Bring your own encryption keys for Power BI (preview)
Power BI encrypts data at-rest and in process. By default, Power BI uses Microsoft-managed keys to encrypt your data. In Power BI Premium you can also use your own keys for data at-rest that is imported into a dataset (see Data source and storage considerations for more information). This approach is often described as bring your own key (BYOK).
Why use BYOK?
BYOK makes it easier to meet compliance requirements that specify key arrangements with the cloud service provider (in this case Microsoft). With BYOK, you provide and control the encryption keys for your Power BI data at-rest at the application level. As a result, you can exercise control and revoke your organization's keys, should you decide to exit the service. By revoking the keys, the data is unreadable to the service.
Data source and storage considerations
To use BYOK, you must upload data to the Power BI service from a Power BI Desktop (PBIX) file. You cannot use BYOK in the following scenarios:
- Analysis Services Live Connection
- Excel workbooks (unless data is first imported into Power BI Desktop)
- Push datasets
- Streaming datasets
- Large models
BYOK applies only to the dataset associated with the PBIX file, not the query result caches for tiles and visuals.
Configure Azure Key Vault
In this section you learn how to configure Azure Key Vault, a tool for securely storing and accessing secrets, like encryption keys. You can use an existing key vault to store encryption keys, or you can create a new one specifically for use with Power BI.
The instructions in this section assume basic knowledge of Azure Key Vault. For more information, see What is Azure Key Vault?. Configure your key vault in the following way:
- Add the Power BI service as a service principal for the key vault, with wrap and unwrap permissions.
- Create an RSA key with a 4096-bit length (or use an existing key of this type), with wrap and unwrap permissions. Power BI BYOK supports only RSA keys with a 4096-bit length.
- Recommended: Check that the key vault has the soft delete option enabled.
Add the service principal
1. In the Azure portal, in your key vault, under Access policies, select Add New.
2. Under Select principal, search for and select Microsoft.Azure.AnalysisServices. If you can't find "Microsoft.Azure.AnalysisServices", it's likely that the Azure subscription associated with your Azure Key Vault never had a Power BI resource associated with it. Try searching for the following string instead: 00000009-0000-0000-c000-000000000000.
3. Under Key permissions, select Unwrap Key and Wrap Key.
4. Select OK, then Save.
To revoke Power BI's access to your data in the future, remove the access rights of this service principal from your Azure Key Vault.
Create an RSA key
1. In your key vault, under Keys, select Generate/Import.
2. Select a Key Type of RSA and an RSA Key Size of 4096.
3. Under Keys, select the key you created.
4. Select the GUID for the Current Version of the key.
5. Check that Wrap Key and Unwrap Key are both selected. Copy the Key Identifier to use when you enable BYOK in Power BI.
Soft delete option
We recommend that you enable soft delete on your key vault, to protect against data loss if a key, or the whole key vault, is deleted by accident. You must use PowerShell to enable the "soft-delete" property on the key vault, because this option is not yet available from the Azure portal.
With Azure Key Vault properly configured, you're ready to enable BYOK on your tenant.
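The following PowerShell check is an added example, not part of the Power BI documentation. It verifies the three key vault requirements above (soft delete, an RSA-4096 key, and wrap/unwrap permission for the Power BI principal) before you register the key with your tenant. It assumes the Az.KeyVault and Az.Resources modules and an existing Connect-AzAccount session; the vault and key names are placeholders.

```powershell
# Added example (not from the Power BI docs): pre-flight check of a key vault for Power BI BYOK.
# Assumes Az.KeyVault and Az.Resources are installed and Connect-AzAccount has been run.
# $VaultName and $KeyName are placeholders for your own vault and key.
$VaultName    = 'contoso-vault2'
$KeyName      = 'ContosoKeyVault'
$PowerBIAppId = '00000009-0000-0000-c000-000000000000'  # Power BI service application ID (from the docs)

$vault = Get-AzKeyVault -VaultName $VaultName
if (-not $vault) { throw "Key vault '$VaultName' not found" }

# 1. Soft delete: without it, an accidental key deletion leaves BYOK-encrypted data unreadable.
if ($vault.EnableSoftDelete) { 'OK   soft delete is enabled' }
else                         { 'FAIL soft delete is not enabled' }

# 2. Key type and size: Power BI BYOK accepts only RSA keys with a 4096-bit modulus.
#    Only RSA JSON Web Keys carry a modulus (N); its byte length gives the key size.
#    (Assumes the returned key object exposes the JSON Web Key as $key.Key.)
$key = Get-AzKeyVaultKey -VaultName $VaultName -Name $KeyName
if (-not $key) { throw "Key '$KeyName' not found in '$VaultName'" }
$modulusBits = if ($key.Key.N) { $key.Key.N.Length * 8 } else { 0 }
if ($modulusBits -eq 4096) { "OK   key is RSA-$modulusBits" }
else                       { "FAIL key is not RSA-4096 (modulus bits: $modulusBits)" }

# 3. Access policy: the Power BI principal needs wrapKey and unwrapKey and nothing more
#    (least privilege; the service never needs get, decrypt or delete on the key).
#    Vaults that use Azure RBAC instead of access policies show no entry here.
$sp       = Get-AzADServicePrincipal -ApplicationId $PowerBIAppId
$policy   = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $sp.Id }
$perms    = @($policy.PermissionsToKeys)
$required = @('wrapKey', 'unwrapKey')
$missing  = $required | Where-Object { $perms -notcontains $_ }
$extra    = $perms    | Where-Object { $required -notcontains $_ }
if (-not $policy)  { 'FAIL no access policy for the Power BI service principal' }
elseif ($missing)  { "FAIL missing key permissions: $($missing -join ', ')" }
else               { 'OK   Power BI principal has wrapKey and unwrapKey' }
if ($extra)        { "WARN extra key permissions granted: $($extra -join ', ')" }

# The key identifier of the current version is the value Add-PowerBIEncryptionKey expects.
"Key identifier: $($key.Id)"
```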
Enable BYOK on your tenant
You enable BYOK at the tenant level with PowerShell, by first introducing to your Power BI tenant the encryption keys you created and stored in Azure Key Vault. You then assign these encryption keys per Premium capacity for encrypting content in the capacity.
Before you enable BYOK, keep the following considerations in mind:
- At this time, you cannot disable BYOK after you enable it. Depending on how you specify parameters for Add-PowerBIEncryptionKey, you can control how you use BYOK for one or more of your capacities. However, you can't undo the introduction of keys to your tenant. For more information, see Enable BYOK.
- You cannot directly move a workspace that uses BYOK from a dedicated capacity in Power BI Premium to shared capacity. If you do, its reports and datasets become inaccessible, because they are encrypted with the key. To avoid this situation, you must first move the workspace to a dedicated capacity that doesn't have BYOK enabled.
To enable BYOK, you must be a tenant administrator of the Power BI service, signed in using the Connect-PowerBIServiceAccount cmdlet. Then use Add-PowerBIEncryptionKey to enable BYOK, as shown in the following example:
Add-PowerBIEncryptionKey -Name 'Contoso Sales' -KeyVaultKeyUri 'https://contoso-vault2.vault.azure.net/keys/ContosoKeyVault/b2ab4ba1c7b341eea5ecaaa2wb54c4d2'
To add multiple keys, run Add-PowerBIEncryptionKey with different values for -
The cmdlet accepts two switch parameters that affect encryption for current and future capacities. By default, neither switch is set:
- -Activate: Indicates that this key will be used for all existing capacities in the tenant that aren't already encrypted.
- -Default: Indicates that this key is now the default for the entire tenant. When you create a new capacity, the capacity inherits this key.
If you specify -Default, all of the capacities created on your tenant from this point will be encrypted using the key you specify (or an updated default key). You cannot undo the default operation, so you lose the ability to create a Premium capacity in your tenant that doesn't use BYOK.
After you enable BYOK on your tenant, set the encryption key for one or more Power BI capacities:
1. Use Get-PowerBICapacity to get the capacity ID that's required for the next step.
Get-PowerBICapacity -Scope Individual
The cmdlet returns output similar to the following:
Id              : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
DisplayName     : Test Capacity
Admins          : email@example.com
Sku             : P1
State           : Active
UserAccessRight : Admin
Region          : North Central US
2. Use Set-PowerBICapacityEncryptionKey to set the encryption key:
Set-PowerBICapacityEncryptionKey -CapacityId xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx -KeyName 'Contoso Sales'
You have control over how you use BYOK across your tenant. For example, to encrypt a single capacity, call Add-PowerBIEncryptionKey without -Activate or -Default. Then call Set-PowerBICapacityEncryptionKey for the capacity where you want to enable BYOK.
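The single-capacity case described above, as an added example that is not part of the original page: it registers the key without -Activate or -Default, resolves the capacity by display name instead of a pasted GUID, assigns the key, and then verifies the result with the cmdlets the page lists. It assumes the MicrosoftPowerBIMgmt module; the key name, key URI, capacity name and workspace name are placeholders, and the check that the key is not already registered relies on Get-PowerBIEncryptionKey returning a Name property.

```powershell
# Added example (not from the Power BI docs): enable BYOK for exactly one capacity.
# Assumes the MicrosoftPowerBIMgmt module; all names and the key URI are placeholders.
$KeyName      = 'Contoso Sales'
$KeyUri       = 'https://contoso-vault2.vault.azure.net/keys/ContosoKeyVault/<key-version-guid>'
$CapacityName = 'Test Capacity'
$Workspace    = 'Contoso Sales'

# Must be a Power BI tenant administrator.
Connect-PowerBIServiceAccount | Out-Null

# Register the key WITHOUT -Activate or -Default: existing capacities stay as they are and
# new capacities are not forced onto BYOK. Registration itself cannot be undone, so the
# script skips it when a key with this name already exists (assumes a Name property on the output).
$existing = Get-PowerBIEncryptionKey | Where-Object { $_.Name -eq $KeyName }
if (-not $existing) {
    Add-PowerBIEncryptionKey -Name $KeyName -KeyVaultKeyUri $KeyUri | Out-Null
}

# Resolve the capacity ID by display name; -Scope Organization lists all capacities in the tenant.
$capacity = Get-PowerBICapacity -Scope Organization | Where-Object { $_.DisplayName -eq $CapacityName }
if (-not $capacity) { throw "Capacity '$CapacityName' not found" }
if (@($capacity).Count -gt 1) { throw "More than one capacity is named '$CapacityName'" }

# Apply the key to this capacity only.
Set-PowerBICapacityEncryptionKey -CapacityId $capacity.Id -KeyName $KeyName

# Verify: the capacity should now report the key, and every dataset in the workspace
# should show an encryption status that is in sync with the workspace.
Get-PowerBICapacity -Scope Organization -ShowEncryptionKey |
    Where-Object { $_.Id -eq $capacity.Id } | Format-List
Get-PowerBIWorkspaceEncryptionStatus -Name $Workspace | Format-Table -AutoSize
```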
Power BI provides additional cmdlets to help manage BYOK in your tenant:
Get-PowerBICapacity to get the key that a capacity is currently using:
Get-PowerBICapacity -Scope Organization -ShowEncryptionKey
Get-PowerBIEncryptionKey to get the key that your tenant is currently using:
Get-PowerBIWorkspaceEncryptionStatus to see whether the datasets in a workspace are encrypted and whether their encryption status is in sync with the workspace:
Get-PowerBIWorkspaceEncryptionStatus -Name 'Contoso Sales'
Note that encryption is enabled at the capacity level, but you get encryption status at the dataset level for the specified workspace.
Switch-PowerBIEncryptionKey to switch (or rotate) the version of the key being used for encryption. The cmdlet simply updates the -KeyVaultKeyUri for a key:
Switch-PowerBIEncryptionKey -Name 'Contoso Sales' -KeyVaultKeyUri 'https://contoso-vault2.vault.azure.net/keys/ContosoKeyVault/b2ab4ba1c7b341eea5ecaaa2wb54c4d2'