Merge pull request #224308 from msmbaldwin/ade-misc

v-dirichards · web-flow · commit dce60c6fc64a · 2023-01-19T14:11:10.000-06:00
Allow key management operations through ARM
diff --git a/articles/key-vault/managed-hsm/authorize-azure-resource-manager.md b/articles/key-vault/managed-hsm/authorize-azure-resource-manager.md
@@ -0,0 +1,38 @@
+---
+title: Allow key management operations through Azure Resource Manager
+description: Learn how to allow key management operations through ARM
+services: key-vault
+author: mbaldwin
+tags: azure-resource-manager
+
+ms.service: key-vault
+ms.subservice: managed-hsm
+ms.topic: tutorial
+ms.date: 11/14/2022
+ms.author: mbaldwin
+
+# Customer intent: As a managed HSM administrator, I want to authorize Azure Resource Manager to perform key management operations via Azure Managed HSM
+---
+
+# Allow key management operations through Azure Resource Manager
+
+For many asynchronous operations in the Portal and Template deployments, Azure Resource Manager must be trusted to act on behalf of users. Azure Key Vault trusts Azure Resource Manager but, for many higher assurance environments, such trust in the Azure portal and Azure Resource Manager may be considered a risk.
+
+Azure Managed HSM doesn't trust Azure Resource Manager by default. However, for environments where such risk is an acceptable tradeoff for the ease of use of the Azure portal and template deployments, Managed HSM offers a way for an administrator to opt in to this trust.
+
+For the Azure portal or Azure Resource Manager to interact with Azure Managed HSM in the same way as Azure Key Vault Standard and Premium, an authorized Managed HSM administrator must allow Azure Resource Manager to act on behalf of the user. To change this behavior and allow users to use Azure portal or Azure Resource Manager to create new keys or list keys, make the following Azure Managed HSM setting update:
+
+```azurecli-interactive
+az rest --method PATCH --url "https://<managed-hsm-url>/settings/AllowKeyManagementOperationsThroughARM" --body "{\"value\":\"true\"}" --headers "Content-Type=application/json" --resource "https://managedhsm.azure.net" 
+```
+
+To disable this trust and revert to the default behavior of Managed HSM:
+
+```azurecli-interactive
+az rest --method PATCH --url "https://<managed-hsm-url>/settings/AllowKeyManagementOperationsThroughARM" --body "{\"value\":\"false\"}" --headers "Content-Type=application/json" --resource "https://managedhsm.azure.net" 
+```
+
+## Next steps
+
+- [Control your data with Managed HSM](mhsm-control-data.md)
+- [Azure Managed HSM access control](access-control.md)
diff --git a/articles/key-vault/managed-hsm/toc.yml b/articles/key-vault/managed-hsm/toc.yml
@@ -47,6 +47,8 @@ items:
     href: multi-region-replication.md 
   - name: Integrate Managed HSM with Azure Policy
     href: azure-policy.md
+  - name: Authorize Azure Resource Manager
+    href: authorize-azure-resource-manager.md
 
 - name: Concepts 
   items:
