Skip to main content
cancel
Showing results for 
Search instead for 
Did you mean: 

Find everything you need to get certified on Fabric—skills challenges, live sessions, exam prep, role guidance, and more. Get started

Reply
dipalisk
Frequent Visitor

How to access Azure KeyVault from Power BI Query to read Appsecret

Hi All, I would like to know if there is any way to access Azure KeyVault from Power BI Query? The ask is to read the appsecret and then pass it along with ClientID to access the data.

 

My understanding is 

1.In Azure KeyVault, Power BI Service is added to Access Policies with Get and List permissions

2.Next step is to generate the access token to access the keyvault in Power BI / Power Query Editor

3. I was able to generate the token using ClientID and ClientSecret with Granttype as ClientCredential

4. But any idea how to generate it using Power BI Service? Main purpose is not to expose client secret.

 

Any leads on this topic would help me in proceeding my work.

 

Thanks,

Deepali 

3 REPLIES 3
BIBB
Frequent Visitor

@dipalisk, this blog talks about how to retrieve a KeyVault secret; it requires a custom connector. https://www.bibb.pro/post/securing-your-api-power-bi-data-with-azure-key-vault#:~:text=Using%20Azure....

v-yalanwu-msft
Community Support
Community Support

Hi, @dipalisk ;

  1. you can use azure key vault with power BI premium. Power BI encrypts data at-rest and in process. By default, Power BI uses Microsoft-managed keys to encrypt your data. In Power BI Premium you can also use your own keys for data at-rest that is imported into a dataset . This approach is often described as bring your own key (BYOK). We can configure Azure Key Vault, a tool for securely storing and accessing secrets, like encryption keys. You can use an existing key vault to store encryption keys, or you can create a new one specifically for use with Power BI.

Configure your key vault in the following way:

- Add the Power BI service as a service principal for the key vault, with wrap and unwrap permissions.

  • Create an RSA key with a 4096-bit length (or use an existing key of this type), with wrap and unwrap permissions

  • Recommended: Check that the key vault has the soft delete option enabled.

    Note: Power BI BYOK supports only RSA keys with a 4096-bit length. Configure Key vault and service principal

  1. We can connect azure sql db with power BI. The process is not much complicated. All the steps are straight forward.
  • first you need to configure firewall settings for azure sql db server.
  • use sql DB connector to connect to SQL DB
  • select the sql server and database to query the data. Reference


Best Regards,
Community Support Team _ Yalan Wu
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Hi @v-yalanwu-msft , I created RSA key with wrap/unwarp permission as what you mentioned in the solution. This creates a separate key which we need to enable in Power BI Capacity. but then this key does not have access to Azure app. is there any way we can add this key to azure app?

The main purpose of accessing azure keyvault is to read the application secret which further enables few Graph API permissions for Azure App to read the data for the report.

Also if you can help me to know to read secret value stored in key vault from Power BI

Helpful resources

Announcements
September Hackathon Carousel

Microsoft Fabric & AI Learning Hackathon

Learn from experts, get hands-on experience, and win awesome prizes.

Top Solution Authors