top of page
Writer's pictureOscar Martinez

Securing Your API-Power BI Data with Azure Key Vault

Updated: Nov 13

Unlocking the Power of Secure API Coding

Are you looking to secure API secrets in your Power BI developments? With Azure Key Vault, you can unlock the power of secure API coding. It's an easy and reliable way to store secrets, giving you peace of mind that they are safely locked away. This blog post will look at Azure Key Vault and discuss some best practices developers should follow when incorporating it into their Power BI projects.

Introduction: What is Azure Key Vault, and How Can It Help with Power BI Reports with data from an API?

Azure Key Vault is a cloud-based security solution that enables organisations to securely store application secrets, such as passwords, API keys, and other sensitive data. With Azure Key Vault, organisations can protect these confidential credentials and ensure that only authorised users can access them.

Using Azure Key Vault in combination with Power BI Reports can be highly beneficial when dealing with data from an API. With the help of Azure Key Vault, organisations can quickly and easily secure keys and secrets, allowing only authorised users to access them via Power BI M Code. By storing all these secret tokens within Key Vault, admins have complete control over who has access to the data and can restrict access as necessary for compliance or any other purpose.

Overall, using Azure Key Vault with Power BI Reports is a great way to ensure that valuable API data remains secure while allowing authorised users to access it when necessary. This provides an extra layer of security and will enable organisations to maintain compliance standards easily while still using powerful reporting tools like Power BI.

Benefits of Using Azure Key Vault for Power BI

One of the most significant benefits of using Azure Key Vault in conjunction with Power BI is its scalability. An enterprise-wide solution that can be used for all Power BI projects helps ensure that users across multiple teams can consistently and securely access the data they need consistently and securely. This helps reduce errors due to manual entry and different versions of credentials being used across teams. With Azure Key Vault, organisations can also take advantage of built-in features like auditing and logging, which allow them to track any changes made to the vault and get visibility into who accessed what information and when.

Another key benefit of using Azure Key Vault for Power BI is its ability to protect sensitive information from unauthorised access or manipulation. Since all data stored in the vault is encrypted, only those with permission can view it or make changes. This ensures that confidential information remains secure and compliant with applicable regulations and industry standards such as GDPR.

Finally, using Azure Key Vault also helps streamline authentication processes by allowing administrators to securely store credentials needed for authentication without having them hard-coded into scripts or applications where they could easily be compromised. This eliminates the need to manually enter credentials each time someone needs them, saving time and reducing user frustration.

Overall, utilising Azure Key Vault with Power BI offers organisations a powerful toolset for handling sensitive business data while maintaining compliance requirements at scale. It provides users with greater security through encryption and enhanced audibility so that malicious activities can be tracked more quickly should they occur, and faster authentication processes reduce downtime caused by manual credential entry errors.

Step By step guide.


1. Setting up an Azure Key Vault Account

Here's a high-level description of how to create a key vault in Azure:

  1. Sign in to the Azure Portal with your subscription and select Create a resource.

  2. In the search box, type Key Vault and select it from the result

  3. On the Basics tab, provide a name for your Key Vault and your chosen subscription and resource group.

  4. Select Create to begin creating your Key Vault in your Azure subscription

  5. After creating the Key Vault, you must take note of the Vault URI (e.g. "https://contoso-vault2.vault.azure.net/"

Azure Key Vault account
Azure Key Vault account

If you have questions, please refer to the official Microsoft documentation.

https://learn.microsoft.com/en-us/azure/key-vault/general/quick-create-portal

2. Create your first secret in your Key Vault.

Creating the account itself is the first step to setting up an Azure Key Vault Account.

  1. Select your Key Vault from the list of available vaults.

  2. Select Secrets > Generate/Import to create a new secret or import an existing one.

  3. Please enter the name and value for the new secret, then select Create to save it in your Key Vault.

  4. You can also specify optional fields such as expiration date, content type and tags for the new secret or edit existing secrets with these properties if needed.

  5. When you're finished, select Save to add the secret to your Key Vault.

If you have questions, please refer to the official Microsoft documentation.

3. Configure Key Vault's access.

You need to ensure you have configured Key Vault's access policies correctly, and sometimes you also need to check the firewall settings. If you have doubts about this, please check the official Microsoft documentation:

4. Get the Key Vault's Power BI custom connector and change Power BI desktop settings.

Option 1 Easy 😀: Click here.

Option 2 Advanced🤔: Get the connector by cloning and building the solution from this GitHub repository.

Once you have the MEZ file connector, you need to save this on the connector folders of your computer ([Documents]\Power BI Desktop\Custom Connectors.) If the folder does not exist, you will need to create it.

Store the mez connector file
Store the mez connector file

You must ensure that the Power BI desktop is configured to allow any extension; for this, adjust the data extension security settings; in Power BI Desktop, select File > Options and settings > Options > Security.

Allow third party connectors
Allow third party connectors

If you have questions, please refer to the official Microsoft documentation.

5. Use the connector.

Now, it is time to use the connector; for this, you will need to open Power BI Desktop and, in the Get Data window, search for “Azure_Key_Vault.”

Using the connector
Using the connector

Click on “Continue” in the following prompt.

Accepting the connector use
Accepting the connector use

Now, you need to enter the Key Vault URI from Step 1.

Enter connector URL
Enter connector URL

For the next step, you must sign in using the same account with access to the Key Vault (usually your office account) and click on “Connect.”

Sign in
Sign in
Sign in two - select credentials
Sign in two - select credentials

And voila! You should see all the Secrets you can access in the Key Vault. Use the required one and integrate it in your M code #MIsForMagic.

Preview of credentials
Preview of credentials

6. Refresh from the service.

You will need a Gateway (this section focuses on an on-premises gateway) for refreshing this connector from the service; if you do not know how to install an on-premises Gateway, check the official Microsoft documentation:

Now that you have the Gateway installed, you will need to save the connector in the Custom Connectors folder; this folder can be changed on the Gateway’s settings:

Saving the mez file for gateway usage
Saving the mez file for gateway usage

Once you have saved the MEZ connector on the Gateway’s connector folder, it is your turn to create a new data source in the “Manage connections and gateways” section.

Power BI gateway config
Power BI gateway config

After clicking on the “+ New” connection button, we need to select the cluster where we saved the MEZ file and assign a name to the connections.

In the data source type, we search for “Azure_Key_Vault”; in “vaultBaseUrl”, we input the Key Vault URI from step 1.

On Authentication, we select OAuth2, and we click on “Edit Credentials”, where we will input and sign in with the credentials that can access the Key Vault and select the “Skip test connection” check box; finally, we click on “Create.”

Create a data source in Gateway
Create a data source in Gateway

Finally, on the settings of our published report, we need to map the gateway data source, and now our report is ready to schedule from the service!!

Mapping the connection to the data source
Mapping the connection to the data source

In conclusion.

In conclusion, integrating your Power BI reports containing API data with Azure Key Vault is a great way to ensure that sensitive secrets remain secure. We've outlined the steps you need to take for this integration process to be successful - from creating the Azure Key vault and creating a secret to obtaining the required custom connector and mapping it on your published report settings. With these instructions, you can now confidently set up an effective connection between Power BI Desktop and Azure Key Vault so that everyone who uses your dashboards has peace of mind about their privacy!

I hope you have found this post useful. Thank you for reading. Enjoy Power BI and bring your data to life! 🎉📊🤩⚡️​

5,748 views

2 comentários


Convidado:
21 de mar.

The problem that needs solving is that you do not want to expose the secrets in the keyvault, no person should be able to see them. You found a way to exposed them. A keyvault is used securely by an app during runtime. So the app identity is given access to the keyvault (not a person) Whenever a user uses the report and the report needs some credentials like an apikey to fetch data from an api, the report will get the secret using its own identity and include it on the api call that needs it. You need to make sure that no user can see this apikey anywhere.

Curtir
Oscar Martinez
Oscar Martinez
19 de abr.
Respondendo a

The same Power BI file opened on a different computer will never show the keys stored in KeyVault, as these are protected via the user's encrypted credentials in Power BI. Once this is set up, even if someone downloads the file from the Power BI service, the keys in the vault will not be visible.


If you use Power Automate, it is the same behaviour, you get the keys from KeyVault via the credentials the connector store.

Curtir
bottom of page