pennyhoho117
Helper IV

For BYOK, can the key be created by our own service?

2 ACCEPTED SOLUTIONS

Hi @pennyhoho117 

Yes, it's perfectly acceptable to use keys generated by your own system and import them into Azure Key Vault if needed. This practice is known as "Bring Your Own Key" (BYOK).

 

While Azure Key Vault is designed for secure key management, some services allow for BYOK options, enabling you to use your own keys for encryption and access control.

 

 

If this post was helpful, please consider marking Accept as solution to assist other members in finding it more easily.

If you continue to face issues, feel free to reach out to us for further assistance!


Poojara_D12
Super User

Hi @pennyhoho117 

Yes, in Microsoft Fabric and Power BI, Bring Your Own Key (BYOK) allows organizations to use their own encryption keys—generated and managed via their own service—to encrypt data at rest, offering greater control over data security and compliance. These keys must be managed in Azure Key Vault, which acts as the trusted key store that Microsoft services can reference. While the key itself can be generated by your organization using your own internal service or security system, it must be uploaded to and managed through Azure Key Vault to be compatible with BYOK in Microsoft 365 services like Power BI or Fabric. Once configured, BYOK ensures that your tenant's sensitive data (e.g., data in workspaces, semantic models, etc.) is encrypted using your customer-managed key (CMK), and access to data becomes dependent on key availability, allowing you to revoke access by disabling or deleting the key. However, setting up BYOK requires strict compliance with Microsoft's prerequisites and should be coordinated with your security, compliance, and Azure administration teams.

 

Did I answer your question? Mark my post as a solution, this will help others!
If my response(s) assisted you in any way, don't forget to drop me a "Kudos"

Kind Regards,
Poojara - Proud to be a Super User
Data Analyst | MSBI Developer | Power BI Consultant
Consider Subscribing my YouTube for Beginners/Advance Concepts: https://youtube.com/@biconcepts?si=04iw9SYI2HN80HKS


9 REPLIES
v-aatheeque
Community Support

Hi @pennyhoho117 ,

Thanks for reaching out to Microsoft Fabric Community Forum.

@Akash_Varuna Thanks for your prompt response. In addition to that:

Yes, you can create your own key for Bring Your Own Key (BYOK) scenarios.

In the context of Bring Your Own Key (BYOK), we can generate our own encryption keys using various methods.

Options to create and store your own key:

  • Created in Azure Key Vault. Create and store your key in Azure Key Vault as an HSM-protected key or a software-protected key.
  • Created on-premises. Create your key on-premises and transfer it to Azure Key Vault using one of the following options:
      • HSM-protected key, transferred as an HSM-protected key. The most typical method chosen. While this method has the most administrative overhead, it may be required for your organization to follow specific regulations. The HSMs used by Azure Key Vault have FIPS 140 validation.

References:
Bring Your Own Key (BYOK) details - Azure Information Protection | Microsoft Learn
https://learn.microsoft.com/en-us/azure/key-vault/keys/hsm-protected-keys-byok?tabs=azure-cli


If this post was helpful, please consider marking Accept as solution to assist other members in finding it more easily.

If you continue to face issues, feel free to reach out to us for further assistance!
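
The on-premises transfer path named in this reply, sketched with the Azure CLI as an added example (it is not part of the original post or of Microsoft's documentation). Vault, key and file names are placeholders supplied by the caller, `AZ` is a hypothetical override used for dry runs, and the wrapping step itself is performed by your HSM vendor's BYOK tool, so it appears only as a comment.

```shell
#!/bin/sh
# Added example: importing an on-premises HSM key into Azure Key Vault (BYOK).
# All vault/key/file names are caller-supplied placeholders.
# Set AZ="echo az" to print the commands instead of running them (dry run).
AZ="${AZ:-az}"

# Step 1: create the Key Exchange Key (KEK) in the vault.
# It is an HSM-backed RSA key whose only permitted operation is "import",
# so it can wrap a key for transfer but cannot encrypt or sign anything.
# RSA-HSM keys need a Premium-tier vault or a Managed HSM.
byok_create_kek() {   # usage: byok_create_kek VAULT KEK_NAME
    $AZ keyvault key create --kty RSA-HSM --size 4096 --ops import \
        --vault-name "$1" --name "$2"
}

# Step 2: download the KEK public key so it can be taken to the
# on-premises HSM. Only the public half ever leaves the vault.
byok_download_kek() { # usage: byok_download_kek VAULT KEK_NAME OUT_PEM
    $AZ keyvault key download --vault-name "$1" --name "$2" --file "$3"
}

# Step 3 (not scripted): on the on-premises HSM, use the vendor's BYOK
# tool to wrap the target key under the KEK public key. The result is a
# .byok transfer file; the plaintext key never exists outside an HSM.

# Step 4: import the wrapped key. Refuse to call the CLI if the transfer
# file is missing or empty, which usually means step 3 did not complete.
byok_import() {       # usage: byok_import VAULT TARGET_KEY_NAME BYOK_FILE
    [ -s "$3" ] || { echo "missing or empty BYOK file: $3" >&2; return 1; }
    $AZ keyvault key import --vault-name "$1" --name "$2" --byok-file "$3"
}
```

Run the functions with `AZ="echo az"` first to review the exact commands before executing them against a real vault.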

Hi @pennyhoho117 ,

 

If the response provided by the community member addressed your query, please mark it as Accept Answer and click Yes if you found it helpful.

 

Should you have any further questions, feel free to reach out.
Thank you for being a part of the Microsoft Fabric Community Forum!

Hi @pennyhoho117 ,

Just checking in to see if you've made any progress with the information provided. If you found the guidance helpful, please click "Accept Answer" and "Yes" to the question "Was this answer helpful?"

And of course, if you have any further questions or need more assistance, feel free to reach out.

Thank you!

Hi, I mean if we want to use our own keys generated by our own system, but not use the key generation from Azure Vault, is it OK?

Hi @pennyhoho117 ,

Since we haven’t heard back from you for a while, we are planning to close this ticket. If you have any further questions or need assistance in the future, please don’t hesitate to reach out by opening a new ticket in the Fabric Community.

 

Thank you for being an active part of our community. We’re always here to help!

Akash_Varuna
Community Champion

Hi @pennyhoho117, yes, you can create the encryption key using your own service, provided it supports integration with Azure Key Vault.
If this post helped, please do give a kudos and accept this as a solution.
Thanks in advance
