
sutandon

Workspace Customer-Managed Keys for BYOK in Microsoft Fabric (Preview)

Enterprise analytics platforms increasingly operate under strict security, compliance, and regulatory requirements. For many organizations, encryption is not sufficient without clear ownership and control of cryptographic keys.

Microsoft Fabric supports two complementary key management capabilities:

  • Bring Your Own Key (BYOK), which enables customer‑managed encryption for Power BI semantic models at the capacity level.
  • Customer‑Managed Keys (CMK), which enables customer‑managed encryption for other Fabric items at the workspace level.

Because the workspace-level CMK feature does not cover Power BI semantic models, the two capabilities are complementary: together they allow organizations to align encryption controls with their security architecture and compliance obligations.

What’s new

Previously, customers could not enable CMK on workspaces hosted in Fabric capacities that were already configured with BYOK. As a result, they faced a trade-off between security and convenience: protecting Fabric data with customer-managed keys required provisioning separate capacities for Power BI semantic models and for other Fabric items, increasing costs and operational complexity.

Now, workspace‑level CMK is supported in all Fabric capacities, including BYOK‑enabled capacities. With this update:

  • CMK can be enabled on workspaces hosted in BYOK‑enabled capacities.
  • Customers can choose to use the same key for both BYOK and CMK or use separate keys to meet isolation or compliance requirements.
  • There is no longer a need to create dedicated capacities solely for CMK adoption.

This change simplifies deployment models while preserving strong encryption boundaries.

How BYOK and CMK work together

At a high level, BYOK protects Power BI semantic models at the capacity level and CMK protects Fabric workspace data at the workspace level. When used together, organizations can apply layered encryption controls, aligning key ownership with operational and regulatory requirements.


Figure: Interoperability between workspace-level CMK and capacity-level BYOK.

Why this matters

This enhancement addresses several common enterprise scenarios:

Compliance‑driven organizations: Meet regulatory requirements that mandate customer ownership of encryption keys and granular control over cryptographic boundaries.

Shared capacities with isolated workspaces: Protect sensitive workspaces within shared Fabric capacities, without introducing additional infrastructure.

Defense‑in‑depth strategies: Apply encryption at both the capacity and workspace layers, reducing blast radius and strengthening overall security posture.

By supporting CMK and BYOK together, Fabric enables flexible encryption strategies without increasing operational overhead.

Configuring BYOK and CMK together

The following high‑level steps outline how BYOK and CMK can be used in the same Fabric environment.

Store keys in Azure Key Vault

Create encryption keys in Azure Key Vault or Azure Key Vault Managed HSM (MHSM).

  • Use MHSM when hardware‑backed, single‑tenant, FIPS‑validated key storage is required.
  • Assign the required permissions for the Power BI service and Fabric to access the keys.

Configure BYOK on a Fabric capacity

In the Fabric admin portal:

  • Select the Fabric capacity.
  • Configure BYOK using a key stored in Azure Key Vault or MHSM.
  • This key is used to encrypt Power BI semantic models hosted on the capacity.

Enable CMK on a workspace within that capacity

In the workspace settings:

  • Enable encryption using customer‑managed keys.
  • Select a key from Azure Key Vault or MHSM for workspace data encryption.
  • Choose whether to reuse the BYOK key or use a separate key for CMK.

This configuration allows encryption controls to be tailored at both the capacity and workspace levels.
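The steps above are performed in the Fabric admin portal and workspace settings, but the key itself lives in Azure Key Vault, and most failed BYOK/CMK rollouts trace back to the key or vault configuration rather than to Fabric. The following preflight script is an added example written for this post; it is not Microsoft's code and does not call any Fabric or Power BI API. It models the checks an operator would run before pointing a capacity or a workspace at a key: the vault has soft delete and purge protection, the key is RSA of at least 2048 bits, it permits wrapKey and unwrapKey, it is enabled and unexpired, and the Power BI service principal has wrap/unwrap access. These rules, the minimum key size, and the principal object ID are assumptions drawn from general BYOK setup guidance, not statements from the post. The input dictionaries imitate the shape of `az keyvault show` and `az keyvault key show` output, but every value is constructed, including the RSA modulus, which is synthetic and only has the right bit length. A second function classifies whether the BYOK key and the CMK key are the same key, which is the choice the last step asks you to make.

```python
"""Preflight checks for an Azure Key Vault key intended for Fabric BYOK and/or workspace CMK.

Added illustration, not Microsoft's code. Input shapes imitate `az keyvault show` and
`az keyvault key show`, but all sample values below are constructed, and the rules are
assumptions from general BYOK guidance rather than from the Fabric announcement.
"""
import base64
from urllib.parse import urlparse

# Assumed: object ID of the Power BI service principal in your tenant (tenant specific).
POWERBI_OBJECT_ID = "<powerbi-service-principal-object-id>"
REQUIRED_OPS = {"wrapKey", "unwrapKey"}


def _b64url_encode_int(value: int) -> str:
    """Encode an integer as unpadded base64url (JWK 'n' format); used only to build samples."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def modulus_bits(n_b64url: str) -> int:
    """Return the bit length of a JWK RSA modulus given as unpadded base64url."""
    padded = n_b64url + "=" * (-len(n_b64url) % 4)
    return int.from_bytes(base64.urlsafe_b64decode(padded), "big").bit_length()


def make_vault(purge_protection: bool, grant_wrap_unwrap: bool) -> dict:
    """Constructed vault description in the shape of `az keyvault show`."""
    key_perms = ["get", "wrapKey", "unwrapKey"] if grant_wrap_unwrap else ["get"]
    return {
        "name": "kv-fabric-keys",
        "properties": {
            "enableSoftDelete": True,
            "enablePurgeProtection": purge_protection,
            "accessPolicies": [
                {"objectId": POWERBI_OBJECT_ID, "permissions": {"keys": key_perms}},
            ],
        },
    }


def make_key(name: str, bits: int, enabled: bool = True) -> dict:
    """Constructed key description in the shape of `az keyvault key show`."""
    return {
        "key": {
            "kid": f"https://kv-fabric-keys.vault.azure.net/keys/{name}/0123456789abcdef",
            "kty": "RSA",
            "keyOps": ["wrapKey", "unwrapKey", "encrypt", "decrypt"],
            # Synthetic modulus with exactly `bits` bits; not a real RSA modulus.
            "n": _b64url_encode_int((1 << (bits - 1)) + 1),
        },
        "attributes": {"enabled": enabled, "expires": None},
    }


def check_key(vault: dict, key: dict, principal_object_id: str, min_bits: int = 2048) -> list:
    """Return a list of findings; an empty list means the key passes the preflight."""
    findings = []
    props = vault["properties"]
    if not props.get("enableSoftDelete"):
        findings.append("vault: soft delete is disabled (a deleted key is unrecoverable)")
    if not props.get("enablePurgeProtection"):
        findings.append("vault: purge protection is disabled (a purged key makes the data unreadable)")

    k = key["key"]
    if k.get("kty") not in ("RSA", "RSA-HSM"):
        findings.append(f"key: type {k.get('kty')} is not RSA")
    elif modulus_bits(k["n"]) < min_bits:
        findings.append(f"key: modulus is {modulus_bits(k['n'])} bits, minimum is {min_bits}")
    missing_ops = REQUIRED_OPS - set(k.get("keyOps", []))
    if missing_ops:
        findings.append(f"key: operations not permitted: {sorted(missing_ops)}")
    attrs = key.get("attributes", {})
    if not attrs.get("enabled"):
        findings.append("key: disabled")
    if attrs.get("expires"):
        findings.append(f"key: expiry set ({attrs['expires']}); Key Vault refuses unwrap after expiry")

    # Some access policy must grant wrapKey and unwrapKey to the Power BI service principal.
    granted = any(
        p["objectId"] == principal_object_id
        and REQUIRED_OPS.issubset(p.get("permissions", {}).get("keys", []))
        for p in props.get("accessPolicies", [])
    )
    if not granted:
        findings.append(f"vault: principal {principal_object_id} lacks wrapKey/unwrapKey")
    return findings


def key_sharing_mode(byok_key_id: str, cmk_key_id: str) -> str:
    """Classify how the capacity (BYOK) key relates to the workspace (CMK) key.

    A key ID has the form https://<vault>.vault.azure.net/keys/<name>/<version>;
    vault host and key name identify the key, the version is ignored.
    """
    def identity(key_id: str):
        u = urlparse(key_id)
        parts = u.path.strip("/").split("/")
        return u.netloc.lower(), (parts[1] if len(parts) > 1 else "")

    b_vault, b_name = identity(byok_key_id)
    c_vault, c_name = identity(cmk_key_id)
    if (b_vault, b_name) == (c_vault, c_name):
        return "shared-key"
    if b_vault == c_vault:
        return "separate-keys-same-vault"
    return "separate-keys-separate-vaults"


if __name__ == "__main__":
    good = check_key(make_vault(True, True), make_key("fabric-byok", 2048), POWERBI_OBJECT_ID)
    weak = check_key(make_vault(False, False), make_key("legacy", 1024), POWERBI_OBJECT_ID)
    print("good key findings:", good)  # []
    print("weak key findings:", *weak, sep="\n  ")
    byok = make_key("fabric-byok", 2048)["key"]["kid"]
    cmk = make_key("fabric-cmk", 2048)["key"]["kid"]
    print(key_sharing_mode(byok, cmk))  # separate-keys-same-vault
```

Against live resources you would feed `check_key` the JSON from `az keyvault show` and `az keyvault key show` instead of the constructed samples. The sharing classifier is deliberately version-insensitive, so rotating either key to a new version does not change a "shared-key" answer; if a compliance requirement calls for isolation between semantic models and other Fabric items, "separate-keys-separate-vaults" is the result to look for.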

Resources

For detailed guidance, refer to the following documentation:

Conclusion

With workspace‑level CMK now supported in BYOK‑enabled Fabric capacities, Microsoft Fabric delivers a more unified and flexible encryption model for enterprise analytics.

Organizations gain stronger control over encryption, improved auditability, and the ability to align key management with both operational and regulatory needs—without introducing additional infrastructure or complexity.

Whether you’re securing shared capacities, isolating sensitive workloads, or implementing a defense‑in‑depth strategy, Fabric’s enhanced key management capabilities provide the tools needed to protect analytics data with confidence.

Share your feedback! We’d love to hear from you. Reach out to your Microsoft account team with thoughts, suggestions, or feature requests. You can also leave your feedback in the comment section.