Skip to main content
Back to Admin Console Bring Your Own Key (BYOK) lets your enterprise retain control of encryption keys while protecting data on the Kore.ai platform. Kore.ai integrates with Azure Key Vault to use your Customer Master Keys (CMKs) for encrypting application and bot data.

Prerequisites

  • Active Kore.ai subscription with BYOK enabled
  • Azure account with administrative access to the Key Vault service
  • Permissions to create Key Vaults

Integration Process

Step 1: Authorize the Kore Application in Your Tenant

Option 1: Admin Consent URL
  1. Log in to the Azure portal as a Global Administrator.
  2. Navigate to: 
    https://login.microsoftonline.com/<YOUR-TENANT-ID>/adminconsent?client_id=<KORE-CLIENT-ID>
  3. Review permissions and grant admin consent.
Option 2: Azure CLI
  1. Open Azure Cloud Shell or install Azure CLI locally.
  2. Login: az login
  3. Create service principal: az ad sp create --id '<KORE-CLIENT-ID>'
This registers the Kore application in your tenant to interact securely with your Key Vault.

Step 2: Prepare Key Vault and Key

Create a Key Vault (if one doesn’t exist):
  1. In the Azure Portal, create a Key Vault.
  2. Configure:
    • Resource group (select or create)
    • Key vault name (unique)
    • Region
    • Pricing tier: Standard or Premium
  3. Note the Key Vault URI: https://<vault-name>.vault.azure.net/
Create an RSA Key (if needed):
  1. In your Key Vault, go to Keys and select Generate/Import.
  2. Configure:
    • Options: Generate
    • Name: descriptive name
    • Key type: RSA
    • RSA key size: 2048 or 4096
  3. Note the Key Identifier URL.

Step 3: Configure Key Vault Access

  1. In your Key Vault, go to Access control (IAM) and select Add role assignment.
  2. Configure:
    • Role: Key Vault Crypto User
    • Assign access to: User, group, or service principal
    • Members: Search for the Kore application name
  3. Select Review + assign.

Step 4: Share Information with Kore.ai

Contact Kore.ai Support and provide:
  • Tenant ID (from Microsoft Entra ID > Properties in the Azure portal)
  • Key Vault URI
  • Key Name

Step 5: Configure Network Access

  • Recommended: Enable a private endpoint for access to the Kore platform.
  • Alternatively, allow trusted Microsoft services and Kore IP ranges.

Configure BYOK in AI for Service

After Kore.ai confirms the integration, enable BYOK in the Admin Console.
  1. Go to Admin Console > Enterprise Key.
  2. Under Bring Your Own Key, select Create Key. BYOK Create Key
  3. Enter Azure details:
    FieldValue
    Cloud ProviderAzure
    Key identifierYour Key Vault URL
    Authentication credentialsYour Tenant ID
  4. Set the Enforcement Date — the date your CMK begins encrypting data.
    You can modify the CMK and retest until the enforcement date. After this date, you can only rotate the key or update which apps/bots are encrypted.
  5. Select Test Configuration to validate the connection (tests connectivity, authentication, encryption, and decryption).
  6. Select Next to view all apps and bots.
    • All apps and bots are selected by default.
    • Deselect any that should remain on Kore.ai’s default encryption.
    Select Apps and Bots
  7. Select Proceed to complete setup. Encryption begins on the enforcement date.

Validation (Optional)

After the enforcement date, verify encryption is working. Option 1: View Analytics Check analytics data for recent chat interactions to confirm encrypted data is accessible. Option 2: Test Application Authorization
  1. Open the application and run Authorization Profiles and Dialogs.
  2. Execute BasicAuthValidationDialog.
  3. When the bot shows the authorization link, select it and enter credentials (admin/password). BYOK Validation BYOK Success
If successful, the system displays “Basic authentication successful.”