---
title: "Azure Key Vault Group Setup"
slug: "fortanix-dsm-azure-key-vault-cdc-group-setup"
updated: 2026-05-27T10:07:14Z
published: 2026-05-27T10:07:14Z
---


# Azure Key Vault Group Setup

## 1.0 Introduction

This article describes how to set up a Cloud Data Control (CDC) Group for Azure Key Vault (AKV) using Fortanix Data Security Manager (DSM).

The Fortanix solution for AKV Key Management Service (KMS) offers complete Bring Your Own Key (BYOK) and lifecycle management and automation of Azure keys and allows users to manage all keys centrally and securely.

This article will walk you through setting up an Azure CDC group that will be used for both CNKMS and BYOK workflows.

### 1.1 Types of Azure BYOK Flows

1. Fortanix DSM key BYOK into Standard Tier Azure Key Vault (Software-protected: FIPS 140-2 Level 1 compliance).
2. Fortanix DSM key BYOK into Premium Tier Azure Key Vault (HSM-protected: FIPS 140-2 Level 2 compliance).
3. Fortanix DSM key BYOK from Fortanix DSM as HSM into Azure Key Vault HSM using custom key wrapping inside Fortanix DSM.
4. Fortanix BYOK into Azure Managed HSM (HSM-protected: Azure FIPS 140-2 Level 3 compliance).

## 2.0 Getting Started with Fortanix Cloud Data Control

*To understand which solution among CNKMS, Bring Your Own Key (BYOK), Bring Your Own KMS, or Bring Your Own Encryption (BYOE) is right for you, refer to* [*Fortanix DSM - Cloud Data Control - Getting Started*](/v1/docs/fortanix-dsm-cloud-data-control-getting-started)*.*

## 3.0 Obtaining Access to Fortanix DSM

Create an account in Fortanix DSM if you do not have one already. *For more information, refer to* [*User's Guide: Getting Started with Fortanix Data Security Manager - UI*](https://support.fortanix.com/docs/users-guide-getting-started-with-fortanix-data-security-manager-ui)*.*

## 4.0 Fortanix DSM Azure CDC Group Setup

### 4.1 Azure Application Configuration

The tool requires Azure credentials to authenticate and interact with Azure Key Vault. Perform the following steps to obtain the necessary credentials:

1. Log in to [https://portal.azure.com/](https://portal.azure.com/).
2. Register an application (app).

![azure_byok1.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Azure_SetupNew_Registeration.png)

**Figure 1: Initiate App Registration**

![azure_byok2.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Azure_Setup_Register_App_Form.png)

**Figure 2: Register an App**

![azure_byok3.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Azure_Setup_App_Registered.png)

**Figure 3: App Registered**

3. Upload a client certificate for the above application.

![AzureKMS_UploadCert.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Azure_Setup_Upload_Certificate(1).png)

**Figure 4: Client Certificate for the App**

4. Create a client secret for the above application.

![AzureKMS_ClientSecret.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Azure_Setup_New_Client_Secret.png)

**Figure 5: Client Secret for the App**

5. Give the app permission to access the Azure Key Vault.

![azure_byok4.1.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Azure_Setup_Request_API_Permissions(1).png)

**Figure 6: Key Vault Permission to Access App**

![Azure_App_Perm.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Azure_Setup_API_Permissions_Added.png)

**Figure 7: Key Vault Permission to Access App**

6. Create an Azure Key Vault.

![azure_byok5.1.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Azure_Setup_Create_Key_Vault.png)

**Figure 8: Create Azure Key Vault**

![azure_byok6_1.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Azure_Setup_Create_Key_Vault_Form.png)

**Figure 9: Create Azure Key Vault**

### 4.2 Prerequisites

To configure the Azure-backed Fortanix DSM group, the app registered in Azure must meet the following prerequisites so that the Fortanix DSM group can authenticate to Azure Key Management Services:

- The app has API permissions to access the Key Vault. *For more information, refer to **Figures 6** and **7**.*
- The app is added to the Access Policy of the Key Vault. *For more information, refer to **Figure 9**.*
- The **Key Vault Contributor** and **Key Vault Crypto Officer** roles are assigned to the app registration.

> [!NOTE]
> NOTE
> 
> The access policies for the app registered to the key vault should include the following permissions: "`GET`", "`LIST`", "`UPDATE`", "`CREATE`", "`IMPORT`", "`DELETE`", "`RECOVER`", "`BACKUP`", "`RESTORE`", "`PURGE`".

Ensure the user performing these operations has sufficient privileges. *For more information, refer to* [*Microsoft official documentation*](https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide)*.*

![AzureKMS2.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/DSM_AKV Contributor Role.png)

**Figure 10: Assign Key Vault Contributor Role**

  1. In the Azure portal, open your Key Vault.
  2. Navigate to **Access Control (IAM)** → **Add** → **Add role assignment**.
  3. In the **Add role assignment** window, select the **Role** as **Key Vault Contributor**.
  4. Click **Next**.
  5. Add your app registration.
  6. Click **Review+assign** to assign the role to the selected app registration.

Repeat the above steps for the **Key Vault Crypto Officer** role as well, selecting the **Key Vault Crypto Officer** role in **Step 3**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/DSM_AKV Role.png)

**Figure 11: Assign Key Vault Crypto Officer Role**
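The prerequisites above are easy to get partly right (an access policy missing one permission, or only one of the two roles assigned), and the symptom is a late failure when DSM tries to manage keys. The following added check, which is not Fortanix or Microsoft code, takes the JSON that `az keyvault show -o json` and `az role assignment list -o json` produce and reports which of the required key permissions and roles are missing for the app; the sample vault, object ID and role assignment below are constructed.

```python
"""Check a Key Vault's access policy and RBAC assignments for the DSM app.

Added example, not Fortanix or Microsoft code. It reads the structures that
`az keyvault show -o json` (properties.accessPolicies) and
`az role assignment list -o json` (principalId, roleDefinitionName) print.
Note: access policies and role assignments both reference the object ID of
the app's service principal, not the app registration's own object ID.
"""

# Permissions and roles this guide requires (Section 4.2).
REQUIRED_KEY_PERMISSIONS = {"get", "list", "update", "create", "import",
                            "delete", "recover", "backup", "restore", "purge"}
REQUIRED_ROLES = {"Key Vault Contributor", "Key Vault Crypto Officer"}


def missing_key_permissions(vault, app_object_id):
    """Return the required key permissions absent from the app's access policy.

    Names are compared case-insensitively ("Get" and "get" are the same).
    If the app has no access policy entry at all, every permission is missing,
    which is also what a vault switched to pure RBAC authorization will show.
    """
    granted = set()
    for policy in vault["properties"].get("accessPolicies", []):
        if policy["objectId"] == app_object_id:
            granted |= {p.lower() for p in policy["permissions"].get("keys", [])}
    return sorted(REQUIRED_KEY_PERMISSIONS - granted)


def missing_roles(assignments, app_object_id):
    """Return the required RBAC roles not assigned to the app's principal."""
    held = {a["roleDefinitionName"] for a in assignments
            if a["principalId"] == app_object_id}
    return sorted(REQUIRED_ROLES - held)


# Constructed sample: the app's policy lacks RECOVER and PURGE, and only one
# of the two required roles is assigned. The object ID is a placeholder.
APP_OID = "00000000-0000-0000-0000-00000000abcd"
SAMPLE_VAULT = {"name": "dsm-demo-kv", "properties": {"accessPolicies": [
    {"objectId": APP_OID,
     "permissions": {"keys": ["Get", "List", "Update", "Create", "Import",
                              "Delete", "Backup", "Restore"], "secrets": []}}]}}
SAMPLE_ASSIGNMENTS = [
    {"principalId": APP_OID, "roleDefinitionName": "Key Vault Contributor",
     "scope": "/subscriptions/<sub-id>/resourceGroups/rg/providers/"
              "Microsoft.KeyVault/vaults/dsm-demo-kv"}]

if __name__ == "__main__":
    print("missing key permissions:", missing_key_permissions(SAMPLE_VAULT, APP_OID))
    print("missing roles:", missing_roles(SAMPLE_ASSIGNMENTS, APP_OID))
```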

### 4.3 Configure the Azure CDC Group

Perform the following steps to create an Azure KMS group:

1. In the DSM left navigation panel, click the **Groups** menu item, and then click **ADD GROUP** to create a new group.
2. In the **Add new group** form:
  1. Enter a name and description for your group.
  2. Click **LINK HSM/EXTERNAL KMS** to select the Azure KMS type, so that Fortanix DSM can connect to it.
  3. Select **Azure Key Vault** from the drop down.
  4. In the **Choose Service** field, select the Azure service that you want to authenticate against and establish the key vault connection with. You can choose from the following Azure services:
    - **Global Azure**
    - **Azure for US Government**

Select the “**Global Azure**” option to authenticate and upload the key material to any non-US government Azure service, or select the “**Azure for US Government**” option to authenticate and upload key material to the specific Azure service set aside for the US government.

> [!NOTE]
> NOTE
> 
> To use Azure US Government, you need to be a US citizen associated with the US Federal Government or a US government contractor. *Refer to the Cloud Provider's documentation about access to these environments.*
  5. Use the credentials created in [*Section 4.1: Azure Application Configuration*](/v1/docs/fortanix-dsm-azure-key-vault-cdc-group-setup#41-azure-application-configuration) to set up an Azure-backed Fortanix DSM group. Azure subscriptions have a trust relationship with Azure AD. In the **Authentication** section, enter the Azure KMS account credentials:
    - **Tenant ID**: Each subscription has a Directory ID/Tenant ID. Enter the Tenant ID.
    - **Client ID**: Enter the Application ID/Client ID of the app registration you created. This value can be found on the app registration’s Overview screen.
    - **Subscription ID**: The Subscription ID is the ID of your Azure AD subscription containing the key vaults associated with that Subscription ID. You can get the subscription ID by navigating to **Subscriptions** in the Azure portal. *For more information, refer to* [*Azure Subscriptions and Roles*](https://docs.microsoft.com/en-us/azure/marketplace/find-tenant-object-id#find-subscriptions-and-roles)*.* You can authenticate with Azure Key Vault using either of the following options:
    - **Client Secret:** A secret string that a registered application in Azure uses to prove its identity when requesting a token at a web-addressable location (using an HTTPS scheme). Client Secret is also referred to as an application password. Enter the “Value” of the Client Secret from the “Client secrets” section in Azure.
    - **Token authentication certificate configuration:** Click **+ ADD AUTHENTICATION CERTIFICATE** to upload a client certificate and private key (Fortanix DSM Certificate and Key). This allows Fortanix DSM to authenticate itself to the Azure Key vault and vice versa. Ensure that the certificate file is in `cer`, `pem`, or `crt` format.

> [!NOTE]
> NOTE
> 
> *Refer to **Figures 3** and **5** in* [*Section 4.1: Azure Application Configuration*](/v1/docs/fortanix-dsm-azure-key-vault-cdc-group-setup#41-azure-application-configuration) *to get the Tenant ID, Client ID, and Client Secret.*
  6. Click **SAVE**.
3. Add a TLS configuration (optional). *For more information, refer to* [*Section 4.4: Add TLS Configuration (Optional)*](/v1/docs/fortanix-dsm-azure-key-vault-cdc-group-setup#44-add-tls-configuration-optional)*.*
4. Click **TEST CONNECTION** to test your Azure KMS connection. If Fortanix DSM connects to Azure Key Vault using your connection details, it shows the status as “**Connected**” with a green tick ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/360082238652(5).png) and fetches the key vaults associated with the Subscription ID. Otherwise, it shows the status as “**Not Connected**” with a yellow warning sign ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Screenshot (1811)(3).png).

### 4.4 Add TLS Configuration (Optional)

> [!NOTE]
> NOTE
> 
> If you are using a configuration such as a proxy for the Azure Key Vault connection, use this section to add certificates so that Fortanix DSM would allow the use of a custom certificate.

In the **TLS configuration** section, click **+ ADD AUTHENTICATION CERTIFICATE** to add a certificate for authenticating the Azure Key Vault. Fortanix’s external KMS solution requires that the customer applications use one of the Fortanix DSM interfaces (REST, PKCS#11, KMIP, JCE, or CNG) to interact with Fortanix DSM for key management and cryptographic operations. These applications should be configured to authenticate to Fortanix DSM using a Certificate or Trusted Certificate Authority (CA) instead of directly communicating with Azure Key Vault.

1. **Validate Host:** Select the **Validate Host** check box to verify if the certificate that the Azure Key Vault provided has the same `subjectAltName` or `Common Name (CN)` as the hostname that the server certificate is coming from.
2. You can select either of the following two certificates:
  1. **Global Root CAs:** This option is for a self-signed certificate from an internal CA. By default, every Azure KMS group is configured with a Global Root CA Certificate.
    - **CLIENT CERTIFICATE** and **PRIVATE KEY:** Upload a client certificate and a private key (Fortanix DSM Certificate and Key). This allows Fortanix DSM to authenticate itself to the Azure Key Vault and vice versa.
  2. **Custom CA Certificate:** This option is used when you as an enterprise want to self-sign the certificate using your own internal CA.
    - **CA CERTIFICATE:** You can either upload the certificate file or copy the contents of the certificate in the textbox provided. You can override the default Global CA cert with a Custom CA Certificate for an Azure Key Vault group.
    - **CLIENT CERTIFICATE** and **PRIVATE KEY:** A Custom CA Certificate has a Client Certificate section where you can configure a client certificate and a private key (Fortanix DSM Certificate and Key). This allows Fortanix DSM to authenticate itself to the Azure Key Vault and vice versa.
3. Click **SAVE**.

### 4.5 Select Key Vault

Azure Key Vault provides two types of resources to store and manage cryptographic keys: Vaults and Managed HSMs. Vaults support software-protected and HSM-protected keys. Azure Managed HSMs only support HSM-protected keys.

> [!NOTE]
> NOTE
> 
> As of the Fortanix DSM release 4.6, we support Software-backed key vaults, HSM-backed key vaults, and Azure Managed HSM Pool.

*For more information about the types of resources that Azure Key Vault provides, refer to the*[*Azure documentation*](https://docs.microsoft.com/en-us/azure/key-vault/keys/about-keys)*.*

1. When the Azure KMS is connected successfully, it enables the **Key vault type** section.
2. From the list of key vaults for the Subscription ID entered, select **Standard** or **Premium**. A **Standard** key vault holds Software-protected keys only; a **Premium** key vault also supports HSM-protected keys, so its keys can be created as either Software-protected or Hardware-protected.
3. Select a key vault from the drop down list for the selected Key vault type.
4. Click **SAVE** to save the group.

### 4.6 Not Connected Scenario

When you click **TEST CONNECTION**, it is possible that Fortanix DSM is not able to connect to the Azure Key Vault. If that happens, it displays a “**Not Connected**” status with a warning symbol ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Screenshot (1811)(4).png). You can still save the connection details you provided and edit them later.

### 4.7 HSM/KMS Tab

The group details now include an **HSM/KMS** tab displaying information about your KMS.

The **HSM/KMS** tab displays the details of the Azure Service Type, including the connection details of the Tenant ID, Client ID, Client Secret, Subscription ID, and Key Vault Name. You can edit these connection details here.

After editing and saving, click **TEST CONNECTION** to check the connection.

Click **SYNC KEYS** to sync keys from the configured Azure KMS to the Azure CDC group.

### 4.8 Groups Table View

After saving the group details, you can view the list of all groups and notice the special symbol ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Screenshot (1812)(4).png) next to the newly created group. This symbol indicates that it is an Azure CDC group, distinguishing it from other groups.

### 4.9 User's View

Navigate to the **Users** menu item in the DSM left navigation bar and click the user that says “**You**” on the **Users** page to view the user’s detailed view.

The detailed view shows all the groups the user belongs to and indicates which groups are mapped to Azure KMS, displaying their status as "connected" or "not connected."

## 5.0 Azure Key Vault Group BYOK and Cloud Native Key Management

*For more information on how to perform native key lifecycle management in Azure Key Vault using Fortanix DSM, refer to*[*Fortanix DSM - Azure Key Vault Cloud Native Key Management*](/v1/docs/fortanix-dsm-azure-key-vault-cloud-native-key-management).

*For more information on how to perform BYOK key lifecycle management in Azure Key Vault using Fortanix DSM, refer to*[*Fortanix DSM - Azure Key Vault Bring Your Own Key*](/v1/docs/fortanix-dsm-azure-key-vault-byok-bring-your-own-key).

Fortanix Data Security Manager (DSM) is the world’s first cloud service secured with Intel® SGX. With Fortanix DSM, you can securely generate, store, and use cryptographic keys and certificates, as well as other secrets such as passwords, API keys, tokens, or any blob of data. Your business-critical applications and containers can integrate with Fortanix DSM using legacy cryptographic interfaces (PKCS#11, CNG, and JCE) or using the native Fortanix DSM RESTful interface.

Fortanix DSM’s BYOK feature generates Linked or Copied virtual keys from a source key enabling backup and key replication to other CSP accounts/subscriptions, regional instances, key repositories, and, most importantly, to multiple cloud providers, including private clouds. This includes seamless movement between private clouds (on-premises) and public clouds. BYOK keys also allow tracking of key activities across multiple CSP repositories for easier restoration if keys are deleted or disabled.

## Related

- [Azure Key Vault Bring Your Own Key](/fortanix-dsm-azure-key-vault-byok-bring-your-own-key.md)
- [Fortanix Support Sign Up Process](/fortanix-support-sign-up-process.md)
- [Fortanix DSM for Google Workspace Client-Side Encryption](/fortanix-dsm-for-google-workspace-client-side-encryption.md)
- [Key Operations](/fortanix-dsm-key-operations.md)
- [Fortanix DSM SaaS Overview](/fortanix-dsm-saas-overview.md)
