
Announcing Bring Your Own Key (BYOK) Preview for Power BI Premium

By David Magar

Today, we are pleased to announce the preview of the latest addition in Power BI’s enterprise-grade feature set – Bring Your Own Key (BYOK) for Power BI Premium.

Power BI encrypts data at rest for all customers. With BYOK, organizations requiring additional controls over how their data is encrypted can exercise that control by configuring Power BI to use their own keys, stored in Azure Key Vaults, for data-at-rest encryption instead of Microsoft-managed keys.

BYOK encryption applies to Power BI Premium capacities only, and organizations can choose to associate different capacities with different keys and/or different key vaults, as illustrated below:

Power BI will use customer-provided keys to encrypt the data of all datasets published to the workspaces assigned to the configured Premium Capacities. This means BYOK will not be applied for the following data:

  • Query result caches for tiles and visuals
  • Datasets configured to source from SQL Server Analysis Services via Live Connect, because the dataset resides in a customer-owned Analysis Services server
  • Excel workbooks (unless data is first imported into Power BI Desktop)
  • Paginated Reports’ data
  • Dataflow Data

This feature, together with Power BI’s Multi Geo for Compliance, provides a suite of abilities that allow organizations to meet compliance and regulatory requirements, customized as necessary for specific locations, subsidiaries, or projects.

To turn on BYOK, Power BI tenant administrators should use a set of Power BI Management cmdlets added to the Power BI PowerShell module.
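A sketch of that workflow for a single capacity, added here as an illustration and not taken from the original announcement. The cmdlet names are those of the MicrosoftPowerBIMgmt module, which the announcement does not list; the key name, Key Vault URI and capacity ID are placeholders to replace with your own values.

```powershell
# Added example. All values below are placeholders, not real identifiers.
Import-Module MicrosoftPowerBIMgmt

$keyName    = 'Contoso Sales'                                                   # hypothetical display name
$keyUri     = 'https://<your-vault>.vault.azure.net/keys/<key-name>/<version>'  # placeholder Key Vault key URI
$capacityId = '<premium-capacity-guid>'                                         # placeholder capacity ID

# Sign in as a Power BI tenant administrator.
Connect-PowerBIServiceAccount

# Register the customer-managed key with the tenant.
# -Default and -Activate are deliberately omitted so that registering the key
# does not change encryption for capacities that are not explicitly assigned below.
Add-PowerBIEncryptionKey -Name $keyName -KeyVaultKeyUri $keyUri

# Associate one Premium capacity with the key. Repeat with a different key name
# to give another capacity its own key or key vault.
Set-PowerBICapacityEncryptionKey -CapacityId $capacityId -KeyName $keyName

# Verify: list the keys registered in the tenant, then check the encryption
# status of the workspaces covered by this key.
Get-PowerBIEncryptionKey
Get-PowerBIWorkspaceEncryptionStatus -Name $keyName
```

Review the verification output before treating a capacity as covered: the data types listed above remain outside BYOK even after the key is assigned.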

As with any security and compliance feature, administrators should read through the BYOK documentation and follow recommended practices before turning on BYOK.