Sql vm akv changes (#35123)

PhilB-MSFT · rwestMSFT · web-flow · commit 627a6f3d146c · 2025-10-06T17:47:41.000-06:00
* Update managed identity EKM requirements in documentation

Added explicit exclusion for "Azure Cloud HSM" after discussion with Pieter Vanhove.

Update key vault creation steps with support note

Clarify supported Azure Key Vault services

Added explicit exclusion for "Azure Cloud HSM" after discussion with Pieter Vanhove.

* Edit pass

---------

Co-authored-by: Randolph West MSFT &lt;97149825+rwestMSFT@users.noreply.github.com&gt;
diff --git a/azure-sql/virtual-machines/windows/managed-identity-extensible-key-management.md b/azure-sql/virtual-machines/windows/managed-identity-extensible-key-management.md
@@ -3,8 +3,8 @@ title: Managed Identity Support for Extensible Key Management (EKM) with Azure K
 description: Learn how to use managed identities with SQL Server on Azure Virtual Machines and Transparent Data Encryption (TDE) Extensible Key Management with Azure Key Vault.
 author: Pietervanhove
 ms.author: pivanho
-ms.reviewer: vanto, mathoma
-ms.date: 02/16/2025
+ms.reviewer: vanto, mathoma, randolphwest
+ms.date: 10/06/2025
 ms.service: azure-vm-sql-server
 ms.subservice: security
 ms.topic: how-to
@@ -19,7 +19,7 @@ This article shows you how to use managed identities for Extensible Key Manageme
 
 Starting with SQL Server 2022 Cumulative Update 17 (CU17), managed identities are supported for EKM with AKV and Managed Hardware Security Modules (HSM) on SQL Server on Azure VMs. Managed identities are the recommended authentication method to allow different Azure services to authenticate the SQL Server on Azure VM resource without using passwords or secrets. For more information on managed identities, see [Managed identity types](/entra/identity/managed-identities-azure-resources/overview#managed-identity-types).
 
-> [!NOTE]
+> [!NOTE]  
 > Managed identities are only supported for SQL Server on Azure VMs and not for SQL Server on-premises.
 >
 > For information on setting up EKM with AKV for SQL Server on-premises, see [Set up SQL Server TDE Extensible Key Management by using Azure Key Vault](/sql/relational-databases/security/encryption/setup-steps-for-extensible-key-management-using-the-azure-key-vault).
@@ -29,6 +29,10 @@ Starting with SQL Server 2022 Cumulative Update 17 (CU17), managed identities ar
 - A SQL Server on Azure VM with SQL Server 2022 CU17 or later [registered with the SQL IaaS Agent extension](sql-agent-extension-manually-register-single-vm.md).
 - The SQL Server instance using a managed identity for EKM must be [configured with Microsoft Entra authentication](configure-azure-ad-authentication-for-sql-vm.md), whether or not it's the instance registered with the extension.
 - An Azure Key Vault and key created in the key vault. For more information, see [Create a key vault](/sql/relational-databases/security/encryption/setup-steps-for-extensible-key-management-using-the-azure-key-vault?tabs=portal#step-2-create-a-key-vault).
+
+> [!NOTE]  
+> Only Azure Key Vault and Azure Key Vault Managed HSM are supported. Azure Cloud HSM isn't supported.
+
 - Managed identities are supported for EKM with AKV. The primary managed identity for the SQL Server on Azure VM needs:
   - To be assigned with a user-assigned managed identity or system-assigned managed identity. For more information, see [Configure managed identities on Azure virtual machines (VMs)](/entra/identity/managed-identities-azure-resources/how-to-configure-managed-identities) and [Enable Microsoft Entra authentication](configure-azure-ad-authentication-for-sql-vm.md#enable-microsoft-entra-authentication).
   - To have the `Key Vault Crypto Service Encryption User` role for the primary managed identity assigned to the key vault if you're using [Azure role-based access control](/sql/relational-databases/security/encryption/setup-steps-for-extensible-key-management-using-the-azure-key-vault?tabs=portal#azure-role-based-access-control) or the *Unwrap Key* and *Wrap Key* permissions if you're using [vault access policy](/sql/relational-databases/security/encryption/setup-steps-for-extensible-key-management-using-the-azure-key-vault?tabs=portal#vault-access-policy).
@@ -43,30 +47,32 @@ Before you can create a credential using a managed identity, you need to add a r
 The following example shows how to create a credential for a managed identity to use with the AKV:
 
 ```sql
-CREATE CREDENTIAL [<akv-name>.vault.azure.net] 
+CREATE CREDENTIAL [<akv-name>.vault.azure.net]
     WITH IDENTITY = 'Managed Identity'
-    FOR CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM_Prov
+    FOR CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM_Prov;
 ```
 
 You can check the AKV name by querying `sys.credentials`:
 
 ```sql
 SELECT name, credential_identity
-FROM sys.credentials
+FROM sys.credentials;
 ```
 
 The `WITH IDENTITY = 'Managed Identity'` clause requires a primary managed identity assigned to the SQL Server on Azure VM.
 
 For more information on setting up EKM with AKV, see [Set up SQL Server TDE Extensible Key Management by using Azure Key Vault](/sql/relational-databases/security/encryption/setup-steps-for-extensible-key-management-using-the-azure-key-vault).
 
-## Creating a credential to use with Managed Hardware Security Modules (HSMs)
+<a id="creating-a-credential-to-use-with-managed-hardware-security-modules-hsms"></a>
+
+## Create a credential to use with managed hardware security modules (HSMs)
 
 To create a credential to use with Azure Key Vault Managed Hardware Security Modules (HSMs), use the following syntax:
 
 ```sql
-CREATE CREDENTIAL [<akv-name>.managedhsm.azure.net] 
+CREATE CREDENTIAL [<akv-name>.managedhsm.azure.net]
     WITH IDENTITY = 'Managed Identity'
-    FOR CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM_Prov
+    FOR CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM_Prov;
 ```
 
 For more information on setting up EKM with AKV, see [Set up SQL Server TDE Extensible Key Management by using Azure Key Vault](/sql/relational-databases/security/encryption/setup-steps-for-extensible-key-management-using-the-azure-key-vault).
@@ -78,31 +84,31 @@ If your current configuration is using EKM with AKV using a secret, you'll need
 1. Create the credential using a managed identity:
 
    ```sql
-   CREATE CREDENTIAL [<akv-name>.vault.azure.net] 
+   CREATE CREDENTIAL [<akv-name>.vault.azure.net]
        WITH IDENTITY = 'Managed Identity'
-       FOR CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM_Prov
+       FOR CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM_Prov;
    ```
 
 1. If there's a credential using a secret associated with the SQL Server administration domain login, drop the existing credential:
 
    ```sql
    ALTER LOGIN [<domain>\<login>]
-   DROP CREDENTIAL [<existing-credential-name>]
+       DROP CREDENTIAL [<existing-credential-name>];
    ```
 
 1. Associate the new credential with the SQL Server administration domain login:
 
    ```sql
    ALTER LOGIN [<domain>\<login>]
-   ADD CREDENTIAL [<akv-name>.vault.azure.net]
+       ADD CREDENTIAL [<akv-name>.vault.azure.net];
    ```
 
 You can check the encrypted database view to verify the database encryption using the following query:
 
 ```sql
-SELECT * 
-FROM sys.dm_database_encryption_keys 
-WHERE database_id=db_id('<your-database-name>')
+SELECT *
+FROM sys.dm_database_encryption_keys
+WHERE database_id = db_id('<your-database-name>');
 ```
 
 For more information on setting up EKM with AKV, see [Set up SQL Server TDE Extensible Key Management by using Azure Key Vault](/sql/relational-databases/security/encryption/setup-steps-for-extensible-key-management-using-the-azure-key-vault).
diff --git a/docs/relational-databases/security/encryption/extensible-key-management-using-azure-key-vault-sql-server.md b/docs/relational-databases/security/encryption/extensible-key-management-using-azure-key-vault-sql-server.md
@@ -1,52 +1,65 @@
 ---
-title: "Extensible Key Management using Azure Key Vault"
+title: Extensible Key Management Using Azure Key Vault
 description: Use the SQL Server Connector for Extensible Key Management with Azure Key Vault for SQL Server.
 author: jaszymas
 ms.author: jaszymas
-ms.reviewer: vanto
-ms.date: "07/22/2016"
+ms.reviewer: vanto, randolphwest
+ms.date: 10/06/2025
 ms.service: sql
 ms.subservice: security
 ms.topic: conceptual
+ms.custom:
+  - sfi-image-nochange
 helpviewer_keywords:
   - "Extensible Key Management with key vault"
   - "Transparent Data Encryption, using EKM and key vault"
   - "EKM, with key vault"
   - "TDE, EKM and key vault"
   - "Key Management with key vault"
   - "SQL Server Connector, about"
-ms.custom: sfi-image-nochange
 ---
-# Extensible Key Management Using Azure Key Vault (SQL Server)
+# Extensible Key Management using Azure Key Vault (SQL Server)
+
 [!INCLUDE [SQL Server](../../../includes/applies-to-version/sqlserver.md)]
 
-  The [!INCLUDE[ssNoVersion](../../../includes/ssnoversion-md.md)] Connector for [!INCLUDE[msCoName](../../../includes/msconame-md.md)] Azure Key Vault enables [!INCLUDE[ssNoVersion](../../../includes/ssnoversion-md.md)] encryption to use the Azure Key Vault service as an [Extensible Key Management &#40;EKM&#41;](../../../relational-databases/security/encryption/extensible-key-management-ekm.md) provider to protect [!INCLUDE[ssNoVersion](../../../includes/ssnoversion-md.md)] encryption keys.  
-  
- This topic describes the [!INCLUDE[ssNoVersion](../../../includes/ssnoversion-md.md)] connector. Additional information is available in [Setup Steps for Extensible Key Management Using the Azure Key Vault](../../../relational-databases/security/encryption/setup-steps-for-extensible-key-management-using-the-azure-key-vault.md), [Use SQL Server Connector with SQL Encryption Features](../../../relational-databases/security/encryption/use-sql-server-connector-with-sql-encryption-features.md), and [SQL Server Connector Maintenance & Troubleshooting](../../../relational-databases/security/encryption/sql-server-connector-maintenance-troubleshooting.md).  
-  
-##  <a name="Uses"></a> What is Extensible Key Management (EKM) and Why Use it?  
- [!INCLUDE[ssNoVersion](../../../includes/ssnoversion-md.md)] provides several types of encryption that help protect sensitive data, including [Transparent Data Encryption &#40;TDE&#41;](../../../relational-databases/security/encryption/transparent-data-encryption.md), [Column Level Encryption](../../../relational-databases/security/encryption/encrypt-a-column-of-data.md) (CLE), and [Backup Encryption](../../../relational-databases/backup-restore/backup-encryption.md). In all of these cases, in this traditional key hierarchy, the data is encrypted using a symmetric data encryption key (DEK). The symmetric data encryption key is further protected by encrypting it with a hierarchy of keys stored in [!INCLUDE[ssNoVersion](../../../includes/ssnoversion-md.md)]. Instead of this model, the alternative is the EKM Provider Model. Using the EKM provider architecture enables [!INCLUDE[ssNoVersion](../../../includes/ssnoversion-md.md)] to protect the data encryption keys by using an asymmetric key stored outside of [!INCLUDE[ssNoVersion](../../../includes/ssnoversion-md.md)] in an external cryptographic provider. This model adds an additional layer of security and separates the management of keys and data.  
-   
- The following image compares the traditional service-manage key hierarchy with the Azure Key Vault system.  
-  
- ![Diagram that compares the traditional service-manage key hierarchy with the Azure Key Vault system.](../../../relational-databases/security/encryption/media/ekm-key-hierarchy-traditional.png "ekm-key-hierarchy-traditional")  
-  
-   
- The [!INCLUDE[ssNoVersion](../../../includes/ssnoversion-md.md)] Connector serves as a bridge between [!INCLUDE[ssNoVersion](../../../includes/ssnoversion-md.md)] and Azure Key Vault, so [!INCLUDE[ssNoVersion](../../../includes/ssnoversion-md.md)] can leverage the scalability, high performance, and high availability of the Azure Key Vault service. The following image represents how the key hierarchy works in the EKM provider architecture with Azure Key Vault and [!INCLUDE[ssNoVersion](../../../includes/ssnoversion-md.md)] Connector.  
-  
-  Azure Key Vault can be used with [!INCLUDE[ssNoVersion](../../../includes/ssnoversion-md.md)] installations on [!INCLUDE[msCoName](../../../includes/msconame-md.md)] Azure Virtual Machines and for on-premises servers. The key vault service also provides the option to use tightly controlled and monitored Hardware Security Modules (HSMs) for a higher level of protection for asymmetric encryption keys. For more information about the key vault, see [Azure Key Vault](/azure/key-vault/general/basic-concepts).  
-  
- The following image summarizes the process flow of EKM using the key vault. (The process step numbers in the image are not meant to match the setup step numbers that follow the image.)  
-  
- ![SQL Server EKM using the Azure Key Vault](../../../relational-databases/security/encryption/media/ekm-using-azure-key-vault.png "SQL Server EKM using the Azure Key Vault")  
+The [!INCLUDE [ssNoVersion](../../../includes/ssnoversion-md.md)] Connector for Azure Key Vault enables [!INCLUDE [ssNoVersion](../../../includes/ssnoversion-md.md)] encryption to use the Azure Key Vault service as an [Extensible Key Management (EKM)](extensible-key-management-ekm.md) provider to protect [!INCLUDE [ssNoVersion](../../../includes/ssnoversion-md.md)] encryption keys.
+
+This article describes the [!INCLUDE [ssNoVersion](../../../includes/ssnoversion-md.md)] connector. More information is available in:
+
+- [Set up SQL Server TDE Extensible Key Management by using Azure Key Vault](setup-steps-for-extensible-key-management-using-the-azure-key-vault.md)
+- [Use SQL Server Connector with SQL Encryption Features](use-sql-server-connector-with-sql-encryption-features.md)
+- [SQL Server Connector Maintenance & Troubleshooting](sql-server-connector-maintenance-troubleshooting.md)
+
+<a id="Uses"></a>
+
+## What is Extensible Key Management (EKM) and why use it?
+
+[!INCLUDE [ssNoVersion](../../../includes/ssnoversion-md.md)] provides several types of encryption that help protect sensitive data, including [Transparent data encryption (TDE)](transparent-data-encryption.md), [Encrypt a Column of Data](encrypt-a-column-of-data.md) (CLE), and [Backup encryption](../../backup-restore/backup-encryption.md). In all of these cases, in this traditional key hierarchy, the data is encrypted using a symmetric data encryption key (DEK). The symmetric data encryption key is further protected by encrypting it with a hierarchy of keys stored in [!INCLUDE [ssNoVersion](../../../includes/ssnoversion-md.md)].
+
+Instead of this model, the alternative is the EKM Provider Model. Using the EKM provider architecture enables [!INCLUDE [ssNoVersion](../../../includes/ssnoversion-md.md)] to protect the data encryption keys by using an asymmetric key stored outside of [!INCLUDE [ssNoVersion](../../../includes/ssnoversion-md.md)] in an external cryptographic provider. This model adds an additional layer of security and separates the management of keys and data.
+
+The following image compares the traditional service-manage key hierarchy with the Azure Key Vault system.
+
+:::image type="content" source="media/ekm-key-hierarchy-traditional.png" alt-text="Diagram that compares the traditional service-manage key hierarchy with the Azure Key Vault system." lightbox="media/ekm-key-hierarchy-traditional.png":::
+
+The [!INCLUDE [ssNoVersion](../../../includes/ssnoversion-md.md)] Connector serves as a bridge between [!INCLUDE [ssNoVersion](../../../includes/ssnoversion-md.md)] and Azure Key Vault, so [!INCLUDE [ssNoVersion](../../../includes/ssnoversion-md.md)] can use the scalability, high performance, and high availability of the Azure Key Vault service. The following image represents how the key hierarchy works in the EKM provider architecture with Azure Key Vault and [!INCLUDE [ssNoVersion](../../../includes/ssnoversion-md.md)] Connector.
+
+Azure Key Vault can be used with [!INCLUDE [ssNoVersion](../../../includes/ssnoversion-md.md)] installations on Azure Virtual Machines and for on-premises servers. The key vault service also provides the option to use tightly controlled and monitored Hardware Security Modules (HSMs) for a higher level of protection for asymmetric encryption keys. For more information about the key vault, see [Azure Key Vault](/azure/key-vault/general/basic-concepts).
+
+> [!NOTE]  
+> Only Azure Key Vault and Azure Key Vault Managed HSM are supported. Azure Cloud HSM isn't supported.
+
+The following image summarizes the process flow of EKM using the key vault. (The process step numbers in the image aren't meant to match the setup step numbers that follow the image.)
+
+:::image type="content" source="media/ekm-using-azure-key-vault.png" alt-text="Screenshot of SQL Server EKM using the Azure Key Vault." lightbox="media/ekm-using-azure-key-vault.png":::
 
 > [!NOTE]  
->  Versions 1.0.0.440 and older have been replaced and are no longer supported in production environments. Upgrade to version 1.0.1.0 or later by visiting the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45344) and using the instructions on the [SQL Server Connector Maintenance & Troubleshooting](../../../relational-databases/security/encryption/sql-server-connector-maintenance-troubleshooting.md) page under "Upgrade of SQL Server Connector."
-  
- For the next step, see [Setup Steps for Extensible Key Management Using the Azure Key Vault](../../../relational-databases/security/encryption/setup-steps-for-extensible-key-management-using-the-azure-key-vault.md).  
-  
- For use scenarios, see [Use SQL Server Connector with SQL Encryption Features](../../../relational-databases/security/encryption/use-sql-server-connector-with-sql-encryption-features.md).  
-  
-## See Also  
- [SQL Server Connector Maintenance & Troubleshooting](../../../relational-databases/security/encryption/sql-server-connector-maintenance-troubleshooting.md)  
-  
+> Versions 1.0.0.440 and older are no longer supported in production environments. Upgrade to version 1.0.1.0 or a later version by visiting the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45344) and using the instructions on the [SQL Server Connector Maintenance & Troubleshooting](sql-server-connector-maintenance-troubleshooting.md) page under "Upgrade of SQL Server Connector."
+
+For the next step, see [Set up SQL Server TDE Extensible Key Management by using Azure Key Vault](setup-steps-for-extensible-key-management-using-the-azure-key-vault.md).
+
+For use scenarios, see [Use SQL Server Connector with SQL Encryption Features](use-sql-server-connector-with-sql-encryption-features.md).
+
+## Related content
+
+- [SQL Server Connector Maintenance & Troubleshooting](sql-server-connector-maintenance-troubleshooting.md)
diff --git a/docs/relational-databases/security/encryption/setup-steps-for-extensible-key-management-using-the-azure-key-vault.md b/docs/relational-databases/security/encryption/setup-steps-for-extensible-key-management-using-the-azure-key-vault.md
