

Before you run this cmdlet, make sure that the Azure Rights Management service principal has been granted permissions to the key vault that contains the key you want to use for Azure Information Protection. These permissions are granted by running the Azure Key Vault cmdlet, Set-AzKeyVaultAccessPolicy.

For security reasons, the Use-AipServiceKeyVaultKey cmdlet does not let you set or change the access control for the key in Azure Key Vault. After that access is granted by running Set-AzKeyVaultAccessPolicy, run Use-AipServiceKeyVaultKey to tell Azure Information Protection to use the key and version that you specify with the KeyVaultKeyUrl parameter.

For more information, see Best practices for choosing your Azure Key Vault location.

Note

If you run this cmdlet before the permissions are granted to the key vault, you will see an error that displays The Rights Management service failed to add the key.

To see more detailed information, run the command again, with -Verbose. If the permissions are not granted, you see VERBOSE: Failure to access Azure KeyVault.

When your command successfully runs, the key is added as an archived customer-managed tenant key for Azure Information Protection for your organization. To make it the active tenant key for Azure Information Protection, you must then run the Set-AipServiceKeyProperties cmdlet.

Use Azure Key Vault to centrally manage and monitor use of the key that you specified. All calls to your tenant key will be made to the key vault that your organization owns. You can confirm which key you are using in Key Vault by using the Get-AipServiceKeys cmdlet.

For more information about the types of tenant keys that Azure Information Protection supports, see Planning and implementing your Azure Information Protection tenant key.

For more information about Azure Key Vault, see What is Azure Key Vault.

Examples

Example 1: Configure Azure Information Protection to use a customer-managed key in Azure Key Vault

PS C:\>Use-AipServiceKeyVaultKey -KeyVaultKeyUrl "https://contoso.vault.azure.net/keys/contoso-aipservice-key/aaaabbbbcccc111122223333"

This command tells Azure Information Protection to use the key named contoso-aipservice-key, version aaaabbbbcccc111122223333, in the key vault named contoso.

This key and version in Azure Key Vault then becomes the customer-managed tenant key for Azure Information Protection.

Parameters

-Confirm

Prompts you for confirmation before running the cmdlet.

Type:SwitchParameter
Aliases:cf
Position:Named
Default value:False
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Force

Forces the command to run without asking for user confirmation.

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-FriendlyName

Specifies the friendly name of a trusted publishing domain (TPD) and the SLC key that you imported from AD RMS.

If users run Office 2016 or Office 2013, specify the same Friendly name value that is set for the AD RMS cluster properties on the Server Certificate tab.

This parameter is optional. If you don't use it, the key identifier is used instead.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-KeyVaultKeyUrl

Specifies the URL of the key and version in Azure Key Vault that you want to use for your tenant key.

This key will be used by Azure Information Protection as the root key for all cryptographic operations for your tenant.

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Type:SwitchParameter
Aliases:wi
Position:Named
Default value:False
Required:False
Accept pipeline input:False
Accept wildcard characters:False