
Overview

Microsoft 365 Customer Key supports RSA keys stored in Azure Key Vault Managed HSM, a FIPS 140-2 Level 3 compliant solution.

Managed HSM is a fully managed, highly available, single-tenant service that helps safeguard cryptographic keys using FIPS 140-2 Level 3–validated hardware security modules (HSMs). It supports cloud applications that require high-assurance key protection.

For more information about the service, see the Azure Key Vault Managed HSM overview.

Set Up Customer Key with Managed HSM

To set up Customer Key using Managed HSM, follow the steps in the order listed. This article includes detailed guidance for HSM-specific tasks and links to shared setup steps from the standard Customer Key process.

Important

Managed HSM uses a different set of PowerShell cmdlets than classic Azure Key Vault. Make sure to use the correct tooling in each step.

Start by completing the following shared steps:

  1. Create two new Azure subscriptions
  2. Register the required service principals

Create a resource group, then provision and activate a Managed HSM

Unlike standard Azure Key Vault, which typically requires three pairs of key vaults (six total) to support all workloads, Managed HSM only requires two instances, one per Azure subscription, regardless of how many Customer Key workloads you plan to use.

To provision and activate your Managed HSM instances, follow the steps in the Managed HSM Quickstart using PowerShell.

Diagram of simplified HSM setup with two Managed HSM instances

Assign Permissions to each Managed HSM

Managed HSM uses local role-based access control (RBAC) to manage permissions. To assign the required access for Customer Key, you must grant the Managed HSM Crypto Service Encryption User role to the appropriate Microsoft 365 application.

This role grants the following permissions on the key: wrapKey, unwrapKey, and get.

For more information, see Managed HSM role management.

When assigning the role, search for the following Microsoft 365 app names:

  • Multiple workloads: M365DataAtRestEncryption
  • Exchange: Office 365 Exchange Online
  • SharePoint and OneDrive: Office 365 SharePoint Online

If you don’t see the expected app in your tenant, verify that you registered the required service principals.

To learn more about assigning roles, see Use role-based access control to manage access to your Azure subscription resources.

Assign User roles to your Managed HSM

Managed HSM Administrators are responsible for day-to-day management tasks such as backup, create, get, import, list, and restore.

For role definitions and guidance on assigning user roles, see Assigning user roles.

Add a key to each Managed HSM

Managed HSM supports only HSM-protected keys. When creating keys for use with Customer Key, you must use the RSA-HSM key type.

To create a key directly in Managed HSM, follow the steps in Add-AzKeyVaultKey.

If you prefer to generate a key on-premises and then import it into your Managed HSM, see How to generate and transfer HSM-protected keys for Azure Key Vault.

Use these instructions to create one key in each Managed HSM instance.

Verify the expiration date of your Managed HSM keys

To check that your keys don't have an expiration date, run the Get-AzKeyVaultKey cmdlet.

For Managed HSM:

Get-AzKeyVaultKey -HsmName <HSM name>

Customer Key can't use expired keys. If a key is expired, any operation using it fails, which can lead to a service outage. We strongly recommend that keys used with Customer Key don't have an expiration date.

Once set, an expiration date can't be removed, but you can change it. If you must use a key with an expiration date, update it to 12/31/9999 and use the legacy onboarding method. Any other expiration value fails Microsoft 365 validation.

To change the expiration date to 12/31/9999, use the Update-AzKeyVaultKey cmdlet.

Update-AzKeyVaultKey -HsmName <HSM name> -Name <key name> -Expires (Get-Date -Date "12/31/9999")

Back up your Managed HSM Key

To back up your Managed HSM Key, see Backup-AzKeyVaultKey.

Obtain the URI for each Managed HSM key

After you set up your Managed HSMs and add your keys, run the following command to get the URI for each key. You need these URIs when creating and assigning data encryption policies (DEPs), so be sure to save them somewhere secure.

Run the following command in Azure PowerShell, once for each Managed HSM instance:

(Get-AzKeyVaultKey -HsmName <HSM name>).Id
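The following script is an added example, not part of the Microsoft article, that combines the expiration check and the URI collection above into one readiness audit of both Managed HSM keys. It assumes you are signed in with Connect-AzAccount with the Az.KeyVault module installed, and that the HSM and key names below are placeholders you replace with your own.

```powershell
# Added example (not from the article): audit the Customer Key keys in both
# Managed HSM instances before onboarding, then save their URIs for the DEP step.
# Assumption: HSM and key names below are placeholders for your own values.
$hsmKeys = @(
    @{ HsmName = '<HSM name 1>'; KeyName = '<key name 1>' },
    @{ HsmName = '<HSM name 2>'; KeyName = '<key name 2>' }
)

$report = foreach ($entry in $hsmKeys) {
    $key = Get-AzKeyVaultKey -HsmName $entry.HsmName -Name $entry.KeyName

    # No expiration is the recommended state. Once set, an expiration can only be
    # changed, not removed, and 12/31/9999 is the only value that passes
    # Microsoft 365 validation (and it forces the legacy onboarding method).
    # Comparing the year avoids time-zone drift on a date this close to DateTime.MaxValue.
    $expiresOk = ($null -eq $key.Expires) -or ($key.Expires.Year -eq 9999)

    [pscustomobject]@{
        HsmName   = $entry.HsmName
        KeyName   = $key.Name
        KeyType   = $key.KeyType            # Customer Key requires RSA-HSM
        KeyTypeOk = ($key.KeyType -eq 'RSA-HSM')
        Enabled   = $key.Enabled
        Expires   = $key.Expires
        ExpiresOk = $expiresOk
        Uri       = $key.Id                 # the key URI needed for the DEP
    }
}

$report | Format-Table -AutoSize

# Stop before onboarding if any key would fail validation or cause an outage.
$bad = $report | Where-Object { -not ($_.ExpiresOk -and $_.KeyTypeOk -and $_.Enabled) }
if ($bad) {
    throw "Managed HSM key(s) not ready for Customer Key: $($bad.KeyName -join ', ')"
}

# Keep the URIs for the data encryption policy step; store this file securely.
$report | Select-Object HsmName, KeyName, Uri |
    Export-Csv -Path '.\customer-key-uris.csv' -NoTypeInformation
```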

Onboard to Customer Key using the legacy method

After completing all steps to configure your subscriptions, Managed HSM instances, and keys, follow the instructions in Onboard to Customer Key using the legacy method.

Next steps

Once you complete the setup, create and assign data encryption policies (DEPs). For guidance, see Manage Customer Key.