Find everything you need to get certified on Fabric—skills challenges, live sessions, exam prep, role guidance, and more. Get started
Hello BI Community,
i'm in struggle with getting informations to the ability for "bring your own key" (BYOK) with the premium per user license.
We actually have the pro per user license because we only have a few users in our company. So the premium per capacity license is too expensive.
Nearly all sources i found to this topic say that BYOK is not an option within the PPU license.
Now the official Microsoft Premium Per User page says that there is a possible way to use BYOK:
I can't find any more information about it than this.
I don't know if it's a new option or something but maybe i can find someone here who has a bit of information for me.
The main questions are:
1. is it at least possible to bring your own key with the PPU license?
2. if yes, are there some limitations i have to know about?
Thanks for all replies
Nico
Solved! Go to Solution.
Hi, @Anonymous ;
I think You may not be getting it right,Not everyone in the tenant needs to have a PPU, but the Settings need to be turned on in the tenant.
You enable BYOK at the tenant level with PowerShell, by first introducing to your Power BI tenant the encryption keys you created and stored in Azure Key Vault.
To enable BYOK, you must be a Power BI admin, signed in using the Connect-PowerBIServiceAccount
cmdlet.
https://docs.microsoft.com/en-us/power-bi/enterprise/service-encryption-byok
Best Regards,
Community Support Team _ Yalan Wu
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.
As Yalan Wu said, you can only enable this at the tenant level when using Premium Per User.
With Powershell I had to use the '-Default' and '-Activate' flags to get this working:
Add-PowerBIEncryptionKey -Name 'xxxxx' -KeyVaultKeyUri 'yyy' -Activate -Default
Without '-Activate' and '-Default' the request always resulted in a BadRequest:
Hi, @Anonymous ;
I think You may not be getting it right,Not everyone in the tenant needs to have a PPU, but the Settings need to be turned on in the tenant.
You enable BYOK at the tenant level with PowerShell, by first introducing to your Power BI tenant the encryption keys you created and stored in Azure Key Vault.
To enable BYOK, you must be a Power BI admin, signed in using the Connect-PowerBIServiceAccount
cmdlet.
https://docs.microsoft.com/en-us/power-bi/enterprise/service-encryption-byok
Best Regards,
Community Support Team _ Yalan Wu
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.
i have encrypted data in snowflake can i decrypt in power bi service on the fly while i use direct query or can i achive by having udf at report server level .as of now i use cognos bi and snowflake encrypted data where i am creating udf to decrypt on the fly in cognos while using direct query .need same functionality in power bi can we do it with byok pls confirm
Thanks for replying Yalan Wu.
does "enabled across the entire tenant" mean that every user has to have a PPU license?
Nico
Hi, @Anonymous ;
The main questions are:
1. is it at least possible to bring your own key with the PPU license?
2. if yes, are there some limitations i have to know about?
For me, I think official documentation is more trustworthy, with real-time information and feature updates. According to the documentation,“Premium Per User (PPU) only supports BYOK when it's enabled across the entire tenant.”
which indicates that the PPU is supported. But the requirement is to enable across the entire tenant.
so I found a documentation about Tenant settings guidance; here has about Block ResourceKey Authentication setting.
https://docs.microsoft.com/en-us/power-bi/guidance/admin-tenant-settings
https://docs.microsoft.com/en-us/power-bi/enterprise/service-encryption-byok
Best Regards,
Community Support Team _ Yalan Wu
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.