
Microsoft Azure Attestation

A unified solution for remotely verifying the trustworthiness of a platform and integrity of the binaries running inside it.
Overview

Store and process confidential data with confidence

Verify the identity and security posture of a platform before you interact with it. Azure Attestation receives evidence from the platform, validates it with security standards, evaluates it against configurable policies, and produces an attestation token for claims-based applications. The service supports attestation of trusted platform modules (TPMs) and trusted execution environments (TEEs) like Intel® Software Guard Extensions (SGX) and virtualization-based security (VBS) enclaves.
  • Tap into disruptive business models that require highly scalable compute resources and uncompromising trust with the remote attestation capability. Azure Attestation provides comprehensive attestation services for multiple environments and distinctive use cases such as enclave validation, secure key sharing, and confidential multiparty computation.
  • Easily access a default provider in your Azure region for attestation services without the need for configuration. Default providers are available for all Azure Active Directory (Azure AD) users.
  • Create your own attestation provider and configure custom policies to restrict attestation token generation. Azure Attestation evaluates the platform evidence against your policies to ensure that the binaries running inside the platform haven’t been tampered with by external entities. If your attestation provider allows signed policies, Azure Attestation will use your signer certificates to validate the signed policies and authenticate the users.
Features

Unified attestation across trusted compute platforms

Trusted Proof

Demonstrates that software binaries were instantiated on a trusted platform

Platform Reach

Supports attestation of multiple platforms like TEEs and TPMs

Policy Control

Custom attestation providers can be configured for fine-grained control and to enforce user-defined policies

Built‑in Ease

Default attestation providers simplify attestation without the need for additional configuration
Security

Embedded security and compliance

34,000
Full-time equivalent engineers dedicated to security initiatives at Microsoft.
15,000
Partners with specialized security expertise.
 
>100
Compliance certifications, including over 50 specific to global regions and countries.
Pricing

Azure Attestation is free

Azure Attestation services are available at no additional cost. Microsoft Azure Attestation is a free service which offers attestation of multiple TEEs in Azure.

Frequently asked questions

  • A public key generated within an enclave can be expressed in the enclave held data (EHD) property of the attestation request object sent to Azure Attestation. Azure Attestation includes the EHD as a claim in the attestation token. A relying party can use the EHD from the verified attestation response to encrypt secrets and share them with the enclave. See Azure Attestation concepts for more information.
  • The attestation token generated by Azure Attestation is signed using a self-signed certificate. The signing certificates are exposed via an OpenID metadata endpoint. A relying party can retrieve the certificates from this endpoint and verify the signature of the attestation token.
  1. "Intel is a trademark of Intel Corporation or its subsidiaries."