Skip to main content

Announcing General Availability of Bring Your Own Key (BYOK) for Power BI Premium

 

What’s Happening?

Today, we are happy to announce the General Availability (GA) of Bring Your Own Key (BYOK) for Power BI Premium. This feature gives enterprises the ability to configure the encryption key used to encrypt their data when it’s stored in the Microsoft cloud.
With BYOK, each premium capacity can be set to encrypt data at rest using separate keys. As a result, you can exercise control over each capacity separately, revoke your organization’s keys and make the data in each separate capacity unreadable to the service within 1 hour.

How does it work?

When users publish reports and apps to Power BI Premium capacities, the capacities keep all data-at-rest encrypted, on their 100Tb storage.
With BYOK, when publishing Power BI reports, each capacity calls your organization’s Azure Key Vault (AKV) and fetches the encryption key associated with that capacity, to use it during the encryption process. When the dataset is loaded into the capacities’ memory the same key is fetched again to use in the decryption process.
If you ever wish to do so, you can revoke Power BI’s access to each key separately and exercise control over power BI’s access to data in each capacity separately.

When Should I Use BYOK?

This feature, together with Power BI’s Multi Geo for Compliance, and the latest data protection capabilities in Power BI provides a suite of abilities that allow organizations to meet compliance and regulatory requirements, customized as necessary, and achieve best-in-class data protection.

How Do I Turn It On?

To turn on BYOK, Power BI Tenant administrators must use a set of Admin PowerShell Cmdlets added to the Power BI Admin Cmdlets.

What Else Do I Need To Know?

Encryption using customer owned keys applies only to datasets and only to datasets in import mode. Data pulled into a dataset during run time using DirectQuery and datasets configured to source from a SQL Server Analysis Services server via Live Connect do not store the data at rest, therefore are not covered by BYOK.
Click here to learn more about BYOK’s applicability to all artifacts in Power BI.

As any security and compliance feature, administrators should read through the BYOK documentation and follow recommended practices before turning on BYOK.