Bring your own Azure key vault (preview)
Linking a dedicated Azure key vault to a Customer Insights environment helps organizations to meet compliance requirements. The dedicated key vault can be used to stage and use secrets in an organization's compliance boundary. Customer Insights can use the secrets in Azure Key Vault to set up connections to third-party systems.
Link the key vault to the Customer Insights environment
To configure the key vault in Customer Insights, the following prerequisites must be met:
- You have an active Azure subscription.
- You have the Contributor and User Access Administrator roles on the key vault or the resource group the key vault belongs to. For more information, go to Add or remove Azure role assignments using the Azure portal. If you don't have the User Access Administrator role on the key vault, you must set up the role-based access control permissions for the Azure service principal for Dynamics 365 Customer Insights separately. Follow the steps to use an Azure service principal for the key vault that should be linked.
- The key vault must have Key Vault firewall disabled.
- The key vault is in the same Azure location as the Customer Insights environment. The region of the environment in Customer Insights is listed under Admin > System > About > Region.
Link a key vault to the environment
- Go to Admin > Security, and then select the Key Vault tab.
- On the Key Vault tile, select Setup.
- Choose a Subscription.
- Choose a key vault from the Key Vault dropdown list. If too many key vaults are showing up, select a resource group to limit the search results.
- Accept the Data privacy and compliance statement.
- Select Save.
The Key Vault tile now shows the linked key vault name, resource group, and subscription. It's ready to be used in the connection setup. For details about which permissions on the key vault are granted to Customer Insights, go to Permissions granted on the key vault, later in this article.
Use the key vault in the connection setup
When setting up connections to third-party systems, the secrets from the linked Key Vault can be used to configure the connections.
- Go to Admin > Connections.
- Select Add connection.
- For the supported connection types, a Use Key Vault toggle is available if you linked a key vault.
- Instead of entering the secret manually, you can choose the secret name that points to the secret value in the key vault.
Supported connection types
The following export connections are supported:
- Google Ads
- Salesforce Marketing Cloud
Permissions granted on the key vault
Key Vault access policy
|Type|Permissions|
|---|---|
|Key|Get Keys, Get Key|
|Secret|Get Secrets, Get Secret|
|Certificate|Get Certificates, Get Certificate|
The preceding values are the minimum to list and read during execution.
Azure role-based access control
The Key Vault Reader and Key Vault Secrets User roles will be added for Customer Insights. For details about these roles, go to Azure built-in roles for Key Vault data plane operations.
Use a separate or dedicated key vault that contains only the secrets required for Customer Insights. Read more about why separate key vaults are recommended.
Follow the Key Vault best practices for access control, backup, audit, and recovery options.
Frequently asked questions
Can Customer Insights write secrets or overwrite secrets into the key vault?
No. Only the read and list permissions outlined in the granted permissions section earlier in this article are granted to Customer Insights. The system can't add, delete, or overwrite secrets in the key vault. That's also the reason why you can't enter credentials when a connection uses Key Vault.
Can I change a connection from using Key Vault secrets to default authentication?
No. You can't change back to a default connection after you've configured it by using a secret from a linked key vault. Create a separate connection, and delete the old one if you don't need it anymore.
How can I revoke access to a key vault for Customer Insights?
Depending on whether Key Vault access policy or Azure role-based access control is enabled, you need to remove the permissions for the service principal `0bfc4568-a4ba-4c58-bd3e-5d3e76bd7fff` with the name `Dynamics 365 AI for Customer Insights`. All connections that use the key vault will stop working.
A secret that's used in a connection got removed from the key vault. What can I do?
A notification appears in Customer Insights when a configured secret from the key vault isn't accessible anymore. Enable soft-delete on the key vault to restore secrets if they're accidentally removed.
A connection doesn't work, but my secret is in the key vault. What might be the cause?
A notification appears in Customer Insights when it can't access the key vault. The cause might be:
- The permissions for the Customer Insights service principal got removed. They need to be manually restored.
- The firewall on the key vault is enabled. The firewall must be disabled to make the key vault accessible for Customer Insights again.
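The prerequisites and the two causes listed above can be checked against the vault's own configuration. The following is an added example, not part of the original article or of Customer Insights: it audits a vault description shaped like the JSON printed by `az keyvault show`. The sample vault, the object ID placeholder, the finding labels, and the mapping of the table's "Get Secret / Get Secrets" to `get` / `list` are assumptions.

```python
# Constructed sample shaped like `az keyvault show` output; all values are placeholders.
CI_OBJECT_ID = "11111111-1111-1111-1111-111111111111"  # tenant-specific object ID (placeholder)
SAMPLE_VAULT = {
    "name": "example-ci-vault",
    "location": "westeurope",
    "properties": {
        "enableRbacAuthorization": False,
        "enableSoftDelete": True,
        "networkAcls": {"defaultAction": "Deny"},
        "accessPolicies": [{
            "objectId": CI_OBJECT_ID,
            "permissions": {"keys": ["get", "list"],
                            "secrets": ["get", "list", "set"],
                            "certificates": ["get"]},
        }],
    },
}

# Assumption: the table's "Get Secret" / "Get Secrets" correspond to get / list.
MINIMUM = {"get", "list"}

def audit_vault(vault, ci_object_id, environment_region):
    """Return findings that would break or over-privilege the Customer Insights link."""
    findings = []
    props = vault.get("properties") or {}
    if (vault.get("location") or "").lower() != environment_region.lower():
        findings.append("region-mismatch")
    acls = props.get("networkAcls") or {}  # null when no firewall was ever configured
    if (acls.get("defaultAction") or "Allow").lower() == "deny":
        findings.append("firewall-enabled")
    if props.get("enableSoftDelete") is not True:
        findings.append("soft-delete-disabled")
    if props.get("enableRbacAuthorization"):
        return findings  # access policies are not evaluated in RBAC mode
    policy = next((p for p in props.get("accessPolicies") or []
                   if p.get("objectId") == ci_object_id), None)
    if policy is None:
        return findings + ["no-access-policy"]
    perms = policy.get("permissions") or {}
    for kind in ("keys", "secrets", "certificates", "storage"):
        granted = {g.lower() for g in perms.get(kind) or []}
        expected = set() if kind == "storage" else MINIMUM
        for label, diff in (("excess", granted - expected), ("missing", expected - granted)):
            if diff:
                findings.append(f"{label}-{kind}:{','.join(sorted(diff))}")
    return findings

if __name__ == "__main__":
    print(audit_vault(SAMPLE_VAULT, CI_OBJECT_ID, "westeurope"))
```

When the vault uses Azure role-based access control, the function stops after the network and recovery checks; the role assignments for the service principal have to be reviewed separately.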