Merge pull request #266242 from johndowns/aoai-cmk-key-vault

Azure OpenAI - Update information about key vault requirements for CMK

Author: AnnaMHuff

articles/ai-services/media/cognitive-services-encryption/key-vault-access-policy.png

@@ -6,7 +6,7 @@ author: mrbullwinkle
 manager: nitinme
 ms.service: azure-ai-openai
 ms.topic: conceptual
-ms.date: 11/14/2022
+ms.date: 2/21/2024
 ms.author: mbullwin
 ---
 
@@ -22,37 +22,66 @@ Azure OpenAI is part of Azure AI services. Azure AI services data is encrypted a
 
 By default, your subscription uses Microsoft-managed encryption keys. There's also the option to manage your subscription with your own keys called customer-managed keys (CMK). CMK offers greater flexibility to create, rotate, disable, and revoke access controls. You can also audit the encryption keys used to protect your data.
 
-## Customer-managed keys with Azure Key Vault
+## Use customer-managed keys with Azure Key Vault
 
 Customer-managed keys (CMK), also known as Bring your own key (BYOK), offer greater flexibility to create, rotate, disable, and revoke access controls. You can also audit the encryption keys used to protect your data.
 
 You must use Azure Key Vault to store your customer-managed keys. You can either create your own keys and store them in a key vault, or you can use the Azure Key Vault APIs to generate keys. The Azure AI services resource and the key vault must be in the same region and in the same Microsoft Entra tenant, but they can be in different subscriptions. For more information about Azure Key Vault, see [What is Azure Key Vault?](../../key-vault/general/overview.md).
 
-To enable customer-managed keys, you must also enable both the **Soft Delete** and **Do Not Purge** properties on the key vault.
+To enable customer-managed keys, the key vault containing your keys must meet these requirements:
 
-Only RSA keys of size 2048 are supported with Azure AI services encryption. For more information about keys, see **Key Vault keys** in [About Azure Key Vault keys, secrets and certificates](../../key-vault/general/about-keys-secrets-certificates.md).
+- You must enable both the **Soft Delete** and **Do Not Purge** properties on the key vault.
+- If you use the [Key Vault firewall](/azure/key-vault/general/access-behind-firewall), you must allow trusted Microsoft services to access the key vault.
+- The key vault must use [legacy access policies](/azure/key-vault/general/assign-access-policy).
+- You must grant the Azure OpenAI resource's system-assigned managed identity the following permissions on your key vault: *get key*, *wrap key*, *unwrap key*.
 
-## Enable customer-managed keys for your resource
+Only RSA and RSA-HSM keys of size 2048 are supported with Azure AI services encryption. For more information about keys, see **Key Vault keys** in [About Azure Key Vault keys, secrets and certificates](../../key-vault/general/about-keys-secrets-certificates.md).
+
+### Enable your Azure OpenAI resource's managed identity
+
+1. Go to your Azure AI services resource.
+1. On the left, under **Resource Management**, select **Identity**.
+1. Switch the system-assigned managed identity status to **On**.
+1. Save your changes, and confirm that you want to enable the system-assigned managed identity.
+
+### Configure your key vault's access permissions
+
+1. In the Azure portal, go to your key vault.
+1. On the left, select **Access policies**.
+   
+   If you see a message advising you that access policies aren't available, [reconfigure your key vault to use legacy access policies](/azure/key-vault/general/assign-access-policy) before continuing.
+1. Select **Create**.
+1. Under **Key permissions**, select **Get**, **Wrap Key**, and **Unwrap Key**. Leave the remaining checkboxes unselected.
+
+   :::image type="content" source="../media/cognitive-services-encryption/key-vault-access-policy.png" alt-text="Screenshot of the Azure portal page for a key vault access policy. The permissions selected are Get Key, Wrap Key, and Unwrap Key.":::
+
+1. Select **Next**.
+1. Search for the name of your Azure OpenAI resource and select its managed identity.
+1. Select **Next**.
+1. Select **Next** to skip configuring any application settings.
+1. Select **Create**.
+
+### Enable customer-managed keys on your Azure OpenAI resource
 
 To enable customer-managed keys in the Azure portal, follow these steps:
 
 1. Go to your Azure AI services resource.
-1. On the left, select **Encryption**.
+1. On the left, under **Resource Management**, select **Encryption**.
 1. Under **Encryption type**, select **Customer Managed Keys**, as shown in the following screenshot.
 
-> [!div class="mx-imgBorder"]
-> ![Screenshot of create a resource user experience](./media/encryption/encryption.png)
+   > [!div class="mx-imgBorder"]
+   > ![Screenshot of create a resource user experience.](./media/encryption/encryption.png)
 
-## Specify a key
+### Specify a key
 
 After you enable customer-managed keys, you can specify a key to associate with the Azure AI services resource.
 
-### Specify a key as a URI
+#### Specify a key as a URI
 
 To specify a key as a URI, follow these steps:
 
 1. In the Azure portal, go to your key vault.
-1. Under **Settings**, select **Keys**.
+1. Under **Objects**, select **Keys**.
 1. Select the desired key, and then select the key to view its versions. Select a key version to view the settings for that version.
 1. Copy the **Key Identifier** value, which provides the URI.
 
@@ -67,9 +96,9 @@ To specify a key as a URI, follow these steps:
 1. Under **Subscription**, select the subscription that contains the key vault.
 1. Save your changes.
 
-### Specify a key from a key vault
+#### Select a key from a key vault
 
-To specify a key from a key vault, first make sure that you have a key vault that contains a key. Then follow these steps:
+To select a key from a key vault, first make sure that you have a key vault that contains a key. Then follow these steps:
 
 1. Go to your Azure AI services resource, and then select **Encryption**.
 1. Under **Encryption key**, select **Select from Key Vault**.