Credentials for source authentication in Azure Purview

This article describes how you can create credentials in Azure Purview. These saved credentials let you quickly reuse and apply saved authentication information to your data source scans.

Prerequisites

Introduction

A credential is authentication information that Azure Purview can use to authenticate to your registered data sources. A credential object can be created for various types of authentication scenarios, such as Basic Authentication requiring username/password. Credential capture specific information required to authenticate, based on the chosen type of authentication method. Credentials use your existing Azure Key Vaults secrets for retrieving sensitive authentication information during the Credential creation process.

Use Purview managed identity to set up scans

If you are using the Purview managed identity to set up scans, you will not have to explicitly create a credential and link your key vault to Purview to store them. For detailed instructions on adding the Purview managed identity to have access to scan your data sources, refer to the data source-specific authentication sections below:

Create Azure Key Vaults connections in your Azure Purview account

Before you can create a Credential, first associate one or more of your existing Azure Key Vault instances with your Azure Purview account.

  1. From the Azure portal, select your Azure Purview account. Navigate to the Management Center and then navigate to credentials.

  2. From the Credentials page, select Manage Key Vault connections.

    Manage Azure Key Vault connections

  3. Select + New from the Manage Key Vault connections page.

  4. Provide the required information, then select Create.

  5. Confirm that your Key Vault has been successfully associated with your Azure Purview account as shown in this example:

    View Azure Key Vault connections to confirm.

Grant the Purview managed identity access to your Azure Key Vault

  1. Navigate to your Azure Key Vault.

  2. Select the Access policies page.

  3. Select Add Access Policy.

    Add Purview MSI to AKV

  4. In the Secrets permissions dropdown, select Get and List permissions.

  5. For Select principal, choose the Purview managed identity. You can search for the Purview MSI using either the Purview instance name or the managed identity application ID. We do not currently support compound identities (managed identity name + application ID).

    Add access policy

  6. Select Add.

  7. Select Save to save the Access policy.

    Save access policy

Create a new credential

These credential types are supported in Purview:

  • Basic authentication: You add the password as a secret in key vault.
  • Service Principal: You add the service principal key as a secret in key vault.
  • SQL authentication: You add the password as a secret in key vault.
  • Account Key: You add the account key as a secret in key vault.

For more information, see Add a secret to Key Vault.

After storing your secrets in the key vault:

  1. In Azure Purview, go to the Credentials page.

  2. Create your new Credential by selecting + New.

  3. Provide the required information. Select the Authentication method and a Key Vault connection from which to select a secret from.

  4. Once all the details have been filled in, select Create.

    New credential

  5. Verify that your new credential shows up in the list view and is ready to use.

    View credential

Manage your key vault connections

  1. Search/find Key Vault connections by name

    Search key vault

  2. Delete one or more Key Vault connections

    Delete key vault

Manage your credentials

  1. Search/find Credentials by name.

  2. Select and make updates to an existing Credential.

  3. Delete one or more Credentials.

Next steps

Create a scan rule set