Details
Updated June 10, 2025: We have updated the timeline below. Thank you for your patience.
Microsoft Fabric will introduce a feature in Limited Release to apply a customer-managed encryption key (CMK) at the user workspace level and a corresponding admin setting at the tenant level called Apply customer-managed keys (preview) in the Encryption section of the Fabric admin portal. By default, the new setting is on, which means the feature is available to all workspace admins. You can toggle it off in the Fabric admin center if you decide not to make this feature available to your Fabric users.
[When this will happen:]
Limited Release: We will begin rolling out mid-June 2025 and expect to complete by late June 2025.
We will communicate the plan for General Availability in a future post.
[How this will affect your organization:]
All Fabric data stores are encrypted at rest by using Microsoft-managed keys (MMK). Fabric data includes customer data as well as system data and metadata. While data can be processed in memory in an unencrypted state, it's never persisted to permanent storage while in an unencrypted state. In addition to using MMK, you can use customer-managed keys (CMK) to encrypt data at rest in Fabric. Workspace admins can enable encryption using new or existing keys in an Azure Key Vault (AKV) to protect their data using a key they control. CMK in Fabric supports a variety of key sizes and auto key rotation, and guarantees that data is inaccessible within 1 hour of key revocation.
This feature provides you with greater control over the protection of your data. With CMK, you can manage your own encryption keys, ensuring that your data is protected in accordance with security policies specific to your organization and regulatory requirements. If you revoke the customer key, Microsoft will lose access to your data and any read/write operations to that data will fail. This feature will be controlled by a new Encryption setting in the Workspace settings page.
In this Limited Release, we will support the following Fabric items: Lakehouse, Environment, Spark Job Definition, API for GraphQL, ML model, Experiment, Data Pipeline, Dataflow, Industry solutions and Mirrored databases. If you enable CMK for your workspace, you will not be able to create items that are not supported by CMK in Fabric. Conversely, if you have items in your workspace that are not supported by CMK in Fabric, you will not be able to enable CMK for that workspace.
The admin setting is located in the Fabric admin portal > Tenant settings > Encryption > Apply customer-managed keys (preview).
[What you need to do to prepare:]
If no actions are taken on the corresponding tenant setting, workspace admins will be able to enable CMK for their workspaces.
This rollout will happen automatically by the specified dates with no admin action required before the rollout. Review your current configuration to assess the impact on your organization. You may want to notify your users about this change and update any relevant documentation.
We encourage you to assess this new setting and make any necessary changes to align with your organization's security and access control policies.
If you have any questions or need further assistance, please do not hesitate to contact our support team.
Before rollout, we will update this post with new documentation.