Microsoft Fabric Updates Blog

Authenticate to Fabric data connections using Azure Key Vault stored secrets (Preview)

• Announcements
• Data Factory
• Microsoft Fabric

• May 1, 2025 by Aditya Jain 14,845 Views

Azure Key Vault support in Fabric Data connections is now in preview! With this capability, we are introducing a new concept called ‘Azure Key Vault references’ in Microsoft Fabric, using which, users can reuse their existing Azure key vault secrets for authentication to data source connections instead of copy-pasting passwords, slashing credential-management effort and audit risk.

Most organizations already rely on Azure Key Vault to store and rotate sensitive information such as passwords, tokens, and keys. Now Azure Key Vault (AKV) references can eliminate that pain. Instead of entering a credential, you select a reference; Fabric retrieves the secret just-in-time, uses it in memory, and immediately discards it. This empowers you with the following benefits:

• Single source of truth—rotate your secret once in Key Vault and every data connection in Fabric items will pick up the latest stored credential secret during each refresh.
• No more copy-paste—reduce configuration time and prevent typos while creating connections
• Least-privilege—Fabric’s Azure Key Vault reference only needs Get/List permission on your Azure Key Vault only; ensuring that nothing changes in your Key Vault.
• Built-in audit & rotation—continue to use your Azure Key Vault’s logging and rotation policies for credential management scenarios.

How it works

1. Create an Azure Key Vault reference

• Navigate to Settings ▸ Manage connections & gateways ▸ Azure Key Vault references ▸ New

• Provide a Reference alias and your Azure Key Vault name.
• Sign in via OAuth 2.0 to grant Fabric connections service Get and List permissions and click the create button.

2. Use the Azure Key Vault Reference

• In Manage connections & gateways ▸ Connections ▸ New, choose a supported cloud connector.
• Select one of the supported text-based authentication types (Basic, Service Principal, SAS/PAT, or Account Key).

• Click the Key Vault icon next to the secret field.

Pick your Azure Key Vault reference, enter the secret name, and hit Apply.

3. At connection Run time

Fabric connections resolve the Azure Key Vault reference, pulls the latest secret value, injects it into the connection string in memory only, then drops it after the handshake completes.

Note: Azure Key Vault references are available today for cloud connections only. Virtual Network and on-premises data gateways will light up in a future release.

Supported Fabric data connectors in Preview:

As part of the preview, we are starting out with support for the following connectors and authentication types:

(“✔️” = supported in this preview)

Current limitations

• You can’t create Azure Key Vault references with data connection from the Modern Get Data experience in Fabric items. Learn how to create Azure Key Vault references in Fabric from “Manage Connections & Gateways” instead.
• Azure Key Vault references are currently available for cloud connections only.
• Virtual network data gateways and on-premises data gateways aren’t supported.
• Fabric Lineage view doesn’t display Azure Key Vault references yet.
• Azure Key Vault reference fetches the latest version of a secret; versioning is not supported.

Plans ahead

You can expect Azure Key Vault references to support additional data connections-we aim to cover all supported connections by the time the feature becomes generally available. We also plan to add workspace-identity access to connect to Azure Key Vault, as well as support for on-premises and virtual network data gateways at feature General Availability.

More resources

• Learn more at Azure Key Vault Reference – Overview
• Step by step guide to Configure Azure Key Vault references
• Share your feedback for this new feature in the Data Factory forum