Microsoft Purview data owner policies let users manage access to different data systems from one central data governance platform, Microsoft Purview. In this blog, we will show how to use Microsoft Purview to manage access to Azure Storage.
Prerequisites
- Check that the Azure Storage account's region is in the supported region list.
- Configure the Azure subscription with AllowPurviewPolicyEnforcement.
- Register the storage account for Data Use Management in Microsoft Purview.
- Assign the Policy author role to create, update, and delete Data Owner policies; the Data source admin role can publish a policy.
Steps to create a data owner policy for Blob storage
- The first step is to check that the region is in the current region support list in the following document: Region support
- Then configure the subscription that hosts the Azure Storage account; refer to How to configure the subscription
# Install the Az module
Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force

# Login into the subscription
Connect-AzAccount -Subscription <SubscriptionID>

# Register the feature
Register-AzProviderFeature -FeatureName AllowPurviewPolicyEnforcement -ProviderNamespace Microsoft.Storage
After running the above PowerShell script, the feature's RegistrationState shows as "Registered":
Register-AzProviderFeature -FeatureName AllowPurviewPolicyEnforcement -ProviderNamespace Microsoft.Storage

FeatureName                   ProviderName      RegistrationState
-----------                   ------------      -----------------
AllowPurviewPolicyEnforcement Microsoft.Storage Registered
- Register the Blob storage account for Data Use Management in Microsoft Purview.
- Create a data owner policy. In this policy I granted read permission to my principal on the sub-container "permissiontest" folder.
- Test that my principal has permission to access the "permissiontest" folder using a PowerShell script.
az storage blob list --account-name stftapurviewdemo --container permissiontest --auth-mode login
[
  {
    "container": "permissiontest",
    "content": "",
    "deleted": null,
    "encryptedMetadata": null,
    "encryptionKeySha256": null,
    "encryptionScope": null,
    "hasLegalHold": null,
    "hasVersionsOnly": null,
    "immutabilityPolicy": {
      "expiryTime": null,
      "policyMode": null
...

When you remove the access, the same command fails with the following message: the permission is now required, as we expected.

You do not have the required permissions needed to perform this operation. Depending on your operation, you may need to be assigned one of the following roles:
  "Storage Blob Data Contributor"
  "Storage Blob Data Reader"
  "Storage Queue Data Contributor"
  "Storage Queue Data Reader"
  "Storage Table Data Contributor"
  "Storage Table Data Reader"
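The steps above, from feature registration to the access test, can be scripted so that the check is repeatable every time a policy is published or revoked. The following script is an added example for this post, not the post's own script or a Microsoft sample. It assumes the Az.Accounts, Az.Resources and Az.Storage modules are installed and that Connect-AzAccount has already been run; the subscription, storage account ("stftapurviewdemo") and container ("permissiontest") values are placeholders taken from the post, and the function names are this example's own.

```powershell
# Added example (not from the original post): confirm the prerequisite feature is
# registered, then confirm what the data owner policy actually grants or denies.
param(
    [string]$SubscriptionId      = '<SubscriptionID>',   # placeholder
    [string]$StorageAccountName  = 'stftapurviewdemo',   # value from the post
    [string]$ContainerName       = 'permissiontest'      # value from the post
)

Set-AzContext -Subscription $SubscriptionId | Out-Null

# Feature registration is asynchronous: Register-AzProviderFeature can report
# "Registering" at first. Poll until the state is Registered, or give up.
function Wait-PurviewPolicyEnforcement {
    param([int]$TimeoutMinutes = 15)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $feature = Get-AzProviderFeature -FeatureName 'AllowPurviewPolicyEnforcement' `
                                         -ProviderNamespace 'Microsoft.Storage'
        if ($feature.RegistrationState -eq 'Registered') { return $true }
        Write-Host "RegistrationState: $($feature.RegistrationState); waiting..."
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    return $false
}

# List blobs with the signed-in identity (Azure AD auth, no account key), so the
# outcome reflects Azure RBAC plus the published Purview policy and nothing else.
function Test-BlobReadAccess {
    param([string]$Account, [string]$Container)
    $ctx = New-AzStorageContext -StorageAccountName $Account -UseConnectedAccount
    try {
        $blobs = Get-AzStorageBlob -Container $Container -Context $ctx -ErrorAction Stop
        [pscustomobject]@{
            Container = $Container; Allowed = $true
            BlobCount = @($blobs).Count; Error = $null
        }
    } catch {
        # A 403 (AuthorizationPermissionMismatch) here means neither an RBAC role
        # nor a published Purview policy grants read on this container.
        [pscustomobject]@{
            Container = $Container; Allowed = $false
            BlobCount = 0; Error = $_.Exception.Message
        }
    }
}

if (-not (Wait-PurviewPolicyEnforcement)) {
    throw 'AllowPurviewPolicyEnforcement did not reach the Registered state in time.'
}

# Run once with the policy published (expect Allowed = True) and once after the
# principal is removed from the policy (expect Allowed = False).
Test-BlobReadAccess -Account $StorageAccountName -Container $ContainerName | Format-List
```

The access test deliberately uses `-UseConnectedAccount` (the Az equivalent of the post's `--auth-mode login`): a context built from the storage account key would authorize with shared key and bypass both RBAC and the Purview policy, so a passing test with key-based auth would tell you nothing about what the policy grants.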
Enjoy!
Updated Nov 28, 2022, Version 1.0
AmberZhao, Microsoft, FastTrack for Azure