Microsoft.KeyVault managedHSMs 2021-06-01-preview

The managedHSMs resource type can be deployed to: Resource groups.

To learn about resource group deployments, see Bicep or ARM template.

Template format

To create a Microsoft.KeyVault/managedHSMs resource, add the following Bicep or JSON to your template.

resource symbolicname 'Microsoft.KeyVault/managedHSMs@2021-06-01-preview' = {
  name: 'string'
  location: 'string'
  tags: {
    tagName1: 'tagValue1'
    tagName2: 'tagValue2'
  }
  sku: {
    family: 'B'
    name: 'string'
  }
  properties: {
    createMode: 'string'
    enablePurgeProtection: bool
    enableSoftDelete: bool
    initialAdminObjectIds: [ 'string' ]
    networkAcls: {
      bypass: 'string'
      defaultAction: 'string'
      ipRules: [
        {
          value: 'string'
        }
      ]
      virtualNetworkRules: [
        {
          id: 'string'
        }
      ]
    }
    publicNetworkAccess: 'string'
    softDeleteRetentionInDays: int
    tenantId: 'string'
  }
}

Property values


managedHSMs

| Name | Description | Value |
| --- | --- | --- |
| type | The resource type. For Bicep, set this value in the resource declaration. | |
| apiVersion | The resource API version. For Bicep, set this value in the resource declaration. | |
| name | The resource name | string (required) |
| location | The supported Azure location where the managed HSM Pool should be created. | string |
| tags | Resource tags | Dictionary of tag names and values. See Tags in templates |
| sku | SKU details | ManagedHsmSku |
| properties | Properties of the managed HSM Pool | ManagedHsmProperties |


ManagedHsmProperties

| Name | Description | Value |
| --- | --- | --- |
| createMode | The vault's create mode, indicating whether the vault needs to be recovered or not. | 'default' |
| enablePurgeProtection | Property specifying whether protection against purge is enabled for this managed HSM pool. Setting this property to true activates protection against purge for this managed HSM pool and its content - only the Managed HSM service may initiate a hard, irrecoverable deletion. The setting is effective only if soft delete is also enabled. Enabling this functionality is irreversible. | bool |
| enableSoftDelete | Property to specify whether the 'soft delete' functionality is enabled for this managed HSM pool. If it is not set to any value (true or false) when creating a new managed HSM pool, it will be set to true by default. Once set to true, it cannot be reverted to false. | bool |
| initialAdminObjectIds | Array of initial administrators' object IDs for this managed HSM pool. | string[] |
| networkAcls | A set of rules governing the network accessibility of a managed HSM pool. | MhsmNetworkRuleSet |
| publicNetworkAccess | Control permission for data plane traffic coming from public networks while private endpoint is enabled. | 'Disabled' |
| softDeleteRetentionInDays | Soft-delete data retention days. It accepts >=7 and <=90. | int |
| tenantId | The Azure Active Directory tenant ID that should be used for authenticating requests to the managed HSM pool. | string |


MhsmNetworkRuleSet

| Name | Description | Value |
| --- | --- | --- |
| bypass | Tells what traffic can bypass network rules. This can be 'AzureServices' or 'None'. If not specified, the default is 'AzureServices'. | 'AzureServices' |
| defaultAction | The default action when no rule from ipRules or virtualNetworkRules matches. This is only used after the bypass property has been evaluated. | 'Allow' |
| ipRules | The list of IP address rules. | MhsmipRule[] |
| virtualNetworkRules | The list of virtual network rules. | MhsmVirtualNetworkRule[] |


MhsmipRule

| Name | Description | Value |
| --- | --- | --- |
| value | An IPv4 address range in CIDR notation, such as '' (simple IP address) or '' (all addresses that start with 124.56.78). | string (required) |


MhsmVirtualNetworkRule

| Name | Description | Value |
| --- | --- | --- |
| id | Full resource id of a vnet subnet, such as '/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/subnet1'. | string (required) |


ManagedHsmSku

| Name | Description | Value |
| --- | --- | --- |
| family | SKU Family of the managed HSM Pool | 'B' |
| name | SKU of the managed HSM Pool | 'Custom_B32' |
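A declaration with the protective settings from the property tables above switched on, as an added example that is not part of the original reference page. The parameter names, resource name, tag and CIDR range are constructed, and the 'Standard_B1' SKU name and 'Deny' action are valid values for this API version that the tables above do not list.

```bicep
// Added example: Managed HSM with purge protection and a default-deny network ACL.
// All names, parameters and address ranges below are constructed placeholders.

@description('Azure region for the HSM pool')
param location string = resourceGroup().location

@description('Object IDs of the initial administrators, supplied by the caller')
param adminObjectIds array

@description('Full resource id of the one subnet allowed through the network ACL')
param allowedSubnetId string

resource hsm 'Microsoft.KeyVault/managedHSMs@2021-06-01-preview' = {
  name: 'example-mhsm-001' // constructed name
  location: location
  tags: {
    dataClassification: 'secret' // constructed tag
  }
  sku: {
    family: 'B'
    name: 'Standard_B1'
  }
  properties: {
    createMode: 'default'
    tenantId: subscription().tenantId
    initialAdminObjectIds: adminObjectIds
    enableSoftDelete: true        // cannot be reverted to false once set
    softDeleteRetentionInDays: 90 // accepted range is 7 to 90
    enablePurgeProtection: true   // irreversible; only effective with soft delete
    networkAcls: {
      bypass: 'None'        // if omitted, the default is 'AzureServices'
      defaultAction: 'Deny' // used when no ipRules or virtualNetworkRules entry matches
      ipRules: [
        {
          value: '203.0.113.0/24' // constructed documentation range
        }
      ]
      virtualNetworkRules: [
        {
          id: allowedSubnetId
        }
      ]
    }
    // publicNetworkAccess: 'Disabled' is the stricter choice once a private endpoint exists.
  }
}

output hsmId string = hsm.id
```

Because enablePurgeProtection and enableSoftDelete cannot be turned off again, review the retention period before the first deployment rather than after.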

Quickstart templates

The following quickstart templates deploy this resource type.

| Template | Description |
| --- | --- |
| Create an Azure Key Vault Managed HSM | This template creates an Azure Key Vault Managed HSM. |