What is Azure Cloud HSM?
Azure Cloud HSM is Microsoft Azure’s current hardware security module service for cryptographic keys with the highest security requirements. It is FIPS 140-3 Level 3 validated and provides each customer with a dedicated, single-tenant HSM cluster with full administrative control. Cloud HSM is the successor to Azure Dedicated HSM: Dedicated HSM has stopped accepting new customers since 2025 and will remain supported for existing customers until July 31, 2028. Microsoft recommends that new customers, and existing customers looking to migrate, move to Azure Cloud HSM or alternatively to Managed HSM or Azure Key Vault, depending on requirements.
Core Features
- FIPS 140-3 Level 3 validated, single-tenant HSM clusters with a customer-specific security domain
- High availability through clusters of multiple HSM nodes with automatic synchronization and failover
- Full administrative control over keys and policies for the customer, with patching and maintenance handled by Microsoft
- Support for PKCS#11, OpenSSL, JCA/JCE, CNG/KSP, and TDE for SQL Server and Oracle
- Secure, dedicated access from your own virtual network
Typical Use Cases
- Lift-and-shift of applications with dedicated HSM requirements from on-premises or from Azure Dedicated HSM
- PKI and certificate authority hosting (e.g., Active Directory Certificate Services)
- Database encryption (TDE) for SQL Server or Oracle
- SSL/TLS offloading as well as document and code signing
Benefits
- Highest available security level for cryptographic keys in Azure
- Full control over the HSM combined with a managed operational model (high availability, patching)
- Supports compliance requirements such as eIDAS and PCI 3DS
- Migration path for existing Dedicated HSM or on-premises HSM applications
Integration with innFactory
As a Microsoft Solutions Partner, innFactory supports you with Azure Cloud HSM: architecture, PKI design, migration from Azure Dedicated HSM or on-premises HSMs, and compliance consulting.
Frequently Asked Questions
What is Azure Cloud HSM?
Azure Cloud HSM is a FIPS 140-3 Level 3 validated, highly available single-tenant hardware security module service. It is the successor to Azure Dedicated HSM, which stopped accepting new customers in 2025 and will be supported for existing customers until July 31, 2028.
What is the difference from Azure Key Vault and Managed HSM?
Azure Key Vault is multi-tenant and uses hardware validated to a lower FIPS level. Managed HSM is a PaaS offering that integrates with other Azure services. Cloud HSM is pure IaaS, giving full administrative control over a dedicated, customer-specific HSM cluster without integration into other PaaS/SaaS services.
How does high availability work?
A Cloud HSM cluster consists of multiple HSM nodes, three by default. Keys and policies are automatically synchronized across nodes, and if a node fails, member nodes are automatically migrated to healthy ones. Microsoft handles patching and maintenance, while the customer retains administrative control over the keys.
What does Azure Cloud HSM cost?
Billing is usage-based per hour for the HSM cluster. Specific pricing must be requested through the Azure pricing calculator or sales, as it can vary by program or contract.
Note: All product information on this page has been compiled with care, but is provided without guarantee and may be outdated or incomplete. Cloud services evolve rapidly — features, pricing, SLAs, and availability change frequently. Authoritative and up-to-date information can only be found on the official product page of Azure (official documentation). This page does not represent an offer by Azure.
