
SDHorita
Advocate I

Key Vault Reference Configuration

Hello,

 

I am attempting to test the "Key Vault References" feature for connections from Fabric, but I am unable to connect to the key vault resource.  The error that I am getting is that the credentials are invalid.

 

I am logging in using AD, so the credentials should be fine.  My guess is that I need a different role on the key vault resource, but I'm not sure which one, I have contributor and secret officer currently and the documentation (https://learn.microsoft.com/en-us/fabric/data-factory/azure-key-vault-reference-configure) doesn't seem to indicate what permission is needed.

 

Does anyone know what role or account setting is needed to be able to create the reference?

 

Thanks.

1 ACCEPTED SOLUTION
nilendraFabric
Super User

Hi @SDHorita 

 

Your Azure AD account needs Key Vault Secrets User (for secret retrieval) and Key Vault Reader (for vault discovery) roles on the Key Vault resource. Contributor and Secret Officer roles don’t grant these specific permissions.

 

Ensure Fabric’s system-assigned managed identity is granted Get and List permissions.


9 REPLIES
v-sgandrathi
Community Support

Hi @SDHorita, Thank you for raising this question.

 

Appreciation to @nilendraFabric for providing accurate guidance. The error you're encountering typically occurs when the necessary Azure Key Vault permissions are not correctly assigned to either your Azure AD user account or the Microsoft Fabric system-assigned managed identity.

For the user account, ensure that it has the Key Vault Reader role to enable vault discovery and the Key Vault Secrets User role to allow retrieval of secrets.

For Fabric’s managed identity -- used when accessing secrets during pipeline or dataflow execution -- it must have Get and List permissions on secrets within the Key Vault. These permissions can be granted using Azure RBAC (recommended) by assigning the appropriate roles, or through Access Policies if using the legacy permission model. It's important to avoid mixing RBAC and access policies, as RBAC takes precedence and may override access policy settings.

For detailed steps on configuring this correctly, please refer to the official documentation provided below:
Configure AKV references - Microsoft Fabric | Microsoft Learn

Happy to help! If this addressed your concern, marking it as "Accepted Solution" and giving us "kudos" would be valuable for others in the community.

 

Thank you.

 

Hi @v-sgandrathi,

I have a few questions regarding the Azure Key Vault References setup. When you talk about fabric's managed identity, what do you mean by that? Because there are only workspace identities within Fabric.

Besides, if you use "Allow public access from specific virtual networks and IP addresses" in your Azure Key Vault, how does Fabric access this? I consistently get the following error when trying to create an Azure Key Vault Reference when this setting is enabled on my Key Vault:

[image: Lars_Moons_0-1753877444346.png]

Is there a way to solve this without opening up the key vault to public access?

Thank you in advance!

Hi @Lars_Moons,

 

To address your first question, when we refer to Fabric’s managed identity, we mean the system-assigned managed identity that is automatically created for each Fabric workspace. While you mainly interact with workspace identities, each Fabric workspace has its own managed identity used for secure authentication and access to resources such as Azure Key Vault.

For Key Vault references to function properly, this managed identity needs to be granted the following permissions on the Azure Key Vault:
- Get and List permissions on secrets
- At least the Key Vault Secrets User and Key Vault Reader roles

Regarding network access, if your Key Vault is configured to "Allow public access from specific virtual networks and IP addresses," Fabric services must be explicitly permitted. However, Fabric does not use static IP addresses and currently does not support private endpoint connectivity to Key Vault.

As a result, Key Vaults set to restrict public access will prevent Fabric from connecting, leading to the credential error you are experiencing. Therefore, it is necessary to temporarily set the Key Vault to "Allow public access from all networks" while maintaining access controls through policies or role assignments. This approach is required until Fabric supports more advanced network features such as VNets or private endpoints.

 

Thank you.
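A way to audit the vault network setting this reply describes, as an added example that is not code from the thread or from Microsoft: it reads a document in the shape of `az keyvault show -o json` output (the field names `properties.publicNetworkAccess`, `properties.networkAcls.defaultAction`, `bypass`, `ipRules`, `virtualNetworkRules` and `enableRbacAuthorization` are assumed from the Key Vault resource model), and reports why a Fabric Key Vault reference would be blocked. Both sample documents and the function `assess_fabric_access` are constructed for this example.

```python
"""Audit a Key Vault's network settings for the blocking condition the
reply above describes. Added example, not code from the thread or Microsoft.

Assumptions: the input follows the shape of `az keyvault show -o json`
(properties.publicNetworkAccess, properties.networkAcls with defaultAction,
bypass, ipRules, virtualNetworkRules, and enableRbacAuthorization). Both
sample documents below are constructed.
"""
import json

# Constructed: "Allow public access from specific virtual networks and IP addresses"
SAMPLE_RESTRICTED = json.loads("""
{
  "name": "kv-restricted",
  "properties": {
    "enableRbacAuthorization": true,
    "publicNetworkAccess": "Enabled",
    "networkAcls": {
      "bypass": "AzureServices",
      "defaultAction": "Deny",
      "ipRules": [{"value": "203.0.113.0/24"}],
      "virtualNetworkRules": []
    }
  }
}
""")

# Constructed: "Allow public access from all networks", RBAC as the access control
SAMPLE_OPEN = json.loads("""
{
  "name": "kv-open",
  "properties": {
    "enableRbacAuthorization": true,
    "publicNetworkAccess": "Enabled",
    "networkAcls": {"bypass": "None", "defaultAction": "Allow",
                    "ipRules": [], "virtualNetworkRules": []}
  }
}
""")


def assess_fabric_access(vault: dict) -> dict:
    """Report whether a Fabric Key Vault reference could reach this vault.

    Per the reply: Fabric has no static IPs to allow-list and no private
    endpoint path to Key Vault, so a Deny default action or disabled public
    access blocks it regardless of role assignments.
    """
    props = vault.get("properties") or {}
    acls = props.get("networkAcls") or {}
    public_access = str(props.get("publicNetworkAccess", "Enabled")).lower()
    default_action = str(acls.get("defaultAction", "Allow")).lower()
    blockers = []
    if public_access == "disabled":
        blockers.append("publicNetworkAccess=Disabled: reachable only through private endpoints")
    elif default_action == "deny":
        rules = len(acls.get("ipRules") or []) + len(acls.get("virtualNetworkRules") or [])
        blockers.append(f"networkAcls.defaultAction=Deny with {rules} allow rule(s): "
                        "Fabric has no static IP or VNet to add")
    # The bypass value is reported but not treated as admitting Fabric;
    # the reply does not describe Fabric as a bypassed trusted service.
    return {
        "vault": vault.get("name"),
        "reachable_by_fabric": not blockers,
        "blockers": blockers,
        "bypass": acls.get("bypass"),
        "rbac_authorization": bool(props.get("enableRbacAuthorization", False)),
    }


if __name__ == "__main__":
    for doc in (SAMPLE_RESTRICTED, SAMPLE_OPEN):
        print(json.dumps(assess_fabric_access(doc), indent=2))
```

Run against a real vault by piping `az keyvault show --name <vault> -o json` into `json.load` and calling `assess_fabric_access`; a vault that comes back with `reachable_by_fabric` false is in the state that produces the credential error from the screenshot, and `rbac_authorization` tells you whether role assignments (rather than access policies) are the control that remains once the default action is set to Allow.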

Hi @v-sgandrathi, so to confirm: in the picture below, is this the Fabric managed identity you are talking about?

[image: Lars_Moons_0-1753952593782.png]


If not, where can I find the fabric managed identities?

Thanks again!

Hi @Lars_Moons,

 

Yes, to confirm, the identity shown in your picture is the Fabric-managed identity we are referencing. This is the system-assigned managed identity automatically generated for your specific Fabric workspace.

This identity is used by Power BI/Fabric to securely authenticate when connecting to external services such as Azure Key Vault. You will need to assign the appropriate permissions (like "Get" and "List" for secrets) and roles (such as Key Vault Secrets User and Key Vault Reader) to this identity in your Key Vault’s Access Control (IAM) settings.

 

Thank you.

Hi @SDHorita,

 

May I ask if you have gotten this issue resolved?

If it is solved, please mark the helpful reply or share your solution and accept it as solution, it will be helpful for other members of the community who have similar problems as yours to solve it faster.

 

Thank you.

Hi @SDHorita,


We haven't heard back from you regarding our last response and wanted to check if your issue has been resolved.

If the response by the community member addressed your query, please mark it as Accept Answer and give us Kudos. Should you have any further questions, feel free to reach out.
Thank you for being a part of the Microsoft Fabric Community Forum!

nilendraFabric
Super User

Hi @SDHorita 

 

Your Azure AD account needs Key Vault Secrets User (for secret retrieval) and Key Vault Reader (for vault discovery) roles on the Key Vault resource. Contributor and Secret Officer roles don’t grant these specific permissions.

 

Ensure Fabric’s system-assigned managed identity is granted Get and List permissions.

Is that true? If you check the specific actions associated to each role:

- User actions:

DataActions
Microsoft.KeyVault/vaults/secrets/getSecret/action
Microsoft.KeyVault/vaults/secrets/readMetadata/action

- Officer:

DataActions
Microsoft.KeyVault/vaults/secrets/*

So User actions are included in Officer actions.

 

On the other hand, according to the documentation (Azure Key Vault Reference overview (Preview) - Microsoft Fabric | Microsoft Learn), you don't have to ensure Fabric’s system-assigned managed identity is granted Get and List permissions; the doc says that just with your Entra ID you are allowing Fabric to access:

When you add an Azure Key Vault reference in Fabric, the service records the vault URI and the secret name by using Microsoft Entra ID OAuth 2.0 consent. During the consent flow, you grant Fabric’s system-assigned managed identity Get and List permissions on the specified secrets; the secret values themselves never leave the key vault.
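The role question in the accepted solution and the DataActions comparison in the reply above can be checked mechanically. The following is an added example, not code from the thread or from Microsoft: it models Azure RBAC wildcard matching and scope inheritance over the two role definitions the reply lists (Secrets User and Secrets Officer), with Contributor modelled as a control-plane role with no DataActions. The helpers `action_matches`, `role_grants`, `role_covers_role`, `scope_covers`, `effective_secret_access` and `missing_actions`, and the principals, subscription and vault names, are all constructed for this example.

```python
"""Check which Key Vault secret data actions a set of Azure RBAC assignments
grants a principal. Added example: not code from the thread or from Microsoft.

Role DataActions for Secrets User and Secrets Officer are as listed in the
reply above; Contributor is modelled with no DataActions (it is a
control-plane role). Principals, subscription and vault names are constructed.
"""
import re

GET_SECRET = "Microsoft.KeyVault/vaults/secrets/getSecret/action"
READ_METADATA = "Microsoft.KeyVault/vaults/secrets/readMetadata/action"
REQUIRED = (GET_SECRET, READ_METADATA)

ROLE_DATA_ACTIONS = {
    "Key Vault Secrets User": [GET_SECRET, READ_METADATA],
    "Key Vault Secrets Officer": ["Microsoft.KeyVault/vaults/secrets/*"],
    "Contributor": [],  # Actions only, no DataActions: cannot read secret values
}


def action_matches(pattern: str, action: str) -> bool:
    """Azure RBAC wildcard semantics: '*' matches any run of characters,
    including '/' (so 'vaults/secrets/*' covers every secret data action)."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def role_grants(role: str, action: str) -> bool:
    """True when any DataAction pattern of the role matches the action."""
    return any(action_matches(p, action) for p in ROLE_DATA_ACTIONS.get(role, []))


def role_covers_role(outer: str, inner: str) -> bool:
    """True when every DataAction of `inner` is matched by `outer`
    (inner's entries are compared as written, so a wildcard inside `inner`
    only counts if `outer` has an equal or broader wildcard)."""
    return all(role_grants(outer, a) for a in ROLE_DATA_ACTIONS[inner])


def scope_covers(assignment_scope: str, resource_id: str) -> bool:
    """Assignments inherit downward: a subscription-scope assignment applies
    to every vault in that subscription."""
    a = assignment_scope.rstrip("/").lower()
    r = resource_id.rstrip("/").lower()
    return r == a or r.startswith(a + "/")


def effective_secret_access(assignments, principal, vault_id):
    """Map each required data action to the roles that grant it at this vault."""
    granted = {action: [] for action in REQUIRED}
    for asg in assignments:
        if asg["principal"] != principal or not scope_covers(asg["scope"], vault_id):
            continue
        for action in REQUIRED:
            if role_grants(asg["role"], action):
                granted[action].append(asg["role"])
    return granted


def missing_actions(assignments, principal, vault_id):
    """Required data actions that no effective assignment grants."""
    access = effective_secret_access(assignments, principal, vault_id)
    return sorted(a for a, roles in access.items() if not roles)


SUBSCRIPTION = "/subscriptions/00000000-0000-0000-0000-000000000000"
VAULT = SUBSCRIPTION + "/resourceGroups/rg-fabric/providers/Microsoft.KeyVault/vaults/kv-demo"

ASSIGNMENTS = [  # constructed
    {"principal": "user@contoso.example", "role": "Contributor", "scope": SUBSCRIPTION},
    {"principal": "user@contoso.example", "role": "Key Vault Secrets Officer", "scope": VAULT},
    {"principal": "fabric-workspace-identity", "role": "Contributor", "scope": VAULT},
]

if __name__ == "__main__":
    for who in ("user@contoso.example", "fabric-workspace-identity"):
        print(who, effective_secret_access(ASSIGNMENTS, who, VAULT),
              "missing:", missing_actions(ASSIGNMENTS, who, VAULT))
```

Running it shows the point the reply makes: `role_covers_role("Key Vault Secrets Officer", "Key Vault Secrets User")` is true because `secrets/*` matches both of the User role's actions, while a principal holding only Contributor (at any scope) is missing both `getSecret` and `readMetadata`. The model covers the RBAC permission model only; it does not evaluate NotDataActions, deny assignments, or the legacy access-policy model.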

 
