Skip to main content
cancel
Showing results for 
Search instead for 
Did you mean: 

Find everything you need to get certified on Fabric—skills challenges, live sessions, exam prep, role guidance, and more. Get started

Reply
Anonymous
Not applicable

Bring your own key with Premium per User License

Hello BI Community,

 

i'm in struggle with getting informations to the ability for "bring your own key" (BYOK) with the premium per user license. 

We actually have the pro per user license because we only have a few users in our company. So the premium per capacity license is too expensive. 

Nearly all sources i found to this topic say that BYOK is not an option within the PPU license.

 

Nico78_0-1647248831119.png

 

Now the official Microsoft Premium Per User page says that there is a possible way to use BYOK:

 

Nico78_1-1647248912167.png

 

I can't find any more information about it than this. 

I don't know if it's a new option or something but maybe i can find someone here who has a bit of information for me. 

 

The main questions are:

1. is it at least possible to bring your own key with the PPU license?

2. if yes, are there some limitations i have to know about?

 

Thanks for all replies

Nico

 

1 ACCEPTED SOLUTION
v-yalanwu-msft
Community Support
Community Support

Hi, @Anonymous ;

I think  You may not be getting it right,Not everyone in the tenant needs to have a PPU, but the Settings need to be turned on in the tenant.

You enable BYOK at the tenant level with PowerShell, by first introducing to your Power BI tenant the encryption keys you created and stored in Azure Key Vault.
 To enable BYOK, you must be a Power BI admin, signed in using the Connect-PowerBIServiceAccount cmdlet. 

https://docs.microsoft.com/en-us/power-bi/enterprise/service-encryption-byok


Best Regards,
Community Support Team _ Yalan Wu
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

View solution in original post

5 REPLIES 5
jeroenmaes
New Member

As Yalan Wu said, you can only enable this at the tenant level when using Premium Per User.

With Powershell I had to use the '-Default' and '-Activate' flags to get this working:

 

Add-PowerBIEncryptionKey -Name 'xxxxx' -KeyVaultKeyUri 'yyy' -Activate -Default

 

 

Without '-Activate' and '-Default' the request always resulted in a BadRequest:

jeroenmaes_0-1671100835989.png

v-yalanwu-msft
Community Support
Community Support

Hi, @Anonymous ;

I think  You may not be getting it right,Not everyone in the tenant needs to have a PPU, but the Settings need to be turned on in the tenant.

You enable BYOK at the tenant level with PowerShell, by first introducing to your Power BI tenant the encryption keys you created and stored in Azure Key Vault.
 To enable BYOK, you must be a Power BI admin, signed in using the Connect-PowerBIServiceAccount cmdlet. 

https://docs.microsoft.com/en-us/power-bi/enterprise/service-encryption-byok


Best Regards,
Community Support Team _ Yalan Wu
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

i have encrypted data in snowflake can i decrypt in power bi service on the fly while i use direct query or can i achive by having udf at report server level .as of now i use cognos bi and snowflake encrypted data where i am creating udf to decrypt on the fly in cognos while using direct query .need same functionality in power bi can we do it with byok pls confirm

Anonymous
Not applicable

Thanks for replying Yalan Wu.

 

does "enabled across the entire tenant" mean that every user has to have a PPU license? 

 

Nico 

v-yalanwu-msft
Community Support
Community Support

Hi, @Anonymous ;

Nico78_1-1647248912167.png

 

The main questions are:

1. is it at least possible to bring your own key with the PPU license?

2. if yes, are there some limitations i have to know about?


For me, I think official documentation is more trustworthy, with real-time information and feature updates. According to the documentation,Premium Per User (PPU) only supports BYOK when it's enabled across the entire tenant.”

which indicates that the PPU is supported. But the requirement is to enable across the entire tenant.

 

so I found a documentation about Tenant settings guidance; here has about Block ResourceKey Authentication setting.

vyalanwumsft_0-1647498525696.png

https://docs.microsoft.com/en-us/power-bi/guidance/admin-tenant-settings

https://docs.microsoft.com/en-us/power-bi/enterprise/service-encryption-byok


Best Regards,
Community Support Team _ Yalan Wu
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Helpful resources

Announcements
September Hackathon Carousel

Microsoft Fabric & AI Learning Hackathon

Learn from experts, get hands-on experience, and win awesome prizes.

Top Solution Authors