Edit

Share via


Azure Key Vault references overview (Preview)

Note

Azure Key Vault references in Fabric are available as a preview feature.

Azure Key Vault (AKV) is Microsoft’s cloud service for storing secrets, keys, and certificates centrally, so that applications never need to embed credentials in code or configuration. Azure Key Vault references extend this model to Microsoft Fabric. Instead of pasting passwords or connection strings into Fabric, you create a reference to the secret that lives in your vault; Fabric fetches the value just-in-time whenever a data connection in Fabric workloads needs it.

How Azure Key Vault references work

When you add an Azure Key Vault reference in Fabric, the service records the vault URI and the secret name by using Microsoft Entra ID OAuth 2.0 consent. During the consent flow, you grant Fabric’s system-assigned managed identity Get and List permissions on the specified secrets; the secret values themselves never leave the key vault.

Since Fabric stores only an encrypted access token, no secret material is written to disk or sent through the browser. At run time, the Fabric connector’s engine resolves the reference, retrieves the current secret value, and inserts it into the connector’s connection string entirely in memory. The secret is held just long enough to establish the connection and is then discarded.

Prerequisites

Supported connectors and authentication types

Supported Connector Category Account key Basic (Username/Password) Token (Shared Access Signature or Personal Access Token) Service Principal

Azure Blob
Storage
Azure

Azure Data Lake
Storage Gen2
Azure

Azure Table
Storage
Azure

Databricks
Services and apps

Dataverse
Services and apps

OData
Generic protocol

Oracle Cloud Storage
File

PostgreSQL
Database

SharePoint Online
list
Services and apps

Snowflake
Services and apps

SQL Server (Cloud)
Database

Web API/Webpage
Generic Protocol

Limitations and considerations

  • Azure Key Vault references can be used only with cloud connections.
  • Virtual network data gateways and on-premises data gateways aren’t supported.
  • Fabric Lineage view isn't available for AKV references.
  • You can’t create or use AKV references with connection from the "Modern Get Data” pane in Fabric items. Learn how to create Azure Key Vault references in Fabric from "Manage Connections & Gateways".
  • Azure Key Vault references in Fabric always retrieve the current (latest) version of a secret; Azure Key Vault credential versioning is not supported.