Managed HSM support for Document Intelligence

CHUNSIK KIM 1 Reputation point Microsoft Employee
2026-06-17T04:36:03.5833333+00:00

Please help confirm whether Managed HSM is supported for Azure Document Intelligence.

Attached link (https://learn.microsoft.com/en-us/azure/security/fundamentals/encryption-customer-managed-keys-support) seems to indicate it's not supported, but i see I can select Managed HSM as an option to choose from encryption setting in the Document Intelligence, but with an error (The connection to data plane failed. Please refresh and try again. If Private Links are enabled on the vault and the issue persists please follow the steps in the following link https://go.microsoft.com/fwlink/?linkid=2156688.)

Please be ware that the target managed HSM is enabled for all networks and do not have private endpoint configured.

User's image

Azure Document Intelligence in Foundry Tools

1 answer

Sort by: Most helpful
  1. Sina Salam 30,566 Reputation points Volunteer Moderator
    2026-06-27T16:28:49.83+00:00

    Hello CHUNSIK KIM,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    I understand that you need help on Managed HSM support for Document Intelligence.

    Most of all, Azure Document Intelligence supports CMK with Azure Key Vault, but does not currently support Azure Managed HSM-backed CMK. The Managed HSM option appearing in the portal should not be treated as proof of support; it is a misleading shared encryption UX path, and the “connection to data plane failed” message is not the real root cause. The official CMK support matrix lists Azure Document Intelligence in Foundry Tools with Key Vault support only, while Managed HSM support is not listed for this service. https://learn.microsoft.com/en-us/azure/security/fundamentals/encryption-customer-managed-keys-support

    Therefore, the resolution is to configure Document Intelligence encryption with an Azure Key Vault key, enable a managed identity on the Document Intelligence resource, and grant that identity the required key permissions: get, wrapKey, and unwrapKey. The Key Vault and Document Intelligence resource must be in the same region and same Microsoft Entra tenant, although they may be in different subscriptions. If the customer has a strict requirement for Managed HSM specifically, Document Intelligence cannot currently satisfy that requirement; the supported path is Azure Key Vault, or potentially Azure Key Vault Premium with HSM-protected keys if that meets the compliance requirement. - https://learn.microsoft.com/en-us/azure/ai-services/document-intelligence/authentication/encrypt-data-at-rest?view=doc-intel-4.0.0, https://learn.microsoft.com/en-us/azure/ai-services/encryption/cognitive-services-encryption-keys-portal

    Use the below resource links for more reading and implementation steps:

    I hope this is helpful. Do not hesitate to let me know if you have any other questions, steps or clarifications.


    Please close the thread by upvoting and accepting the answer if any part of it is helpful.

    Was this answer helpful?

    0 comments No comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.