Organizations must manage and protect sensitive information that may be spread across data assets in different clouds and on-premises datacenters, both to maintain customer trust and to avoid potential penalties.
Microsoft Purview provides a unified solution and a single control plane for centrally managing access to sensitive information across an organization’s multi-cloud data estate, which helps with compliance with data regulations set forth by various governing bodies, regulatory authorities, and legal jurisdictions.
Today, Purview identifies sensitive data elements in data assets, including Azure Blob Storage, ADLS Gen2 and Azure SQL Database, and can apply sensitivity labels to those data assets. Please refer to Auto Label Assets for additional information.
This preview release enables Enterprise Admins to centrally define and manage cross-cutting policies across data sources in a multi-cloud environment and to set guardrails around the sensitive data in Azure SQL DB, ADLS Gen2 and Azure Blob Storage, in addition to M365 assets and AWS S3.
Microsoft Purview Information Protection for Azure Blob Storage and ADLS Gen2:
- Purview identifies sensitive information and auto-applies labels to blob files and resource sets in Storage accounts. Please refer to How to label your assets for additional information.
- Storage Data Owners have the flexibility to enable specific storage accounts for policy enforcement.
- Additionally, for each information protection policy on a sensitivity label, Enterprise admins have granular control over the storage accounts on which the policy must be enforced.
- Information Protection policies are enforced on blobs and resource sets, and only authorized Azure Entra ID users/M365 user groups will be able to retrieve sensitive data. Non-authorized users will be blocked from reading the blob or resource set.
Microsoft Purview Information Protection for Azure SQL Database:
- Purview identifies sensitive information and auto-applies labels to columns of a table. Please refer to How to label your assets for additional information.
- Data Owners of Azure SQL Database have the flexibility to enable specific Azure SQL Servers for policy enforcement.
- Additionally, for each information protection policy configured on a Sensitivity Label, Enterprise admins have granular control over the Azure SQL Servers on which the policy must be enforced.
- Information Protection policies are enforced at column-level granularity, thus protecting sensitive data without blocking access to non-sensitive data columns in database tables.
Configure policies from the Information Protection App in Microsoft Purview
Select the Sensitivity Label on which the policy must be enforced.
Select the data sources on which the policy must be enforced.
Select Entra ID Users and M365 User Groups. The Azure Entra ID users/M365 user groups selected in the policy will be authorized to read data carrying the sensitivity label configured in the policy. Users not selected in the list will be blocked from accessing sensitive data even if they have resource-level access.
For Azure Blob Storage and ADLS Gen2, after a policy is created, when users access a blob or a resource set, only authorized users will be able to read the data, based on the sensitivity label of the blob or resource set and the user’s Entra ID credentials.
For Azure SQL Database, after the policy is created, when users run a SQL query through an application or a SQL client, users will be authorized to read data based on the sensitivity labels of the columns in the query and the user’s Entra ID credentials.
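To make the enforcement rules described above concrete, here is an added illustrative model (example code, not Purview's implementation or API): a label-based policy is an extra gate on top of resource-level access, unlabelled data is unaffected, storage access is decided per blob/resource set, and SQL access is decided per column in the query. The policy, label, group, server and storage-account names are constructed for the example, and the rule that a query must pass for every column it touches is an assumption.

```python
"""Illustrative model of Purview-style information protection policy evaluation.
Added example, not Purview's code. Assumptions: a principal may read labelled data
only if a policy enforced at that data source names one of the principal's groups;
unlabelled data is governed by resource-level access alone; a SQL query is allowed
only if every column it references passes."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional


@dataclass(frozen=True)
class Policy:
    label: str                        # sensitivity label the policy protects
    authorized_groups: FrozenSet[str]  # Entra ID users / M365 groups allowed to read
    scopes: FrozenSet[str]            # storage accounts / SQL servers it is enforced on


def read_allowed(label: Optional[str], scope: str, user_groups: FrozenSet[str],
                 has_resource_access: bool, policies: Iterable[Policy]) -> bool:
    """Decide whether a principal may read data carrying `label` in data source `scope`."""
    if not has_resource_access:
        return False                  # resource-level RBAC remains the first gate
    if label is None:
        return True                   # unlabelled data: policies do not apply
    applicable = [p for p in policies if p.label == label and scope in p.scopes]
    if not applicable:
        return True                   # label not protected at this data source
    # Resource-level access alone is not enough: a policy must name one of the groups.
    return any(p.authorized_groups & user_groups for p in applicable)


def sql_query_allowed(column_labels: Dict[str, Optional[str]], server: str,
                      user_groups: FrozenSet[str], has_resource_access: bool,
                      policies: Iterable[Policy]) -> bool:
    """Column-level enforcement: every column the query touches must be readable."""
    return all(read_allowed(lbl, server, user_groups, has_resource_access, policies)
               for lbl in column_labels.values())


# Constructed sample data (hypothetical names, not from the post).
POLICIES = [Policy("Highly Confidential", frozenset({"finance-analysts"}),
                   frozenset({"sqlsrv-finance", "stacct-finance"}))]
CUSTOMER_COLUMNS = {"customer_id": None, "email": None, "ssn": "Highly Confidential"}

if __name__ == "__main__":
    eng = frozenset({"platform-engineers"})   # has resource-level access, not in policy
    print(sql_query_allowed(CUSTOMER_COLUMNS, "sqlsrv-finance", eng, True, POLICIES))
    print(sql_query_allowed({"customer_id": None}, "sqlsrv-finance", eng, True, POLICIES))
```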
Please refer to the video below for details of how Information Protection policies are enforced on Azure SQL DB, Azure Blob Storage, and ADLS Gen2.
[Video: Demo - Protection Policies for SQL and Storage]
Get started!
- At Ignite we are launching a gated public preview of Microsoft Purview Information Protection policies.
- Learn more about Microsoft Purview Information Protection policies for AWS S3: MIP-Policy-Enforcement-S3
Updated Nov 13, 2023
Version 1.0
RoshniP960
Microsoft Security Community Blog