Appendix
| Operation | Description |
|---|---|
| Revoke the tenant key | This happens automatically when an organization unsubscribes from Azure RMS. |
| Refresh the tenant key | Refreshing the Azure BYOK tenant key involves updating or rotating the key that is protected by your HSM. This means repeating the sections "Create the Key Exchange Key in Azure", "Generate, wrap, and export your own key", and "Upload the wrapped key to Azure". The Azure services then have to be updated to use the new key. |
| Back up and recover the tenant key | Your organization is responsible for ensuring that a copy of the tenant key is kept securely and is appropriately backed up. A backup is the only way to retrieve the key. Azure RMS holds a copy of the Tokenized Key Blob that is used for recovery purposes within Azure if necessary (for example, if a node fails). The version of the key held within Azure RMS cannot be exported. |
| Export the tenant key | This is not possible from Azure RMS. |