Edit

Share via


New-AzKeyVaultManagedHsm

Creates a managed HSM.

Syntax

Default (Default)

New-AzKeyVaultManagedHsm
    [-Name] <String>
    [-ResourceGroupName] <String>
    [-Location] <String>
    [-Administrator] <String[]>
    [-Sku <String>]
    -SoftDeleteRetentionInDays <Int32>
    [-PublicNetworkAccess <String>]
    [-EnablePurgeProtection]
    [-UserAssignedIdentity <String[]>]
    [-Tag <Hashtable>]
    [-NetworkRuleSet <PSManagedHsmNetworkRuleSet>]
    [-AsJob]
    [-DefaultProfile <IAzureContextContainer>]
    [-WhatIf]
    [-Confirm]
    [-SubscriptionId <String>]
    [<CommonParameters>]

Description

The New-AzKeyVaultManagedHsm cmdlet creates a managed HSM in the specified resource group. To add, remove, or list keys in the managed HSM, user should:

  1. grant permissions by adding user ID to Administrator;
  2. add role assignment for user like "Managed HSM Crypto User" and so on;
  3. back up security domain data of a managed HSM using Export-AzKeyVaultSecurityDomain.

Examples

Example 1: Create a StandardB1 managed HSM

New-AzKeyVaultManagedHsm -Name 'myhsm' -ResourceGroupName 'myrg1' -Location 'eastus2euap' -Administrator "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" -SoftDeleteRetentionInDays 70
Name  Resource Group Name Location    SKU
----  ------------------- --------    ---
myhsm myrg1               eastus2euap StandardB1

This command creates a managed HSM named myhsm in the location eastus2euap. The command adds the managed HSM to the resource group named myrg1. Because the command does not specify a value for the SKU parameter, it creates a Standard_B1 managed HSM.

Example 2: Create a CustomB32 managed HSM

New-AzKeyVaultManagedHsm -Name 'myhsm' -ResourceGroupName 'myrg1' -Location 'eastus2euap' -Administrator "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" -Sku 'CustomB32' -SoftDeleteRetentionInDays 70
Name  Resource Group Name Location    SKU

----  ------------------- --------    ---
myhsm myrg1               eastus2euap CustomB32

This command creates a managed HSM, just like the previous example. However, it specifies a value of CustomB32 for the SKU parameter to create a CustomB32 managed HSM.

Example 3: Create a managed HSM with an user assigned identity

New-AzKeyVaultManagedHsm -Name 'myhsm' -ResourceGroupName 'myrg1' -Location 'eastus2euap' -Administrator "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"-SoftDeleteRetentionInDays 70 -UserAssignedIdentity /subscriptions/xxxx/resourceGroups/xxxx/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identityName | Format-List
Managed HSM Name                        : myhsm
Resource Group Name                     : myrg1
Location                                : eastus2euap
Resource ID                             : /subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590/resourceGroups/bez-rg/pro
                                          viders/Microsoft.KeyVault/managedHSMs/bezmhsm
HSM Pool URI                            :
Tenant ID                               : 00001111-aaaa-2222-bbbb-3333cccc4444
Initial Admin Object Ids                : {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
SKU                                     : StandardB1
Soft Delete Enabled?                    : True
Enabled Purge Protection?               : False
Soft Delete Retention Period (days)     : 70
Public Network Access                   : Enabled
IdentityType                            : UserAssigned
UserAssignedIdentities                  : /subscriptions/xxxx/resourceGroups/xxxx/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identityName
Provisioning State                      : Succeeded
Status Message                          : The Managed HSM is provisioned and ready to use.
Security Domain ActivationStatus        : Active
Security Domain ActivationStatusMessage : Your HSM has been activated and can be used for cryptographic operations.
Regions                                 :
Tags

This command creates a managed HSM with an user assigned identity.

Example 4: Create a managed HSM with an initial network rule set (firewall enabled)

$ruleSet = New-AzKeyVaultManagedHsmNetworkRuleSetObject -DefaultAction Deny -Bypass AzureServices -IpAddressRange 203.0.113.0/24,198.51.100.10/32
New-AzKeyVaultManagedHsm -Name 'securehsm' -ResourceGroupName 'myrg1' -Location 'eastus2euap' -Administrator "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" -SoftDeleteRetentionInDays 30 -NetworkRuleSet $ruleSet
DefaultAction        Bypass IpAddressRanges                    VirtualNetworkResourceIds
-------------        ------ ---------------                    -------------------------
         Deny AzureServices {203.0.113.0/24, 198.51.100.10/32}



Name           Resource Group Name Location SKU        ProvisioningState Security Domain ActivationStatus
----           ------------------- -------- ---        ----------------- --------------------------------
mhsm1814428918 kv-mhsm-rg          eastus   StandardB1 Succeeded         NotActivated

$h.OriginalManagedHsm.Properties.NetworkAcls
Bypass              : AzureServices
DefaultAction       : Deny
IPRules             : {203.0.113.0/24, 198.51.100.10/32}
ServiceTags         : {}
VirtualNetworkRules : {}

This pattern enables the firewall at creation time (DefaultAction Deny) while allowing two specific IP ranges plus trusted Azure services. Additional IPs can later be appended with Add-AzKeyVaultManagedHsmNetworkRule.

Parameters

-Administrator

Initial administrator object id for this managed HSM pool.

Parameter properties

Type:

String[]

Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:3
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-AsJob

Run cmdlet in the background

Parameter properties

Type:SwitchParameter
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-Confirm

Prompts you for confirmation before running the cmdlet.

Parameter properties

Type:SwitchParameter
Default value:None
Supports wildcards:False
DontShow:False
Aliases:cf

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-DefaultProfile

The credentials, account, tenant, and subscription used for communication with Azure.

Parameter properties

Type:IAzureContextContainer
Default value:None
Supports wildcards:False
DontShow:False
Aliases:AzContext, AzureRmContext, AzureCredential

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-EnablePurgeProtection

specifying whether protection against purge is enabled for this managed HSM pool. The setting is effective only if soft delete is also enabled. Enabling this functionality is irreversible.

Parameter properties

Type:SwitchParameter
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-Location

Specifies the Azure region in which to create the key vault. Use the command Get-AzResourceProvider with the ProviderNamespace parameter to see your choices.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:2
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-Name

Specifies a name of the managed HSM to create. The name can be any combination of letters, digits, or hyphens. The name must start and end with a letter or digit. The name must be universally unique.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False
Aliases:HsmName

Parameter sets

(All)
Position:0
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-NetworkRuleSet

Specifies a Managed HSM network rule set object (from New-AzKeyVaultManagedHsmNetworkRuleSetObject) to configure default action, bypass, IP rules, and virtual network rules at creation time.

Parameter properties

Type:PSManagedHsmNetworkRuleSet
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-PublicNetworkAccess

Controls permission for data plane traffic coming from public networks while private endpoint is enabled.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-ResourceGroupName

Specifies the name of an existing resource group in which to create the key vault.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:1
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-Sku

Specifies the SKU of the managed HSM instance.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-SoftDeleteRetentionInDays

Specifies how long the deleted managed hsm pool is retained, and how long until the managed hsm pool in the deleted state can be purged.

Parameter properties

Type:Int32
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-SubscriptionId

The ID of the subscription. By default, cmdlets are executed in the subscription that is set in the current context. If the user specifies another subscription, the current cmdlet is executed in the subscription specified by the user. Overriding subscriptions only take effect during the lifecycle of the current cmdlet. It does not change the subscription in the context, and does not affect subsequent cmdlets.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-Tag

A hash table which represents resource tags.

Parameter properties

Type:Hashtable
Default value:None
Supports wildcards:False
DontShow:False
Aliases:Tags

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-UserAssignedIdentity

The set of user assigned identities associated with the managed HSM. Its value will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'.

Parameter properties

Type:

String[]

Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Parameter properties

Type:SwitchParameter
Default value:None
Supports wildcards:False
DontShow:False
Aliases:wi

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

Inputs

String

String

Hashtable

Outputs

PSManagedHsm