Create an exception to deploy Microsoft Purview

Many subscriptions have Azure Policies in place that restrict the creation of some resources, to maintain subscription security and cleanliness. However, creating a Microsoft Purview account also deploys two other Azure resources: an Azure Storage account and an Event Hubs namespace. These resources are managed by Azure, so you don't need to maintain them, but you do need to deploy them. Existing policies may block this deployment, and you may receive an error when attempting to create a Microsoft Purview account.

To maintain your policies in your subscription, but still allow the creation of these managed resources, you can create an exception.

Create an Azure policy exception for Microsoft Purview

  1. Navigate to the Azure portal and search for Policy.

    Screenshot showing the Azure portal search bar, searching for Policy keyword.

  2. Follow Create a custom policy definition, or modify an existing policy, to add two exceptions that use the not operator and the resourceBypass tag:

    {
      "mode": "All",
      "policyRule": {
        "if": {
          "anyOf": [
            {
              "allOf": [
                {
                  "field": "type",
                  "equals": "Microsoft.Storage/storageAccounts"
                },
                {
                  "not": {
                    "field": "tags['<resourceBypass>']",
                    "exists": true
                  }
                }
              ]
            },
            {
              "allOf": [
                {
                  "field": "type",
                  "equals": "Microsoft.EventHub/namespaces"
                },
                {
                  "not": {
                    "field": "tags['<resourceBypass>']",
                    "exists": true
                  }
                }
              ]
            }
          ]
        },
        "then": {
          "effect": "deny"
        }
      },
      "parameters": {}
    }
    

    Note

    The tag doesn't have to be named resourceBypass; any tag name works. It's up to you to define its value when you create the Microsoft Purview account in later steps, as long as the policy can detect the tag.

    Screenshot showing how to create policy definition.

  3. Create a policy assignment using the custom policy created.

    Screenshot showing how to create policy assignment
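
The rule from step 2 can be checked offline before it is assigned. The following is an added example, not Microsoft's code: a small Python evaluator for only the condition operators this rule uses, run against constructed resources. The tag name resourceBypass, the helper names and the sample resources are assumptions.

```python
import re

BYPASS_TAG = "resourceBypass"  # assumed name; the page leaves it as a placeholder

def _untagged(resource_type):
    # One branch of the rule: this resource type AND the bypass tag is absent.
    return {"allOf": [
        {"field": "type", "equals": resource_type},
        {"not": {"field": f"tags['{BYPASS_TAG}']", "exists": True}},
    ]}

POLICY_IF = {"anyOf": [_untagged("Microsoft.Storage/storageAccounts"),
                       _untagged("Microsoft.EventHub/namespaces")]}

def field_value(resource, field):
    # Resolve "type" or "tags['name']"; simplification: exact tag-name match.
    m = re.fullmatch(r"tags\['(.+)'\]", field)
    if m:
        return resource.get("tags", {}).get(m.group(1))
    return resource.get(field)

def matches(cond, resource):
    if "anyOf" in cond:
        return any(matches(c, resource) for c in cond["anyOf"])
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "not" in cond:
        return not matches(cond["not"], resource)
    value = field_value(resource, cond["field"])
    if "equals" in cond:  # Azure Policy compares strings case-insensitively
        return isinstance(value, str) and value.lower() == cond["equals"].lower()
    if "exists" in cond:
        return (value is not None) == cond["exists"]
    raise ValueError(f"unsupported condition: {cond}")

def effect(resource):
    # "deny" when the if-block matches, otherwise the request is allowed.
    return "deny" if matches(POLICY_IF, resource) else "allow"

# Constructed sample resources (not real deployments).
SAMPLES = {
    "purview-managed storage, tagged": {"type": "Microsoft.Storage/storageAccounts", "tags": {BYPASS_TAG: "purview"}},
    "ordinary storage, untagged": {"type": "Microsoft.Storage/storageAccounts", "tags": {}},
    "event hubs namespace, other tag": {"type": "Microsoft.EventHub/namespaces", "tags": {"env": "dev"}},
    "virtual machine, untagged": {"type": "Microsoft.Compute/virtualMachines"},
}

if __name__ == "__main__":
    for name, res in SAMPLES.items():
        print(f"{effect(res):5}  {name}")
```

The rule tests only that the tag exists, so the tag's value does not change the result, and resource types other than the two listed are never denied by it.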

Note

If you have an Azure Policy in place and need to add an exception as in Prerequisites, you need to add the correct tag. For example, you can add the resourceBypass tag: Add tag to Microsoft Purview account.

Next steps

To set up Microsoft Purview by using Private Link, see Use private endpoints for your Microsoft Purview account.