1654 - How to switch your company KMS to Azure Key Vault

Modified on Fri, 17 Apr at 9:57 AM

This article shows you how to switch your company from CyberSentriq-managed encryption to encryption using your own Azure Key Vault, enabling you to hold the master key that protects your backup encryption keys.


Before you begin

What your IT / Azure admin needs to prepare

  1. An Azure Key Vault in your Azure tenant containing an RSA key (this must be a key and not a secret, which refers to a different concept in Azure).
  2. Someone with the Global Administrator or Privileged Role Administrator role in Microsoft Entra ID, available to grant tenant-wide admin consent during setup.
  3. After consent is granted, the Azure admin must assign the Key Vault Crypto User role to the CyberSentriq KMS Connector service principal on the vault (see the steps below).
  4. Two values to paste into RedApp:
    • Vault URI: a URI in the format https://your-vault-name.vault.azure.net/
    • Key Name: the name of the RSA key inside the vault (not the full URL)


Assigning the Key Vault Crypto User role to the CyberSentriq service principal

Once admin consent is granted in RedApp as part of KMS setup (see Article 1651), a service principal called CyberSentriq KMS Connector will appear in your Azure tenant. The service principal can be found by searching for it in Entra ID > Enterprise applications.


Your Azure admin must now assign this service principal the Key Vault Crypto User role on your Key Vault, using either the Azure CLI or the Azure Portal. Instructions for both can be found below.


Azure CLI:

# Get the service principal object ID by display name
SP_OBJECT_ID=$(az ad sp list --display-name "CyberSentriq KMS Connector" --query "[0].id" -o tsv)

# Assign Key Vault Crypto User role scoped to the vault
az role assignment create \
  --assignee-object-id "$SP_OBJECT_ID" \
  --assignee-principal-type ServicePrincipal \
  --role "Key Vault Crypto User" \
  --scope "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.KeyVault/vaults/<vault-name>"

Replace <subscription-id>, <resource-group>, and <vault-name> with your own values.


Azure Portal:

  1. In the Azure Portal, search for and open Key Vaults, then select your vault.
  2. In the left menu, select Access control (IAM).
  3. Click + Add > Add role assignment.
  4. On the Role tab, search for Key Vault Crypto User and select it. Click Next.
  5. On the Members tab:
    • Set Assign access to = User, group, or service principal.
    • Click + Select members.
    • Search for CyberSentriq KMS Connector.
    • Select the service principal from the results and click Select.
  6. Click Review + assign twice to confirm.
  7. Verify the assignment appears in the Role assignments tab under Key Vault Crypto User.

Your Key Vault must use the Azure RBAC permission model (the default for new vaults). If the Access control (IAM) blade shows a banner saying "This key vault is using vault access policy as the permission model", switch the permission model first by going to Settings > Access configuration. Select Azure role-based access control and Save.
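As an added example (not CyberSentriq's or Microsoft's code), the following script checks the two Azure-side prerequisites described above using the Azure CLI: that the vault is on the Azure RBAC permission model, and that the CyberSentriq KMS Connector service principal holds the Key Vault Crypto User role at the vault scope. It assumes an authenticated "az" session with access to the subscription; the function names and the script file name are my own. An assignment made on an individual key rather than the vault sits at a child scope and would not be reported by this check.

```shell
#!/bin/sh
# Added example: verify that a Key Vault uses Azure RBAC and that the
# "CyberSentriq KMS Connector" service principal has Key Vault Crypto User
# on it. Requires the Azure CLI ("az") and an active "az login" session.
# build_vault_scope is pure string handling and needs no Azure access.

# Build the vault's resource ID, which is the --scope used for role assignments.
build_vault_scope() {
  # $1 = subscription id, $2 = resource group, $3 = vault name
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.KeyVault/vaults/%s' "$1" "$2" "$3"
}

# Print "rbac" or "access-policy" depending on the vault's permission model.
vault_permission_model() {
  # $1 = vault name
  if [ "$(az keyvault show --name "$1" --query 'properties.enableRbacAuthorization' -o tsv)" = "true" ]; then
    echo rbac
  else
    echo access-policy
  fi
}

# Return 0 when the principal holds the role at exactly this scope, 1 otherwise.
has_role_on_scope() {
  # $1 = service principal object id, $2 = role name, $3 = scope
  count=$(az role assignment list --assignee "$1" --role "$2" --scope "$3" --query 'length(@)' -o tsv)
  [ "${count:-0}" -gt 0 ]
}

main() {
  sub=$1; rg=$2; vault=$3
  scope=$(build_vault_scope "$sub" "$rg" "$vault")

  # Same lookup as the CLI instructions above: find the connector by display name.
  sp_id=$(az ad sp list --display-name "CyberSentriq KMS Connector" --query "[0].id" -o tsv)
  if [ -z "$sp_id" ]; then
    echo "service principal not found: has admin consent been granted in RedApp yet?" >&2
    exit 1
  fi

  if [ "$(vault_permission_model "$vault")" != rbac ]; then
    echo "vault '$vault' uses the vault access policy model; switch it to Azure RBAC first" >&2
    exit 1
  fi

  if has_role_on_scope "$sp_id" "Key Vault Crypto User" "$scope"; then
    echo "OK: $sp_id has Key Vault Crypto User on $scope"
  else
    echo "MISSING: assign Key Vault Crypto User to $sp_id on $scope" >&2
    exit 1
  fi
}

# Only run the checks when all three arguments are supplied (hypothetical file name):
#   sh check-kms-vault.sh <subscription-id> <resource-group> <vault-name>
if [ "$#" -eq 3 ]; then
  main "$@"
fi
```

Run it after the Azure admin has completed the role assignment and before clicking Completed in RedApp; a non-zero exit with the MISSING or access-policy message corresponds to the "Forbidden" and "vault access policy" rows in the common issues table further down.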


What you need in RedApp

  • You are signed in as a Partner Admin or Company Admin.
  • Your company has an active encryption provider (CyberSentriq-managed, AWS KMS, or another customer-managed vault). You can switch directly to Azure Key Vault from any provider.



How to switch to Azure Key Vault

A summary of the steps for switching to Azure Key Vault is provided below. For more detailed instructions, see Article 1651.

  1. In RedApp, open Key Management and choose Manage KMS. Confirm the current provider shows as CyberSentriq-Managed.
  2. Choose Switch to Azure Key Vault.
  3. Enter your Vault URI and Key Name, then click Test Connection. RedApp redirects your Global Administrator (or Privileged Role Admin) to Microsoft's sign-in and consent page. The admin signs in and approves CyberSentriq's access to your tenant. This creates the CyberSentriq KMS Connector service principal in your Azure tenant.
  4. Your Azure admin then assigns the Key Vault Crypto User role to the CyberSentriq KMS Connector service principal on your Key Vault or the individual key itself (this is only done once, in Azure — see the steps in the prerequisites section above).
  5. Back in RedApp, click Completed on the popup once. Wait for the green success confirmation before continuing.
  6. Click Save. RedApp shows the list of Microsoft 365 and Google Workspace tenants found in your backup sets — each one must be verified before the switch can finish.
  7. Verify each discovered tenant (see the next section).
  8. When every tenant is verified, RedApp automatically finishes the switch: your backup encryption keys are re-protected with your Azure Key Vault key, and the KMS status flips to Azure Key Vault.

If you need to stop part-way through, use Cancel pending setup. Your current encryption will stay unchanged.



Verifying your tenants

Before RedApp can switch your encryption, it needs to confirm you actually own every Microsoft 365 or Google Workspace tenant that appears in your backup sets. This protects your data from being re-keyed by an unauthorised party. 

  • Microsoft 365 tenants are verified by having a Global Administrator or Privileged Role Administrator grant admin consent. To check a user's role: sign into the Microsoft Entra admin center, go to Users > All users, select the user, and look under Assigned roles.
  • Google Workspace tenants are verified by having a Super Admin authorise CyberSentriq. Delegated admins will not work. To check a user's role: sign into the Google admin center and go to Account > Admin roles > Super Admin.

If a new backup set is added during the KMS setup, its tenant will show up as unverified on the list of tenants. You will need to also verify this tenant before the switch can complete.



Common issues

What you see: "The URI appears to contain the key path"
Why it happens: You pasted the full key URL (like https://vault.vault.azure.net/keys/my-key/abc123) into the Vault URI field.
How to fix it: Use only the vault base URI (https://vault.vault.azure.net). Put the key name in the separate Key Name field.

What you see: "The URI appears to point to a secret"
Why it happens: You pasted a Secret URL instead of a Key URL. Secrets and Keys are different resources in Azure Key Vault.
How to fix it: In the Azure Portal, open your Key Vault and go to Keys (not Secrets). Use an RSA key.

What you see: "Key not found in the vault"
Why it happens: The key name is mistyped, or you entered a secret name instead of a key name.
How to fix it: Open the vault's Keys section in the Azure Portal and copy the exact key name.

What you see: "Azure AD admin consent is required"
Why it happens: The admin consent step was skipped, or the cached consent expired (it's kept for 24 hours).
How to fix it: Click Grant admin consent again and complete the flow with a Global Admin or Privileged Role Admin.

What you see: "Forbidden" or "Access denied" during connection test
Why it happens: CyberSentriq has consent to your tenant but has not been given permission to use the key in your vault yet.
How to fix it: Ask your Azure admin to grant CyberSentriq the key-use permission on the vault, then retry the test.

What you see: Your Azure admin sees a banner saying the vault uses "vault access policy"
Why it happens: The vault is on the legacy permission model, which CyberSentriq doesn't support.
How to fix it: Ask your Azure admin to switch the vault to Azure role-based access control and re-apply the key-use permission.

What you see: The consent flow returns an error for the admin who tried it
Why it happens: That user doesn't have the Global Administrator or Privileged Role Administrator role.
How to fix it: Ask an admin with the correct Entra role to grant consent. Microsoft enforces this role check itself.

What you see: The switch won't complete - tenants keep showing as unverified
Why it happens: A new backup set was added during setup, introducing a new tenant. Or a tenant was verified by someone who isn't a Super Admin / Global Admin.
How to fix it: Refresh the tenant list and complete consent for any new tenants using a qualified admin account.
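The first three issues above all come from the two values prepared in the prerequisites (Vault URI and Key Name) being pasted in the wrong shape. As an added example (not RedApp's own validation logic), the following POSIX shell functions run the same sanity checks before anything is pasted into RedApp: a Vault URI must be an https base URI on a *.vault.azure.net host with no /keys/ or /secrets/ path, and a Key Name must be a bare object name. The function names are my own, the sample values in the usage comment are constructed, and the script needs no Azure access.

```shell
#!/bin/sh
# Added example: pre-flight checks on the Vault URI and Key Name values.
# Pure string handling; runs offline. Errors go to stderr, the normalised
# value goes to stdout so callers can capture it with $(...).

# Validate the Vault URI. Prints the base URI (no trailing slash) and returns 0,
# or prints a diagnostic to stderr and returns 1.
validate_vault_uri() {
  uri=$1
  case "$uri" in
    https://*) ;;
    *) echo "error: Vault URI must start with https://" >&2; return 1 ;;
  esac
  case "$uri" in
    */keys/*)
      echo "error: the URI appears to contain the key path; use the vault base URI and put the key name in the Key Name field" >&2
      return 1 ;;
    */secrets/*)
      echo "error: the URI appears to point to a secret; secrets and keys are different resources, use an RSA key" >&2
      return 1 ;;
  esac
  host=${uri#https://}
  host=${host%%/*}
  case "$host" in
    *.vault.azure.net) ;;
    *) echo "error: host '$host' is not a *.vault.azure.net vault" >&2; return 1 ;;
  esac
  # Anything after the host other than a single trailing slash is not a base URI.
  rest=${uri#https://"$host"}
  case "$rest" in
    ""|"/") ;;
    *) echo "error: unexpected path '$rest' after the vault host" >&2; return 1 ;;
  esac
  printf '%s\n' "https://$host"
}

# Validate the Key Name: a bare name, not a URL or path.
# Key Vault object names are 1-127 characters of letters, digits and hyphens.
validate_key_name() {
  name=$1
  case "$name" in
    "")  echo "error: Key Name is empty" >&2; return 1 ;;
    */*) echo "error: Key Name must be the bare key name, not a URL or path" >&2; return 1 ;;
  esac
  if [ "${#name}" -gt 127 ] || [ -n "$(printf '%s' "$name" | tr -d 'A-Za-z0-9-')" ]; then
    echo "error: Key Name may only contain letters, digits and hyphens (max 127)" >&2
    return 1
  fi
  printf '%s\n' "$name"
}

# Compose the key identifier (base URI + /keys/ + name) from validated inputs.
key_identifier() {
  base=$(validate_vault_uri "$1") || return 1
  name=$(validate_key_name "$2") || return 1
  printf '%s/keys/%s\n' "$base" "$name"
}

# Usage with constructed sample values (hypothetical file name):
#   sh check-kms-inputs.sh https://contoso-kv.vault.azure.net/ backup-master-key
if [ "$#" -eq 2 ]; then
  key_identifier "$1" "$2"
fi
```

A rejected value here maps directly onto the first three table entries, so fixing it before clicking Test Connection saves a consent round-trip with your Global Administrator.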


What to do next

Once the switch completes, you will have one opportunity to export a copy of your company encryption key without having to re-verify your tenants. If you'd like an off-platform copy for safe-keeping, export the encryption key now by following the steps in Article 1655.
