
Managed HSM vs Key Vault: Key Rotation and Access Control Models

Complete AZ-104 tutorial on Azure Key Vault. Learn RBAC vs access policies, managed HSM features, key rotation policy, private endpoints.

Introduction

Effective key management is a critical part of protecting sensitive data in the cloud. Azure Key Vault and Azure Managed HSM (Hardware Security Module) are the two Azure services for managing cryptographic keys, and understanding how they differ, particularly in key rotation and in their access control models, matters to Azure administrators preparing for the AZ-104 certification.

Azure Key Vault stores keys, secrets, and certificates in a multitenant service, while Managed HSM is a fully managed, single-tenant HSM that holds keys only and is aimed at compliance and high-assurance workloads. This tutorial covers key rotation policies, the difference between Role-Based Access Control (RBAC) and the legacy access-policy model, Managed HSM's local RBAC, and the features that set each service apart. With these concepts in hand, administrators can apply sound key-management practices and meet compliance requirements in their Azure environments.

Prerequisites

Before diving into the tutorial, ensure you have the following:

  • Azure Subscription: An active Azure subscription to create and manage resources.
  • Permissions: The necessary RBAC permissions (Owner, Contributor, or specific Key Vault roles) to create and manage Key Vault and Managed HSM.
  • Tools: Azure CLI or Azure PowerShell installed, and access to the Azure Portal.
  • Services Enabled: Ensure Azure Key Vault and Managed HSM services are available in your Azure region.

Core Concepts

Definitions

  • Azure Key Vault: A cloud service for securely storing and accessing secrets, keys, and certificates. The Standard tier protects keys in software; the Premium tier adds HSM-protected keys backed by Microsoft-managed, multitenant FIPS 140 validated HSMs.
  • Managed HSM: A fully managed, single-tenant HSM service built on FIPS 140-3 Level 3 validated hardware. It stores keys only; secrets and certificates still belong in Key Vault.

Architecture

Azure Key Vault is a multitenant service: your vault shares infrastructure (and, on the Premium tier, HSM partitions) with other customers and is isolated logically. Managed HSM is single-tenant: each instance has its own HSM partitions and a customer-held security domain that must be downloaded to activate the instance and kept safe to recover it later. Both services support private endpoints and a firewall, so networking is not what separates them. The real difference is in data-plane access control: Key Vault uses Azure RBAC or the legacy access-policy model, while Managed HSM uses its own local RBAC, with role definitions and assignments stored inside the HSM and managed with az keyvault role assignment rather than az role assignment. Azure RBAC still governs the control plane (creating, deleting, and configuring networking) for both services.

When to Use

  • Use Azure Key Vault for general-purpose key management, especially when multitenancy is acceptable and cost is a concern.
  • Use Managed HSM for high-security requirements, regulatory compliance, and when dedicated hardware is necessary.

Limitations

  • Azure Key Vault supports at most 1024 access policy entries per vault, and the access-policy model cannot scope access to an individual key or secret; both limits push larger organizations towards the Azure RBAC model.
  • Managed HSM stores only keys (no secrets or certificates), is unusable until its security domain has been downloaded, and costs more because the hardware is dedicated to one customer.

Pricing Notes

Azure Key Vault is billed per operation (plus a charge per HSM-protected key on the Premium tier), so an idle vault costs almost nothing. Managed HSM is billed per hour for each instance, whether or not it is used.

Syntax/Configuration

Azure CLI Commands

Here are some commands to manage key rotation and access controls for both Azure Key Vault and Managed HSM:

Key Vault Key Rotation

# Set a key rotation policy (--value takes inline JSON or a path to a JSON file)
az keyvault key rotation-policy update --vault-name <vault-name> --name <key-name> --value <path/to/policy.json>

Managed HSM Key Rotation

# Same command and policy format, but a Managed HSM is addressed with --hsm-name, not --vault-name
az keyvault key rotation-policy update --hsm-name <hsm-name> --name <key-name> --value <path/to/policy.json>

Azure PowerShell Commands

# Set a key rotation policy for Key Vault (use -HsmName instead of -VaultName for Managed HSM).
# Rotation must fall at least 7 days after creation and 7 days before expiry or the service rejects it.
$rotate = @{ Action = "Rotate"; TimeAfterCreate = (New-TimeSpan -Days 540) }
Set-AzKeyVaultKeyRotationPolicy -VaultName <vault-name> -Name <key-name> -ExpiresIn (New-TimeSpan -Days 720) -KeyRotationLifetimeAction $rotate
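The service rejects a policy that breaks its rules (a Rotate action with zero or two triggers, a timeBeforeExpiry trigger without an expiry time, or a rotation closer than 7 days to creation or expiry) only when you submit it. The following Python, an added example that is not part of this tutorial or of any Azure SDK, builds the JSON shape that the --value parameter above accepts, applies those checks locally first, and works out when the next key version will appear. The day counts it uses for months and years are approximations for the ordering checks only; the policy keeps the original ISO 8601 strings.

```python
"""Build and pre-validate a key rotation policy for Azure Key Vault or Managed HSM.

Added example, not code from the tutorial or from Azure. It emits the JSON shape
that `az keyvault key rotation-policy update --value` accepts (identical for
--vault-name and --hsm-name) and checks, before the call, the rules the service
enforces: a Rotate action has exactly one trigger, timeBeforeExpiry triggers and
Notify actions need an expiry time, and rotation falls at least MIN_DAYS after
creation and MIN_DAYS before expiry.
"""
import json
import re
from datetime import date, timedelta
from typing import Optional

MIN_DAYS = 7  # documented minimum distance from creation and from expiry
_DURATION = re.compile(r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?$")


def duration_to_days(iso: str) -> int:
    """Convert an ISO 8601 duration such as 'P90D', 'P3M' or 'P1Y' to days.

    Months and years are approximated (30 and 365 days); this is only used to
    order triggers against each other, never sent to the service.
    """
    m = _DURATION.match(iso)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {iso!r}")
    years, months, days = (int(g) if g else 0 for g in m.groups())
    return years * 365 + months * 30 + days


def build_rotation_policy(expiry: Optional[str] = None,
                          rotate_after_create: Optional[str] = None,
                          rotate_before_expiry: Optional[str] = None,
                          notify_before_expiry: Optional[str] = None) -> dict:
    """Return a policy dict; raise ValueError for anything the service would reject."""
    if (rotate_after_create is None) == (rotate_before_expiry is None):
        raise ValueError("Rotate needs exactly one trigger: timeAfterCreate or timeBeforeExpiry")
    if expiry is None and (rotate_before_expiry or notify_before_expiry):
        raise ValueError("timeBeforeExpiry triggers require attributes.expiryTime")
    expiry_days = duration_to_days(expiry) if expiry else None

    if rotate_after_create is not None:
        after = duration_to_days(rotate_after_create)
        if after < MIN_DAYS:
            raise ValueError(f"rotation must be at least {MIN_DAYS} days after creation")
        if expiry_days is not None and expiry_days - after < MIN_DAYS:
            raise ValueError(f"rotation must be at least {MIN_DAYS} days before expiry")
        trigger = {"timeAfterCreate": rotate_after_create}
    else:
        before = duration_to_days(rotate_before_expiry)
        if before < MIN_DAYS or expiry_days - before < MIN_DAYS:
            raise ValueError(f"rotation must be {MIN_DAYS}+ days after creation and before expiry")
        trigger = {"timeBeforeExpiry": rotate_before_expiry}

    actions = [{"trigger": trigger, "action": {"type": "Rotate"}}]
    if notify_before_expiry is not None:
        duration_to_days(notify_before_expiry)  # format check only; Notify has no spacing rule
        actions.append({"trigger": {"timeBeforeExpiry": notify_before_expiry},
                        "action": {"type": "Notify"}})
    policy = {"lifetimeActions": actions}
    if expiry is not None:
        policy["attributes"] = {"expiryTime": expiry}
    return policy


def policy_json(policy: dict) -> str:
    """Serialise for --value '<json>'; the same string works for --vault-name and --hsm-name."""
    return json.dumps(policy, separators=(",", ":"))


def next_rotation_date(created_iso: str, policy: dict) -> Optional[str]:
    """ISO date on which the service will create the next version of a key created on created_iso."""
    created = date.fromisoformat(created_iso)
    expiry = policy.get("attributes", {}).get("expiryTime")
    for item in policy["lifetimeActions"]:
        if item["action"]["type"] != "Rotate":
            continue
        trig = item["trigger"]
        if "timeAfterCreate" in trig:
            days = duration_to_days(trig["timeAfterCreate"])
        else:
            days = duration_to_days(expiry) - duration_to_days(trig["timeBeforeExpiry"])
        return (created + timedelta(days=days)).isoformat()
    return None


if __name__ == "__main__":
    policy = build_rotation_policy(expiry="P90D", rotate_after_create="P60D", notify_before_expiry="P14D")
    print(policy_json(policy))
    print("next rotation for a key created 2024-01-01:", next_rotation_date("2024-01-01", policy))
```

Pipe the output of policy_json straight into --value, then read the policy back with az keyvault key rotation-policy show to confirm the service stored what you sent; the attributes.expiryTime is what later lets a Notify action fire.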

Practical Examples

  1. Creating a Key Vault (with the Azure RBAC permission model, so access policies are disabled and step 8 applies):

    az keyvault create --name <vault-name> --resource-group <resource-group> --location <location> --enable-rbac-authorization true
    
  2. Adding a Key to Key Vault (the caller needs a data-plane role such as Key Vault Crypto Officer; creating the vault does not grant one):

    az keyvault key create --vault-name <vault-name> --name <key-name> --protection software
    
  3. Setting a Rotation Policy for a Key (rotate 30 days after creation and expire at 90 days; rotation must be at least 7 days after creation and 7 days before expiry):

    az keyvault key rotation-policy update --vault-name <vault-name> --name <key-name> --value '{"lifetimeActions": [{"trigger": {"timeAfterCreate": "P30D"}, "action": {"type": "Rotate"}}], "attributes": {"expiryTime": "P90D"}}'
    
  4. Creating a Managed HSM Instance (--administrators and --retention-days are required; the instance cannot be used until the security domain has been downloaded, which activates it, and the wrapping certificates' private keys plus the security domain file are needed to recover it):

    az keyvault managed-hsm create --name <hsm-name> --resource-group <resource-group> --location <location> --administrators <admin-object-id> --retention-days 28
    az keyvault security-domain download --hsm-name <hsm-name> --sd-wrapping-keys <cert1.cer> <cert2.cer> <cert3.cer> --sd-quorum 2 --security-domain-file <hsm-name>-SD.json
    
  5. Adding a Key to Managed HSM (addressed with --hsm-name, not --vault-name; every Managed HSM key is HSM-protected):

    az keyvault key create --hsm-name <hsm-name> --name <key-name> --kty RSA-HSM
    
  6. Setting a Rotation Policy for a Managed HSM Key (same policy format as step 3):

    az keyvault key rotation-policy update --hsm-name <hsm-name> --name <key-name> --value '{"lifetimeActions": [{"trigger": {"timeAfterCreate": "P30D"}, "action": {"type": "Rotate"}}], "attributes": {"expiryTime": "P90D"}}'
    
  7. Access Policy Configuration (only for vaults that still use the access-policy model; it fails on a vault created as in step 1):

    az keyvault set-policy --name <vault-name> --upn <user-email> --secret-permissions get list
    
  8. RBAC Assignment (Key Vault Administrator is full data-plane control over every key, secret and certificate; for a workload that only reads secrets assign Key Vault Secrets User instead, and for a Managed HSM use az keyvault role assignment create --hsm-name, because its roles live inside the HSM):

    az role assignment create --assignee <user-email> --role "Key Vault Administrator" --scope /subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.KeyVault/vaults/<vault-name>
    

Real-World Scenarios

  1. Compliance-Driven Company: A financial institution uses Managed HSM to securely store keys for sensitive transactions, ensuring compliance with regulations like PCI DSS.

  2. Application Development: A startup employs Azure Key Vault to manage API keys and secrets for its applications while utilizing RBAC for fine-grained access control.

  3. Centralized Key Management: A large enterprise implements both services, using Azure Key Vault for general secrets management while leveraging Managed HSM for critical cryptographic operations.

Best Practices

  1. Use RBAC Over Access Policies: Switch vaults to the Azure RBAC permission model (enableRbacAuthorization); the two models are mutually exclusive per vault. RBAC can be scoped down to a single key, secret or certificate, is managed with the same tooling as every other Azure resource, and removes the access-policy escalation path in which anyone holding Contributor on the vault can grant themselves data-plane access.

  2. Implement Key Rotation Policies: Configure automatic rotation so a new key version is produced on schedule, and reference keys by their versionless URI so consumers pick up the new version. Add a Notify action near expiry so you hear about a lapsing key before it lapses. Key Vault does not rotate secrets for you; plan secret rotation separately, for example from the SecretNearExpiry Event Grid event.

  3. Use Private Endpoints: Both Key Vault and Managed HSM support private endpoints. Pair them with a firewall default action of Deny (or public network access disabled) so the data plane is reachable only from your virtual networks.

  4. Monitor Access Logs: Send the audit logs for both services to Log Analytics through diagnostic settings and alert on Forbidden and Unauthorized results, unexpected caller addresses, and administrative operations such as policy or role changes.

  5. Follow the Principle of Least Privilege: Give workloads the narrowest data-plane role that works (for example Key Vault Secrets User or Key Vault Crypto Service Encryption User), assign administrative roles to groups rather than individuals, and activate them just in time. On Managed HSM keep the Managed HSM Administrator role, which manages roles and backups but cannot use keys, separate from the Crypto Officer and Crypto User roles that do.
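Practices 1 and 5 above are easy to state and hard to check by eye once a vault has inherited assignments from its resource group and subscription. The following Python, an added example rather than the tutorial's or Azure's code, audits the list returned by az role assignment list --scope <vault-id> --include-inherited -o json using only its principalName, principalType, roleDefinitionName and scope fields. The sample assignments and the vault ID are constructed. It applies three rules: a privileged role anywhere on the path to the vault; a data-plane role inherited from a broader scope than the vault; and, on a vault that still uses access policies, a Contributor-class role, which can write an access policy for itself (that path does not exist under the RBAC model, so the rule switches off when rbac_enabled is true).

```python
"""Least-privilege audit of Key Vault role assignments.

Added example, not the tutorial's or Azure's code. Input is the JSON list from
`az role assignment list --scope <vault-id> --include-inherited -o json`; the
assignments below are constructed. Role names are the Azure built-in roles.
"""
from typing import Dict, List

DATA_PLANE_ROLES = {
    "Key Vault Administrator", "Key Vault Reader",
    "Key Vault Secrets Officer", "Key Vault Secrets User",
    "Key Vault Crypto Officer", "Key Vault Crypto User",
    "Key Vault Crypto Service Encryption User", "Key Vault Certificates Officer",
}
# Full data-plane control, or the ability to hand it out.
PRIVILEGED_ROLES = {"Key Vault Administrator", "Key Vault Data Access Administrator",
                    "Owner", "User Access Administrator"}
# Control-plane writers that can edit accessPolicies on a non-RBAC vault.
ACCESS_POLICY_WRITERS = {"Contributor", "Key Vault Contributor"}

SUBSCRIPTION = "/subscriptions/00000000-0000-0000-0000-000000000000"   # constructed
VAULT_ID = SUBSCRIPTION + "/resourceGroups/rg-prod/providers/Microsoft.KeyVault/vaults/kv-prod"

SAMPLE_ASSIGNMENTS = [  # constructed sample of az role assignment list output
    {"principalName": "alice@contoso.com", "principalType": "User",
     "roleDefinitionName": "Key Vault Administrator", "scope": VAULT_ID},
    {"principalName": "app-billing", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Key Vault Secrets User", "scope": VAULT_ID},
    {"principalName": "bob@contoso.com", "principalType": "User",
     "roleDefinitionName": "Key Vault Secrets Officer",
     "scope": SUBSCRIPTION + "/resourceGroups/rg-prod"},
    {"principalName": "sg-platform", "principalType": "Group",
     "roleDefinitionName": "Contributor", "scope": SUBSCRIPTION},
]


def is_ancestor_scope(scope: str, vault_id: str) -> bool:
    """True when scope is a parent (subscription or resource group) of the vault, not the vault itself."""
    s, v = scope.lower().rstrip("/"), vault_id.lower()
    return s != v and v.startswith(s + "/")


def audit_assignments(assignments: List[dict], vault_id: str, rbac_enabled: bool) -> List[Dict[str, str]]:
    """Return one finding per rule violation, in input order."""
    findings: List[Dict[str, str]] = []
    for a in assignments:
        who = f"{a['principalType']} {a['principalName']}"
        role, scope = a["roleDefinitionName"], a["scope"]
        if role in PRIVILEGED_ROLES:
            findings.append({"severity": "high", "principal": who, "role": role,
                             "reason": "privileged role; grant through a group with PIM and use an Officer role for daily work"})
        if role in DATA_PLANE_ROLES and is_ancestor_scope(scope, vault_id):
            findings.append({"severity": "medium", "principal": who, "role": role,
                             "reason": f"data-plane role inherited from {scope}; re-assign at vault scope"})
        if not rbac_enabled and role in ACCESS_POLICY_WRITERS:
            findings.append({"severity": "high", "principal": who, "role": role,
                             "reason": "can add an access policy for itself on an access-policy vault; move the vault to RBAC"})
    return findings


if __name__ == "__main__":
    for f in audit_assignments(SAMPLE_ASSIGNMENTS, VAULT_ID, rbac_enabled=False):
        print(f"[{f['severity']}] {f['principal']} ({f['role']}): {f['reason']}")
```

Run it against a real vault by piping the az output into json.load and reading enableRbacAuthorization from az keyvault show; the third rule disappearing when you flip that property is the concrete argument for practice 1.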

Common Errors

  1. Insufficient Permissions:

    • Error: "403 Forbidden: The client does not have permission to perform this operation."
    • Cause: The caller is authenticated but has no data-plane access: no Azure RBAC data role on a vault using the RBAC model, no access policy on a vault using access policies, or no local RBAC role on a Managed HSM. Creating the vault, or holding Owner or Contributor on it, does not grant data-plane access under RBAC.
    • Fix: Assign the narrowest role that covers the operation (Key Vault Secrets User to read secrets, Key Vault Crypto Officer to create keys, Managed HSM Crypto User for key operations on a Managed HSM). Azure RBAC assignments can take several minutes to take effect.
  2. Key Not Found:

    • Error: "404 Not Found: The specified key does not exist."
    • Cause: The key was never created, was soft-deleted, or the command targets the wrong instance (for example --vault-name pointing at a Managed HSM that must be addressed with --hsm-name).
    • Fix: Check az keyvault key list and az keyvault key list-deleted, recover the key if it was soft-deleted, or create it.
  3. Invalid Key Rotation Policy:

    • Error: "400 Bad Request: The rotation policy is invalid."
    • Cause: The policy JSON is malformed, or it breaks a service rule: a timeBeforeExpiry trigger or Notify action without an expiry time, or a rotation that falls less than 7 days after creation or less than 7 days before expiry.
    • Fix: Validate the JSON and the ISO 8601 durations (for example P90D) before submitting, then read the policy back with az keyvault key rotation-policy show to confirm what was stored.
  4. Network Access Denied:

    • Error: A 403 whose message states that the client address is not authorized and the caller is not a trusted service.
    • Cause: The vault firewall or private endpoint configuration blocks the caller's network location; this is about the network path, not the identity, so adding roles will not help.
    • Fix: Add the client address or virtual network rule, connect through the private endpoint, or enable the trusted-services bypass if the caller is an Azure service that supports it.
  5. Managed HSM Not Activated:

    • Error: Key operations on a freshly created Managed HSM fail.
    • Cause: The instance has been provisioned but its security domain has not been downloaded, so it is not yet activated.
    • Fix: Run az keyvault security-domain download with the wrapping certificates and quorum, then store the security domain file and the certificates' private keys offline; they are required to recover the HSM.
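The 403 responses in errors 1 and 4 are also the signal that the monitoring practice recommended earlier should be looking for: a handful of Forbidden results from one identity in a few minutes is usually a misconfiguration, but it is also what permission probing with a stolen token looks like. The following Python, an added example that is not part of the tutorial or of any Azure tooling, runs two detections over Key Vault AuditEvent records. The record shape is simplified from the AuditEvent resource-log schema to the fields it needs (time, operationName, resultSignature, callerIpAddress and a flattened identity), and the sample events and the allowed network list are constructed.

```python
"""Spot suspicious callers in Key Vault AuditEvent logs.

Added example, not from the tutorial or Azure. Records are simplified from the
AuditEvent resource-log schema; SAMPLE_EVENTS is constructed. Two detections:
  1. denied_bursts: N or more Forbidden/Unauthorized results from one
     identity+address inside a sliding window (probing or token replay);
  2. out_of_network_success: a successful operation from an address outside the
     networks the firewall or private endpoint should restrict access to.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

DENIED = {"Forbidden", "Unauthorized"}

SAMPLE_EVENTS = [  # constructed; identity is the upn or app name from the identity claims
    {"time": "2024-05-01T10:00:00Z", "operationName": "SecretGet", "resultSignature": "OK",
     "callerIpAddress": "10.0.1.5", "identity": "app-billing"},
    {"time": "2024-05-01T10:01:00Z", "operationName": "SecretGet", "resultSignature": "Forbidden",
     "callerIpAddress": "203.0.113.7", "identity": "eve@contoso.com"},
    {"time": "2024-05-01T10:01:20Z", "operationName": "KeyList", "resultSignature": "Forbidden",
     "callerIpAddress": "203.0.113.7", "identity": "eve@contoso.com"},
    {"time": "2024-05-01T10:02:05Z", "operationName": "SecretList", "resultSignature": "Forbidden",
     "callerIpAddress": "203.0.113.7", "identity": "eve@contoso.com"},
    {"time": "2024-05-01T10:30:00Z", "operationName": "KeyGet", "resultSignature": "OK",
     "callerIpAddress": "198.51.100.9", "identity": "app-billing"},
    {"time": "2024-05-01T10:40:00Z", "operationName": "VaultGet", "resultSignature": "OK",
     "callerIpAddress": "10.0.1.5", "identity": "alice@contoso.com"},
]


def _ts(value: str) -> datetime:
    """Parse the log's UTC timestamp (trailing Z) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def denied_bursts(events: List[dict], threshold: int = 3,
                  window: timedelta = timedelta(minutes=5)) -> List[Dict[str, object]]:
    """One finding per identity+address with >= threshold denials inside any window."""
    per_caller: Dict[tuple, List[datetime]] = defaultdict(list)
    for e in events:
        if e["resultSignature"] in DENIED:
            per_caller[(e["identity"], e["callerIpAddress"])].append(_ts(e["time"]))
    hits = []
    for (identity, ip), times in per_caller.items():
        times.sort()
        for i, start in enumerate(times):          # sliding window anchored at each denial
            count = sum(1 for t in times[i:] if t - start <= window)
            if count >= threshold:
                hits.append({"identity": identity, "ip": ip, "denied": count,
                             "from": start.isoformat()})
                break                              # report each caller once
    return hits


def out_of_network_success(events: List[dict], allowed_cidrs: List[str]) -> List[Dict[str, str]]:
    """Successful operations whose caller address lies outside every allowed network."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    hits = []
    for e in events:
        if e["resultSignature"] != "OK":
            continue
        addr = ipaddress.ip_address(e["callerIpAddress"])
        if not any(addr in n for n in nets):
            hits.append({"identity": e["identity"], "ip": e["callerIpAddress"],
                         "operation": e["operationName"], "time": e["time"]})
    return hits


if __name__ == "__main__":
    for h in denied_bursts(SAMPLE_EVENTS):
        print("denied burst:", h)
    for h in out_of_network_success(SAMPLE_EVENTS, ["10.0.0.0/8"]):
        print("success from outside allowed networks:", h)
```

The same two conditions translate directly into Log Analytics alert rules once the AuditEvent category is flowing through a diagnostic setting; the Python version is useful for a quick pass over exported JSON during an investigation.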

Related Services/Commands

Service           Tenancy        Key Rotation   Control plane   Data-plane access control
Azure Key Vault   Multitenant    Supported      Azure RBAC      Azure RBAC (recommended) or access policies
Managed HSM       Single-tenant  Supported      Azure RBAC      Local RBAC (roles stored inside the HSM)

Automation Script

Here's an example Azure PowerShell (Az module) script that creates a Key Vault with the RBAC permission model, adds a key, and sets a rotation policy:

# Variables
$vaultName     = "<vault-name>"
$keyName       = "<key-name>"
$resourceGroup = "<resource-group>"
$location      = "<location>"

# Create the Key Vault with the Azure RBAC permission model (access policies disabled)
New-AzKeyVault -Name $vaultName -ResourceGroupName $resourceGroup -Location $location -EnableRbacAuthorization

# Create a software-protected key. The account running this needs a data-plane role such as
# Key Vault Crypto Officer on the new vault; creating the vault does not grant one.
# Use -Destination HSM on the Premium tier for an HSM-protected key.
Add-AzKeyVaultKey -VaultName $vaultName -Name $keyName -Destination Software

# Rotate 540 days after creation and expire at 720 days. Rotation must fall at least
# 7 days after creation and 7 days before expiry or the service rejects the policy.
$rotate = @{ Action = "Rotate"; TimeAfterCreate = (New-TimeSpan -Days 540) }
Set-AzKeyVaultKeyRotationPolicy -VaultName $vaultName -Name $keyName -ExpiresIn (New-TimeSpan -Days 720) -KeyRotationLifetimeAction $rotate

# Read the policy back rather than trusting that the call succeeded
Get-AzKeyVaultKeyRotationPolicy -VaultName $vaultName -Name $keyName

# Output
Write-Host "Key Vault and key created with rotation policy."

Conclusion

In conclusion, both Azure Key Vault and Managed HSM provide robust solutions for key management, with distinct advantages for different scenarios. Understanding their features, especially regarding key rotation policies and access control models, is crucial for Azure administrators.

As you prepare for the AZ-104 exam, consider exploring further resources, hands-on labs, and Microsoft documentation to deepen your understanding of these critical services.
