Azure Managed HSM External Key Management Preview
Summary
Microsoft has launched external key management for Azure Key Vault Managed HSM in public preview, letting organizations keep encryption keys on HSMs they own outside Azure. The feature is aimed at regulated environments that require physical control of key hardware, but it also shifts availability and operational responsibility to the customer or partner.
Introduction
Microsoft has announced public preview support for external key management in Azure Key Vault Managed HSM. This gives organizations a new option to keep key material on HSM hardware they own and operate outside Microsoft datacenters, while still using Azure services that rely on customer-managed keys.
For most customers, standard Managed HSM remains the recommended model. But for government, financial services, and other regulated sectors, this preview addresses requirements for physical key custody outside the cloud provider environment.
What’s new
External key management for Managed HSM
Azure Managed HSM now supports a dedicated API endpoint that can connect to an external HSM under customer control. This means:
- Key material can remain on customer-owned or partner-operated hardware
- The external key does not reside in Microsoft infrastructure
- Applications continue using Managed HSM and Azure Key Vault APIs without major changes
- Azure forwards supported cryptographic requests to the external HSM when needed
Open integration model
Microsoft is using an open specification for the external key management API. Customers can:
- Use a vendor-provided integration
- Work with a trusted partner
- Build their own implementation
Connections between Azure and the external HSM are secured with mutual TLS.
Preview scope
At launch, the preview includes:
- Availability in all Azure public regions
- Support for data-at-rest protection scenarios tied to customer-managed keys
- Gated access, enabled through your Microsoft account team
- No added Microsoft surcharge beyond standard Managed HSM pricing
Why it matters for IT admins
This preview is important for organizations with strict sovereignty, regulatory, or contractual obligations that require encryption keys to stay outside Azure datacenters.
However, Microsoft is clear about the tradeoff: more control means more responsibility. With external key management, customers are responsible for:
- External HSM and proxy availability
- Provisioning, scaling, and recovery
- Monitoring and troubleshooting failures on their side
- Any partner licensing or hardware costs
If the external HSM or proxy is unavailable, cryptographic operations can fail and impact access to protected Azure data.
Recommended next steps
- Confirm whether your compliance requirements truly require keys outside Azure
- Review the Managed HSM shared responsibility model and SLA boundaries
- Evaluate HSM vendor or partner support for the external key management API
- Contact your Microsoft account team to request preview access
- Test availability, failover, and operational runbooks before production use
For most deployments, native Managed HSM keys will still offer the best balance of security, resilience, and operational simplicity. External key management is best reserved for scenarios where physical key residency outside Azure is mandatory.
Need help with Azure?
Our experts can help you implement and optimize your Microsoft solutions.
Talk to an ExpertStay updated on Microsoft technologies