| 1 | +--- |
| 2 | +title: Rotate keys in Azure AI Foundry |
| 3 | +titleSuffix: Azure AI Foundry |
| 4 | +description: "Learn how to rotate API keys and encryptions for better security, without interrupting service" |
| 5 | +author: PatrickFarley |
| 6 | +manager: nitinme |
| 7 | +ms.service: azure-ai-services |
| 8 | +ms.custom: |
| 9 | + - ignite-2023 |
| 10 | +ms.topic: how-to |
| 11 | +ms.date: 5/19/2025 |
| 12 | +ms.author: pafarley |
| 13 | +--- |
| 14 | + |
| 15 | +# Rotate Keys in Azure AI Foundry |
| 16 | + |
| 17 | +Azure AI Foundry supports key rotation for both API keys and encryption keys to help maintain strong security hygiene and reduce the risk of unauthorized access. The dual-key setup for API access is designed to enable rotation without interrupting current traffic, helping maintain service availability while enhancing security posture. |
| 18 | + |
| 19 | +## How to rotate API Keys |
| 20 | + |
| 21 | +Follow these steps to rotate your API keys: |
| 22 | + |
| 23 | +1. Ensure only one key is actively used in production. |
| 24 | + |
| 25 | + For example, if both keys are in use, update your application to use only Key 1. This is important because regenerating a key invalidates its previous version immediately, which would result in 401 Access Denied errors for clients still using the old key. |
| 26 | + |
| 27 | +1. Regenerate the unused key. |
| 28 | + |
| 29 | + In the Azure portal, navigate to your Foundry resource, select the Keys and Endpoint tab, and click Regenerate Key 2. |
| 30 | + |
| 31 | +1. Update your application to use the newly generated key. |
| 32 | + |
| 33 | + Monitor logs or availability to confirm that all clients have successfully switched to Key 2. |
| 34 | + |
| 35 | +1. Regenerate the original key. |
| 36 | + Once all clients are using Key 2, repeat the process to regenerate Key 1. |
| 37 | + |
| 38 | +1. Switch back to Key 1 if desired. |
| 39 | + Update your application to use the new Key 1. |
| 40 | + |
| 41 | +## Encryption Key Rotation (Customer-Managed Keys) |
| 42 | +If you're using [customer-managed key encryption](../concepts/encryption-keys-portal.md), Azure AI Foundry allows you to rotate the encryption key used to protect your data. This applies to data stored in Microsoft-managed infrastructure, encrypted using your Azure Key Vault key. |
| 43 | + |
| 44 | +Rotation Limitations |
| 45 | + |
| 46 | +* **Same Key Vault Requirement** |
| 47 | + |
| 48 | + You can only rotate encryption keys to another key within the same Azure Key Vault instance. Cross-vault key rotation is not supported. |
| 49 | + |
| 50 | +* **Scope of Rotation** |
| 51 | + |
| 52 | + The new key must be compatible with the existing encryption configuration. Ensure that the new key is properly configured with the necessary access policies and permissions. |
| 53 | + |
| 54 | +* **Updating from customer-managed to Microsoft-managed** |
| 55 | + |
| 56 | + When an Azure AI Foundry resource is created, you can update from Microsoft-managed keys to customer-managed keys. However, you may not switch back from customer-managed keys to Microsoft-managed keys. |
| 57 | + |
| 58 | +How to Rotate Encryption Keys |
| 59 | + |
| 60 | +* In your Azure Key Vault, create or identify the new key you want to use for encryption. |
| 61 | + |
| 62 | +* From Azure Portal or template options, update the Foundry resource configuration to reference the new key within the same Key Vault. |
| 63 | + |
| 64 | +* Your AI Foundry resource will take a few minutes to wrap data using your new encryption key. During this period, certain service operations are available. |
| 65 | + |
| 66 | +* Azure AI Foundry will begin using the new key for encryption of newly stored data. Existing data remains encrypted with the previous key unless reprocessed. |
| 67 | + |
| 68 | +## Learn more |
| 69 | + |
| 70 | +* [Customer-managed key encryption](../concepts/encryption-keys-portal.md) |
| 71 | +* [Disable local auth](disable-local-auth.md) |