Bring your own Azure key vault (preview)
[This article is prerelease documentation and is subject to change.]
Note
Azure Active Directory is now Microsoft Entra ID.
Linking a dedicated Azure key vault to a Dynamics 365 Customer Insights - Data environment helps organizations to meet compliance requirements.
Link the key vault to the Customer Insights - Data environment
Set up the dedicated key vault to stage and use secrets in an organization's compliance boundary.
Prerequisites
An active Azure subscription.
An Administrator role assigned in Customer Insights - Data.
Contributor and User Access Administrator roles on the key vault or on the resource group the key vault belongs to. For more information, go to Add or remove Azure role assignments using the Azure portal. If you don't have the User Access Administrator role on the key vault, set up the role-based access control permissions for the Microsoft Entra service principal of Customer Insights - Data separately. Follow the steps to use a Microsoft Entra service principal for the key vault that should be linked.
The key vault must have the Key Vault firewall disabled.
The key vault must be in the same Azure region as the Customer Insights - Data environment. In Customer Insights - Data, go to Settings > System and then the About tab to view the region of the environment.
Recommendations
Use a separate or dedicated key vault that contains only the secrets required for the system.
Follow the Key Vault best practices for access control, backup, audit, and recovery.
Link a key vault to the environment
- Go to Settings > Permissions, and then select the Key Vault tab.
- On the Key Vault tile, select Setup.
- Choose a Subscription.
- Choose a key vault from the Key Vault dropdown list. If too many key vaults are available, select a resource group to limit the search results.
- Review the Data privacy and compliance and select I agree.
- Select Save.
The Key Vault tile shows the linked key vault name, subscription, and resource group. It's ready to be used in the connection setup. For details about which permissions on the key vault are granted to the system, go to Permissions granted on the key vault.
Use the key vault in the connection setup
When setting up connections to supported third-party systems, use the secrets from the linked Key Vault to configure the connections.
- Go to Settings > Connections.
- Select Add connection.
- For the supported connection types, a Use Key Vault toggle is available if you linked a key vault.
- Instead of entering the secret manually, choose the secret name that points to the secret value in the key vault.
- Select Save to create the connection.
Supported connection types
The following export connections are supported:
- ActiveCampaign
- Autopilot
- DotDigital
- Google Ads
- Klaviyo
- LiveRamp
- Marketo
- Omnisend
- Salesforce Marketing Cloud
- Sendgrid
- Sendinblue
- SFTP
Permissions granted on the key vault
The following permissions are granted to Customer Insights - Data on a linked key vault, depending on whether the key vault uses a Key Vault access policy or Azure role-based access control.
Key Vault access policy
| Type | Permissions |
|---|---|
| Key | Get Keys, Get Key |
| Secret | Get Secrets, Get Secret |
| Certificate | Get Certificates, Get Certificate |

These are the minimum permissions needed to list and read keys, secrets, and certificates during execution.
Azure role-based access control
The Key Vault Reader and Key Vault Secrets User roles will be added for Customer Insights - Data.
Frequently asked questions
Can Customer Insights - Data write secrets or overwrite secrets into the key vault?
No. Only the read and list permissions outlined in Permissions granted on the key vault are granted. The system can't add, delete, or overwrite secrets in the key vault. That's also the reason why you can't enter credentials when a connection uses Key Vault.
Can I change a connection from using Key Vault secrets to default authentication?
No. You can't change back to a default connection after you've configured it by using a secret from a linked key vault. Create a separate connection, and delete the old one if you don't need it anymore.
How can I revoke access to a key vault for Customer Insights - Data?
If a Key Vault access policy or Azure role-based access control is enabled, remove the permissions for the service principal 0bfc4568-a4ba-4c58-bd3e-5d3e76bd7fff (display name Dynamics 365 AI for Customer Insights). All connections that use the key vault will stop working.
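The prerequisites, the permission tables, and the revoke answer above, combined into one Azure CLI script. This is an added example, not code from the page or from the Customer Insights product; it assumes `az login` has been run, and the vault name and region are constructed placeholders the operator overrides.

```shell
#!/bin/sh
# Added example (not from the page or Microsoft): Azure CLI helper for the Key Vault link.
# Assumes `az login` is done; VAULT and CI_REGION are constructed placeholders.
set -eu
CI_SP_APP_ID="0bfc4568-a4ba-4c58-bd3e-5d3e76bd7fff"  # Dynamics 365 AI for Customer Insights (from the page)
VAULT="${VAULT:-ci-data-secrets-kv}"                  # placeholder vault name
CI_REGION="${CI_REGION:-westeurope}"                  # placeholder: copy from Settings > System > About

# Pure prerequisite check: vault region must match the environment and the firewall must be off.
# `az keyvault show` prints an empty defaultAction when no network rules were ever set (firewall off).
kv_prereqs_ok() {
  vault_loc="$1"; env_region="$2"; fw_default="$3"
  [ "$vault_loc" = "$env_region" ] || { echo "region mismatch: vault=$vault_loc env=$env_region" >&2; return 1; }
  [ -z "$fw_default" ] || [ "$fw_default" = "Allow" ] \
    || { echo "Key Vault firewall is enabled (defaultAction=$fw_default)" >&2; return 1; }
  return 0
}

# Grant exactly the read/list set from the permission tables, in whichever model the vault uses.
grant_ci_access() {
  oid=$(az ad sp show --id "$CI_SP_APP_ID" --query id -o tsv)
  vault_id=$(az keyvault show --name "$VAULT" --query id -o tsv)
  rbac=$(az keyvault show --name "$VAULT" --query properties.enableRbacAuthorization -o tsv)
  if [ "$rbac" = "true" ]; then
    for role in "Key Vault Reader" "Key Vault Secrets User"; do
      az role assignment create --assignee-object-id "$oid" --assignee-principal-type ServicePrincipal \
        --role "$role" --scope "$vault_id" >/dev/null
    done
  else
    az keyvault set-policy --name "$VAULT" --object-id "$oid" --key-permissions get list \
      --secret-permissions get list --certificate-permissions get list >/dev/null
  fi
}

# Revoke, as in the FAQ: afterwards every connection that uses this vault stops working.
revoke_ci_access() {
  oid=$(az ad sp show --id "$CI_SP_APP_ID" --query id -o tsv)
  vault_id=$(az keyvault show --name "$VAULT" --query id -o tsv)
  az keyvault delete-policy --name "$VAULT" --object-id "$oid" >/dev/null 2>&1 || true
  for role in "Key Vault Reader" "Key Vault Secrets User"; do
    az role assignment delete --assignee "$oid" --role "$role" --scope "$vault_id" 2>/dev/null || true
  done
}

# Usage: VAULT=<vault> CI_REGION=<region> sh link-ci-keyvault.sh grant   (checks, then grants)
if [ "${1:-}" = "grant" ]; then
  loc=$(az keyvault show --name "$VAULT" --query location -o tsv)
  fw=$(az keyvault show --name "$VAULT" --query properties.networkAcls.defaultAction -o tsv)
  kv_prereqs_ok "$loc" "$CI_REGION" "$fw" && grant_ci_access
fi
```

Run `revoke_ci_access` from the same shell (after sourcing the script) to carry out the revoke step from the FAQ.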
A secret that's used in a connection got removed from the key vault. What can I do?
A notification appears in Customer Insights - Data when a configured secret from the key vault isn't accessible anymore. Enable soft-delete on the key vault to restore secrets if they're accidentally removed.
A connection doesn't work, but my secret is in the key vault. What might be the cause?
A notification appears in Customer Insights - Data when it can't access the key vault. The cause might be:
- The permissions for the service principal got removed. They need to be manually restored.
- The firewall on the key vault is enabled. The firewall must be disabled to make the key vault accessible for the system again.