Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Join us at FabCon Vienna from September 15-18, 2025, for the ultimate Fabric, Power BI, SQL, and AI community-led learning event. Save €200 with code FABCOMM. Get registered

Reply
willparker1
New Member

Azure Key Vault References

‎04-09-2025 03:21 AM

Hi

 

Anyone tried using the new Azure Key Vault references feature?

 

I think it was part of the Q1 2025 feature drop but looks only partially implemented to me.

 

We now have a new tab under "Manage Connections and Gateways" called "Azure Key Vault references". Under there we can successfully create entrries to reference Azure Key Vault resources created within our tenant.

 

How do we reference them? There appears to be no documentation on this that I can find.

 

If we have a Cloud Connection to Azure Blob Storage - Happy Days. A neat little Key Vault icon next to the authentication credentials field.... just click on that and enter your key vault reference.

 

Any other connections? I can't see any way of connecting. No nice little icons, and no way of entering teh key vault reference for a connection.

 

Can anyone advise how this new feature is supposewd to be used?

 

Labels:
Message 1 of 18
1,932 Views
17 REPLIES 17
v-csrikanth
Community Support
Community Support

6 hours ago

Hi @onerbreno 

If your Fabric notebook isn't fetching secrets with mssparkutils.credentials.getSecret(), here are a few troubleshooting stesps to look out for:

  • Make sure your Fabric workspace's managed identity has both the Key Vault Reader and Key Vault Secrets User roles assigned in Azure Key Vault's "Access Control (IAM)".
  • Verify the Key Vault name and secret name in your code — they are case-sensitive. Even minor typos can cause silent failures.
  • Check that the secret is active — not disabled or expired.
  • If your Key Vault uses private endpoints or has public access fully disabled, Fabric won’t be able to reach it. Fabric currently doesn’t support connecting to Key Vaults through private endpoints.
  • This code will only work inside a Fabric notebook — it won’t function in an external IDE or local script.
  • To confirm which identity your notebook is using to call the Key Vault, run:
            from notebookutils import mssparkutils
            print(mssparkutils.credentials.getIdentityName()
    Let me know if you need help checking any of these or interpreting what you find!

Note:For refrence check the below link for supported connectors and authentication types.
Azure Key Vault Reference overview (Preview) - Microsoft Fabric | Microsoft Learn

FYI 

vcsrikanth_0-1750851106016.png

If the above information is helpful, please give us Kudos and mark the response as Accepted as solution.
Best Regards,
Community Support Team _ C Srikanth.

Message 18 of 18
34 Views
0
v-csrikanth
Community Support
Community Support

‎06-13-2025 04:47 AM

Hi @willparker1 
Please check the below points that might resolve your issue:

  • Azure Key Vault references currently work directly only with Blob Storage connections in Fabric; other connectors like Power BI or ArcGIS don’t support this yet.
  • In the “Manage Connections and Gateways” section, you can define a Key Vault reference, but only compatible connectors will expose it during credential entry.
  • For other use cases, use Fabric notebooks to securely fetch secrets with this code:

from notebookutils import mssparkutils

secret = mssparkutils.credentials.getSecret("YourKeyVaultName", "YourSecretName")

  • Ensure the Fabric workspace managed identity has the "Key Vault Secrets User" role assigned to the Key Vault.
  • After fetching the secret in the notebook, you can use it to connect to APIs, databases, or secured storage, and then store the processed data in a Lakehouse or Warehouse.
  • Connect Power BI, ArcGIS, or other services to that processed data rather than trying to inject secrets directly into unsupported connectors.
  • This method maintains security while enabling integration across Fabric workloads.
  • Azure Key Vault support in Fabric is still evolving—wider connector support is expected in future updates, so keep an eye on the roadmap.

Best Regards,
Cheri Srikanth 

Message 16 of 18
680 Views
onerbreno
Frequent Visitor
In response to v-csrikanth

‎06-13-2025 05:21 AM

Hi, @v-csrikanth!

I tested these steps but wasn’t successful. Could you help me understand what might be missing?

  • For other use cases, use Fabric notebooks to securely fetch secrets with this code:

from notebookutils import mssparkutils

secret = mssparkutils.credentials.getSecret("YourKeyVaultName", "YourSecretName")

  • Ensure the Fabric workspace managed identity has the "Key Vault Secrets User" role assigned to the Key Vault.
Message 17 of 18
673 Views
0
burakkaragoz
Community Champion
Community Champion

‎06-10-2025 12:25 AM

Hi @willparker1 ,

You’ve raised a spot-on summary of the current Azure Key Vault References feature in Microsoft Fabric. As of now, the implementation is indeed quite limited and mainly targets specific scenarios:

  • The native Key Vault reference integration only works seamlessly with Azure Blob Storage connections. In these cases, a Key Vault icon appears next to the authentication field, letting you select and inject a secret directly from your Azure Key Vault.
  • For other types of connections, the feature isn’t fully available yet. There’s no dynamic content option or Key Vault reference picker in the connection setup dialogs, which means the experience is inconsistent.
  • The recommended (and currently only) way to access Azure Key Vault secrets from within Fabric is using msaparkutils in Fabric notebooks, not standalone Python scripts. Example:
     
    from notebookutils import mssparkutils
secret = mssparkutils.credentials.getSecret("YourKeyVaultName", "YourSecretName")
    Your Fabric workspace identity must have the "Key Vault Secrets User" role for this to work. This approach is not supported in non-notebook scripts.
  • For Power BI, ArcGIS, or other scenarios, the usual workflow is to preprocess or inject secrets via notebooks, then consume the output with the relevant tool.

Community feedback (including yours) is very valuable here—Microsoft often expands these features in response to real-world use cases. If you haven’t already, consider submitting your experience and requirements via the official Fabric Ideas portal.

If you need workarounds for other connection types, or want to discuss secure secret management strategies, happy to brainstorm further! You’re definitely not alone in wanting a more universal and documented solution.

Let me know if you have any follow-up questions or want more concrete examples.

Message 11 of 18
830 Views
onerbreno
Frequent Visitor
In response to burakkaragoz

‎06-12-2025 10:32 AM

Hi @burakkaragoz!

I tried using this method with mssparkutils, but I couldn’t access the secret. Could you explain it a bit more or help me understand what might be missing? I’m using a notebook in Fabric and have already assigned the "Key Vault Secrets User" role to the workspace, but it still didn’t work.

Message 12 of 18
757 Views
0
burakkaragoz
Community Champion
Community Champion
In response to onerbreno

‎06-13-2025 05:25 AM

@onerbreno ,

Thanks for sharing your experience—this is a common stumbling block! Let’s go through a checklist and some troubleshooting steps to get mssparkutils working with Azure Key Vault in Fabric notebooks:

  1. Role Assignment Propagation:

    • After assigning the “Key Vault Secrets User” role, it can take several minutes (sometimes up to an hour) for the permission to propagate across Azure AD and Fabric. If you assigned the role very recently, try waiting a bit and then re-running your notebook.

  2. Scope of Role Assignment:

    • Double-check that the role is assigned to the correct security principal (e.g., the workspace-managed identity, not your personal account), and that it’s assigned at the right scope (i.e., to the Key Vault resource, not just at a resource group or subscription level).

  3. Key Vault Firewall/Networking:

    • Ensure your Key Vault’s firewall/networking settings allow access from Fabric. If “Public access from selected networks” is enabled, make sure the Fabric service’s IP or VNet is permitted.

  4. Secret Name and Case Sensitivity:

    • Secret names in Azure Key Vault are case-sensitive. Make sure the secret name in your code exactly matches what’s in the Key Vault, with no extra spaces.

  5. Notebook Identity:

    • In Fabric, notebooks usually run under the workspace’s managed identity. Make sure this identity is the one with “Key Vault Secrets User” on the vault.

  6. Sample Working Code:

    • Here’s a typical working snippet (replace placeholders with your actual values):
      Python
       
      import mssparkutils
secret = mssparkutils.credentials.getSecret("YourKeyVaultName", "YourSecretName")
print(secret)
    • If this throws an error, please share the exact error message—sometimes the error text gives a clue (e.g., “Forbidden”, “NotFound”, or “Network” errors).

  7. Testing from Azure Portal:

    • As a sanity check, try accessing the secret using the “Test access” feature in the Azure Key Vault portal, logged in as the same identity as your notebook uses.

If after all this you’re still getting blocked, could you paste the exact error message you receive? That’ll help narrow down whether it’s a permissions, network, or configuration issue.

Let me know how it goes—I’m happy to help you troubleshoot further!

If my response resolved your query, kindly mark it as the Accepted Solution to assist others. Additionally, I would be grateful for a 'Kudos' if you found my response helpful.

Message 13 of 18
669 Views
onerbreno
Frequent Visitor
In response to burakkaragoz

Friday

Hi, @burakkaragoz!


After some research, I understand that it's still not possible to authenticate to Azure Key Vault using the workspace identity in notebooks.


If there's any additional detail or update about this, I’d really appreciate it if you could share.

 

Thank you!

Message 15 of 18
237 Views
0
onerbreno
Frequent Visitor
In response to burakkaragoz

‎06-13-2025 07:04 AM

Hello, @burakkaragoz! Thank you very much for your reply.

Unfortunately, I still haven't been successful.

I granted the "Key Vault Secrets User" role to the Workspace Identity, and to be sure, I also assigned the "Admin" permission to the Fabric workspace.

 

onerbreno_4-1749822562367.png

 

To test, I’m asking a user without permissions on the Azure Key Vault to run the notebook in the configured workspace. This user has the "Contributor" role in the workspace.


onerbreno_2-1749822214897.png

 

Below is the error returned:

403 Forbidden
{
  "error": {
    "code": "Forbidden",
    "message": "Caller is not authorized to perform action on resource.
If role assignments, deny assignments or role definitions were changed recently, please observe propagation time.

Caller: 
  appid={user_entra_id}
  oid={id}
  iss=https://sts.windows.net/c91d481c-40b4-4ff9-8f2e-a00df534d8b7/

Action: 
  'Microsoft.KeyVault/vaults/secrets/getSecret/action'

Resource: 
  '/subscriptions/{subscription_id}/resourcegroups/rg-demos/providers/microsoft.keyvault/vaults/akv-dtx-demo/secrets/teste'

Assignment: (not found)
DenyAssignmentId: null
DecisionReason: null
Vault: akv-dtx-demo; location=eastus2",
    "innererror": {
      "code": "ForbiddenByRbac"
    }
  }
}

 

In the error body, under "Caller", I noticed that the "oid" field corresponds to the Entra ID of the user running the notebook, which indicates that this identity is being used to authenticate with the Key Vault, not the Workspace Identity.

I wasn't able to identify which resource the provided "appid" refers to.

Additional notes:

  • Key Vault firewall/network settings: configured to Allow public access from all networks

  • Secret name: confirmed to be correct

  • Role propagation: I’ll wait a few hours to see if the issue persists

If you have any further suggestions or if I missed something, I’d really appreciate your input.

 

 

 

Message 14 of 18
628 Views
0
v-csrikanth
Community Support
Community Support

‎06-10-2025 12:15 AM

Hi @willparker1 
Following up on our last response. Was it useful? If you need more details, we’re glad to help.
If it worked for you, consider clicking Accept as Solution and adding a Kudos.

Best Regards,
Community Support Team _ C Srikanth.

Message 10 of 18
830 Views
0
v-csrikanth
Community Support
Community Support

‎06-03-2025 10:42 PM

Hi @willparker1 

I wanted to follow up since I haven't heard from you in a while. Have you had a chance to try the suggested solutions?
If your issue is resolved, please consider marking the post as solved. However, if you're still facing challenges, feel free to share the details, and we'll be happy to assist you further.
Looking forward to your response!

Best Regards,
Community Support Team _ C Srikanth.

Message 9 of 18
963 Views
0
v-csrikanth
Community Support
Community Support

‎06-01-2025 08:38 PM

Hi @willparker1 
We haven't heard from you since last response and just wanted to check whether the solution provided has worked for you. If yes, please Accept as Solution to help others benefit in the community.
Thank you.

If the above information is helpful, please give us Kudos and mark the response as Accepted as solution.
Best Regards,
Community Support Team _ C Srikanth.

Message 8 of 18
1,003 Views
0
v-csrikanth
Community Support
Community Support

‎05-16-2025 05:35 AM

Hi @willparker1 
You're right, mssparkutils is deprecated in Microsoft Fabric. The supported way to access Azure Key Vault secrets in Fabric is by using mssparkutils inside Fabric notebooks only:

from notebookutils import mssparkutils

secret = mssparkutils.credentials.getSecret("YourKeyVaultName", "YourSecretName")

This works only inside Fabric notebooks, not in standalone Python scripts. Make sure your Fabric workspace identity has access to the Key Vault with the "Key Vault Secrets User" role. No need to store usernames or passwords manually. For external Python scripts, use Azure SDK instead.

If the above information helps you, please give us a Kudos and marked the Accept as a solution.
Best Regards,
Community Support Team _ C Srikanth.

Message 7 of 18
1,230 Views
0
v-csrikanth
Community Support
Community Support

‎04-28-2025 06:04 AM

Hi @willparker1
The current partial implementation and limitations, the best approach to use Azure Key Vault references in Microsoft Fabric is:

  • For integrating Azure Key Vault with Microsoft Fabric is to use mssparkutils in Fabric notebooks with a service account for authentication.

  • Use Azure Key Vault references primarily with Azure Blob Storage connections, where native UI support exists to select and inject secrets securely.

  • For ArcGIS and Power BI scenarios, use Fabric notebooks to preprocess data with Key Vault secrets, then connect Power BI to the processed data, ensuring the latest Power BI Desktop version for compatibility. 

 

If the above information helps you, please give us a Kudos and marked the Accept as a solution.
Best Regards,
Community Support Team _ C Srikanth.

 

Message 5 of 18
1,569 Views
0
willparker2
New Member
In response to v-csrikanth

‎04-28-2025 12:01 PM

Hi Support

 

Thanks for the response.

 

One follow on query - you mentioned mssparkutils. I understood this was demised for Fabric in favour of notebookutils? Certainly mssaprkutils unavailable for Python scripts.

 

Appreciate any advice.

 

Kind Regards

Will

 

 

Message 6 of 18
1,556 Views
0
dcsearle
Frequent Visitor

‎04-17-2025 04:01 AM

2nd the fact there is no documentation, also noticed that at the same time this feature was released all of a sudden Conditional Access policies started blocking us using our pre-existing Web2 connections to our AKV... effectively downing any pipelines which were using it.
Really poor behaviour in terms of releasing features like this - expect much more in terms of release notes and how to use.

Message 4 of 18
1,748 Views
0
DianaGeyer
Frequent Visitor

‎04-09-2025 04:28 AM

Hi @willparker1

 

I haven't tested it yet myself, but I would assume it's meant to work similarly to how Azure Key Vault references are used in other Azure resources. The expected format seems to follow the same structure as in, for example, App Services or Logic Apps.

You can try referencing your secret using one of the following formats:

@Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret)

Or alternatively:

@Microsoft.KeyVault(VaultName=myvault;SecretName=mysecret)

If that works for you, feel free to mark this as the solution so others can benefit as well!

Message 2 of 18
1,898 Views
0
willparker1
New Member
In response to DianaGeyer

‎04-09-2025 05:14 AM

Hi Diana

 

Thanks so much for responding.

 

Unfortunately there is no option to use dynamic content in the connection set up field.

 

There is actually one type of connection that allows you to reference the key vault - a Blob Storage connection. In that dialog, you are given a side icon allows you to select a property from an Azure Key Vault then it replaces it with the value, (see below). However this elegant solution is unavailable on any other connection type I can find, (and no other option I can see is available to reference the Azure Key References, making them kinda useless...

 

willparker1_1-1744200722655.png

 

Thanks

Will

 

Message 3 of 18
1,891 Views
0

Helpful resources

Announcements
Join our Fabric User Panel

Join our Fabric User Panel

This is your chance to engage directly with the engineering team behind Fabric and Power BI. Share your experiences and shape the future.

June 2025 community update carousel

Fabric Community Update - June 2025

Find out what's new and trending in the Fabric community.

View All