Prepare your Azure data sources at scale to onboard into Azure Purview for registration and scanning

Published 06-02-2021 03:16 PM

If you are planning to register and scan Azure data sources in Azure Purview, there is a series of prerequisites you may need to look into first. The Azure Purview account requires both network and identity access to your Azure data sources before it can register and scan them.

 

Running the readiness check script on data source Azure subscriptions

An Azure Purview account needs a credential to connect to data sources and scan them. Several credential types are available, such as the Azure Purview managed identity (MSI), a service principal, or a SQL credential. For example, if your data source is an Azure SQL Database, you could save SQL admin credentials inside an Azure Key Vault as a secret and create a new credential inside Azure Purview that uses that secret when scanning. When setting up a new scan, you can use this credential to connect to the data source and retrieve its metadata. We recommend using the Azure Purview managed identity whenever possible, because it reduces the complexity of setting up additional resources and credentials. In this case, the managed identity needs access to each data source through both the Azure RBAC control plane and the data plane.

 

Use the following decision tree if you are unsure what credential type is the most suitable for your data sources:  

Create and manage credentials for scans - Azure Purview | Microsoft Docs (https://docs.microsoft.com/en-us/azure/purview/manage-credentials)

 

If you are protecting your data sources using Azure Service Endpoint, you need to allow AzureServices to connect to your data sources.
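The three requirements described above (control-plane RBAC, data-plane RBAC, and the AzureServices network exception) can be evaluated per storage account as in the following added example, which is not the Purview readiness script and not code from the original post. The function name, the sample ids and the two role names (built-in Azure roles, assumed here as the ones to check) are assumptions.

```powershell
# Added example: readiness logic for one storage data source, run on constructed input.
# Assumption: these two built-in roles are the ones the Purview MSI needs.
$ControlPlaneRole = 'Reader'
$DataPlaneRole    = 'Storage Blob Data Reader'

function Test-PurviewStorageReadiness {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string]   $ResourceId,       # full ARM id of the storage account
        [Parameter(Mandatory)] [string]   $MsiObjectId,      # object id of the Purview managed identity
        [Parameter(Mandatory)] [object[]] $RoleAssignments,  # objects with ObjectId, RoleDefinitionName, Scope
        [Parameter(Mandatory)] [object]   $NetworkRuleSet    # object with DefaultAction, Bypass
    )
    # An assignment counts if it is made on the resource itself or on a parent scope
    # (subscription or resource group), because RBAC assignments are inherited.
    $mine = @($RoleAssignments | Where-Object {
        $_.ObjectId -eq $MsiObjectId -and (
            $ResourceId -eq $_.Scope -or
            $ResourceId.StartsWith($_.Scope.TrimEnd('/') + '/', [StringComparison]::OrdinalIgnoreCase))
    })
    $roles = @($mine | ForEach-Object { $_.RoleDefinitionName })
    # Network is fine if the firewall is open, or closed with the AzureServices bypass set.
    $bypass = "$($NetworkRuleSet.Bypass)" -split ',\s*'
    $netOk  = ($NetworkRuleSet.DefaultAction -eq 'Allow') -or ($bypass -contains 'AzureServices')
    [pscustomobject]@{
        ResourceId   = $ResourceId
        ControlPlane = $roles -contains $ControlPlaneRole
        DataPlane    = $roles -contains $DataPlaneRole
        Network      = $netOk
    }
}

# Constructed sample input with placeholder ids. Against a live subscription the same
# shapes come from Get-AzRoleAssignment and Get-AzStorageAccountNetworkRuleSet.
$sub = '/subscriptions/00000000-0000-0000-0000-000000000000'
$id  = "$sub/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/examplestore"
$msi = '11111111-1111-1111-1111-111111111111'
$assignments = @(
    [pscustomobject]@{ ObjectId = $msi; RoleDefinitionName = 'Reader'; Scope = $sub }
)
$rules = [pscustomobject]@{ DefaultAction = 'Deny'; Bypass = 'Logging, Metrics' }

Test-PurviewStorageReadiness -ResourceId $id -MsiObjectId $msi `
    -RoleAssignments $assignments -NetworkRuleSet $rules
```

In the constructed sample the identity inherits the control-plane role from the subscription but has no data-plane role, and the firewall denies by default without the AzureServices bypass, so two of the three checks report a gap.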

 

Validating that these requirements are in place and setting them up may be time consuming if you have hundreds of Azure resources and subscriptions. We have therefore recently included a series of tools in the Azure Purview documentation, so you can validate the readiness of your data sources in Azure and configure the required RBAC, SQL authentication and network access.

 

Currently, the following data sources are supported in the scripts:

  • Azure Blob Storage (BlobStorage)
  • Azure Data Lake Storage Gen 2 (ADLSGen2)
  • Azure Data Lake Storage Gen 1 (ADLSGen1)
  • Azure SQL Database (AzureSQLDB)
  • Azure SQL Managed Instance (AzureSQLMI)
  • Azure Synapse (Synapse)

 

Use the following guide if you first want to validate the readiness of your Azure resources such as Azure SQL Database, Synapse, Azure Blob Storage, or Azure Data Lake:

Tutorial: Check data sources readiness at scale (preview) - Azure Purview | Microsoft Docs (https://docs.microsoft.com/en-us/azure/purview/tutorial-data-sources-readiness)

 

The guide walks you through the steps and provides you access to a PowerShell script to automate the readiness check. Once you run the tool, the output report helps you discover the current state of your Azure data sources and highlights the missing configurations that are needed for registering and scanning them inside Azure Purview.

Whether you are the Azure subscription or data services resource owner, or you need to reach out to those who have access to these Azure resources, this output report gives you a clear list of required settings to apply.

 

Configure Azure Purview MSI settings at scale 

We have also developed a tool that can help you automate configuring the required network, SQL authentication, and Azure RBAC control plane and data plane assignments on data sources at scale.

 

Follow the guide provided in the following link for more information about the tool and how to use it: 

Tutorial: Configure access to data sources for Azure Purview MSI at scale (preview) - Azure Purview ... (https://docs.microsoft.com/en-us/azure/purview/tutorial-msi-configuration)

 

 

Last update: Jun 02 2021 10:25 AM