Microsoft Purview data owner policies let you manage access to different data systems from one central data governance platform, Microsoft Purview, instead of assigning Azure RBAC roles on each resource. In this blog we show how to use Microsoft Purview to manage access to Azure Blob storage: register the required feature on the storage subscription, then verify that access is granted and revoked as the policy is published and removed.
Prerequisites
Steps to create a data owner policy for Blob storage
# Install the Az module (needed for the Register-AzProviderFeature cmdlet below)
Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force
# Sign in to the subscription that contains the storage account
Connect-AzAccount -Subscription <SubscriptionID>
# Register the feature that lets Purview policies be enforced on Microsoft.Storage
Register-AzProviderFeature -FeatureName AllowPurviewPolicyEnforcement -ProviderNamespace Microsoft.Storage
Feature registration is asynchronous and can take a few minutes. After running the script above, re-run the registration command (or query the feature) until the registration state shows as "Registered":
Register-AzProviderFeature -FeatureName AllowPurviewPolicyEnforcement -ProviderNamespace Microsoft.Storage
FeatureName ProviderName RegistrationState
----------- ------------ -----------------
AllowPurviewPolicyEnforcement Microsoft.Storage Registered
With a read policy published for the container, verify access with the Azure CLI using the signed-in Entra ID identity (--auth-mode login) rather than the storage account key, so the result reflects the policy decision instead of key-based access. A successful listing looks like this:
az storage blob list --account-name stftapurviewdemo --container permissiontest --auth-mode login
[
{
"container": "permissiontest",
"content": "",
"deleted": null,
"encryptedMetadata": null,
"encryptionKeySha256": null,
"encryptionScope": null,
"hasLegalHold": null,
"hasVersionsOnly": null,
"immutabilityPolicy": {
"expiryTime": null,
"policyMode": null
...
When you remove the access (by removing the data owner policy), the same command fails with the permission error below, as expected:
You do not have the required permissions needed to perform this operation.
Depending on your operation, you may need to be assigned one of the following roles:
"Storage Blob Data Contributor"
"Storage Blob Data Reader"
"Storage Queue Data Contributor"
"Storage Queue Data Reader"
"Storage Table Data Contributor"
"Storage Table Data Reader"
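The whole check end to end, as an added example that is not part of the original post: it registers the feature, polls until the state is Registered (the first call normally returns "Registering"), and then tests data-plane access with the signed-in Entra ID identity, which is the PowerShell equivalent of the az storage blob list --auth-mode login call above. The subscription ID, storage account and container names are placeholders taken from the post; substitute your own.

```powershell
# Added example, not from the original post. Assumes the Az module is installed
# and that the signed-in identity can register features on the subscription.
param(
    [string]$SubscriptionId = '<SubscriptionID>',   # placeholder
    [string]$StorageAccount = 'stftapurviewdemo',   # placeholder from the post
    [string]$Container      = 'permissiontest'      # placeholder from the post
)

Connect-AzAccount -Subscription $SubscriptionId | Out-Null

# Feature registration is asynchronous: the first call usually returns "Registering".
Register-AzProviderFeature -FeatureName AllowPurviewPolicyEnforcement `
    -ProviderNamespace Microsoft.Storage | Out-Null

# Poll until the feature is actually registered before relying on policy enforcement.
do {
    Start-Sleep -Seconds 20
    $state = (Get-AzProviderFeature -FeatureName AllowPurviewPolicyEnforcement `
        -ProviderNamespace Microsoft.Storage).RegistrationState
    Write-Host "AllowPurviewPolicyEnforcement: $state"
} while ($state -ne 'Registered')

# Test data-plane access with the Entra ID token of the signed-in user
# (-UseConnectedAccount), not the account key, so the outcome reflects the
# Purview policy / RBAC decision for this identity.
$ctx = New-AzStorageContext -StorageAccountName $StorageAccount -UseConnectedAccount
try {
    $blobs = Get-AzStorageBlob -Container $Container -Context $ctx -ErrorAction Stop
    Write-Host "Access granted: $(@($blobs).Count) blob(s) in '$Container'"
    $blobs | Select-Object Name, Length, LastModified
}
catch {
    # After the policy is removed this is the expected path: an HTTP 403
    # (AuthorizationPermissionMismatch) with the role list shown in the post.
    Write-Warning "Access denied or request failed: $($_.Exception.Message)"
}
```

Run it once after publishing the policy (expect the blob listing) and again after removing the policy (expect the warning). Policy changes propagate asynchronously, so if the second run still succeeds, wait a few minutes and retry before concluding that enforcement is not working.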
Enjoy!