Microsoft Purview data owner policy for storage
Published Nov 28 2022 01:38 PM 2,782 Views
Microsoft

Microsoft Purview Data owner policies enable users to manage access to different data systems via a central data governance platform Microsoft Purview. In this blog, we will introduce how to use Microsoft Purview to manage storage access.

 

Prerequisites

  • Check Azure storage regions are available.
  • Configure the Azure subscription with AllowPurviewPolicyEnforcement.
  • Registered storage account for Data Use Management in Microsoft Purview.
  • Assign the Policy author role to create, update, and delete Data Owner policies; the Data source admin role can publish a policy.

 

Steps to create a data owner policy for Blob storage

  1. The first step is to check the region is in the current region support list from the following document. Region support 
  2. Then go to configure the subscription where the Azure storage account be hosted; refer to How to configure the subscription 
    # Install the Az module
    Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force
    
    # Login into the subscription
    
    Connect-AzAccount -Subscription <SubscriptionID>
    
    # Register the feature
    
    Register-AzProviderFeature -FeatureName AllowPurviewPolicyEnforcement -ProviderNamespace Microsoft.Storage
    
    

    After running the above PowerShell script, you will see the following state show as “registered”. 

    Register-AzProviderFeature -FeatureName AllowPurviewPolicyEnforcement -ProviderNamespace Microsoft.Storage
    
    FeatureName                   ProviderName      RegistrationState
    -----------                   ------------      -----------------
    AllowPurviewPolicyEnforcement Microsoft.Storage Registered
  3. Registered Blob storage account for Data Use Management in Microsoft Purview.                                                                                     AmberData_1-1669665711103.png
  4. Create a data owner policy, I granted read permission to my principal in the sub-container “permissiontest” folder in this policy. AmberData_2-1669665711106.png
  5. Test my principal has permission to access the “permissiontest” folder using PowerShell script.
     az storage blob list --account-name stftapurviewdemo --container permissiontest --auth-mode login
    [
      {
        "container": "permissiontest",
        "content": "",
        "deleted": null,
        "encryptedMetadata": null,
        "encryptionKeySha256": null,
        "encryptionScope": null,
        "hasLegalHold": null,
        "hasVersionsOnly": null,
        "immutabilityPolicy": {
          "expiryTime": null,
          "policyMode": null
    ...
    When you remove the access, it will show as the following the permission is required as we expected. 
    You do not have the required permissions needed to perform this operation.
    Depending on your operation, you may need to be assigned one of the following roles:
        "Storage Blob Data Contributor"
        "Storage Blob Data Reader"
        "Storage Queue Data Contributor"
        "Storage Queue Data Reader"
        "Storage Table Data Contributor"
        "Storage Table Data Reader"​

Enjoy!

Co-Authors
Version history
Last update:
‎Nov 28 2022 12:51 PM
Updated by: