End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in Trend Vision One™ Cloud Risk Management. For details, please refer to Upgrade to Trend Vision One

Enable Encryption using Customer-Managed Keys

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that your Azure AI Services (AI Foundry) instances are using Customer-Managed Keys (CMKs) instead of Microsoft-managed encryption keys (i.e. default keys used by Microsoft Azure for encryption at rest) in order to have a more granular control over your Azure AI Services data encryption and decryption process.

Security

Microsoft Azure AI Services automatically encrypts your data at rest. The encryption protects your data and assists in fulfilling your organization's security and compliance requirements. By default, the encryption process uses Microsoft-managed keys. However, you can bring your own keys (i.e. Customer-Managed Keys) to fully control who can use the encryption keys and access the encrypted data. Using Customer-Managed Keys (CMKs) also allows you to automatically update the key version used for storage encryption whenever a new version is available.


Audit

To determine if your Microsoft Azure AI Services (AI Foundry) instances are encrypted using Customer Managed Keys (CMKs), perform the following actions:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Azure AI Foundry for Value, then choose Apply to list the Azure AI Services (AI Foundry) instances available in the selected subscription.

05 Click on the name (link) of the AI Foundry instance that you want to examine.

06 In the resource navigation panel, under Resource Management, select Encryption to access the encryption configuration settings available for the selected AI Foundry instance.

07 On the Encryption panel, check for the Encryption type configuration setting to determine the type of the encryption key used for the selected resource. If Encryption type is set to Microsoft Managed Keys, encryption at rest using Customer-Managed Keys (CMKs) is not enabled for the selected Azure AI Services (AI Foundry) instance.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription as the current active subscription (the command does not produce any output):

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run cognitiveservices account list command (Windows/macOS/Linux) with custom output filters to list the name and the associated resource group for each Azure AI Services (AI Foundry) instance available within the current subscription:

az cognitiveservices account list
	--output table
	--query '[?(kind==`AIServices`)].{name:name, resourceGroup:resourceGroup}'

05 The command output should return the requested AI Foundry instance identifiers:

Name                               ResourceGroup
-------------------------------    ------------------------------
cc-project5-ai-service-instance    cloud-shell-storage-westeurope
cc-project5-ai-foundry-instance    cloud-shell-storage-westeurope

06 Run cognitiveservices account show command (Windows/macOS/Linux) with the name of the Azure AI Foundry instance that you want to examine as the identifier parameter and custom output filters to describe the name of the encryption key used for the selected instance:

az cognitiveservices account show
	--name cc-project5-ai-service-instance
	--resource-group cloud-shell-storage-westeurope
	--query '{"encryptionKey":properties.encryption.keyVaultProperties.keyName}'

07 The command output should return the name of the requested encryption key:

{
	"encryptionKey": null
}

If the cognitiveservices account show command output returns null for the "encryptionKey" configuration attribute, as shown in the output example above, no Customer-Managed Key is configured for your service instance. Encryption at rest using Customer-Managed Keys (CMKs) is therefore not enabled for the selected Azure AI Services (AI Foundry) instance.
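The CLI audit above inspects one instance at a time. The following script is an added example (not part of this Conformity article) that applies the same decision to a whole subscription's worth of `az cognitiveservices account list` output and produces one finding per AIServices-kind account. The JSON is a constructed sample mirroring the shape of the CLI output; the script makes no Azure calls. Beyond the article's null-keyName test it also checks keySource, because an account can report keySource "Microsoft.KeyVault" while the key reference is incomplete.

```python
"""Evaluate Azure AI Services (AI Foundry) accounts for CMK encryption.

Added example, not the article's own code. Feed it the real output of
`az cognitiveservices account list` (optionally per subscription after
`az account set`) to audit every account at once.
"""
import json

# Constructed sample output: two AIServices accounts (one with a CMK,
# one without) and one unrelated OpenAI account that is skipped.
SAMPLE_ACCOUNTS_JSON = """
[
  {"name": "cc-project5-ai-service-instance", "kind": "AIServices",
   "resourceGroup": "cloud-shell-storage-westeurope",
   "properties": {"encryption": null}},
  {"name": "cc-project5-ai-foundry-instance", "kind": "AIServices",
   "resourceGroup": "cloud-shell-storage-westeurope",
   "properties": {"encryption": {"keySource": "Microsoft.KeyVault",
      "keyVaultProperties": {"keyName": "tm-ai-foundry-instance-key",
        "keyVaultUri": "https://tm-project5-vault.vault.azure.net",
        "keyVersion": "abcd1234abcd1234abcd1234abcd1234"}}}},
  {"name": "cc-project5-openai", "kind": "OpenAI",
   "resourceGroup": "cloud-shell-storage-westeurope",
   "properties": {"encryption": {"keySource": "Microsoft.CognitiveServices"}}}
]
"""


def cmk_status(account: dict) -> str:
    """Classify one account as 'CMK', 'MICROSOFT_MANAGED' or 'CMK_INCOMPLETE'.

    The article's test is "keyName is null => no CMK". Checking keySource
    first covers the platform-managed case explicitly ("Microsoft.CognitiveServices"
    or a missing encryption block), and a Key Vault source without a usable
    key reference is flagged separately so it is not mistaken for a compliant one.
    """
    enc = (account.get("properties") or {}).get("encryption") or {}
    kv = enc.get("keyVaultProperties") or {}
    if enc.get("keySource") != "Microsoft.KeyVault":
        return "MICROSOFT_MANAGED"
    if not (kv.get("keyName") and kv.get("keyVaultUri")):
        return "CMK_INCOMPLETE"
    return "CMK"


def audit_accounts(accounts_json: str) -> list:
    """Return one finding per AIServices-kind account; other kinds are skipped."""
    findings = []
    for acct in json.loads(accounts_json):
        if acct.get("kind") != "AIServices":
            continue
        status = cmk_status(acct)
        findings.append({
            "name": acct["name"],
            "resourceGroup": acct["resourceGroup"],
            "status": status,
            "compliant": status == "CMK",
        })
    return findings


if __name__ == "__main__":
    # Real use: python3 audit_cmk.py < <(az cognitiveservices account list)
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ACCOUNTS_JSON
    for f in audit_accounts(data):
        flag = "OK  " if f["compliant"] else "FAIL"
        print(f"{flag} {f['resourceGroup']}/{f['name']}: {f['status']}")
```

Run it against the sample to see one FAIL (Microsoft-managed) and one OK line; piping real `az cognitiveservices account list` output into it gives the same report for a live subscription.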

Remediation / Resolution

To enable encryption at rest for your Azure AI Services (AI Foundry) instances using Customer-Managed Keys (CMKs), perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to Azure Key vaults blade at https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults.

03 Choose Create and perform the following actions to create the Azure key vault that will store your new Customer-Managed Key (CMK):

  1. For Basics, choose the correct subscription and resource group, provide a unique name for the new key vault, then select the Azure cloud region where the vault will be deployed, and the appropriate pricing tier. Configure the vault retention period and enable purge protection. Both soft delete and purge protection must be enabled on the key vault. Choose Next to continue the setup process.
  2. For Access configuration, select Vault access policy for Permission model, choose Create under Access policies, and follow the setup wizard to create the policy that allows Azure AI Foundry to create, get, recover, wrap, and unwrap encryption keys from the new vault. Once the access policy is configured, choose Create to create and attach it to the key vault. (Optional) Configure Azure cloud resource access under Resource access. Choose Next to continue the setup.
  3. For Networking, configure the network access control for the new key vault. You can connect to your new key vault either publicly, via public IP addresses or service endpoints, or privately, using a private endpoint. Choose Next to continue.
  4. For Tags, use the Name and Value fields to create tags that will help organize the identity of the key vault. Choose Review + create to validate the key vault setup.
  5. For Review + create, review the resource configuration details, then choose Create to create your new Azure key vault.

04 Click on the name of the newly created Microsoft Azure key vault.

05 In the resource navigation panel, under Objects, select Keys, then choose Generate/Import to create the Customer-Managed Key required for Azure AI Foundry instance encryption.

06 On the Create a key setup page, provide a unique name for the encryption key in the Name box, set Key type to RSA, RSA key size to 2048 or higher, choose an activation and/or expiration date, set the Enabled flag to Yes, then choose Create to generate your new Customer-Managed Key (CMK).

07 Once your new Customer-Managed Key is available, navigate to Azure AI Foundry blade at https://portal.azure.com/#view/Microsoft_Azure_ProjectOxford/CognitiveServicesHub/~/AIServices.

08 Click on the name (link) of the Azure AI Foundry instance that you want to configure.

09 In the resource navigation panel, under Resource Management, select Encryption to access the encryption configuration settings available for the selected resource.

10 On the Encryption panel, perform the following actions to configure CMK-based encryption for your instance:

  1. For Encryption type select Customer Managed Keys.
  2. For Encryption key choose Select from Key Vault.
  3. For Key vault and key choose Select a KeyVault and Key for encryption.
  4. Select the appropriate Azure subscription from the Subscription dropdown list.
  5. For Key store type choose Key vault.
  6. For Key vault select the Azure key vault deployed earlier in the Remediation section.
  7. For Key choose the Customer-Managed Key (CMK) created earlier in the Remediation section.
  8. For Version choose the version listed under Current version.
  9. Choose Select to save the key vault and key selection.

11 Choose Save to apply the encryption configuration changes.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription as the current active subscription (the command does not produce any output):

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run keyvault create command (Windows/macOS/Linux) to create the Microsoft Azure key vault where the required Customer-Managed Key (CMK) will be placed. Both soft delete and purge protection must be enabled on the new key vault:

az keyvault create
	--name tm-project5-vault
	--resource-group cloud-shell-storage-westeurope
	--location westeurope
	--enabled-for-deployment true
	--enabled-for-template-deployment true
	--enable-purge-protection true
	--retention-days 30
	--enable-rbac-authorization false

05 The command output should return the object ID of the new Microsoft Azure key vault:

{
	"id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/tm-project5-vault",
	"location": "westeurope",
	"name": "tm-project5-vault",
	"properties": {
		"accessPolicies": [
		{
			"applicationId": null,
			"objectId": "abcdabcd-abcd-abcd-abcd-abcdabcdabcd",
			"permissions": {
				"certificates": [
					"all"
				],
				"keys": [
					"all"
				],
				"secrets": [
					"all"
				],
				"storage": [
					"all"
				]
			},
			"tenantId": "abcd1234-abcd-1234-abcd-1234abcd1234"
		}
		],
		"createMode": null,
		"enablePurgeProtection": true,
		"enableRbacAuthorization": false,
		"enableSoftDelete": true,
		"enabledForDeployment": true,
		"enabledForDiskEncryption": null,
		"enabledForTemplateDeployment": true,
		"hsmPoolResourceId": null,
		"networkAcls": null,
		"privateEndpointConnections": null,
		"provisioningState": "Succeeded",
		"publicNetworkAccess": "Enabled",
		"sku": {
		"family": "A",
		"name": "standard"
		},
		"softDeleteRetentionInDays": 30,
		"tenantId": "abcd1234-abcd-1234-abcd-1234abcd1234",
		"vaultUri": "https://tm-project5-vault.vault.azure.net/"
	},
	"resourceGroup": "cloud-shell-storage-westeurope",
	"systemData": {
		"createdAt": "2025-09-12T15:48:59.183000+00:00",
		"createdBy": "",
		"createdByType": "User",
		"lastModifiedAt": "2024-06-02T15:48:59.183000+00:00",
		"lastModifiedBy": "",
		"lastModifiedByType": "User"
	},
	"tags": {},
	"type": "Microsoft.KeyVault/vaults"
}

06 Run keyvault set-policy command (Windows/macOS/Linux) with the managed identity object ID (i.e., "properties.accessPolicies.objectId") and the name of the newly created key vault as the identifier parameters to grant the key permissions (create, get, recover, wrapKey, unwrapKey) that Azure AI Foundry requires on the selected vault:

az keyvault set-policy
	--name tm-project5-vault
	--object-id abcdabcd-abcd-abcd-abcd-abcdabcdabcd
	--key-permissions create get recover unwrapKey wrapKey
	--query 'properties.accessPolicies'

07 The command output should return the modified key vault configuration information:

[
	{
		"applicationId": null,
		"objectId": "abcdabcd-abcd-abcd-abcd-abcdabcdabcd",
		"permissions": {
			"certificates": [
				"all"
			],
			"keys": [
				"recover",
				"unwrapKey",
				"get",
				"create",
				"wrapKey"
			],
			"secrets": [
				"all"
			],
			"storage": [
				"all"
			]
		},
		"tenantId": "abcd1234-abcd-1234-abcd-1234abcd1234"
	}
]

08 Run keyvault key create command (Windows/macOS/Linux) to create the Customer-Managed Key (CMK) necessary to encrypt data for your Azure AI Services (AI Foundry) instance:

az keyvault key create
	--name tm-ai-foundry-instance-key
	--vault-name tm-project5-vault
	--kty RSA
	--size 2048
	--ops decrypt encrypt sign unwrapKey verify wrapKey
	--protection software
	--disabled false
	--query 'key.kid'

09 The command output should return the URL of the new Customer-Managed Key:

"https://tm-project5-vault.vault.azure.net/keys/tm-ai-foundry-instance-key/abcd1234abcd1234abcd1234abcd1234"

10 Run cognitiveservices account update command (Windows/macOS/Linux) to enable encryption at rest with Customer-Managed Keys (CMKs) for the selected Azure AI Foundry instance. Replace the --encryption parameter values with your own key information (returned in the previous step):

az cognitiveservices account update
	--name cc-project5-ai-service-instance
	--resource-group cloud-shell-storage-westeurope
	--encryption '{
		"keySource": "Microsoft.KeyVault",
		"keyVaultProperties": {
			"identityClientId": null,
			"keyName": "tm-ai-foundry-instance-key",
			"keyVaultUri": "https://tm-project5-vault.vault.azure.net",
			"keyVersion": "abcd1234abcd1234abcd1234abcd1234"
		}
	}'

11 The command output should return the configuration information for the configured Azure AI Foundry instance:

{
	"id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.CognitiveServices/accounts/cc-project5-ai-service-instance",
	"identity": {
		"principalId": "abcd1234-abcd-1234-abcd-1234abcd1234",
		"tenantId": "abcd1234-abcd-1234-abcd-1234abcd1234",
		"type": "SystemAssigned",
		"userAssignedIdentities": null
	},
	"kind": "AIServices",
	"location": "westeurope",
	"name": "cc-project5-ai-service-instance",
	"properties": {
		"encryption": {
			"keySource": "Microsoft.KeyVault",
			"keyVaultProperties": {
				"identityClientId": null,
				"keyName": "tm-ai-foundry-instance-key",
				"keyVaultUri": "https://tm-project5-vault.vault.azure.net",
				"keyVersion": "abcd1234abcd1234abcd1234abcd1234"
			}
		},

		...

		"isMigrated": false,
		"locations": null,
		"migrationToken": null,
		"networkAcls": {
			"defaultAction": "Allow",
			"ipRules": [],
			"virtualNetworkRules": []
		},
		"privateEndpointConnections": [],
		"provisioningState": "Succeeded",
		"publicNetworkAccess": "Enabled",
		"quotaLimit": null,
		"restore": null,
		"restrictOutboundNetworkAccess": null,
		"scheduledPurgeDate": null,
		"skuChangeInfo": null,
		"userOwnedStorage": null
	},
	"resourceGroup": "cloud-shell-storage-westeurope",
	"type": "Microsoft.CognitiveServices/accounts"
}
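Steps 04 and 08–11 above require the operator to copy the key URL returned by keyvault key create into the three fields of the --encryption parameter, after confirming the vault has soft delete and purge protection enabled. The following script is an added example (not part of this Conformity article) that derives the payload from the key identifier, checks the vault prerequisites from `az keyvault show` output, and verifies after the update that the account references exactly the intended key and version. The key identifier and vault record are the article's placeholder values, constructed here as sample input; nothing calls Azure.

```python
"""Build and verify the --encryption payload for
`az cognitiveservices account update`.

Added example, not the article's own code. Assumed inputs:
  - the `key.kid` URL printed by `az keyvault key create --query 'key.kid'`
  - the JSON printed by `az keyvault show` (vault prerequisites)
  - the JSON printed by `az cognitiveservices account update/show` (post-check)
"""
import json
from urllib.parse import urlparse


def parse_key_id(key_id: str) -> dict:
    """Split https://<vault>.vault.azure.net/keys/<name>/<version> into the
    keyVaultUri / keyName / keyVersion fields the update command expects."""
    u = urlparse(key_id)
    parts = [p for p in u.path.split("/") if p]
    if u.scheme != "https" or len(parts) != 3 or parts[0] != "keys":
        raise ValueError(f"not a Key Vault key identifier: {key_id}")
    return {"keyVaultUri": f"https://{u.netloc}",
            "keyName": parts[1],
            "keyVersion": parts[2]}


def build_encryption_payload(key_id: str, identity_client_id=None) -> str:
    """JSON for --encryption. identityClientId stays null when the account uses
    its system-assigned identity (as in the article); pass the client ID of a
    user-assigned identity if that identity holds the vault permissions."""
    kv = parse_key_id(key_id)
    kv["identityClientId"] = identity_client_id
    return json.dumps({"keySource": "Microsoft.KeyVault",
                       "keyVaultProperties": kv}, indent=2)


def key_vault_ready_for_cmk(vault: dict) -> list:
    """Return the prerequisites the vault fails (empty list means ready).
    Both soft delete and purge protection are required for CMK use."""
    props = vault.get("properties") or {}
    problems = []
    if not props.get("enableSoftDelete"):
        problems.append("soft delete is disabled")
    if not props.get("enablePurgeProtection"):
        problems.append("purge protection is disabled")
    return problems


def update_applied(account_after: dict, key_id: str) -> bool:
    """Post-check for step 11: the account must reference exactly the key
    (vault URI, name and version) that was passed in, not just any CMK."""
    want = parse_key_id(key_id)
    enc = (account_after.get("properties") or {}).get("encryption") or {}
    kvp = enc.get("keyVaultProperties") or {}
    return (enc.get("keySource") == "Microsoft.KeyVault"
            and all(kvp.get(k) == v for k, v in want.items()))


# Constructed sample values (the article's placeholders).
SAMPLE_KEY_ID = ("https://tm-project5-vault.vault.azure.net/keys/"
                 "tm-ai-foundry-instance-key/abcd1234abcd1234abcd1234abcd1234")
SAMPLE_VAULT = {"properties": {"enableSoftDelete": True,
                               "enablePurgeProtection": True}}

if __name__ == "__main__":
    # Typical use once the vault passes key_vault_ready_for_cmk():
    #   az cognitiveservices account update --name <account> --resource-group <rg> \
    #       --encryption "$(python3 build_cmk_payload.py)"
    missing = key_vault_ready_for_cmk(SAMPLE_VAULT)
    if missing:
        raise SystemExit("vault not ready: " + ", ".join(missing))
    print(build_encryption_payload(SAMPLE_KEY_ID))
```

Deriving the three fields from the key identifier avoids the most common hand-copy mistake, a stale or mistyped keyVersion, and the post-check catches the case where the update returned success but a different key or version is in effect.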


Publication date Sep 10, 2025