Bring your own Azure key vault (preview)

[This article is prerelease documentation and is subject to change.]


On September 1, 2023, we merged and renamed Dynamics 365 Marketing and Dynamics 365 Customer Insights. Dynamics 365 Marketing is now called Dynamics 365 Customer Insights - Journeys. Dynamics 365 Customer Insights is now called Dynamics 365 Customer Insights - Data. For more information, see Dynamics 365 Customer Insights FAQs.


Azure Active Directory is now Microsoft Entra ID. Learn more

Linking a dedicated Azure key vault to a Dynamics 365 Customer Insights - Data environment helps organizations to meet compliance requirements.

Set up the dedicated key vault to stage and use secrets in an organization's compliance boundary.



  1. Go to Settings > Permissions, and then select the Key Vault tab.
  2. On the Key Vault tile, select Setup.
  3. Choose a Subscription.
  4. Choose a key vault from the Key Vault dropdown list. If too many key vaults are available, select a resource group to limit the search results.
  5. Review the Data privacy and compliance and select I agree.
  6. Select Save.

The Key Vault tile shows the linked key vault name, subscription, and resource group. It's ready to be used in the connection setup. For details about which permissions on the key vault are granted to the system, go to Permissions granted on the key vault.

Use the key vault in the connection setup

When setting up connections to supported third-party systems, use the secrets from the linked Key Vault to configure the connections.

  1. Go to Settings > Connections.

  2. Select Add connection.

  3. For the supported connection types, a Use Key Vault toggle is available if you linked a key vault.

  4. Instead of entering the secret manually, choose the secret name that points to the secret value in the key vault.

    Connection pane with an SFTP connection that uses a Key Vault secret.

  5. Select Save to create the connection.

Supported connection types

The following export connections are supported:

Permissions granted on the key vault

The following permissions are granted to Customer Insights - Data on a linked key vault if either Key Vault access policy or Azure role-based access control is enabled.

Key Vault access policy

Type Permissions
Key Get Keys, Get Key
Secret Get Secrets, Get Secret
Certificate Get Certificates, Get Certificate

The preceding values are the minimum to list and read during execution.

Azure role-based access control

The Key Vault Reader and Key Vault Secrets User roles will be added for Customer Insights - Data.

Frequently asked questions

Can Customer Insights - Data write secrets or overwrite secrets into the key vault?

No. Only the read and list permissions outlined in granted permissions are granted. The system can't add, delete, or overwrite secrets in the key vault. That's also the reason why you can't enter credentials when a connection uses Key Vault.

Can I change a connection from using Key Vault secrets to default authentication?

No. You can't change back to a default connection after you've configured it by using a secret from a linked key vault. Create a separate connection, and delete the old one if you don't need it anymore.

How can I revoke access to a key vault for Customer Insights - Data?

If the Key Vault access policy or Azure role-based access control is enabled, remove the permissions for the service principal 0bfc4568-a4ba-4c58-bd3e-5d3e76bd7fff with the name Dynamics 365 AI for Customer Insights. All connections that use the key vault will stop working.

A secret that's used in a connection got removed from the key vault. What can I do?

A notification appears in Customer Insights - Data when a configured secret from the key vault isn't accessible anymore. Enable soft-delete on the key vault to restore secrets if they're accidentally removed.

A connection doesn't work, but my secret is in the key vault. What might be the cause?

A notification appears in Customer Insights - Data when it can't access the key vault. The cause might be:

  • The permissions for the service principal got removed. They need to be manually restored.

  • The firewall on the key vault is enabled. The firewall must be disabled to make the key vault accessible for the system again.