Create an Azure Policy exception for Purview

Many subscriptions have Azure Policies in place that restrict the creation of some resources, in order to maintain subscription security and cleanliness. However, creating a Purview account also deploys two other Azure resources: an Azure Storage account and an Event Hub namespace. These resources are managed by Azure, so you don't need to maintain them, but they do need to be deployed when the account is created.

To maintain your policies in your subscription, but still allow the creation of these managed resources, you can create a policy exception.

Create a policy exception for Purview

  1. Navigate to the Azure portal and search for Policy

    Screenshot showing the Azure portal search bar, searching for Policy keyword.

  2. Follow Create a custom policy definition, or modify an existing policy, to add two exceptions using the not operator and the resourceBypass tag:

    {
      "mode": "All",
      "policyRule": {
        "if": {
          "anyOf": [
            {
              "allOf": [
                {
                  "field": "type",
                  "equals": "Microsoft.Storage/storageAccounts"
                },
                {
                  "not": {
                    "field": "tags['<resourceBypass>']",
                    "exists": true
                  }
                }
              ]
            },
            {
              "allOf": [
                {
                  "field": "type",
                  "equals": "Microsoft.EventHub/namespaces"
                },
                {
                  "not": {
                    "field": "tags['<resourceBypass>']",
                    "exists": true
                  }
                }
              ]
            }
          ]
        },
        "then": {
          "effect": "deny"
        }
      },
      "parameters": {}
    }
    

    Note

    The tag name doesn't have to be resourceBypass; it can be anything you choose, and you define its value when you create the Purview account in later steps, as long as the policy can detect the tag.

    Screenshot showing how to create policy definition.

  3. Create a policy assignment using the custom policy created.

    Screenshot showing how to create policy assignment

Note

If you have an Azure Policy in place and need to add an exception as in Prerequisites, you need to add the correct tag when you create the Purview account. For example, you can add the resourceBypass tag: Add tag to Purview account.
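To see which resources the rule above denies, the following added example (not part of the original page and not Microsoft's code) evaluates it with a simplified Python model of only the operators it contains. The tag name resourceBypass, the helper names and the sample resources are assumptions made for illustration.

```python
import re
# Assumed tag name; the rule on the page uses the placeholder <resourceBypass>.
BYPASS_TAG = "resourceBypass"
STORAGE, EVENTHUB = "Microsoft.Storage/storageAccounts", "Microsoft.EventHub/namespaces"

def deny_unless_tagged(resource_type):
    # One branch of the rule: this resource type AND the bypass tag is absent.
    return {"allOf": [
        {"field": "type", "equals": resource_type},
        {"not": {"field": f"tags['{BYPASS_TAG}']", "exists": True}},
    ]}

POLICY_IF = {"anyOf": [deny_unless_tagged(STORAGE), deny_unless_tagged(EVENTHUB)]}

def lookup(resource, field):
    """Return (exists, value) for 'type' or tags['<name>']."""
    tag = re.fullmatch(r"tags\['(.+)'\]", field)
    if tag:
        tags = resource.get("tags") or {}
        return tag.group(1) in tags, tags.get(tag.group(1))
    return field in resource, resource.get(field)

def matches(cond, resource):
    """Evaluate only the operators this rule uses (a simplified model)."""
    if "anyOf" in cond:
        return any(matches(c, resource) for c in cond["anyOf"])
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "not" in cond:
        return not matches(cond["not"], resource)
    exists, value = lookup(resource, cond["field"])
    if "exists" in cond:
        return exists == cond["exists"]
    return exists and value == cond["equals"]  # exact match in this model

def is_denied(resource):
    return matches(POLICY_IF, resource)

# Constructed sample resources, not real deployments.
SAMPLES = {
    "storage, untagged": {"type": STORAGE},
    "storage, bypass tag": {"type": STORAGE, "tags": {BYPASS_TAG: "purview"}},
    "event hub, other tag": {"type": EVENTHUB, "tags": {"env": "dev"}},
    "event hub, bypass tag": {"type": EVENTHUB, "tags": {BYPASS_TAG: "purview"}},
    "virtual machine": {"type": "Microsoft.Compute/virtualMachines"},
}
if __name__ == "__main__":
    for name, res in SAMPLES.items():
        print(f"{name}: {'deny' if is_denied(res) else 'not denied'}")
```

The rule checks only that the tag is present, so the exception covers any Storage account or Event Hub namespace carrying it, not only the ones deployed with Purview. Account for who can set that tag when you scope the policy assignment.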

Next steps

To set up Azure Purview by using Private Link, see Use private endpoints for your Azure Purview account.