My Blog Bertalan Rónai
  • MS Fabcon Vienna
  • SQL Saturday in 2025
  • SQL Saturday in 2019
  • Lisbon in about 2023
  • Stockholm in 2023
  • I live around here.
Read this if you are Vibe coding with MS Fabric!
Bertalan
October 5, 2025
Fabric

Today using AI for supporting development is expected but copy pasting code for AI can bring dangers as well. It's a basic requirement for all developers to protect all sensitive information from accidentally sharing sensitive information with AI when we are asking it to help out with a coding problem.

I have vibe coded multiple useful applications in the past months, which is why I can see the dangers of accidentally pasting sensitive information. I'll explain how to store your sensitive information for example passwords in a MS Key Vault.

Create a Service Principal

This step is necessary for the Key Vault example, if you are familiar with the process, just scroll down to the next part. A Service Principal (SPN) is a dedicated, non-human account for applications and scripts. It's a "digital employee" that doesn't go on vacation or forget its password.

Let’s create a new SPN in MS Azure portal: (https://portal.azure.com )
The Service Principal is created through a process called "App Registration."
I’ll name it Fabric2025RW (RW stands for Read-Write)
Manage – Owners : If your admin agrees with you, you or your team can be the owner.
Once it’s created, go and open it in App registrations:

Then use the Power BI service as Application Type.

I recommend having multiple SPN-s setup, one with Tenant.Read.All, one with Tenant.ReadWrite.All
and others if you need to select permissions with a narrow scope.

The Administrator SPN Tenant.ReadWrite.All
It has the highest level of authority and can perform any action that a Power BI Administrator can for example downloading Power BI reports. Because of its power, it must be used with extreme caution and protected vigorously. The Admin consent required is a setting where the tenant admin needs to allow the SPN to access these endpoints. After clicking on Grand admin consent, the yellow icons turn to green.

The Specialist SPN (Specific, Scoped Permissions)
This is the recommended best practice for over 90% of all automation tasks. You create a dedicated SPN for a specific application or script and grant it only the precise permissions it needs to do its job, and nothing more. For example: A dataset refresher SPN.

Stay in the Application Registration interface to create a new secret. Securely save the following three values, as we will need them in the next step: the Client Secret Value, the Application (client) ID, and the Directory (tenant) ID. Pay attention to the expiration date of the secret. New secrets should be created periodically or when someone with access leaves the company.

Create the following secrets:

Name: spn-client-id - The application ID, client ID of the SPN.
Name: spn-tenant-id The Directory (tenant) ID.
Name: spn-client-secret The Client Secret Value

    Create an MS Entra (Active Directory) group for the Service Principal, I named it PBAdmins in my example. Enable using the Admin API for read only and or updates (read-write) in the Fabric Admin portal.

    This post or article assumes that you have access to these settings for brevity only, in real life you do these steps together with the tenant or capacity admin.

    The Digital Safe – Securing Your Credentials with Azure Key Vault

    Now that you have your powerful Service Principal, you're faced with a critical question: where do you store its Client ID, Tenant ID, and especially its very sensitive Client Secret? The worst thing you can do is hard-code them directly into your scripts or notebooks.

    This is where Azure Key Vault comes in. Think of it as a highly secure, managed digital safe in the cloud. You put your secrets inside, and you create strict rules about who (or what) is allowed to open it and retrieve them.

    Create the following secrets:

    • Name: spn-client-id - The application ID of the SPN.
      Name: spn-tenant-id The Directory (tenant) ID.
      Name: spn-client-secret The Client Secret Value

      Grant Access to the Key Vault

      "When granting access to Key Vault, we need to set up permissions for two different 'identities':

      Your User Account: To run the demo notebook in Fabric, the code runs as you. Therefore, you need to add your own user account to the Key Vault's access policies with Secret Permissions of Get and List.
      This allows the demo notebook to read the secrets.

      The Service Principal (via a Group): For more advanced unattended scenarios, like an Azure Function that needs to access the vault, you would add the PBAdmins security group to the access policy, also with Get and List permissions.

      MS Fabrix Key Vault demo notebook

      I just uploaded this to my github repo, see the last cell where you can see that I actually ran this notebook with success. This is the key part from the notebook:
      tenant_id = mssparkutils.credentials.getSecret(key_vault_uri, "spn-tenant-id")
      client_id = mssparkutils.credentials.getSecret(key_vault_uri, "spn-client-id")
      client_secret = mssparkutils.credentials.getSecret(key_vault_uri, "spn-client-secret")

      Complete notebook: https://github.com/RonaiBertalan/PowerBI/blob/master/KeyVault%20Demo.ipynb

      Following these steps is essential to handle access to sensitive data and it's a simpler way to periodically replace passwords to data sources without knowing all the dependencies.

      Share on Facebook
      Share on Twitter

      Leave a Reply

      Your email address will not be published. Required fields are marked *