This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
APPLIES TO: 
Azure Data Factory
Azure Synapse Analytics
Tip
Try out Data Factory in Microsoft Fabric, an all-in-one analytics solution for enterprises. Microsoft Fabric covers everything from data movement to data science, real-time analytics, business intelligence, and reporting. Learn how to start a new trial for free!
You can store credentials for data stores and computes in an Azure Key Vault. Azure Data Factory retrieves the credentials when executing an activity that uses the data store/compute.
Currently, all activity types except custom activity support this feature. For connector configuration specifically, check the "linked service properties" section in each connector topic for details.
This feature relies on the data factory managed identity. Learn how it works from Managed identity for Data factory and make sure your data factory have an associated one.
To reference a credential stored in Azure Key Vault, you need to:
The following properties are supported for Azure Key Vault linked service:
| Property | Description | Required |
|---|---|---|
| type | The type property must be set to: AzureKeyVault. | Yes |
| baseUrl | Specify the Azure Key Vault URL. | Yes |
Using authoring UI:
Select Connections -> Linked Services -> New. In New linked service, search for and select "Azure Key Vault":
Select the provisioned Azure Key Vault where your credentials are stored. You can do Test Connection to make sure your AKV connection is valid.
JSON example:
{
"name": "AzureKeyVaultLinkedService",
"properties": {
"type": "AzureKeyVault",
"typeProperties": {
"baseUrl": "https://<azureKeyVaultName>.vault.azure.net"
}
}
}
The following properties are supported when you configure a field in linked service referencing a key vault secret:
| Property | Description | Required |
|---|---|---|
| type | The type property of the field must be set to: AzureKeyVaultSecret. | Yes |
| secretName | The name of secret in Azure Key Vault. | Yes |
| secretVersion | The version of secret in Azure Key Vault. If not specified, it always uses the latest version of the secret. If specified, then it sticks to the given version. |
No |
| store | Refers to an Azure Key Vault linked service that you use to store the credential. | Yes |
Using authoring UI:
Select Azure Key Vault for secret fields while creating the connection to your data store/compute. Select the provisioned Azure Key Vault Linked Service and provide the Secret name. You can optionally provide a secret version as well.
Tip
For connectors using connection string in linked service like SQL Server, Blob storage, etc., you can choose either to store only the secret field e.g. password in AKV, or to store the entire connection string in AKV. You can find both options on the UI.
JSON example: (see the "password" section)
{
"name": "DynamicsLinkedService",
"properties": {
"type": "Dynamics",
"typeProperties": {
"deploymentType": "<>",
"organizationName": "<>",
"authenticationType": "<>",
"username": "<>",
"password": {
"type": "AzureKeyVaultSecret",
"secretName": "<secret name in AKV>",
"store":{
"referenceName": "<Azure Key Vault linked service>",
"type": "LinkedServiceReference"
}
}
}
}
}
For a list of data stores supported as sources and sinks by the copy activity in Azure Data Factory, see supported data stores.
Training
Module
Manage secrets in your server apps with Azure Key Vault - Training
Learn how to create an Azure Key Vault to store secret values and how to enable secure access to the vault.
Certification
Microsoft Certified: Azure Data Engineer Associate - Certifications
Demonstrate understanding of common data engineering tasks to implement and manage data engineering workloads on Microsoft Azure, using a number of Azure services.