Configure an Azure Key Vault

Last update: 2023-10-12
  • Created for:
  • Developer

Customer-managed keys (CMK) only supports keys from a Microsoft Azure Key Vault. To get started, you must work with Azure to create a new enterprise account, or use an existing enterprise account and follow the steps below to create the Key Vault.


Only the Premium and Standard service tiers for Azure Key Vault are supported. Azure Managed HSM, Azure Dedicated HSM and Azure Payments HSM are not supported. Refer to the Azure documentation for more information on offered key management services.


The documentation below only covers the basic steps to create the Key Vault. Outside of this guidance, you should configure the Key Vault as per your organization’s policies.

Log in to the Azure portal and use the search bar to locate Key vaults under the list of services.

The search feature in Microsoft Azure with Key vaults highlighted in the search results.

The Key vaults page appears after selecting the service. From here, select Create.

The Key vaults dashboard in Microsoft Azure with Create highlighted.

Using the provided form, fill in the basic details for the Key Vault, including a name and an assigned resource group.


While most options can be left as their default values, make sure that you enable the soft-delete and purge protection options. If you do not turn on these features, you could risk losing access to your data if the Key Vault is deleted.

The Microsoft Azure Create a Key Vault workflow with soft delete and purge protection highlighted.

From here, continue going through the Key Vault creation workflow and configure the different options according to your organization’s policies.

Once you arrive at the Review + create step, you can review the details of the Key Vault while it goes through validation. Once validation passes, select Create to complete the process.

The Microsoft Azure Key vaults Review and create page with Create highlighted.

Configure access

Next, enable Azure role-based access control for your key vault. Select Access configuration in the Settings section of the left navigation, then select Azure role-based access control to enable the setting. This step is essential as the CMK App must later be associated with an Azure role. Assigning a role is documented in both the API and UI workflows.

The Microsoft Azure dashboard with Access configuration and Azure role-based access control highlighted.

Configure networking options

If your Key Vault is configured to restrict public access to certain virtual networks or disable public access entirely, you must grant Microsoft a firewall exception.

Select Networking in the left navigation. Under Firewalls and virtual networks, select the checkbox Allow trusted Microsoft services to bypass this firewall, then select Apply.

The Networking tab of Microsoft Azure with Networking and Allow trusted Microsoft surfaces to bypass this firewall exception highlighted.

Generate a key

Once you have created a Key Vault, you can generate a new key. Navigate to the Keys tab and select Generate/Import.

The Keys tab of Azure with Generate import highlighted.

Use the provided form to provide a name for the key, and select RSA for the key type. At a minimum, the RSA key size must be at least 3072 bits as required by Cosmos DB. Azure Data Lake Storage is also compatible with RSA 3027.


Remember the name that you provide for the key, as it is required to send the key to Adobe.

Use the remaining controls to configure the key you want to generate or import as desired. When finished, select Create.

The Create a key dashboard with 3072 bits highlighted.

The configured key appears in the list of keys for the vault.

The Keys workspace with the key name highlighted.

Next steps

To continue the one-time process for setting up the customer-managed keys feature, continue with either the API or UI customer-managed keys setup guides.

On this page