Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Note
Azure Key Vault references in Fabric are available as a preview feature.
Azure Key Vault (AKV) is Microsoft’s cloud service for storing secrets, keys, and certificates centrally, so you don’t have to hardcode them into your apps. With Azure Key Vault references in Microsoft Fabric, you can just point to a secret in your vault instead of copying and pasting credentials. Fabric grabs the secret automatically whenever it’s needed for a data connection.
How Azure Key Vault references work
When you configure an Azure Key Vault reference in Fabric, you're creating a secure pointer to your secret rather than storing the secret itself. Here's how the process works:
Initial Setup: Fabric records only the vault URI, secret name from your Key Vault and user auth / OAuth2.0 credential for connecting to the Azure Key Vault (AKV). You must grant your the user identity Get and List permissions in the specified AKV. Importantly, the actual secret values are never stored within Fabric.
Runtime Secret Retrieval: When Fabric needs to establish a data connection, it dynamically retrieves the secret from your Key Vault using the stored reference. The secret is used immediately to authenticate the connection and is held in memory only for the duration needed to establish that connection.
Prerequisites
- A Microsoft Fabric tenant account with an active subscription. Create an account for free.
- You need an Azure subscription with Azure Key Vault resource to test this feature.
- Read the Azure Key Vault quick start guide on learn.microsoft.com to learn more about creating an AKV resource.
- The Azure Key Vault needs to be accessible from public network.
- The creator of Azure Key Vault reference connection must have at least Key Vault Certificate User permission on the Key Vault.
Supported connectors and authentication types
| Supported Connector | Category | Account key | Basic (Username/Password) | Token (Shared Access Signature or Personal Access Token) | Service Principal |
|---|---|---|---|---|---|
Azure Blob Storage |
Azure | 
|
|
|
|
|
Azure Data Lake Storage Gen2 |
Azure |
|
|
|
|
Azure Table Storage |
Azure |
|
|
|
|
Databricks |
Services and apps |
|
|
|
|
Dataverse |
Services and apps |
|
|
|
|
OData |
Generic protocol |
|
|
|
|
Oracle Cloud Storage |
File |
|
|
|
|
PostgreSQL |
Database |
|
|
|
|
SharePoint Online list |
Services and apps |
|
|
|
|
Snowflake |
Services and apps |
|
|
|
|
SQL Server (Cloud) |
Database |
|
|
|
|
Web API/Webpage |
Generic Protocol |
|
|
|
|
Limitations and considerations
- Azure Key Vault references can be used only with cloud connections.
- Virtual network data gateways and on-premises data gateways aren’t supported.
- Fabric Lineage view isn't available for AKV references.
- You can’t create AKV references with connection from the "Modern Get Data” pane in Fabric items. Learn how to create Azure Key Vault references in Fabric from "Manage Connections & Gateways".
- Azure Key Vault references in Fabric always retrieve the current (latest) version of a secret; Azure Key Vault credential versioning is not supported.