Hi,
I'm trying to retrieve a Key Vault secret that's on a different tenant, but I get the following error:

```
Py4JJavaError: An error occurred while calling o4768.getSecretWithToken. : java.io.IOException: 401 {"error":{"code":"Unauthorized","message":"AKV10032: Invalid issuer. Expected one of https://sts.windows.net/xxxxxx/, https://sts.windows.net/xxxxxxxxxx/, https://sts.windows.net/xxxx/, found https://sts.windows.net/xxxx/."}}.
```

It seems I need to set the tenant that the Key Vault belongs to. I tried setting the tenant, but I get another error.

```python
from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient

# Set the tenant ID
tenant_id = 'xxxx'

# Create a DefaultAzureCredential with the tenant ID
credential = DefaultAzureCredential(authority=f"https://login.microsoftonline.com/{tenant_id}")

# Create a SecretClient
vault_url = 'https://vault.azure.net/'
client = SecretClient(vault_url=vault_url, credential=credential)
```

```
ClientAuthenticationError: DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
	EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
Visit https://aka.ms/azsdk/python/identity/environmentcredential/troubleshoot to troubleshoot this issue.
	ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no response from the IMDS endpoint.
	SharedTokenCacheCredential: SharedTokenCacheCredential authentication unavailable. No accounts were found in the cache.
	AzureCliCredential: Azure CLI not found on path
	AzurePowerShellCredential: PowerShell is not installed
	AzureDeveloperCliCredential: Azure Developer CLI could not be found. Please visit https://aka.ms/azure-dev for installation instructions and then,once installed, authenticate to your Azure account using 'azd auth login'.
To mitigate this issue, please refer to the troubleshooting guidelines here at https://aka.ms/azsdk/python/identity/defaultazurecredential/troubleshoot.
```

If you need to access a Key Vault in a different tenant, you’ll need to ensure that:
1. The managed identity of your Fabric workspace has been granted access to the Key Vault in the target tenant.
2. The Key Vault’s access policies or RBAC settings allow access from your managed identity.
Use Fabric’s Secret Management
Azure Fabric provides built-in secret management capabilities. Instead of accessing the Key Vault directly from your notebook, consider storing the secret in Fabric’s secret management and accessing it from there:

```python
from notebookutils import mssparkutils

secret_value = mssparkutils.secrets.get("your-secret-name", "your-secret-scope")
print(secret_value)
```

Hi @Soobramoney ,
May I ask if you have resolved this issue? If so, please mark the helpful reply and accept it as the solution. This will be helpful for other community members who have similar problems to solve it faster.
Thank you.
Hi @Soobramoney
Thank you for reaching out to the Microsoft Forum community.
I wanted to check if you had the opportunity to review the information provided. Please feel free to contact us if you have any further questions. If my response has addressed your query, please accept it as a solution and give a 'Kudos' so other members can easily find it.
Thank you.
Hi @Soobramoney
The error you’re encountering suggests that the `DefaultAzureCredential` is unable to authenticate using any of the available methods when you specify a different tenant. This is likely because the Fabric notebook environment doesn’t have access to the credentials for the other tenant.
Instead of using `DefaultAzureCredential`, you can create a service principal in the target tenant and use its credentials to authenticate:

```python
from azure.identity import ClientSecretCredential
from azure.keyvault.secrets import SecretClient

tenant_id = 'target_tenant_id'
client_id = 'service_principal_client_id'
client_secret = 'service_principal_client_secret'

credential = ClientSecretCredential(tenant_id, client_id, client_secret)

vault_url = 'https://vault.azure.net/'
client = SecretClient(vault_url=vault_url, credential=credential)
```

Please see if this is helpful
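
An added diagnostic example (not code from this thread or from Microsoft): the AKV10032 error in the question means the tenant in the token's `iss` claim is not one the vault accepts, which is why a credential from the vault's own tenant is needed. The tenant IDs, the unsigned sample token and all helper names below are constructed for illustration.

```python
import base64
import json
import re
from urllib.parse import urlparse

# Constructed placeholder tenant IDs, not real directories.
HOME_TENANT = "11111111-1111-1111-1111-111111111111"
VAULT_TENANT = "22222222-2222-2222-2222-222222222222"

def make_sample_token(tenant_id):
    """Build an unsigned, constructed JWT that carries only an `iss` claim."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = enc({"alg": "none"})
    payload = enc({"iss": "https://sts.windows.net/" + tenant_id + "/"})
    return header + "." + payload + "."

def issuer_tenant(token):
    """Return the tenant ID from the token's `iss` claim (diagnosis only, signature not verified)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    iss = json.loads(base64.urlsafe_b64decode(padded)).get("iss", "")
    segments = [s for s in urlparse(iss).path.split("/") if s]
    if not segments:
        raise ValueError("no tenant in issuer %r" % iss)
    return segments[0]

def parse_akv10032(message):
    """Split an AKV10032 message into (expected issuers, found issuer)."""
    m = re.search(r"Expected one of (.+), found (\S+?)\.?$", message.strip())
    if not m:
        raise ValueError("not an AKV10032 invalid-issuer message")
    return m.group(1).split(", "), m.group(2)

def token_matches_vault(token, vault_tenant):
    """True when the token was issued by the tenant that owns the vault."""
    return issuer_tenant(token).lower() == vault_tenant.lower()

if __name__ == "__main__":
    msg = ("AKV10032: Invalid issuer. Expected one of https://sts.windows.net/" + VAULT_TENANT
           + "/, found https://sts.windows.net/" + HOME_TENANT + "/.")
    print(parse_akv10032(msg))
    print(token_matches_vault(make_sample_token(HOME_TENANT), VAULT_TENANT))   # False
    print(token_matches_vault(make_sample_token(VAULT_TENANT), VAULT_TENANT))  # True
```
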
Hi @nilendraFabric ,
If we implement this, will it not expose the client_id and client_secret in the notebooks? I'm trying not to hardcode any credentials, hence why I'm trying to use Key Vault.