Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Earn a 50% discount on the DP-600 certification exam by completing the Fabric 30 Days to Learn It challenge.

Reply
dipalisk
Frequent Visitor

How to access Azure KeyVault from Power BI Query to read Appsecret

‎12-14-2022 04:06 AM

Hi All, I would like to know if there is any way to access Azure KeyVault from Power BI Query? The ask is to read the appsecret and then pass it along with ClientID to access the data.

 

My understanding is 

1.In Azure KeyVault, Power BI Service is added to Access Policies with Get and List permissions

2.Next step is to generate the access token to access the keyvault in Power BI / Power Query Editor

3. I was able to generate the token using ClientID and ClientSecret with Granttype as ClientCredential

4. But any idea how to generate it using Power BI Service? Main purpose is not to expose client secret.

 

Any leads on this topic would help me in proceeding my work.

 

Thanks,

Deepali 

Labels:
Message 1 of 4
5,504 Views
3 REPLIES 3
BIBB
Frequent Visitor

‎08-27-2023 10:42 AM

@dipalisk, this blog talks about how to retrieve a KeyVault secret; it requires a custom connector. https://www.bibb.pro/post/securing-your-api-power-bi-data-with-azure-key-vault#:~:text=Using%20Azure....

Message 4 of 4
3,381 Views
0
v-yalanwu-msft
Community Support
Community Support

‎12-14-2022 11:33 PM

Hi, @dipalisk ;

  1. you can use azure key vault with power BI premium. Power BI encrypts data at-rest and in process. By default, Power BI uses Microsoft-managed keys to encrypt your data. In Power BI Premium you can also use your own keys for data at-rest that is imported into a dataset . This approach is often described as bring your own key (BYOK). We can configure Azure Key Vault, a tool for securely storing and accessing secrets, like encryption keys. You can use an existing key vault to store encryption keys, or you can create a new one specifically for use with Power BI.

Configure your key vault in the following way:

- Add the Power BI service as a service principal for the key vault, with wrap and unwrap permissions.

  • Create an RSA key with a 4096-bit length (or use an existing key of this type), with wrap and unwrap permissions

  • Recommended: Check that the key vault has the soft delete option enabled.

    Note: Power BI BYOK supports only RSA keys with a 4096-bit length. Configure Key vault and service principal

  1. We can connect azure sql db with power BI. The process is not much complicated. All the steps are straight forward.
  • first you need to configure firewall settings for azure sql db server.
  • use sql DB connector to connect to SQL DB
  • select the sql server and database to query the data. Reference


Best Regards,
Community Support Team _ Yalan Wu
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

How to get your questions answered quickly -- How to provide sample data
Message 2 of 4
5,445 Views
0
dipalisk
Frequent Visitor
In response to v-yalanwu-msft

‎12-18-2022 10:08 PM

Hi @v-yalanwu-msft , I created RSA key with wrap/unwarp permission as what you mentioned in the solution. This creates a separate key which we need to enable in Power BI Capacity. but then this key does not have access to Azure app. is there any way we can add this key to azure app?

The main purpose of accessing azure keyvault is to read the application secret which further enables few Graph API permissions for Azure App to read the data for the report.

Also if you can help me to know to read secret value stored in key vault from Power BI

Message 3 of 4
5,416 Views

Helpful resources

Announcements
LearnSurvey

Fabric certifications survey

Certification feedback opportunity for the community.

View All
Top Solution Authors
View All
Top Kudoed Authors
View All