Note
We identified an issue with the tenant level setting for the customer-managed keys feature. We are actively working on resolving it. In the meantime, the customer-managed keys feature will be unavailable for use.
Microsoft Fabric encrypts all data at rest using Microsoft-managed keys. With customer-managed keys for Fabric workspaces, you can use your Azure Key Vault keys to add another layer of protection to the data in your Microsoft Fabric workspaces. A customer-managed key gives you greater flexibility: you manage its rotation, control access to it, and audit its usage. It also helps organizations meet data governance needs and comply with data protection and encryption standards.
All Fabric data stores are encrypted at rest with Microsoft-managed keys. Customer-managed keys use envelope encryption, in which a Key Encryption Key (KEK) encrypts a Data Encryption Key (DEK). When you use customer-managed keys, the Microsoft-managed DEK encrypts your data, and the DEK itself is then encrypted with your customer-managed KEK. Because the KEK never leaves Key Vault, the data encryption keys are themselves encrypted and remain under your control.
Important
This feature is in preview.
Prerequisites
Customer-managed keys for Fabric workspaces require an initial setup. This setup includes enabling the Fabric encryption tenant setting, configuring Azure Key Vault, and granting the Fabric Platform CMK app access to Azure Key Vault. Once the setup is complete, a user with the Admin workspace role can enable the feature on the workspace.
Step 1: Enable the Fabric tenant setting
A Fabric administrator needs to make sure that the Apply customer-managed keys setting is enabled. For more information, see the Encryption tenant setting article.
Step 2: Create a Service Principal for the Fabric Platform CMK app
Fabric uses the Fabric Platform CMK app to access your Azure Key Vault. For the app to work, a service principal needs to be created. This step is performed by a user who has Microsoft Entra ID privileges, such as a Cloud Application Administrator.
Follow the instructions in Create an enterprise application from a multitenant application in Microsoft Entra ID to create a service principal for an application called Fabric Platform CMK in your Microsoft Entra ID tenant.
Step 3: Configure Azure Key Vault
You need to configure your Key Vault so that Fabric can access it. This step is performed by a user who has Key Vault privileges, such as a Key Vault Administrator. For more information, see Azure Security roles.
Open the Azure portal and navigate to your Key Vault. If you don't have Key Vault, follow the instructions in Create a key vault using the Azure portal.
In your Key Vault, configure the following settings:
- Soft delete - Enabled
- Purge protection - Enabled
1. In your Key Vault, open Access control (IAM).
2. From the Add dropdown, select Add role assignment.
3. Select the Members tab and then select Select members.
4. In the Select members pane, search for Fabric Platform CMK.
5. Select the Fabric Platform CMK app and then select Select.
6. Select the Role tab and search for Key Vault Crypto Service Encryption User, or for a role that grants the get, wrapKey, and unwrapKey key permissions.
7. Select Key Vault Crypto Service Encryption User.
8. Select Review + assign, and then select Review + assign again to confirm your choice.
Step 4: Create an Azure Key Vault key
To create an Azure Key Vault key, follow the instructions in Create a key vault using the Azure portal.
Key Vault requirements
Fabric only supports versionless customer-managed keys, which are keys in the https://{vault-name}.vault.azure.net/{key-type}/{key-name} format. Fabric checks the key vault daily for a new version and uses the latest version available. To avoid a period during which you can't access data in the workspace after a new key version is created, wait 24 hours before disabling the older version.
Your key must be an RSA key. The supported sizes are:
- 2,048 bit
- 3,072 bit
- 4,096 bit
For more information, see About keys.
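A pre-flight check covering the Key Vault configuration from Step 3, the key requirements above, and the firewall limitation noted under Considerations. This is an added example, not part of the Microsoft documentation or any Fabric tooling; it assumes the input dictionaries are shaped like the JSON that `az keyvault show` and `az keyvault key show` return (field names are my assumption), and the sample values are constructed.

```python
import base64
import re
from typing import Dict, List

# Versionless identifier: https://{vault}.vault.azure.net/keys/{name}
# A trailing /{version} segment makes it versioned, which Fabric does not accept.
_KEY_ID = re.compile(
    r"^https://(?P<vault>[a-z0-9-]+)\.vault\.azure\.net/keys/"
    r"(?P<name>[A-Za-z0-9-]+)(?P<version>/[0-9a-f]{32})?/?$"
)
SUPPORTED_RSA_BITS = {2048, 3072, 4096}


def rsa_bits_from_jwk(n_b64url: str) -> int:
    """Bit length of an RSA modulus given as JWK 'n' (base64url, no padding)."""
    raw = base64.urlsafe_b64decode(n_b64url + "=" * (-len(n_b64url) % 4))
    return int.from_bytes(raw, "big").bit_length()


def check_cmk_readiness(key_id: str, vault: Dict, key: Dict) -> List[str]:
    """Return findings; an empty list means the vault and key meet the requirements."""
    findings: List[str] = []
    m = _KEY_ID.match(key_id)
    if not m:
        return ["key identifier is not of the form https://{vault}.vault.azure.net/keys/{name}"]
    if m.group("version"):
        findings.append("key identifier is versioned; Fabric requires a versionless identifier")
    props = vault.get("properties", {})
    if not props.get("enableSoftDelete"):
        findings.append("soft delete is not enabled on the vault")
    if not props.get("enablePurgeProtection"):
        findings.append("purge protection is not enabled on the vault")
    if props.get("networkAcls", {}).get("defaultAction") == "Deny":
        findings.append("Key Vault firewall is enabled (defaultAction=Deny); CMK is not supported")
    jwk = key.get("key", {})
    if jwk.get("kty") not in ("RSA", "RSA-HSM"):  # RSA-HSM is Key Vault's HSM-backed RSA type
        findings.append(f"key type {jwk.get('kty')} is not RSA")
    elif rsa_bits_from_jwk(jwk.get("n", "")) not in SUPPORTED_RSA_BITS:
        findings.append("RSA key size is not one of 2048, 3072 or 4096 bits")
    if not key.get("attributes", {}).get("enabled", False):
        findings.append("key is disabled; it must stay active while encryption is in progress")
    return findings


def _fake_modulus(bits: int) -> str:
    """Constructed JWK 'n' of exactly `bits` bits (top bit set, rest zero); not a real key."""
    raw = (1 << (bits - 1)).to_bytes(bits // 8, "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample: soft delete on, purge protection still off, firewall not enabled.
SAMPLE_VAULT = {"properties": {"enableSoftDelete": True, "enablePurgeProtection": False,
                               "networkAcls": {"defaultAction": "Allow"}}}
SAMPLE_KEY = {"key": {"kty": "RSA", "n": _fake_modulus(3072)}, "attributes": {"enabled": True}}
```

Run it against the JSON from `az keyvault show` and `az keyvault key show` before enabling the workspace setting; any finding is something to fix first.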
Enable encryption using customer-managed keys
Follow the steps in this section to use customer-managed keys in your Fabric workspace.
1. From your Fabric workspace, select Workspace settings.
2. From the Workspace settings pane, select Encryption.
3. Enable Apply customer-managed keys.
4. In the Key identifier field, enter your customer-managed key identifier.
5. Select Apply.
Once you complete these steps, your workspace is encrypted with a customer-managed key. This means existing and future items in the workspace are encrypted with the customer-managed key you used for the setup. You can review the encryption status (Active, In progress, or Failed) in the Encryption tab in workspace settings. Items whose encryption is in progress or failed are also listed by category. The key needs to remain active in the Key Vault while encryption is in progress (status: In progress).
Revoke access
To revoke access to data in a workspace that's encrypted using a customer-managed key, revoke the key in the Azure Key Vault. Within 30 minutes of the key being revoked, read and write calls to the workspace fail.
You can revoke a customer-managed encryption key by changing the access policy, by changing the permissions on the key vault, or by deleting the key.
To reinstate access, restore access to the customer-managed key in the Key Vault.
Disable the encryption
To stop encrypting the workspace with a customer-managed key, go to Workspace settings and disable Apply customer-managed keys. The workspace remains encrypted using Microsoft-managed keys.
You can't disable customer-managed keys while encryption for any of the Fabric items in your workspace is in progress.
Encryption is currently available in selected regions and will only work for workspaces using capacities in those regions.
Considerations and limitations
Before you configure your Fabric workspace with a customer-managed key, consider the following limitations:
Customer-managed keys are currently supported for the following Fabric items:
- Lakehouse
- Environment
- Spark Job Definition
- API for GraphQL
- ML model
- Experiment
- Data Pipeline
- Dataflow
- Industry solutions
- Mirrored items
This feature can't be enabled for a workspace that contains unsupported items.
When customer-managed key encryption for a Fabric workspace is enabled, only supported items can be created in that workspace.
The following data isn't protected with customer-managed keys:
- Lakehouse column names, table format, table compression, SQL endpoint
- Spark shuffle data and Spark event logs
- Metadata generated when creating a Data pipeline, such as DB name, table, schema
- Metadata of ML model and experiment, like the model name, version, metrics
CMK is only supported in the following regions: East US, Germany West Central, North Central US, North Europe, South Central US, Southeast Asia, UAE North, UK South, West Europe, and West US. To use CMK, your home region and capacity must be in a supported region.
CMK is supported on all F SKUs.
CMK is not supported when the Azure Key Vault firewall setting is enabled.