Tutorial: Access provisioning by data owner to Azure Storage datasets (preview)

Important

This feature is currently in PREVIEW. The Supplemental Terms of Use for Microsoft Azure Previews include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Policies in Microsoft Purview allow you to enable access to data sources that have been registered to a collection. This tutorial describes how a data owner can use Microsoft Purview to enable access to datasets in Azure Storage through Microsoft Purview.

In this tutorial, you learn how to:

• Prepare your Azure environment
• Configure permissions to allow Microsoft Purview to connect to your resources
• Register your Azure Storage resource for Data Use Management
• Create and publish a policy for your resource group or subscription

Prerequisites

• An Azure account with an active subscription. Create an account for free.
• Create a new, or use an existing Microsoft Purview account. You can follow our quick-start guide to create one.
• Create a new, or use an existing resource group, and place new data sources under it. Follow this guide to create a new resource group.

Enable access policy enforcement for the Azure Storage account

To enable Microsoft Purview to manage policies for one or more Azure Storage accounts, execute the following PowerShell commands in the subscription where you'll deploy your Azure Storage account. These PowerShell commands will enable Microsoft Purview to manage policies on all newly created Azure Storage accounts in that subscription.

If you’re executing these commands locally, be sure to run PowerShell as an administrator. Alternatively, you can use the Azure Cloud Shell in the Azure portal: https://shell.azure.com.

# Install the Az module
Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force
# Login into the subscription
Connect-AzAccount -Subscription <SubscriptionID>
# Register the feature
Register-AzProviderFeature -FeatureName AllowPurviewPolicyEnforcement -ProviderNamespace Microsoft.Storage

If the output of the last command shows RegistrationState as Registered, then your subscription is enabled for access policies. If the output is Registering, wait at least 10 minutes, and then retry the command. Do not continue unless the RegistrationState shows as Registered.

Important

The access policy feature is only available on new Azure Storage accounts. Storage accounts must meet the following requirements to enforce access policies published from Microsoft Purview.

• Storage account versions >= 81.x.x.
• Created in the subscription after the feature AllowPurviewPolicyEnforcement is Registered.

Create a new Azure Storage account

After you’ve enabled the access policy above, create new Azure Storage account(s) in one of the regions listed below. You can follow this guide to create one.

Currently, Microsoft Purview access policies can only be enforced in the following Azure Storage regions:

• France Central
• Canada Central
• East US
• East US2
• South Central US
• West US
• West US2
• North Europe
• West Europe
• UK South
• Southeast Asia
• Australia East

Configuration

Register Microsoft Purview as a resource provider in other subscriptions

Execute this step only if the data sources and the Microsoft Purview account are in different subscriptions. Register Microsoft Purview as a resource provider in each subscription where data sources reside by following this guide: Register resource provider.

The Microsoft Purview resource provider is:

Microsoft.Purview

Configure permissions for policy management actions

This section discusses the permissions needed to:

• Make a data resource available for Data Use Management. This step is needed before a policy can be created in Microsoft Purview for that resource.
• Author and publish policies in Microsoft Purview.

Important

Currently, Microsoft Purview roles related to policy operations must be configured at root collection level.

Permissions to make a data resource available for Data Use Management

To enable the Data Use Management (DUM) toggle for a data source, resource group, or subscription, the same user needs to have both certain IAM privileges on the resource and certain Microsoft Purview privileges.

1. User needs to have either one of the following IAM role combinations on the resource's ARM path or any parent of it (using inheritance).

   • IAM Owner
   • Both IAM Contributor + IAM User Access Administrator

   Follow this guide to configure Azure RBAC role permissions. The following screenshot shows how to access the Access Control section in Azure portal experience for the data resource to add a role assignment:

2. In addition, the same user needs to have Microsoft Purview Data source administrator (DSA) role at the root collection level. See the guide on managing Microsoft Purview role assignments. The following screenshot shows how to assign Data Source Admin at root collection level:

Permissions for policy authoring and publishing

The following permissions are needed in Microsoft Purview at the root collection level:

• Policy authors role can create or edit policies.
• Data source administrator role can publish a policy.

Check the section on managing Microsoft Purview role assignments in this guide.

Note

Known issues related to permissions

• In addition to Microsoft Purview Policy authors role, user may need Directory Reader permission in Azure Active Directory to create data owner policy. This is a common permission for users in an Azure tenant. You can check permissions for Azure AD Directory Reader

Delegation of access control responsibility to Microsoft Purview

Warning

• IAM Owner role for a data source can be inherited from parent resource group, subscription or subscription Management Group.
• Once a resource has been enabled for Data Use Management, any Microsoft Purview root-collection policy author will be able to create access policies against it, and any Microsoft Purview root-collection Data source admin will be able to publish those policies at any point afterwards.
• Any Microsoft Purview root Collection admin can assign new root-collection Data Source Admin and Policy author roles.
• If the Microsoft Purview account is deleted then any published policies will stop being enforced within an amount of time that is dependent on the specific data source. This can have implications both on security and data access availability.

With these warnings in mind, here are some suggested best practices for permissions:

• Minimize the number of people that hold Microsoft Purview root Collection admin, root Data Source Admin or root Policy author roles.
• To ensure check and balances, assign the Microsoft Purview Policy author and Data source admin roles to different people in the organization. With this, before a data policy takes effect, a second person (the Data source admin) must review it and explicitly approve it by publishing it.
• A Microsoft Purview account can be deleted by Contributor and Owner roles in IAM. You can check these permissions by navigating to the Access control (IAM) section for your Microsoft Purview account and selecting Role Assignments. You can also place a lock to prevent the Microsoft Purview account from being deleted through ARM locks.

Register the data sources in Microsoft Purview for Data Use Management

Your Azure Storage account needs to be registered in Microsoft Purview to later define access policies, and during registration we'll enable Data Use Management. Data Use Management is an available feature in Microsoft Purview that allows users to manage access to a resource from within Microsoft Purview. This allows you to centralize data discovery and access management, however it's a feature that directly impacts your data security.

Warning

Before enabling Data Use Management for any of your resources, read through our Data Use Management article.

This article includes Data Use Management best practices to help you ensure that your information is secure.

To register your resource and enable Data Use Management, follow these steps:

Note

You need to be an owner of the subscription or resource group to be able to add a managed identity on an Azure resource.

1. From the Azure portal, find the Azure Blob storage account that you would like to register.

   

2. Select Access Control (IAM) in the left navigation and then select + Add --> Add role assignment.

   

3. Set the Role to Storage Blob Data Reader and enter your Microsoft Purview account name under the Select input box. Then, select Save to give this role assignment to your Microsoft Purview account.

   

4. If you have a firewall enabled on your Storage account, follow these steps as well:

   1. Go into your Azure Storage account in Azure portal.

   2. Navigate to Security + networking > Networking.NET

   3. Choose Selected Networks under Allow access from.

   4. In the Exceptions section, select Allow trusted Microsoft services to access this storage account and select Save.

      

5. Once you have set up authentication for your storage account, go to the Microsoft Purview governance portal.

6. Select Data Map on the left menu.

   

7. Select Register.

   

8. On Register sources, select Azure Blob Storage.

   

9. Select Continue.

10. On the Register sources (Azure) screen, do the following:

    1. In the Name box, enter a friendly name that the data source will be listed with in the catalog.

    2. In the Subscription dropdown list boxes, select the subscription where your storage account is housed. Then select your storage account under Storage account name. In Select a collection select the collection where you'd like to register your Azure Storage account.

       

    3. In the Select a collection box, select a collection or create a new one (optional).

    4. Set the Data Use Management toggle to Enabled, as shown in the image below.

       

       Tip

       If the Data Use Management toggle is greyed out and unable to be selected:

       1. Confirm you have followed all prerequisites to enable Data Use Management across your resources.
       2. Confirm that you have selected a storage account to be registered.
       3. It may be that this resource is already registered in another Microsoft Purview account. Hover over it to know the name of the Microsoft Purview account that has registered the data resource.first. Only one Microsoft Purview account can register a resource for Data Use Management at at time.

    5. Select Register to register the resource group or subscription with Microsoft Purview with Data Use Management enabled.

Tip

For more information about Data Use Management, including best practices or known issues, see our Data Use Management article.

Create a data owner policy

1. Sign in to the Microsoft Purview governance portal.

2. Navigate to the Data policy feature using the left side panel. Then select Data policies.

3. Select the New Policy button in the policy page.

   

4. The new policy page will appear. Enter the policy Name and Description.

5. To add policy statements to the new policy, select the New policy statement button. This will bring up the policy statement builder.

   

6. Select the Effect button and choose Allow from the drop-down list.

7. Select the Action button and choose Read or Modify from the drop-down list.

8. Select the Data Resources button to bring up the window to enter Data resource information, which will open to the right.

9. Under the Data Resources Panel do one of two things depending on the granularity of the policy:

   • To create a broad policy statement that covers an entire data source, resource group, or subscription that was previously registered, use the Data sources box and select its Type.
   • To create a fine-grained policy, use the Assets box instead. Enter the Data Source Type and the Name of a previously registered and scanned data source. See example in the image.

   

10. Select the Continue button and transverse the hierarchy to select and underlying data-object (for example: folder, file, etc.). Select Recursive to apply the policy from that point in the hierarchy down to any child data-objects. Then select the Add button. This will take you back to the policy editor.

    

11. Select the Subjects button and enter the subject identity as a principal, group, or MSI. Then select the OK button. This will take you back to the policy editor

    

12. Repeat the steps #5 to #11 to enter any more policy statements.

13. Select the Save button to save the policy.

    

Publish a data owner policy

1. Sign in to the Microsoft Purview governance portal.

2. Navigate to the Data policy feature using the left side panel. Then select Data policies.

   

3. The Policy portal will present the list of existing policies in Microsoft Purview. Locate the policy that needs to be published. Select the Publish button on the right top corner of the page.

   

4. A list of data sources is displayed. You can enter a name to filter the list. Then, select each data source where this policy is to be published and then select the Publish button.

   

Important

• Publish is a background operation. It can take up to 2 hours for the changes to be reflected in Storage account(s).

Clean up resources

To delete a policy in Microsoft Purview, follow these steps:

1. Sign in to the Microsoft Purview governance portal.

2. Navigate to the Data policy feature using the left side panel. Then select Data policies.

   

3. The Policy portal will present the list of existing policies in Microsoft Purview. Select the policy that needs to be updated.

4. The policy details page will appear, including Edit and Delete options. Select the Edit button, which brings up the policy statement builder. Now, any parts of the statements in this policy can be updated. To delete the policy, use the Delete button.

   

Next steps

Check our demo and related tutorials:

Demo of access policy for Azure Storage Concepts for Microsoft Purview data owner policies Enable Microsoft Purview data owner policies on all data sources in a subscription or a resource group