
Regenerate API Access Keys for Azure AI Foundry Instances

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that the API access keys created for your Azure AI Foundry instances are regularly regenerated (rotated) in order to meet security and compliance requirements. These keys are used to access the Microsoft Azure AI Services API. By default, it is recommended to regenerate API access keys every 90 days.

Security

The API access keys available for your Azure AI Foundry instances should be regenerated periodically to enhance security by minimizing the risk of unauthorized access if the keys are compromised. Regularly updating access keys helps protect sensitive data and maintain the integrity of the system.


Remediation / Resolution

To regenerate (rotate) the API access keys created for your Azure AI Foundry instances, perform the following operations:

Using Azure Console

  1. Sign in to the Microsoft Azure Portal.

  2. Navigate to the All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

  3. Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

  4. From the Type equals all filter box, select Type for Filter, Equals for Operator, and Azure AI Foundry for Value, then choose Apply to list the Azure AI Services (AI Foundry) instances available in the selected subscription.

  5. Click on the name (link) of the AI Foundry instance that you want to examine.

  6. In the resource navigation panel, under Resource Management, select Keys and Endpoint, and choose Show Keys to view the API access keys created for the selected AI Foundry instance.

  7. Regenerating your API access keys can affect the applications that are dependent on these keys. To initiate the regeneration process, you must first configure your applications to use the secondary key (i.e. KEY 2) for continued access to the service.

  8. Choose Regenerate Key1 to regenerate the primary API access key, then select Yes to confirm the operation.

  9. Once the new primary access key is generated, configure your applications to reference the new access key (i.e., KEY 1).

  10. Choose Regenerate Key2 to regenerate the secondary API access key. Select Yes to confirm the operation and complete the regeneration (rotation) process.

Using Azure CLI

  1. Run the account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

    az account list \
    	--query '[*].id'
    
  2. The command output should return the requested subscription identifiers (IDs):

    [
    	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
    	"abcd1234-abcd-1234-abcd-abcd1234abcd"
    ]
    
  3. Run the account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

    az account set \
    	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
    
  4. Run the cognitiveservices account list command (Windows/macOS/Linux) with custom output filters to list the name and the associated resource group for each Azure AI Services (AI Foundry) instance available within the current subscription:

    az cognitiveservices account list \
    	--output table \
    	--query '[?(kind==`AIServices`)].{name:name, resourceGroup:resourceGroup}'
    
  5. The command output should return the requested AI Foundry instance identifiers:

    Name                               ResourceGroup
    -------------------------------    ------------------------------
    cc-project5-ai-service-instance    cloud-shell-storage-westeurope
    cc-project5-ai-foundry-instance    cloud-shell-storage-westeurope
    
  6. Run the cognitiveservices account keys list command (Windows/macOS/Linux) with the name of the Azure AI Foundry instance that you want to examine as the identifier parameter, to describe the API access keys created for the selected instance:

    az cognitiveservices account keys list \
    	--name cc-project5-ai-service-instance \
    	--resource-group cloud-shell-storage-westeurope
    
  7. The command output should return the API access keys available for your AI Foundry instance:

    {
    	"key1": "abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234",
    	"key2": "1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    }
    
  8. Regenerating your API access keys can affect the applications that are dependent on these keys. To initiate the regeneration process, you must first configure your applications to use the secondary key (i.e. "key2" attribute value) for continued access to the service. Run the cognitiveservices account keys regenerate command (Windows/macOS/Linux) to regenerate the primary API access key (i.e. "key1" value):

    az cognitiveservices account keys regenerate \
    	--name cc-project5-ai-service-instance \
    	--resource-group cloud-shell-storage-westeurope \
    	--key-name key1
    
  9. The command output should return the API access keys available for your Azure AI Foundry instance, including the newly generated key:

    {
    	"key1": "1234123412341234123412341234123412341234123412341234123412341234",
    	"key2": "1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    }
    
  10. Once the new primary access key is generated, configure your applications to reference the new access key ("key1" attribute value).

  11. Run the cognitiveservices account keys regenerate command (Windows/macOS/Linux) to regenerate the secondary API access key ("key2" value):

    az cognitiveservices account keys regenerate \
    	--name cc-project5-ai-service-instance \
    	--resource-group cloud-shell-storage-westeurope \
    	--key-name key2
    
  12. The command output should return the new API access keys generated for your Azure AI Foundry instance:

    {
    	"key1": "1234123412341234123412341234123412341234123412341234123412341234",
    	"key2": "abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd"
    }
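
CLI steps 8 to 12 above combined into one staged script, as an added example that is not part of the original page. The function names `get_key`, `rotate_key` and `rotate_both` and the caller-supplied cutover command are hypothetical; the script assumes the applications already use key2 when it starts, and it leaves key2 untouched if the cutover to the new key1 fails.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): staged key rotation.
# Assumes the applications already authenticate with key2 when it starts.

# Fetch one key value; used only for comparison, never written to logs.
get_key() {  # args: account resource-group key1|key2
    local key
    key=$(az cognitiveservices account keys list \
        --name "$1" --resource-group "$2" \
        --query "$3" --output tsv) || return 1
    [ -n "$key" ] && printf '%s' "$key"
}

# Regenerate one key and confirm that its value really changed.
# --output none keeps both keys out of the terminal and CI logs.
rotate_key() {  # args: account resource-group key1|key2
    local before after
    before=$(get_key "$1" "$2" "$3") || return 1
    az cognitiveservices account keys regenerate \
        --name "$1" --resource-group "$2" \
        --key-name "$3" --output none || return 1
    after=$(get_key "$1" "$2" "$3") || return 1
    [ "$before" != "$after" ]
}

# Page order: key1, application cutover to the new key1, then key2.
# $3 is a caller-supplied command (hypothetical hook) that repoints the
# applications at the new key1 and exits 0 only once that is done.
rotate_both() {  # args: account resource-group cutover-command
    rotate_key "$1" "$2" key1 || { echo "key1 not rotated" >&2; return 1; }
    "$3" || { echo "cutover failed, key2 left unchanged" >&2; return 2; }
    rotate_key "$1" "$2" key2 || { echo "key2 not rotated" >&2; return 3; }
}
```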
    


Publication date Sep 10, 2025