Microsoft is committed to ensuring that customers using Microsoft Purview Information Protection with Bring Your Own Key (BYOK) continue to benefit from a secure, compliant, and modern cryptographic foundation. As part of Azure Key Vault (AKV) platform lifecycle management, the AKV team has announced the retirement of the legacy HSM Platform One.
What is changing?
In early 2024, Azure Key Vault introduced a modernized hardware security module (HSM) platform based on FIPS 140-2 Level 3 certified HSMs. As part of this evolution, the legacy HSM Platform One will be retired on September 15, 2028. Many Information Protection customers who use BYOK today rely on this legacy platform.
Why this matters for BYOK customers
BYOK configurations for Information Protection require that the tenant root key is stored in Azure Key Vault, and Azure Key Vault does not support exporting a key once it has been imported. As a result, affected customers will need to migrate their BYOK key to a new Key Vault on the modern HSM platform and update their Purview configuration to reference it.
If no action is taken before the retirement date, encryption and decryption operations for Information Protection will become unavailable until the key is successfully migrated.
Why act now (even though retirement is in 2028)?
Although the retirement date is several years away, Microsoft strongly recommends that customers begin planning now. Migrating sooner allows customers to move to the most secure configuration available today. More critically, some customers may no longer have access to the original on-premises key material that was used during initial BYOK setup. Recovering, regenerating, or replacing this key material can take significant time and coordination across security, compliance, and HSM teams.
What should customers do next?
For customers using BYOK with Information Protection:
- Confirm whether your tenant key is stored on the legacy HSM Platform One
- If so, create a new Azure Key Vault on the modern HSM platform
- Re-import the original key material into the new vault
- If your organization no longer has access to the original key material, begin planning immediately and engage with Microsoft support to explore your options
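The four steps above, outlined in PowerShell as an added example (it is not part of the announcement or of Microsoft's documentation) using the Az.KeyVault and AIPService modules. The vault names, resource group, region, key name and file path are placeholders, and the example assumes a .byok transfer package for the new vault has already been generated from the original on-premises key material.

```powershell
# Added example (not from the announcement): PowerShell outline of the BYOK
# migration steps. All names, paths and locations below are placeholders.
Import-Module Az.KeyVault, AIPService
Connect-AzAccount
Connect-AipService

# --- Step 1: identify the key Purview currently uses and inspect it in Key Vault
Get-AipServiceKeys | Format-List          # lists the tenant keys and their identifiers

$legacyVault = 'contoso-akv-legacy'       # placeholder: vault holding the current BYOK key
$keyName     = 'contoso-byok-root'        # placeholder: key name in that vault
$oldKey = Get-AzKeyVaultKey -VaultName $legacyVault -Name $keyName
# Inspect the key's attributes; the Azure Key Vault retirement guidance explains
# how to tell a Platform One key from a key on the modern platform.
$oldKey.Attributes | Format-List

# --- Step 2: create a new vault on the modern platform
# (the Premium SKU is required for HSM-protected keys)
$newVault = 'contoso-akv-modern'          # placeholder
New-AzKeyVault -Name $newVault -ResourceGroupName 'rg-purview-keys' `
    -Location 'eastus' -Sku Premium

# --- Step 3: re-import the ORIGINAL key material into the new vault
# The legacy vault cannot export the key, so the transfer package must come
# from the original on-premises key material. Assumes the .byok file was
# generated for the new vault; -Destination HSM keeps the key HSM-protected.
$newKey = Add-AzKeyVaultKey -VaultName $newVault -Name $keyName `
    -KeyFilePath '.\contoso-byok-root.byok' -Destination HSM

# Before step 4, grant the Azure Rights Management service access to the new
# key as described in the "Manage the root key" article on Microsoft Learn.

# --- Step 4: point Purview Information Protection at the new key
# $newKey.Id is the versioned key URL, which is what the service expects.
Use-AipServiceKeyVaultKey -KeyVaultKeyUrl $newKey.Id
Get-AipServiceKeys | Format-List          # confirm the new key is now listed
```

Run the steps one at a time rather than as a script, since the access grant between steps 3 and 4 and the platform check in step 1 require operator judgement.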
Learn more
In February, we also published a Message Center post (MC1234660) to notify affected customers (i.e., those currently using BYOK) about the Azure Key Vault HSM Platform One retirement and its impact on Information Protection tenants using Bring Your Own Key (BYOK).
Updated guidance for configuring and managing BYOK with Information Protection is available on Microsoft Learn.
Manage the root key for your tenant's Azure Rights Management service | Microsoft Learn
We recommend reviewing this documentation in detail to understand prerequisites, supported configurations, and migration considerations.
Microsoft will continue to communicate updates through the Microsoft 365 Message Center and Tech Community as the retirement date approaches.