Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Next up in the FabCon + SQLCon recap series: The roadmap for Microsoft SQL and Maximizing Developer experiences in Fabric. All sessions are available on-demand after the live show. Register now

Reply
pennyhoho117
Helper IV
Helper IV

For BYOK, the key can create by our own service?

‎02-25-2025 01:04 AM

For BYOK, the key can create by our own service?

Labels:
Message 1 of 10
1,486 Views
2 ACCEPTED SOLUTIONS
v-aatheeque
Community Support
Community Support
In response to pennyhoho117

‎03-13-2025 02:31 AM

Hi @pennyhoho117 

Yes, it's perfectly acceptable to use keys generated by your own system and import them into Azure Key Vault if needed. This practice is known as "Bring Your Own Key" (BYOK).

 

While Azure Key Vault is designed for secure key management, some services allow for BYOK options, enabling you to use your own keys for encryption and access control.

 

 

If this post was helpful, please consider marking Accept as solution to assist other members in finding it more easily.

If you continue to face issues, feel free to reach out to us for further assistance!

View solution in original post

Message 8 of 10
1,302 Views
0
Poojara_D12
Super User
Super User

‎06-05-2025 09:56 PM

Hi @pennyhoho117 

Yes, in Microsoft Fabric and Power BI, Bring Your Own Key (BYOK) allows organizations to use their own encryption keys—generated and managed via their own service—to encrypt data at rest, offering greater control over data security and compliance. These keys must be managed in Azure Key Vault, which acts as the trusted key store that Microsoft services can reference. While the key itself can be generated by your organization using your own internal service or security system, it must be uploaded to and managed through Azure Key Vault to be compatible with BYOK in Microsoft 365 services like Power BI or Fabric. Once configured, BYOK ensures that your tenant's sensitive data (e.g., data in workspaces, semantic models, etc.) is encrypted using your customer-managed key (CMK), and access to data becomes dependent on key availability, allowing you to revoke access by disabling or deleting the key. However, setting up BYOK requires strict compliance with Microsoft's prerequisites and should be coordinated with your security, compliance, and Azure administration teams.

 

Did I answer your question? Mark my post as a solution, this will help others!
If my response(s) assisted you in any way, don't forget to drop me a "Kudos"

Kind Regards,
Poojara - Proud to be a Super User
Data Analyst | MSBI Developer | Power BI Consultant
Consider Subscribing my YouTube for Beginners/Advance Concepts: https://youtube.com/@biconcepts?si=04iw9SYI2HN80HKS

View solution in original post

Message 10 of 10
1,179 Views
0
9 REPLIES 9
Poojara_D12
Super User
Super User

‎06-05-2025 09:56 PM

Hi @pennyhoho117 

Yes, in Microsoft Fabric and Power BI, Bring Your Own Key (BYOK) allows organizations to use their own encryption keys—generated and managed via their own service—to encrypt data at rest, offering greater control over data security and compliance. These keys must be managed in Azure Key Vault, which acts as the trusted key store that Microsoft services can reference. While the key itself can be generated by your organization using your own internal service or security system, it must be uploaded to and managed through Azure Key Vault to be compatible with BYOK in Microsoft 365 services like Power BI or Fabric. Once configured, BYOK ensures that your tenant's sensitive data (e.g., data in workspaces, semantic models, etc.) is encrypted using your customer-managed key (CMK), and access to data becomes dependent on key availability, allowing you to revoke access by disabling or deleting the key. However, setting up BYOK requires strict compliance with Microsoft's prerequisites and should be coordinated with your security, compliance, and Azure administration teams.

 

Did I answer your question? Mark my post as a solution, this will help others!
If my response(s) assisted you in any way, don't forget to drop me a "Kudos"

Kind Regards,
Poojara - Proud to be a Super User
Data Analyst | MSBI Developer | Power BI Consultant
Consider Subscribing my YouTube for Beginners/Advance Concepts: https://youtube.com/@biconcepts?si=04iw9SYI2HN80HKS
Message 10 of 10
1,180 Views
0
v-aatheeque
Community Support
Community Support

‎02-25-2025 02:18 AM

Hi @pennyhoho117 ,

Thanks for reaching out to Microsoft Fabric Community Forum.

@Akash_Varuna Thanks for your prompt response.In addition to that :

Yes, you can create your own key for Bring Your Own Key (BYOK) scenarios.

In the context of Bring Your Own Key (BYOK), we can generate own encryption keys using various methods:

  • Options to create and store your own key: Created in Azure Key Vault. Create and store your key in Azure Key Vault as an HSM-protected key or a software-protected key.
  • Created on-premises. Create your key on-premises and transfer it to Azure Key Vault using one of the following options:
  • HSM-protected key, transferred as an HSM-protected key. The most typical method chosen,While this method has the most administrative overhead, it may be required for your organization to follow specific regulations. The HSMs used by Azure Key Vault have FIPS 140 validation.

References :
Bring Your Own Key (BYOK) details - Azure Information Protection | Microsoft Learn

 

https://learn.microsoft.com/en-us/azure/key-vault/keys/hsm-protected-keys-byok?tabs=azure-cli

 

If this post was helpful, please consider marking Accept as solution to assist other members in finding it more easily.

If you continue to face issues, feel free to reach out to us for further assistance!

Message 3 of 10
1,452 Views
0
v-aatheeque
Community Support
Community Support
In response to v-aatheeque

‎03-03-2025 01:13 AM

Hi @pennyhoho117 ,

 

If our response addressed by the community member for your query, please mark it as Accept Answer and click Yes if you found it helpful.

 

Should you have any further questions, feel free to reach out.
Thank you for being a part of the Microsoft Fabric Community Forum!

Message 4 of 10
1,400 Views
0
v-aatheeque
Community Support
Community Support
In response to v-aatheeque

‎03-06-2025 03:31 AM

Hi @pennyhoho117 ,

 

If our response addressed by the community member for your query, please mark it as Accept Answer and click Yes if you found it helpful.

 

Should you have any further questions, feel free to reach out.
Thank you for being a part of the Microsoft Fabric Community Forum!

Message 5 of 10
1,379 Views
0
v-aatheeque
Community Support
Community Support
In response to v-aatheeque

‎03-10-2025 11:13 AM

Hi @pennyhoho117 ,

Just checking in to see if you've made any progress with the information provided. If you found the guidance helpful, please click "Accept Answer" and "Yes" to the question "Was this answer helpful?"

And of course, if you have any further questions or need more assistance, feel free to reach out.

Thank you!

Message 6 of 10
1,345 Views
0
pennyhoho117
Helper IV
Helper IV
In response to v-aatheeque

‎03-12-2025 05:59 PM

Hi, I means if we want to use our own keys generated by our own system, but not use the key generation from Azure Vault, is it ok?

Message 7 of 10
1,322 Views
0
v-aatheeque
Community Support
Community Support
In response to pennyhoho117

‎03-13-2025 02:31 AM

Hi @pennyhoho117 

Yes, it's perfectly acceptable to use keys generated by your own system and import them into Azure Key Vault if needed. This practice is known as "Bring Your Own Key" (BYOK).

 

While Azure Key Vault is designed for secure key management, some services allow for BYOK options, enabling you to use your own keys for encryption and access control.

 

 

If this post was helpful, please consider marking Accept as solution to assist other members in finding it more easily.

If you continue to face issues, feel free to reach out to us for further assistance!

Message 8 of 10
1,303 Views
0
v-aatheeque
Community Support
Community Support
In response to v-aatheeque

‎06-05-2025 06:28 PM

Hi @pennyhoho117 ,

Since we haven’t heard back from you for a while, we are planning to close this ticket. If you have any further questions or need assistance in the future, please don’t hesitate to reach out by opening a new ticket in the Fabric Community.

 

Thank you for being an active part of our community we’re always here to help!

Message 9 of 10
1,188 Views
0
Akash_Varuna
Super User
Super User

‎02-25-2025 02:12 AM

Hi @pennyhoho117 ,Yes you can create the encryption key using your own service, provided it supports integration with Azure Key Vault
If this post helped please do give a kudos and accept this as a solution
Thanks In Advance

Message 2 of 10
1,462 Views
0

Helpful resources

Announcements
New to Fabric survey Carousel

New to Fabric Survey

If you have recently started exploring Fabric, we'd love to hear how it's going. Your feedback can help with product improvements.

Power BI DataViz World Championships carousel

Power BI DataViz World Championships - June 2026

A new Power BI DataViz World Championship is coming this June! Don't miss out on submitting your entry.

Join our Fabric User Panel

Join our Fabric User Panel

Share feedback directly with Fabric product managers, participate in targeted research studies and influence the Fabric roadmap.

March Power BI Update Carousel

Power BI Community Update - March 2026

Check out the March 2026 Power BI update to learn about new features.

View All
Top Solution Authors
View All