Azure

Azure Managed HSM External Key Management Preview

3 min read

Summary

Microsoft has launched external key management for Azure Key Vault Managed HSM in public preview, letting organizations keep encryption keys on HSMs they own outside Azure. The feature is aimed at regulated environments that require physical control of key hardware, but it also shifts availability and operational responsibility to the customer or partner.

Need help with Azure?Talk to an Expert

Introduction

Microsoft has announced public preview support for external key management in Azure Key Vault Managed HSM. This gives organizations a new option to keep key material on HSM hardware they own and operate outside Microsoft datacenters, while still using Azure services that rely on customer-managed keys.

For most customers, standard Managed HSM remains the recommended model. But for government, financial services, and other regulated sectors, this preview addresses requirements for physical key custody outside the cloud provider environment.

What’s new

External key management for Managed HSM

Azure Managed HSM now supports a dedicated API endpoint that can connect to an external HSM under customer control. This means:

  • Key material can remain on customer-owned or partner-operated hardware
  • The external key does not reside in Microsoft infrastructure
  • Applications continue using Managed HSM and Azure Key Vault APIs without major changes
  • Azure forwards supported cryptographic requests to the external HSM when needed

Open integration model

Microsoft is using an open specification for the external key management API. Customers can:

  • Use a vendor-provided integration
  • Work with a trusted partner
  • Build their own implementation

Connections between Azure and the external HSM are secured with mutual TLS.

Preview scope

At launch, the preview includes:

  • Availability in all Azure public regions
  • Support for data-at-rest protection scenarios tied to customer-managed keys
  • Gated access, enabled through your Microsoft account team
  • No added Microsoft surcharge beyond standard Managed HSM pricing

Why it matters for IT admins

This preview is important for organizations with strict sovereignty, regulatory, or contractual obligations that require encryption keys to stay outside Azure datacenters.

However, Microsoft is clear about the tradeoff: more control means more responsibility. With external key management, customers are responsible for:

  • External HSM and proxy availability
  • Provisioning, scaling, and recovery
  • Monitoring and troubleshooting failures on their side
  • Any partner licensing or hardware costs

If the external HSM or proxy is unavailable, cryptographic operations can fail and impact access to protected Azure data.

  • Confirm whether your compliance requirements truly require keys outside Azure
  • Review the Managed HSM shared responsibility model and SLA boundaries
  • Evaluate HSM vendor or partner support for the external key management API
  • Contact your Microsoft account team to request preview access
  • Test availability, failover, and operational runbooks before production use

For most deployments, native Managed HSM keys will still offer the best balance of security, resilience, and operational simplicity. External key management is best reserved for scenarios where physical key residency outside Azure is mandatory.

Need help with Azure?

Our experts can help you implement and optimize your Microsoft solutions.

Talk to an Expert

Stay updated on Microsoft technologies

Azure Managed HSMAzure Key Vaultencryption keysHSMcustomer-managed keys

Related Posts

Azure

Azure resiliency update: Zones, recovery, sovereignty

Microsoft has outlined how Azure resiliency has evolved beyond basic uptime and region pairing to a broader model covering infrastructure resiliency, data resiliency, and cyber recovery. The update matters because IT teams must now design recovery strategies around workload needs, compliance boundaries, and sovereign data requirements rather than relying on one-size-fits-all architectures.

Azure

Azure Brain AI System Improves Cloud Reliability

Microsoft has introduced Brain, Azure’s centralized AIOps-powered reliability intelligence system that creates a real-time digital twin of cloud health. By combining Azure Resource Graph, telemetry, AI/ML models, dependencies, and customer impact data, Brain helps Azure detect issues faster, scope incidents more accurately, and automate key reliability actions.

Azure

Azure Chaos Studio Workspaces Preview for Resilience

Microsoft has introduced Azure Chaos Studio Workspaces in public preview, adding a scenario-based way to test application resilience against realistic outage patterns. The update helps IT teams validate failover, recovery, and application behavior across Azure services before production incidents expose gaps.

Azure

Azure IaaS Cost Optimization: Design for Long-Term Savings

Microsoft shared guidance for designing and operating Azure IaaS environments with long-term cost optimization in mind across compute, storage, and networking. The key takeaway for IT teams: most cloud overspend comes from many small architectural choices, so continuous right-sizing, lifecycle management, and smarter resiliency patterns are critical to reducing TCO at scale.

Azure

Azure Agent Confidence Index 2026: Key Findings

Microsoft and MIT Technology Review Insights surveyed 300 AI, data, and cloud experts to measure where teams trust agents to take on real work. The 2026 Agent Confidence Index shows strongest confidence in predictable, repetitive tasks, while also highlighting the continued need for human oversight on high-stakes decisions.

Azure

Claude in Microsoft Foundry GA on Azure

Microsoft has made Claude in Microsoft Foundry generally available, giving enterprises a production-ready way to use Anthropic models within Azure. The release matters because it combines frontier AI models with Azure-native identity, governance, billing, networking, and data controls to help teams move from pilots to scalable production workloads.