> ## Documentation Index
> Fetch the complete documentation index at: https://koreai.mintlify.app/llms.txt
> Use this file to discover all available pages before exploring further.

# BYOK Integration — Azure

<Badge icon="arrow-left" color="gray">[Back to Admin Console](/ai-for-service/administration/overview)</Badge>

Bring Your Own Key (BYOK) lets your enterprise retain control of encryption keys while protecting data on the Platform. Kore.ai integrates with Azure Key Vault to use your Customer Master Keys (CMKs) for encrypting application and bot data.

***

## Prerequisites

* Active Kore.ai subscription with BYOK enabled
* Azure account with administrative access to the Key Vault service
* Permissions to create Key Vaults

***

## Integration Process

### Step 1: Authorize the Kore Application in Your Tenant

**Option 1: Admin Consent URL**

1. Log in to the Azure portal as a Global Administrator.
2. Navigate to:
   ```
   https://login.microsoftonline.com/<YOUR-TENANT-ID>/adminconsent?client_id=<KORE-CLIENT-ID>
   ```
3. Review permissions and grant admin consent.

**Option 2: Azure CLI**

1. Open Azure Cloud Shell or install Azure CLI locally.
2. Login: `az login`
3. Create service principal: `az ad sp create --id '<KORE-CLIENT-ID>'`

This registers the Kore application in your tenant to interact securely with your Key Vault.

***

### Step 2: Prepare Key Vault and Key

**Create a Key Vault (if one doesn't exist):**

1. In the Azure Portal, create a **Key Vault**.
2. Configure:
   * Resource group (select or create)
   * Key vault name (unique)
   * Region
   * Pricing tier: Standard or Premium
3. Note the Key Vault URI: `https://<vault-name>.vault.azure.net/`

**Create an RSA Key (if needed):**

1. In your Key Vault, go to **Keys** and select **Generate/Import**.
2. Configure:
   * Options: Generate
   * Name: descriptive name
   * Key type: RSA
   * RSA key size: 2048 or 4096
3. Note the Key Identifier URL.

***

### Step 3: Configure Key Vault Access

1. In your Key Vault, go to **Access control (IAM)** and select **Add role assignment**.
2. Configure:
   * **Role:** Key Vault Crypto User
   * **Assign access to:** User, group, or service principal
   * **Members:** Search for the Kore application name
3. Select **Review + assign**.

***

### Step 4: Share Information with Kore.ai

Contact Support and provide:

* **Tenant ID** (from **Microsoft Entra ID > Properties** in the Azure portal)
* **Key Vault URI**
* **Key Name**

***

### Step 5: Configure Network Access

* **Recommended:** Enable a private endpoint for access to the platform.
* Alternatively, allow trusted Microsoft services and Kore IP ranges.

***

## Configure BYOK in AI for Service

After Kore.ai confirms the integration, enable BYOK in the Admin Console.

1. Go to **Admin Console > Enterprise Key**.

2. Under **Bring Your Own Key**, select **Create Key**.

   <img src="https://mintcdn.com/koreai/mKxGC8UPdZt2RNJG/ai-for-service/administration/security-and-control/images/byok_azure.png?fit=max&auto=format&n=mKxGC8UPdZt2RNJG&q=85&s=6c89ffc91f30353030b38074a4097f12" alt="BYOK Create Key" width="1886" height="814" data-path="ai-for-service/administration/security-and-control/images/byok_azure.png" />

3. Enter Azure details:

   | Field                          | Value              |
   | ------------------------------ | ------------------ |
   | **Cloud Provider**             | Azure              |
   | **Key identifier**             | Your Key Vault URL |
   | **Authentication credentials** | Your Tenant ID     |

4. Set the **Enforcement Date** — the date your CMK begins encrypting data.

   <Note>You can modify the CMK and retest until the enforcement date. After this date, you can only rotate the key or update which apps/bots are encrypted.</Note>

5. Select **Test Configuration** to validate the connection (tests connectivity, authentication, encryption, and decryption).

6. Select **Next** to view all apps and bots.

   * All apps and bots are selected by default.
   * Deselect any that should remain on Kore.ai's default encryption.

   <img src="https://mintcdn.com/koreai/mKxGC8UPdZt2RNJG/ai-for-service/administration/security-and-control/images/byok_2.png?fit=max&auto=format&n=mKxGC8UPdZt2RNJG&q=85&s=9f52eef20085f88356187259442cba5c" alt="Select Apps and Bots" width="1051" height="592" data-path="ai-for-service/administration/security-and-control/images/byok_2.png" />

7. Select **Proceed** to complete setup. Encryption begins on the enforcement date.

***

## Validation (Optional)

After the enforcement date, verify encryption is working.

**Option 1: View Analytics**
Check analytics data for recent chat interactions to confirm encrypted data is accessible.

**Option 2: Test Application Authorization**

1. Open the application and run **Authorization Profiles and Dialogs**.
2. Execute **BasicAuthValidationDialog**.
3. When the bot shows the authorization link, select it and enter credentials (`admin/password`).

   <img src="https://mintcdn.com/koreai/mKxGC8UPdZt2RNJG/ai-for-service/administration/security-and-control/images/byok_3.png?fit=max&auto=format&n=mKxGC8UPdZt2RNJG&q=85&s=df7fe9e887ea8a5539e311c3f88aad23" alt="BYOK Validation" width="453" height="501" data-path="ai-for-service/administration/security-and-control/images/byok_3.png" />

   <img src="https://mintcdn.com/koreai/mKxGC8UPdZt2RNJG/ai-for-service/administration/security-and-control/images/byok_4.png?fit=max&auto=format&n=mKxGC8UPdZt2RNJG&q=85&s=e49821a3beee85e18c574cd2158a64bb" alt="BYOK Success" width="390" height="494" data-path="ai-for-service/administration/security-and-control/images/byok_4.png" />

If successful, the system displays "Basic authentication successful."

***

## Related

* [Azure Key Vault Documentation](https://docs.microsoft.com/en-us/azure/key-vault/)
* [Enterprise Key Management](/ai-for-service/administration/security-and-control/enterprise-key)