Forum Discussion
Key vault access through full private network configuration
Great! That's a solid setup, and fully private infra on Azure always brings some interesting challenges.
You’re right about the general behavior. When "Allow trusted Microsoft services" is enabled on Key Vault, services like Databricks and Data Factory can access it without needing a private endpoint. When you turn that off, access should fail unless there’s another connection path.
Now, the reason why Data Factory still works even after disabling the trusted services flag is likely that you're using a managed virtual network integration in Data Factory. That gives it an injected VNet and allows it to create managed private endpoints behind the scenes, even if you didn't manually set one up.
Most likely, a managed private endpoint to Key Vault was automatically created during pipeline setup or testing. You can check this by going to your Data Factory workspace, clicking on Manage, and then checking the Managed private endpoints section. If you see a private endpoint there pointing to your Key Vault, that explains why it still works.
So yes, Data Factory can still access Key Vault without the trusted services option if it has a managed private endpoint in place. Let me know if you want help confirming or cleaning up those endpoints.
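To make the check above repeatable rather than a portal click-through, here is an added example (not from the original reply or from Microsoft) that takes the Key Vault resource JSON and the factory's managed private endpoint list, in the property shapes the Azure REST API returns for those two resources, and works out which access path is open: the public endpoint, the "Allow trusted Microsoft services" bypass (`networkAcls.bypass = "AzureServices"`), or an approved managed private endpoint whose `privateLinkResourceId` is the vault. The vault name, resource IDs and both JSON documents are constructed for the example; in practice you would feed it the output of `az keyvault show` and `az datafactory managed-private-endpoint list`.

```python
"""Work out which path (if any) lets a Data Factory reach a Key Vault.

Inputs are the Key Vault resource JSON and the factory's managed private
endpoint list, in the property shapes the Azure REST API returns for those
resources. Both sample documents below are constructed for this example.
"""
from __future__ import annotations

import json

# Constructed sample: a vault with the trusted-services bypass turned off and
# public access disabled (the fully private setup discussed in the thread).
KEY_VAULT_JSON = """
{
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-data/providers/Microsoft.KeyVault/vaults/kv-data",
  "name": "kv-data",
  "properties": {
    "publicNetworkAccess": "Disabled",
    "networkAcls": {
      "bypass": "None",
      "defaultAction": "Deny",
      "ipRules": [],
      "virtualNetworkRules": []
    }
  }
}
"""

# Constructed sample: the factory's managed private endpoints. One was created
# and approved against the vault above; the other targets a storage account.
MANAGED_PE_JSON = """
[
  {
    "name": "kv-data-pe",
    "properties": {
      "privateLinkResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-data/providers/Microsoft.KeyVault/vaults/kv-data",
      "groupId": "vault",
      "connectionState": {"status": "Approved", "description": "", "actionsRequired": "None"},
      "fqdns": ["kv-data.vault.azure.net"],
      "provisioningState": "Succeeded"
    }
  },
  {
    "name": "stdata-blob-pe",
    "properties": {
      "privateLinkResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/stdata",
      "groupId": "blob",
      "connectionState": {"status": "Approved", "description": "", "actionsRequired": "None"},
      "fqdns": ["stdata.blob.core.windows.net"],
      "provisioningState": "Succeeded"
    }
  }
]
"""

SAMPLE_VAULT = json.loads(KEY_VAULT_JSON)
SAMPLE_ENDPOINTS = json.loads(MANAGED_PE_JSON)


def managed_endpoints_for(vault: dict, endpoints: list[dict]) -> list[dict]:
    """Return the managed private endpoints that target this vault.

    Match on the vault's ARM resource ID (case-insensitive, as ARM IDs are)
    and on the Key Vault private-link group ID, which is "vault".
    """
    vault_id = vault["id"].lower()
    return [
        pe for pe in endpoints
        if pe["properties"]["privateLinkResourceId"].lower() == vault_id
        and pe["properties"]["groupId"] == "vault"
    ]


def access_paths(vault: dict, endpoints: list[dict]) -> list[str]:
    """List every path by which the factory could reach the vault.

    Entries are "public" (public endpoint on and firewall default Allow),
    "trusted-services" (the bypass the thread talks about) and
    "managed-pe:<name>" for each APPROVED managed private endpoint. An
    empty list means there is no path and access should be failing.
    """
    props = vault["properties"]
    acls = props.get("networkAcls", {})
    paths: list[str] = []

    public_on = props.get("publicNetworkAccess", "Enabled") == "Enabled"
    if public_on and acls.get("defaultAction", "Allow") == "Allow":
        paths.append("public")

    # "Allow trusted Microsoft services to bypass this firewall"
    if acls.get("bypass") == "AzureServices":
        paths.append("trusted-services")

    # A managed PE only carries traffic once the vault side has approved it;
    # Pending/Rejected endpoints show up in managed_endpoints_for() but not here.
    for pe in managed_endpoints_for(vault, endpoints):
        if pe["properties"]["connectionState"]["status"] == "Approved":
            paths.append(f"managed-pe:{pe['name']}")
    return paths


if __name__ == "__main__":
    print("access paths:", access_paths(SAMPLE_VAULT, SAMPLE_ENDPOINTS) or "none")
```

With the sample data the only open path is `managed-pe:kv-data-pe`, which is exactly the situation the reply describes: trusted services off, public access off, and the factory still getting through on an endpoint nobody remembers creating. If you remove that endpoint the list comes back empty, so the function doubles as a quick regression check after a clean-up.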