MC1234660: Azure Key Vault hsmPlatform 1 retirement impacts Purview Information Protection Bring Your Own Key

Summary

  • Azure Key Vault is retiring hsmPlatform 1, requiring organizations using BYOK with Purview Information Protection to migrate keys to hsmPlatform 2.
  • Keys hosted on hsmPlatform 1 will no longer be supported, resulting in potential service disruptions if not migrated.
  • Organizations must re-import original key material into hsmPlatform 2-based key vaults and update MIP configurations.
  • Failure to migrate will lead to inaccessible encrypted documents and emails, as well as failed encryption operations.
  • It is essential to locate original key material and complete migration as soon as possible.

Admin Impact: High
User Impact: Low
Release Start: 15 Sept 2028
Release End: 15 Sept 2028
Services: Purview
Category: Plan for change
Tags: Retirement

History

2/19/2026 Item Added to Message Center

Microsoft Message

Introduction

Early in 2024, the Azure Key Vault (AKV) team introduced updates to the AKV platform, implementing FIPS 140-2 Level 3 HSMs and other platform improvements. As part of this service lifecycle management, AKV is retiring hsmPlatform 1. Organizations using Purview Information Protection (MIP) with Bring Your Own Key (BYOK) must migrate their tenant keys to Azure Key Vault hsmPlatform 2 to avoid service disruption.

Service data indicates that your organization has one or more BYOK keys currently hosted on hsmPlatform 1. Because Azure Key Vault does not support exporting keys, customers must re-import their original key material into a new hsmPlatform 2–based key vault and update their MIP configuration.

When this will happen

  • September 15, 2028: Azure Key Vault hsmPlatform 1 will be retired.
  • Customers are encouraged to begin migration as soon as possible.

How this affects your organization

Who is affected:

  • Organizations using Purview Information Protection’s rights management service with BYOK
  • Tenants with keys hosted on Azure Key Vault hsmPlatform 1

What will happen:

  • Keys on hsmPlatform 1 will no longer be supported.
  • Key material must be re-imported to hsmPlatform 2.
  • If no action is taken before retirement:
    • Encryption and decryption using MIP will fail.
    • Users will lose access to documents and emails encrypted with the affected keys.
    • New encryption operations will be unavailable.

What you can do to prepare

  • Identify BYOK keys on hsmPlatform 1.
  • Locate original on-premises key material.
  • Create a new Azure Key Vault using hsmPlatform 2.
  • Re-import your key material following updated guidance.
  • Update your Purview Information Protection configuration to reference the new key.
  • Validate encryption and decryption scenarios after migration.

If you no longer have access to your original key material and cannot complete the migration, open a Microsoft Support ticket as soon as possible.
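
For the first preparation step, the following added example (not part of the Microsoft message) triages key records by platform and reports the days remaining before retirement. It assumes each record is JSON shaped like `az keyvault key show` output, with the platform in `attributes.hsmPlatform`; the vault names, key names and the `classify`/`triage` helpers are constructed for illustration.

```python
import json
from datetime import date

# Retirement date stated in this notice.
RETIREMENT = date(2028, 9, 15)

# Constructed sample records shaped like `az keyvault key show` JSON output.
# Vault names, key names and versions are invented for illustration.
SAMPLE = json.loads("""
[
  {"key": {"kid": "https://contoso-byok-old.vault.azure.net/keys/mip-root/aaaa", "kty": "RSA-HSM"},
   "attributes": {"enabled": true, "hsmPlatform": "1"}},
  {"key": {"kid": "https://contoso-byok-new.vault.azure.net/keys/mip-root/bbbb", "kty": "RSA-HSM"},
   "attributes": {"enabled": true, "hsmPlatform": "2"}},
  {"key": {"kid": "https://contoso-byok-old.vault.azure.net/keys/legacy/cccc", "kty": "RSA-HSM"},
   "attributes": {"enabled": false}}
]
""")


def classify(record):
    """Return 'migrate', 'ok' or 'unknown' for one key record."""
    platform = (record.get("attributes") or {}).get("hsmPlatform")
    if platform is None:
        # Attribute absent from the record: do not assume the key is safe;
        # re-check it before the deadline.
        return "unknown"
    return "migrate" if str(platform).strip() == "1" else "ok"


def triage(records, today):
    """Group key identifiers by migration status and count days to retirement."""
    report = {"migrate": [], "ok": [], "unknown": []}
    for record in records:
        report[classify(record)].append(record["key"]["kid"])
    report["days_left"] = (RETIREMENT - today).days
    return report


if __name__ == "__main__":
    result = triage(SAMPLE, date.today())
    for status in ("migrate", "unknown", "ok"):
        for kid in result[status]:
            print(f"{status:8} {kid}")
    print(f"days until hsmPlatform 1 retirement: {result['days_left']}")
```

Keys reported as `unknown` should be treated as unverified rather than migrated, since the notice ties loss of access to any key still on hsmPlatform 1 at retirement.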

Learn more:

  • Bring your own key for the Azure Rights Management service root key | Microsoft Learn
  • Azure updates | Retirement: hsmPlatform 1 keys in Azure Key Vault

Compliance considerations

Compliance area: Encryption methods or key management

Explanation: Customer-managed encryption keys used by Purview Information Protection (known as Bring Your Own Key) must be re-imported into Azure Key Vault hsmPlatform 2. Keys remaining on hsmPlatform 1 will no longer be supported after retirement.

Compliance area: Information Protection labels

Explanation: Information Protection labels that rely on BYOK encryption will fail to apply or decrypt content if keys are not migrated before the hsmPlatform 1 retirement.

Compliance area: Access to existing encrypted data

Explanation: Documents and emails encrypted with keys stored on Azure Key Vault hsmPlatform 1 will become inaccessible after retirement if the keys are not migrated.