Referenced Azure Key Vault requires public access ...

apturlov · ‎10-08-2025

Hello Fabric community. I'd like to pick your collective brain for this situation.

I am working on an initial Fabric implementation for the financial organization that follows CIS minimum standard framework and NIST where applicable. Under these frameworks they configure all Azure Key Vaults for private access only (in networking public access is diabled). I need to create a mirrored database from the on-premise SQL server using On-premise Data Gateway. For that, I need to configure a connection to the SQL Server using SQL authentication for which I must supply user name and password. I'd like to supply the password from the Key Vault which requires creating a Key Vault reference in Fabric. I can only create a Key Vault reference in Fabric if the Key Vault has public access enabled, otherwise the private connection between Fabric and Key Vault would fail. Such requirement for the public access to the Key Vault contradicts with the organization security framework. Are there any ways to mitigate this situation?

apturlov

Hello @tayloramy @v-prasare, thank you for your support. While @tayloramy 's answers were infromative and helful, I, unfortunately, cannot accept them as a solution as my question uncovered an architectural limitation in the current state of Microsoft Fabric and the issue cannot be resolved directly. In the scenario I described, I have chosen not to use the Key Vault (as I usually did when I worked with Azure Data Factory or Azure Synapse) for storing credentials because from my assesment public Azure Key Vault presents a larger attack surface compared to storing credentials in the connections in Microsoft Fabric. Please consider this question closed unless there is more information on this topic that you could add for further considerations.

Fabric Data Days starts November 4th!

Referenced Azure Key Vault requires public access enabled for Fabric integration