
Regenerate API Access Keys for Azure AI Foundry Instances

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that the API access keys created for your Azure AI Foundry instances are regularly regenerated (rotated) in order to meet security and compliance requirements. These keys are used to access the Microsoft Azure AI Services API. By default, it is recommended to regenerate API access keys every 90 days.

Security

The API access keys available for your Azure AI Foundry instances should be regenerated periodically to enhance security by minimizing the risk of unauthorized access if the keys are compromised. Regularly updating access keys helps protect sensitive data and maintain the integrity of the system.


Remediation / Resolution

To regenerate (rotate) the API access keys created for your Azure AI Foundry instances, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to the All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Azure AI Foundry for Value, then choose Apply to list the Azure AI Services (AI Foundry) instances available in the selected subscription.

05 Click on the name (link) of the AI Foundry instance that you want to examine.

06 In the resource navigation panel, under Resource Management, select Keys and Endpoint, and choose Show Keys to view the API access keys created for the selected AI Foundry instance.

07 Regenerating your API access keys can affect the applications that are dependent on these keys. To initiate the regeneration process, you must first configure your applications to use the secondary key (i.e. KEY 2) for continued access to the service.

08 Choose Regenerate Key1 to regenerate the primary API access key, then select Yes to confirm the operation.

09 Once the new primary access key is generated, configure your applications to reference the new access key (i.e., KEY 1).

10 Choose Regenerate Key2 to regenerate the secondary API access key. Select Yes to confirm the operation and complete the regeneration (rotation) process.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run cognitiveservices account list command (Windows/macOS/Linux) with custom output filters to list the name and the associated resource group for each Azure AI Services (AI Foundry) instance available within the current subscription:

az cognitiveservices account list --output table --query '[?(kind==`AIServices`)].{name:name, resourceGroup:resourceGroup}'

05 The command output should return the requested AI Foundry instance identifiers:

Name                               ResourceGroup
-------------------------------    ------------------------------
cc-project5-ai-service-instance    cloud-shell-storage-westeurope
cc-project5-ai-foundry-instance    cloud-shell-storage-westeurope

06 Run cognitiveservices account keys list command (Windows/macOS/Linux) with the name of the Azure AI Foundry instance that you want to examine as the identifier parameter, to describe the API access keys created for the selected instance:

az cognitiveservices account keys list --name cc-project5-ai-service-instance --resource-group cloud-shell-storage-westeurope

07 The command output should return the API access keys available for your AI Foundry instance:

{
	"key1": "abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234",
	"key2": "1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
}

08 Regenerating your API access keys can affect the applications that are dependent on these keys. To initiate the regeneration process, you must first configure your applications to use the secondary key (i.e. "key2" attribute value) for continued access to the service. Run cognitiveservices account keys regenerate command (Windows/macOS/Linux) to regenerate the primary API access key (i.e. "key1" value):

az cognitiveservices account keys regenerate --name cc-project5-ai-service-instance --resource-group cloud-shell-storage-westeurope --key-name key1

09 The command output should return the API access keys available for your Azure AI Foundry instance, including the newly generated key:

{
	"key1": "1234123412341234123412341234123412341234123412341234123412341234",
	"key2": "1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
}

10 Once the new primary access key is generated, configure your applications to reference the new access key ("key1" attribute value).

11 Run cognitiveservices account keys regenerate command (Windows/macOS/Linux) to regenerate the secondary API access key ("key2" value):

az cognitiveservices account keys regenerate --name cc-project5-ai-service-instance --resource-group cloud-shell-storage-westeurope --key-name key2

12 The command output should return the new API access keys generated for your Azure AI Foundry instance:

{
	"key1": "1234123412341234123412341234123412341234123412341234123412341234",
	"key2": "abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd"
}
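
The CLI sequence in steps 08 to 12 can be scripted so that each key is regenerated only after applications have moved to the other one, and so that the run stops if a key's value did not change. This is an added example, not code from Trend Micro or Microsoft; `repoint_apps` is a hypothetical hook standing in for however your applications receive their key.

```shell
#!/usr/bin/env bash
# Added example: two-key rotation for one Azure AI Foundry (AIServices) account.
# Usage: rotate_keys <account-name> <resource-group>

# Hypothetical hook: replace the body with whatever delivers the key to your
# applications (a secret store write, a config push). Do not log "$2".
repoint_apps() {  # $1 = key slot (key1|key2), $2 = key value
  printf 'repoint applications to %s\n' "$1" >&2
}

get_key() {  # $1 = account, $2 = resource group, $3 = key1|key2
  az cognitiveservices account keys list \
    --name "$1" --resource-group "$2" --query "$3" --output tsv
}

# Regenerate slot $3 and fail unless the slot's value actually changed.
regenerate() {
  local before after
  before=$(get_key "$1" "$2" "$3") || return 1
  az cognitiveservices account keys regenerate \
    --name "$1" --resource-group "$2" --key-name "$3" --output none || return 1
  after=$(get_key "$1" "$2" "$3") || return 1
  [ -n "$after" ] && [ "$after" != "$before" ]
}

rotate_keys() {
  local name="$1" rg="$2" k
  # Step 08: applications move to key2 before key1 is regenerated.
  k=$(get_key "$name" "$rg" key2) || return 1
  repoint_apps key2 "$k" || return 1
  regenerate "$name" "$rg" key1 || { echo "key1 not rotated, stopping" >&2; return 1; }
  # Steps 10-11: applications move to the new key1, then key2 is regenerated.
  k=$(get_key "$name" "$rg" key1) || return 1
  repoint_apps key1 "$k" || return 1
  regenerate "$name" "$rg" key2 || { echo "key2 not rotated, stopping" >&2; return 1; }
}
```

Because the key value is passed to the hook as an argument, keep the hook's own delivery step off command lines that other processes can read (for example, read it from standard input or a file with restricted permissions).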

Publication date Sep 10, 2025