Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Note
Azure Key Vault references in Fabric are available as a preview feature.
Azure Key Vault (AKV) is Microsoft’s cloud service for storing secrets, keys, and certificates centrally, so that applications never need to embed credentials in code or configuration. Azure Key Vault references extend this model to Microsoft Fabric. Instead of pasting passwords or connection strings into Fabric, you create a reference to the secret that lives in your vault; Fabric fetches the value just-in-time whenever a data connection in Fabric workloads needs it.
How Azure Key Vault references work
When you add an Azure Key Vault reference in Fabric, the service records the vault URI and the secret name by using Microsoft Entra ID OAuth 2.0 consent. During the consent flow, you grant Fabric’s system-assigned managed identity Get and List permissions on the specified secrets; the secret values themselves never leave the key vault.
Since Fabric stores only an encrypted access token, no secret material is written to disk or sent through the browser. At run time, the Fabric connector’s engine resolves the reference, retrieves the current secret value, and inserts it into the connector’s connection string entirely in memory. The secret is held just long enough to establish the connection and is then discarded.
Prerequisites
- A Microsoft Fabric tenant account with an active subscription. Create an account for free.
- You need an Azure subscription with Azure Key Vault resource to test this feature.
- Read the Azure Key Vault quick start guide on learn.microsoft.com to learn more about creating an AKV resource.
Supported connectors and authentication types
Supported Connector | Category | Account key | Basic (Username/Password) | Token (Shared Access Signature or Personal Access Token) | Service Principal |
---|---|---|---|---|---|
![]() Azure Blob Storage |
Azure | ![]() |
![]() |
![]() |
![]() |
![]() Azure Data Lake Storage Gen2 |
Azure | ![]() |
![]() |
![]() |
![]() |
![]() Azure Table Storage |
Azure | ![]() |
![]() |
![]() |
![]() |
![]() Databricks |
Services and apps | ![]() |
![]() |
![]() |
![]() |
![]() Dataverse |
Services and apps | ![]() |
![]() |
![]() |
![]() |
![]() OData |
Generic protocol | ![]() |
![]() |
![]() |
![]() |
![]() Oracle Cloud Storage |
File | ![]() |
![]() |
![]() |
![]() |
![]() PostgreSQL |
Database | ![]() |
![]() |
![]() |
![]() |
![]() SharePoint Online list |
Services and apps | ![]() |
![]() |
![]() |
![]() |
![]() Snowflake |
Services and apps | ![]() |
![]() |
![]() |
![]() |
![]() SQL Server (Cloud) |
Database | ![]() |
![]() |
![]() |
![]() |
![]() Web API/Webpage |
Generic Protocol | ![]() |
![]() |
![]() |
![]() |
Limitations and considerations
- Azure Key Vault references can be used only with cloud connections.
- Virtual network data gateways and on-premises data gateways aren’t supported.
- Fabric Lineage view isn't available for AKV references.
- You can’t create or use AKV references with connection from the "Modern Get Data” pane in Fabric items. Learn how to create Azure Key Vault references in Fabric from "Manage Connections & Gateways".
- Azure Key Vault references in Fabric always retrieve the current (latest) version of a secret; Azure Key Vault credential versioning is not supported.