Microsoft Fabric and Key Vault Integration

Tags: Microsoft Fabric, Key Vault, Security, Private Endpoints

Microsoft Fabric needs to read secrets from Key Vault for database connections and API keys. When your Key Vault has public network access disabled, the setup isn't straightforward.

The Challenge

You have:

  • Key Vault with public access disabled (security best practice)
  • Microsoft Fabric workspace needing secrets
  • No direct private endpoint support from Fabric

Understanding Fabric Networking

Microsoft Fabric uses a managed VNET internally. Unlike Synapse, you don't have direct control over private endpoints from Fabric workspaces.

Option 1: Trusted Microsoft Services

The simplest approach: allow Fabric to reach Key Vault through the trusted Microsoft services exception. With `bypass = "AzureServices"`, listed Azure services skip the network rules while every other caller still hits the Deny default; the identity still has to be authorised on the data plane separately.

Key Vault Configuration

resource "azurerm_key_vault" "this" {
  name                = "kv-production"
  resource_group_name = azurerm_resource_group.this.name
  location            = azurerm_resource_group.this.location
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  # Network rules
  network_acls {
    default_action = "Deny"
    bypass         = "AzureServices"  # This allows Fabric
    ip_rules       = []
  }

  # Purge protection for production
  purge_protection_enabled = true
  soft_delete_retention_days = 90
}

Grant Fabric Access

Create a managed identity in Fabric and grant it access:

resource "azurerm_key_vault_access_policy" "fabric" {
  key_vault_id = azurerm_key_vault.this.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = var.fabric_managed_identity_object_id

  secret_permissions = [
    "Get",
    "List"
  ]
}
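The same grant can be expressed with Azure RBAC instead of a vault access policy, which is what the "Access policy or RBAC permission" check under Common Issues refers to. The block below is an added example, not code from the original post: it assumes azurerm provider 3.x (in 4.x the attribute is named `rbac_authorization_enabled`), reuses the resource group, client config and `var.fabric_managed_identity_object_id` from the post, and introduces an assumed `var.platform_team_group_object_id` for the people who write secrets. It replaces the `azurerm_key_vault_access_policy` resource above rather than adding to it.

```hcl
# Added example: RBAC authorisation model for the vault (assumed azurerm 3.x).
resource "azurerm_key_vault" "rbac" {
  name                       = "kv-production-rbac"   # assumed name
  resource_group_name        = azurerm_resource_group.this.name
  location                   = azurerm_resource_group.this.location
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "standard"
  purge_protection_enabled   = true
  soft_delete_retention_days = 90

  # Data-plane authorisation via Azure RBAC; access policies are no longer used.
  enable_rbac_authorization = true

  network_acls {
    default_action = "Deny"
    bypass         = "AzureServices"
    ip_rules       = []
  }
}

# Read-only data-plane role for the Fabric identity: get/list secrets only,
# no write or delete, and no access to keys or certificates.
resource "azurerm_role_assignment" "fabric_secrets_user" {
  scope                = azurerm_key_vault.rbac.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = var.fabric_managed_identity_object_id
}

# Writers get a separate role, so the identity Fabric runs under never
# holds permission to change the secrets it reads.
resource "azurerm_role_assignment" "platform_secrets_officer" {
  scope                = azurerm_key_vault.rbac.id
  role_definition_name = "Key Vault Secrets Officer"
  principal_id         = var.platform_team_group_object_id  # assumed variable
}
```

Scoping the assignment to the vault (not the resource group or subscription) keeps the blast radius to this one vault; if Fabric only needs a handful of secrets, the scope can be narrowed further to individual secret resource IDs. Role assignments take a few minutes to propagate, which is a common cause of a transient "Access Denied" immediately after apply.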

Option 2: Fabric VNET Data Gateway

For more control, use a VNET data gateway.

Deploy the Gateway

  1. Create a VNET in your Azure subscription
  2. Deploy a VNET data gateway
  3. Create a private endpoint to Key Vault in that VNET

# Private endpoint to Key Vault
resource "azurerm_private_endpoint" "keyvault" {
  name                = "pe-keyvault-fabric"
  location            = azurerm_resource_group.this.location
  resource_group_name = azurerm_resource_group.this.name
  subnet_id           = azurerm_subnet.gateway.id

  private_service_connection {
    name                           = "psc-keyvault"
    private_connection_resource_id = azurerm_key_vault.this.id
    subresource_names              = ["vault"]
    is_manual_connection           = false
  }

  private_dns_zone_group {
    name                 = "dns-group"
    private_dns_zone_ids = [azurerm_private_dns_zone.keyvault.id]
  }
}
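The private endpoint above references `azurerm_subnet.gateway` and `azurerm_private_dns_zone.keyvault` without defining them. The block below is an added example, not code from the original post, that supplies those resources: the VNET and subnet for the gateway, the private DNS zone Key Vault requires, and the zone link that makes resolution inside the VNET return the private IP. Names and address ranges are assumed; the zone name `privatelink.vaultcore.azure.net` is fixed by Azure.

```hcl
# Added example: network and DNS resources for the Key Vault private endpoint.
resource "azurerm_virtual_network" "gateway" {
  name                = "vnet-fabric-gateway"      # assumed name
  location            = azurerm_resource_group.this.location
  resource_group_name = azurerm_resource_group.this.name
  address_space       = ["10.50.0.0/16"]           # assumed range
}

# Subnet that hosts the VNET data gateway and the private endpoint NIC.
resource "azurerm_subnet" "gateway" {
  name                 = "snet-gateway"
  resource_group_name  = azurerm_resource_group.this.name
  virtual_network_name = azurerm_virtual_network.gateway.name
  address_prefixes     = ["10.50.1.0/24"]
}

# Key Vault private DNS zone. <vault>.vault.azure.net resolves via CNAME to
# <vault>.privatelink.vaultcore.azure.net; this zone answers for that name
# with the private endpoint's IP. The A record is written by the
# private_dns_zone_group block on the endpoint.
resource "azurerm_private_dns_zone" "keyvault" {
  name                = "privatelink.vaultcore.azure.net"
  resource_group_name = azurerm_resource_group.this.name
}

# Link the zone to the gateway VNET. Without this, the gateway resolves the
# public IP, the request arrives via the public path and the Deny rule rejects
# it even though the private endpoint exists.
resource "azurerm_private_dns_zone_virtual_network_link" "keyvault" {
  name                  = "link-keyvault-gateway-vnet"
  resource_group_name   = azurerm_resource_group.this.name
  private_dns_zone_name = azurerm_private_dns_zone.keyvault.name
  virtual_network_id    = azurerm_virtual_network.gateway.id
  registration_enabled  = false
}
```

If the VNET uses custom DNS servers instead of Azure-provided DNS, the link alone is not enough: those servers must forward `privatelink.vaultcore.azure.net` to Azure DNS (168.63.129.16) or the gateway will still see the public address. That is the first thing to check when the "Timeout Connecting to Key Vault" steps below point at DNS.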

Using Secrets in Fabric

In Fabric Notebooks (Spark)

from notebookutils import mssparkutils

# Get the secret from the Key Vault linked to the workspace identity
secret = mssparkutils.credentials.getSecret(
    "https://kv-production.vault.azure.net/",
    "my-secret-name"
)

# Use it in a connection string; never print or log the secret value
connection_string = f"Server=myserver.database.windows.net;Database=mydb;Password={secret}"

In Dataflows

Use the Web connector with Key Vault linked as a data source.

In Pipelines

Reference Key Vault in pipeline parameters:

{
  "name": "MyParameter",
  "type": "SecureString",
  "value": {
    "type": "AzureKeyVaultSecret",
    "secretName": "my-secret",
    "store": {
      "referenceName": "MyKeyVaultLinkedService",
      "type": "LinkedServiceReference"
    }
  }
}

Creating a Linked Service

In a Fabric or Synapse workspace:

{
  "name": "KeyVaultLinkedService",
  "properties": {
    "type": "AzureKeyVault",
    "typeProperties": {
      "baseUrl": "https://kv-production.vault.azure.net/"
    }
  }
}

Common Issues

"Access Denied" Even with Trusted Services

Check:

  1. Managed identity is correctly assigned
  2. Access policy or RBAC permission is granted
  3. Key Vault network rules include "AzureServices" bypass

Secret Not Found

Verify:

  1. Secret name matches exactly (case-sensitive)
  2. Secret is not disabled
  3. Secret hasn't expired

Timeout Connecting to Key Vault

If using private endpoints:

  1. Verify private endpoint is approved
  2. Check DNS resolution from gateway VNET
  3. Ensure gateway has network path to Key Vault

Best Practices

  1. Use Managed Identity - Don't store Key Vault credentials in code
  2. Minimum Permissions - Grant only Get and List for secrets
  3. Audit Access - Enable Key Vault diagnostic logging
  4. Rotate Secrets - Set up secret rotation and make sure Fabric workloads pick up the new version

// Monitor Key Vault access from Fabric
AzureDiagnostics
| where ResourceType == "VAULTS"
| where OperationName == "SecretGet"
| where identity_claim_appid_g != ""
| summarize count() by identity_claim_appid_g, ResultType
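The query above only returns rows if Key Vault audit logs are actually being shipped to a Log Analytics workspace. The block below is an added example, not code from the original post, that enables that logging with Terraform; the workspace name, SKU and retention are assumed, and the vault is the `azurerm_key_vault.this` resource defined under Option 1.

```hcl
# Added example: send Key Vault AuditEvent logs to Log Analytics (assumed azurerm 3.x).
resource "azurerm_log_analytics_workspace" "security" {
  name                = "law-security"   # assumed name
  location            = azurerm_resource_group.this.location
  resource_group_name = azurerm_resource_group.this.name
  sku                 = "PerGB2018"
  retention_in_days   = 90               # assumed retention
}

resource "azurerm_monitor_diagnostic_setting" "keyvault_audit" {
  name                       = "diag-keyvault-audit"
  target_resource_id         = azurerm_key_vault.this.id
  log_analytics_workspace_id = azurerm_log_analytics_workspace.security.id

  # AuditEvent records every data-plane call (SecretGet, SecretList, ...)
  # with caller identity, source IP and ResultType. It is the source of the
  # AzureDiagnostics rows the KQL query above filters on; leaving
  # log_analytics_destination_type unset keeps the data in that table.
  enabled_log {
    category = "AuditEvent"
  }

  metric {
    category = "AllMetrics"
    enabled  = false
  }
}
```

Once the rows arrive, the same query with `| where ResultType != "Success"` added before the `summarize` is the one to alert on: a burst of denied `SecretGet` calls from an application ID you do not recognise is the signal that something other than your Fabric identity is probing the vault.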

Need help integrating Microsoft Fabric with your secure infrastructure? Get in touch - we help organisations implement secure data platforms.
