Use customer-managed keys in Power BI

Power BI encrypts data at rest and in process. By default, Power BI uses Microsoft-managed keys to encrypt your data. You can choose to use your organization's keys for encryption of user content at rest across Power BI, from report images to imported semantic models in Premium capacities.

Why use customer-managed keys

With Power BI customer-managed keys (CMK), your organization can meet compliance requirements for data encryption at rest with your cloud service provider (in this case, Microsoft). CMK is only offered to new Power BI Premium customers. It enables your organization to encrypt Power BI user content with a key that you provide and manage. Revoking a customer-managed key makes user content within Power BI unreadable for everyone within an hour, including Microsoft. Compared to a bring-your-own-key (BYOK) offering, CMK covers user content that is generated by the service, and customer data that is imported into reports and semantic models hosted on Premium capacities. It enforces stricter caching policies, and you can only apply a single key to encrypt all the data.

How to use customer-managed keys

To opt in to Power BI customer-managed keys, contact your Microsoft account manager to validate that your organization meets the size requirements that are required for enabling CMK.

Related content

The following links provide information that can be useful for customer-managed keys:

• Bring your own encryption keys for Power BI
• Configure Multi-Geo support for Power BI Premium
• Power BI security white paper