Encrypting Data-At-Rest with Customer Managed Keys in M365

As I mentioned in my previous posts, I like to keep my view as holistic as possible, mixing a little bit of the Azure infrastructure and security side with a hint of M365 Compliance and Entra Identity ingredients.
With that in mind, I want to lay out the Azure Key Vault method for using Data Encryption Policies.
There are two different methods to store your encryption keys: Key Vault Premium and Managed HSM. See the comparison article on Learn for which one you should choose.

How to choose the right key management solution - How to choose between Azure Key Vault, Azure Managed HSM, Azure Dedicated HSM, and Azure Payment HSM
Note! Azure Key Vault Premium is billed on a transactional basis, with an additional monthly per-key charge for premium hardware-backed keys. Managed HSM, Dedicated HSM, and Payments HSM don't charge on a transactional basis; instead they are always-in-use devices that are billed at a fixed hourly rate.
What is Key Vault?
Azure Key Vault acts as a central repository for safeguarding sensitive information critical to your applications and cloud resources. It offers robust solutions for three key areas:
- Secret Management: Securely store and control access to confidential data like tokens, passwords, certificates, API keys, and more. Key Vault helps you restrict access to authorized users and applications.
- Key Management: Simplify the process of creating and managing the encryption keys that protect your data. Azure Key Vault provides a centralized location for key control.
- Certificate Management: Effortlessly provision, manage, and deploy public and private TLS/SSL certificates used for Azure services and your internal resources. Key Vault ensures the security of your certificates throughout their lifecycle.
Azure Key Vaults may be either software-protected or, with the Azure Key Vault Premium tier, hardware-protected by hardware security modules (HSMs).
We are now concentrating on keys, since this article is about data encryption, and on the two different models, Premium and Managed HSM.
What can I do with Key Vault Premium?
It has the following data-plane address.
| Resource type | Key protection methods | Data-plane endpoint base URL | 
|---|---|---|
| Vaults | HSM-protected (with Premium SKU) | https://{vault-name}.vault.azure.net | 
See my previous blog for more on what you can do with it.

How to use Azure Key Vault with managed identities and generating keys with auto-rotation
What about Managed HSM?
Each HSM pool is an isolated single-tenant instance with its own security domain, providing complete cryptographic isolation from all other HSMs sharing the same hardware infrastructure.
Managed HSM uses Marvell LiquidSecurity adapters. So yes, you got it right: it is a shared physical device, and separate physical cards host your content.
It has the following data-plane address.
| Resource type | Key protection methods | Data-plane endpoint base URL | 
|---|---|---|
| Managed HSMs | HSM-protected | https://{hsm-name}.managedhsm.azure.net | 
There are three different FIPS levels, and they are based on the Federal Information Security Management Act (FISMA), under which the National Institute of Standards and Technology (NIST) establishes standards and guidelines for federal computer systems, approved by the Secretary of Commerce. These standards and guidelines are developed when there are no existing industry standards or solutions that meet a certain regulatory requirement. FIPS were developed for use by the federal government, although many firms voluntarily adopt them. Managed HSM has the highest FIPS level, Level 3.
You use it almost like a normal Key Vault: once you have it provisioned, you will see Managed HSM in the service where you plan to use the keys. You can generate the keys with the Azure CLI or with the GUI, like below.

And when you have a Managed HSM RSA key in place:

Why to use it?
Regulation and compliance requirements in your industry are one of the biggest reasons: content has to be encrypted with your own keys, which you generate and hold. With an HSM you have the root of trust, but also the responsibility to back up your infrastructure and content.
See some excellent examples from the Azure Architecture Center for HSM deployments.

Browse Azure Architectures - Azure Architecture Center
How to provision?
You can find Managed HSM inside Azure portal from here https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2FmanagedHSMs
Note! It will cost you money from the moment of provisioning, so there is a separate box to check!

And you can also provision it with the Azure CLI:
```bash
# Once connected to the Azure CLI, log in
az login
# Provision your HSM in your location
az group create --name "HSMResourceGroup" --location northeurope
# Get the logged-in user's object ID into $oid and add it as administrator when provisioning the HSM
oid=$(az ad signed-in-user show --query id -o tsv)
az keyvault create --hsm-name "YourHSMName" --resource-group "HSMResourceGroup" --location "northeurope" --administrators $oid --retention-days 7
```
Note! Managed HSM instances are considered always-in-use. If you choose to enable purge protection using the --enable-purge-protection flag, you will be billed for the entirety of the retention period.
```bash
# Generate three RSA-2048 certificates (the security domain wrapping keys)
mkdir -p certs
openssl req -newkey rsa:2048 -nodes -keyout certs/cert_0.key -x509 -days 365 -out certs/cert_0.cer
openssl req -newkey rsa:2048 -nodes -keyout certs/cert_1.key -x509 -days 365 -out certs/cert_1.cer
openssl req -newkey rsa:2048 -nodes -keyout certs/cert_2.key -x509 -days 365 -out certs/cert_2.cer
# Download the security domain (boundary) and activate your HSM
az keyvault security-domain download --hsm-name YourHSMName --sd-wrapping-keys ./certs/cert_0.cer ./certs/cert_1.cer ./certs/cert_2.cer --sd-quorum 2 --security-domain-file YourHSMName-SD.json
```
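Before running the security-domain download, it is worth checking the wrapping-key set you just generated: the security domain is what you need to recover the HSM later, and it can only be decrypted with a quorum of the matching private keys, which the download command never sees (you only hand it the .cer files). The script below is an added example, not code from the original post or from Microsoft. It assumes the layout the post's openssl commands produce (cert_<i>.cer beside cert_<i>.key in one directory) and checks the Managed HSM limits as documented by Microsoft (3 to 10 RSA-2048 wrapping keys, quorum of at least 2 and at most the number of keys), plus two things the tooling does not check for you: that every certificate still has its private key next to it, and that the private keys are not group- or world-readable.

```shell
#!/bin/sh
# Added example, not code from the original post: preflight checks for the
# security-domain wrapping keys before you run
#   az keyvault security-domain download --sd-wrapping-keys ... --sd-quorum N
# Assumed layout (mine): one directory holding cert_<i>.cer with a matching
# cert_<i>.key, exactly what the post's openssl commands produce.
# The limits checked (3 to 10 RSA-2048 wrapping keys, quorum between 2 and the
# number of keys) are the documented Managed HSM limits, not from the post.
set -u

# make_sd_keys DIR COUNT: generate COUNT self-signed RSA-2048 key pairs into DIR,
# the same openssl invocation as the post, and lock the private keys down to 0600.
make_sd_keys() {
  dir=$1; count=$2; i=0
  mkdir -p "$dir"
  while [ "$i" -lt "$count" ]; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=sd-wrapping-key-$i" \
      -keyout "$dir/cert_$i.key" -x509 -days 365 -out "$dir/cert_$i.cer" 2>/dev/null
    chmod 600 "$dir/cert_$i.key"
    i=$((i + 1))
  done
}

# validate_sd_keys DIR QUORUM: return 0 if the set can safely be handed to
# security-domain download, 1 otherwise, printing one line per failed check.
validate_sd_keys() {
  dir=$1; quorum=$2; rc=0; n=0
  for cer in "$dir"/cert_*.cer; do
    [ -e "$cer" ] || break
    n=$((n + 1))
    key=${cer%.cer}.key
    # the wrapping certificate must parse as X.509 ...
    if ! openssl x509 -in "$cer" -noout 2>/dev/null; then
      echo "FAIL: $cer is not a valid certificate"; rc=1; continue
    fi
    # ... and carry an RSA public key of 2048 bits or more
    info=$(openssl x509 -in "$cer" -noout -text 2>/dev/null)
    bits=$(printf '%s\n' "$info" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    case $info in
      *rsaEncryption*) ;;
      *) echo "FAIL: $cer public key is not RSA"; rc=1 ;;
    esac
    if [ -z "$bits" ] || [ "$bits" -lt 2048 ]; then
      echo "FAIL: $cer key size ${bits:-unknown} is below 2048 bits"; rc=1
    fi
    # the private key must exist (without it this cert can never help decrypt the domain) ...
    if [ ! -f "$key" ]; then
      echo "FAIL: no private key $key for $cer"; rc=1; continue
    fi
    # ... must belong to the certificate (same RSA modulus) ...
    cer_mod=$(openssl x509 -in "$cer" -noout -modulus 2>/dev/null)
    key_mod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)
    if [ -z "$cer_mod" ] || [ "$cer_mod" != "$key_mod" ]; then
      echo "FAIL: $key does not belong to $cer"; rc=1
    fi
    # ... and must not be readable by group or others
    if [ -n "$(find "$key" \( -perm -040 -o -perm -004 \) -print 2>/dev/null)" ]; then
      echo "FAIL: $key is readable by group or others"; rc=1
    fi
  done
  # quorum arithmetic: 3 to 10 keys, and 2 <= quorum <= number of keys
  if [ "$n" -lt 3 ] || [ "$n" -gt 10 ]; then
    echo "FAIL: found $n wrapping certificates, need 3 to 10"; rc=1
  fi
  if [ "$quorum" -lt 2 ] || [ "$quorum" -gt "$n" ]; then
    echo "FAIL: quorum $quorum must be between 2 and the number of keys ($n)"; rc=1
  fi
  return "$rc"
}

# Stand-alone demo: three fresh key pairs in a temp dir, checked for quorum 2.
if command -v openssl >/dev/null 2>&1; then
  demo_dir=$(mktemp -d)
  make_sd_keys "$demo_dir" 3
  validate_sd_keys "$demo_dir" 2 && echo "OK: $demo_dir is ready for --sd-quorum 2"
  rm -rf "$demo_dir"
fi
```

Run `validate_sd_keys ./certs 2` with the directory and the quorum you intend to pass to `--sd-quorum`; proceed with the download only when it prints nothing and returns 0. Afterwards, store the private keys offline and apart from the downloaded security-domain file, since whoever holds a quorum of them together with that file can restore the HSM.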
How to remove?
You tried it, but now you want to remove it. Well, that isn't super easy, but here you go, and I found at least one reason why.
When you deprovision the HSM, your subscription has to be in the Enabled state. Otherwise you cannot, and you will get the following error when trying:
(ProviderError) Resource provider 'Microsoft.KeyVault' failed to return collection response for type 'deletedManagedHSMs'.
Code: ProviderError
Message: Resource provider 'Microsoft.KeyVault' failed to return collection response for type 'deletedManagedHSMs'.
So do the following to get it working:
```bash
# Select the subscription and show its state (Disabled, Enabled)
az account show --subscription SUBSCRIPTIONID --query state
# List deleted HSMs in the subscription
az keyvault list-deleted --subscription SUBSCRIPTIONID --resource-type hsm
# Delete the HSM from your subscription
az keyvault delete --hsm-name HSMNAME --location westus3 --subscription SUBSCRIPTIONID
```
Note! Deleting the resource group puts the Managed HSM into a soft-deleted state. The Managed HSM will continue to be billed until it is purged.
```bash
# Purge deleted HSMs from the subscription
az keyvault purge --hsm-name HSMNAME --location westus3 --subscription SUBSCRIPTIONID
# Finally remove your HSM resource group
az group delete --name YourResourceGroup
```
But if you have your subscription active, it's super easy.

Remove-AzKeyVaultManagedHsm (Az.KeyVault)
Data Encryption Policies (DEP)
Now that we know about Key Vaults, and maybe even have them in place, we can see what can be done with those keys in M365 services. I will illustrate first to set the stage.

And these steps can be achieved with:
- Setup Key Vault
- Setting up a Customer Managed Key in Key Vault https://learn.microsoft.com/en-us/purview/customer-key-set-up
- Assigning the Data Encryption Policy to the whole tenant or to a specific service https://learn.microsoft.com/en-us/purview/customer-key-manage
How easy is that? Well, it isn't, but it could be mandatory based on the regulations you follow, or just a fun learning experience!
