Bring your own Azure key vault (preview)

Linking a dedicated Azure key vault to a Customer Insights environment helps organizations meet compliance requirements. The dedicated key vault can be used to stage and use secrets within an organization's compliance boundary. Customer Insights can use the secrets stored in Azure Key Vault to set up connections to third-party systems.

Prerequisites

To configure the key vault in Customer Insights, the following prerequisites must be met:

  1. Go to Admin > Security, and then select the Key Vault tab.
  2. On the Key Vault tile, select Setup.
  3. Choose a Subscription.
  4. Choose a key vault from the Key Vault dropdown list. If too many key vaults are showing up, select a resource group to limit the search results.
  5. Accept the Data privacy and compliance statement.
  6. Select Save.

Steps to set up a linked key vault in Customer Insights.

The Key Vault tile now shows the linked key vault name, resource group, and subscription. It's ready to be used in the connection setup. For details about which permissions on the key vault are granted to Customer Insights, go to Permissions granted on the key vault, later in this article.

Use the key vault in the connection setup

When setting up connections to third-party systems, the secrets from the linked Key Vault can be used to configure the connections.

  1. Go to Admin > Connections.
  2. Select Add connection.
  3. For the supported connection types, a Use Key Vault toggle is available if you linked a key vault.
  4. Instead of entering the secret manually, you can choose the secret name that points to the secret value in the key vault.

Connection pane with an SFTP connection that uses a Key Vault secret.

Supported connection types

The following export connections are supported:

Permissions granted on the key vault

The following permissions are granted to Customer Insights on a linked key vault if either Key Vault access policy or Azure role-based access control is enabled.

Key Vault access policy

Type          Permissions
Key           Get Keys, Get Key
Secret        Get Secrets, Get Secret
Certificate   Get Certificates, Get Certificate

The preceding permissions are the minimum required to list and read keys, secrets, and certificates during execution.

Azure role-based access control

The Key Vault Reader and Key Vault Secrets User roles are added for Customer Insights. For details about these roles, go to Azure built-in roles for Key Vault data plane operations.

Recommendations

Frequently asked questions

Can Customer Insights write secrets or overwrite secrets into the key vault?

No. Only the read and list permissions outlined in the granted permissions section earlier in this article are granted to Customer Insights. The system can't add, delete, or overwrite secrets in the key vault. That's also the reason why you can't enter credentials when a connection uses Key Vault.

Can I change a connection from using Key Vault secrets to default authentication?

No. You can't change back to a default connection after you've configured it by using a secret from a linked key vault. Create a separate connection, and delete the old one if you don't need it anymore.

How can I revoke access to a key vault for Customer Insights?

Depending on whether Key Vault access policy or Azure role-based access control is enabled, you need to remove the permissions for the service principal 0bfc4568-a4ba-4c58-bd3e-5d3e76bd7fff with the name Dynamics 365 AI for Customer Insights. All connections that use the key vault will stop working.

A secret that's used in a connection got removed from the key vault. What can I do?

A notification appears in Customer Insights when a configured secret from the key vault isn't accessible anymore. Enable soft-delete on the key vault to restore secrets if they're accidentally removed.

A connection doesn't work, but my secret is in the key vault. What might be the cause?

A notification appears in Customer Insights when it can't access the key vault. The cause might be:

  • The permissions for the Customer Insights service principal were removed. They need to be restored manually.

  • The firewall on the key vault is enabled. The firewall must be disabled to make the key vault accessible for Customer Insights again.
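The following script is an added example, not part of this article or of Customer Insights. It audits a key vault's exported configuration against the permissions table above and the two failure causes in this FAQ. It assumes the access-policy entries carry the service principal's object ID in your tenant (looked up from the app ID given above; the object ID used here is a constructed placeholder), that the article's "Get Keys" / "Get Key" wording corresponds to Key Vault's List and Get permissions, and that the input has the shape of `az keyvault show` output.

```python
import json

# App ID of the Customer Insights service principal (from this article). The
# accessPolicies entries carry the principal's *object* ID in your tenant, which
# you look up separately; the object ID below is a constructed placeholder.
CI_APP_ID = "0bfc4568-a4ba-4c58-bd3e-5d3e76bd7fff"
CI_SP_OBJECT_ID = "11111111-2222-3333-4444-555555555555"  # placeholder

# Minimum from the permissions table: read ("Get") and list per object type.
MINIMUM = {t: {"get", "list"} for t in ("keys", "secrets", "certificates")}

# Constructed sample in the shape of `az keyvault show -n <vault> -o json`.
SAMPLE_VAULT = json.loads("""{
  "name": "contoso-ci-kv",
  "properties": {
    "enableSoftDelete": true,
    "networkAcls": {"defaultAction": "Deny", "bypass": "AzureServices"},
    "accessPolicies": [
      {"objectId": "11111111-2222-3333-4444-555555555555",
       "permissions": {"keys": ["Get", "List"],
                       "secrets": ["Get", "List", "Set"],
                       "certificates": ["Get"]}}
    ]
  }
}""")


def audit_vault(vault: dict, sp_object_id: str = CI_SP_OBJECT_ID) -> dict:
    """Compare the principal's access policy with the documented minimum and
    flag the FAQ failure causes: firewall enabled, soft-delete disabled."""
    props = vault.get("properties", {})
    acls = props.get("networkAcls", {})
    report = {"policy_found": False, "missing": {}, "excess": {},
              # An enabled firewall (default action Deny) blocks the service.
              "firewall_blocks": acls.get("defaultAction", "Allow").lower() == "deny",
              "soft_delete": bool(props.get("enableSoftDelete", False))}
    for policy in props.get("accessPolicies", []):
        if policy.get("objectId", "").lower() != sp_object_id.lower():
            continue
        report["policy_found"] = True
        perms = policy.get("permissions", {})
        for kind, needed in MINIMUM.items():
            granted = {p.lower() for p in perms.get(kind) or []}
            if needed - granted:  # connections fail: cannot list/read
                report["missing"][kind] = sorted(needed - granted)
            if granted - needed:  # beyond read/list: not least privilege
                report["excess"][kind] = sorted(granted - needed)
    if not report["policy_found"]:  # principal absent: everything is missing
        report["missing"] = {k: sorted(v) for k, v in MINIMUM.items()}
    return report


if __name__ == "__main__":
    print(json.dumps(audit_vault(SAMPLE_VAULT), indent=2))
```

On the sample, the report flags the missing certificate List permission, the excess Set permission on secrets, and the enabled firewall.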