Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Note
Azure Key Vault references in Fabric are available as a preview feature.
Azure Key Vault (AKV) is Microsoft’s cloud service for storing secrets, keys, and certificates centrally, so you don’t have to hardcode them into your apps. With Azure Key Vault references in Microsoft Fabric, you can just point to a secret in your vault instead of copying and pasting credentials. Fabric grabs the secret automatically whenever it’s needed for a data connection.
How Azure Key Vault references work
When you add an Azure Key Vault reference in Fabric, you’re just telling Fabric where to find the secret—using the vault’s link and the name of the secret. The service records the vault URI and the secret name by using Microsoft Entra ID OAuth 2.0 consent. During the consent flow, you grant Fabric’s system-assigned managed identity Get and List permissions on the specified secrets; the secret values themselves never leave the key vault.
Fabric doesn’t store the secret itself, just an encrypted token. When it’s time to connect to your data, Fabric quietly grabs the secret, uses it to build the connection, and then lets it go. Nothing is saved to disk or sent through your browser. The secret is held just long enough to establish the connection and is then discarded.
Prerequisites
- A Microsoft Fabric tenant account with an active subscription. Create an account for free.
- You need an Azure subscription with Azure Key Vault resource to test this feature.
- Read the Azure Key Vault quick start guide on learn.microsoft.com to learn more about creating an AKV resource.
- The Azure Key Vault needs to be accessible from public network.
- The creator of Azure Key Vault reference connection must have at least Key Vault Certificate User permission on the Key Vault.
Supported connectors and authentication types
| Supported Connector | Category | Account key | Basic (Username/Password) | Token (Shared Access Signature or Personal Access Token) | Service Principal |
|---|---|---|---|---|---|
Azure Blob Storage |
Azure | 
|
|
|
|
|
Azure Data Lake Storage Gen2 |
Azure |
|
|
|
|
Azure Table Storage |
Azure |
|
|
|
|
Databricks |
Services and apps |
|
|
|
|
Dataverse |
Services and apps |
|
|
|
|
OData |
Generic protocol |
|
|
|
|
Oracle Cloud Storage |
File |
|
|
|
|
PostgreSQL |
Database |
|
|
|
|
SharePoint Online list |
Services and apps |
|
|
|
|
Snowflake |
Services and apps |
|
|
|
|
SQL Server (Cloud) |
Database |
|
|
|
|
Web API/Webpage |
Generic Protocol |
|
|
|
|
Limitations and considerations
- Azure Key Vault references can be used only with cloud connections.
- Virtual network data gateways and on-premises data gateways aren’t supported.
- Fabric Lineage view isn't available for AKV references.
- You can’t create AKV references with connection from the "Modern Get Data” pane in Fabric items. Learn how to create Azure Key Vault references in Fabric from "Manage Connections & Gateways".
- Azure Key Vault references in Fabric always retrieve the current (latest) version of a secret; Azure Key Vault credential versioning is not supported.