Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Join us for an expert-led overview of the tools and concepts you'll need to become a Certified Power BI Data Analyst and pass exam PL-300. Register now.

Reply
kstepha0
Frequent Visitor

Power BI Service - Key Vault Reference

‎06-03-2025 05:43 AM

Following this documentation https://learn.microsoft.com/en-us/fabric/data-factory/azure-key-vault-reference-overview

 

I was successfully able to set up a key vault reference to Key Vault A (KVA) with oAuth credentials.  KVA is not in the same region as the power BI tenant. 

 

I am now attempting to set up a second key vault reference to Key Vault B (KVB), which is functionally identical to KVA with the exception of the region. KVB is in the same region as the Power BI tenant. OAuth credentials are repeatedly failing.

 

I've verified the access configuration and credentials, policies, networking restrictions are identical between the two. I attempted to create the key vault reference to KVB while KVB had no network restriction at all. I also attempted with two different sets of user credentials (one as the signed-in Power BI Pro user, and a second set)

 

OAuth continues to fail. Looking for any insight on the issue. Thanks!

Labels:
Message 1 of 8
407 Views
0
1 ACCEPTED SOLUTION
rohit1991
Super User
Super User

‎06-09-2025 05:19 AM

hI @kstepha0 ,
The issue you're encountering may be related to the regional pairing and backend service limitations in Power BI Service when integrating with Azure Key Vault via OAuth. Even though both Key Vaults have identical configurations, certain Power BI Fabric services can have stricter region affinity or latency-sensitive validations when using OAuth, especially when compared to cross-region scenarios that may rely on slightly different authentication pathways. Since KVA (out-of-region) succeeded while KVB (in-region) is failing, it's possible that Power BI is enforcing stricter OAuth validation or token audience matching due to the regional alignment.

 

Additionally, OAuth failures can sometimes stem from subtle mismatches in the service principal permissions, Azure AD conditional access policies, or tenant restrictions that behave differently depending on the region. I would suggest verifying whether Managed Identity might provide a more stable alternative for your KVB integration, as Managed Identity often simplifies regional and network dependencies. If OAuth remains essential, it may be best to engage Microsoft support directly to review backend logs, as these types of region-specific authentication issues may require internal diagnostics.

 


Did it work? ✔ Give a Kudo • Mark as Solution – help others too!

View solution in original post

Message 8 of 8
270 Views
0
7 REPLIES 7
rohit1991
Super User
Super User

‎06-09-2025 05:19 AM

hI @kstepha0 ,
The issue you're encountering may be related to the regional pairing and backend service limitations in Power BI Service when integrating with Azure Key Vault via OAuth. Even though both Key Vaults have identical configurations, certain Power BI Fabric services can have stricter region affinity or latency-sensitive validations when using OAuth, especially when compared to cross-region scenarios that may rely on slightly different authentication pathways. Since KVA (out-of-region) succeeded while KVB (in-region) is failing, it's possible that Power BI is enforcing stricter OAuth validation or token audience matching due to the regional alignment.

 

Additionally, OAuth failures can sometimes stem from subtle mismatches in the service principal permissions, Azure AD conditional access policies, or tenant restrictions that behave differently depending on the region. I would suggest verifying whether Managed Identity might provide a more stable alternative for your KVB integration, as Managed Identity often simplifies regional and network dependencies. If OAuth remains essential, it may be best to engage Microsoft support directly to review backend logs, as these types of region-specific authentication issues may require internal diagnostics.

 


Did it work? ✔ Give a Kudo • Mark as Solution – help others too!
Message 8 of 8
271 Views
0
BhavinVyas3003
Memorable Member
Memorable Member

‎06-03-2025 05:58 AM

Use Managed Identity instead of OAuth to connect to Key Vault B.

In Azure Key Vault B:

  1. Go to Access policies → Add Access Policy
  2. Grant Get and List permissions to the Microsoft Fabric Managed Identity search for “Microsoft Fabric” or your workspace name
  3. Save changes

Then, in Power BI Service (Data Factory), create the Key Vault reference using Managed Identity.


Thanks,
Bhavin
Problem solved? Hit “Accept as Solution” and high-five me with a Kudos! Others will thank you later!
Message 2 of 8
396 Views
0
kstepha0
Frequent Visitor
In response to BhavinVyas3003

‎06-03-2025 06:06 AM

Managed identity is not available as an authentication method in the Key Vault Reference connection feature. 

 

The workspace managed identity has an access policy on the key vault with Get and List permissions. 

Message 3 of 8
382 Views
0
v-achippa
Community Support
Community Support
In response to kstepha0

‎06-05-2025 01:30 AM

Hi @kstepha0,

 

Thank you for reaching out to Microsoft Fabric Community.

 

Currently the Key Vault Reference feature in Microsoft Fabric supports only OAuth authentication method. Managed Identity is currently not supported for this feature, even if the workspace has been assigned one.

Since there are OAuth failures with Key Vault B, the issue here is might be due to tenant level settings or regional OAuth token validation differences.

  • Instead, try creating an Azure AD App Registration in your tenant. Grant it Get and List permissions on Key Vault B and use that app’s credentials to set up the OAuth connection. This resolves the OAuth related issues.

 

If this post helps, then please consider Accepting as solution to help the other members find it more quickly, don't forget to give a "Kudos" – I’d truly appreciate it! 

 

Thanks and regards,

Anjan Kumar Chippa

Message 4 of 8
324 Views
0
v-achippa
Community Support
Community Support
In response to v-achippa

‎06-09-2025 05:03 AM

Hi @kstepha0,

 

As we haven’t heard back from you, we wanted to kindly follow up to check if the solution I have provided for the issue worked? or let us know if you need any further assistance.
If my response addressed, please mark it as "Accept as solution" and click "Yes" if you found it helpful.

 

Thanks and regards,

Anjan Kumar Chippa

Message 5 of 8
273 Views
0
v-achippa
Community Support
Community Support
In response to v-achippa

‎06-12-2025 09:58 PM

Hi @kstepha0,

 

We wanted to kindly follow up to check if the solution I have provided for the issue worked.
If my response addressed, please mark it as "Accept as solution" and click "Yes" if you found it helpful.

 

Thanks and regards,

Anjan Kumar Chippa

Message 6 of 8
208 Views
0
v-achippa
Community Support
Community Support
In response to v-achippa

‎06-16-2025 05:59 AM

Hi @kstepha0,

 

As we haven’t heard back from you, we wanted to kindly follow up to check if the solution I have provided for the issue worked.
If my response addressed, please mark it as "Accept as solution" and click "Yes" if you found it helpful.

 

Thanks and regards,

Anjan Kumar Chippa

Message 7 of 8
177 Views
0

Helpful resources

Announcements
Join our Fabric User Panel

Join our Fabric User Panel

This is your chance to engage directly with the engineering team behind Fabric and Power BI. Share your experiences and shape the future.

June 2025 Power BI Update Carousel

Power BI Monthly Update - June 2025

Check out the June 2025 Power BI update to learn about new features.

June 2025 community update carousel

Fabric Community Update - June 2025

Find out what's new and trending in the Fabric community.

View All