Troubleshoot your connections in Azure Purview
This article describes how to troubleshoot connection errors while setting up scans on data sources in Azure Purview.
Permission the credential on the data source
If you're using a managed identity or service principal as a method of authentication for scans, you'll have to allow these identities to have access to your data source.
There are specific instructions for each source type:
- Azure multiple sources
- Azure Blob Storage
- Azure Cosmos DB
- Azure Data Explorer
- Azure Data Lake Storage Gen1
- Azure Data Lake Storage Gen2
- Azure SQL Database
- Azure SQL Database Managed Instance
- Azure Synapse Analytics
- SQL Server
- Power BI
- Amazon S3
Verifying Azure Role-based Access Control to enumerate Azure resources in Azure Purview Studio
Registering single Azure data source
To register a single data source in Azure Purview, such as Azure Blob Storage or Azure SQL Database, you must be granted at least the Reader role on the resource, or inherit it from a higher scope such as the resource group or subscription. Note that some Azure RBAC roles, such as Security Admin, do not have read access to view Azure resources in the control plane.
Verify this by following the steps below:
- From the Azure portal, navigate to the resource that you are trying to register in Azure Purview. If you can view the resource, it is likely that you already have at least the Reader role on the resource.
- Select Access control (IAM) > Role Assignments.
- Search by name or email address of the user who is trying to register data sources in Azure Purview.
- Verify that a role assignment such as Reader exists in the list, or add a new role assignment if needed.
Scanning multiple Azure data sources
- From the Azure portal, navigate to the subscription or the resource group.
- Select Access Control (IAM) from the left menu.
- Select +Add.
- In the Select input box, select the Reader role and enter your Azure Purview account name (which represents its MSI name).
- Select Save to finish the role assignment.
- Repeat the steps above to add the identity of the user who is trying to create a new scan for multiple data sources in Azure Purview.
Scanning data sources using Private Link
If the public endpoint is restricted on your data sources, then to scan Azure data sources using Private Link you need to set up a self-hosted integration runtime and create a credential.
Important
Scanning multiple data sources that contain databases such as Azure SQL Database with Deny public network access will fail. To scan these data sources using a private endpoint, use the option to register a single data source instead.
For more information about setting up a self-hosted integration runtime, see Ingestion private endpoints and scanning sources.
For more information about how to create a new credential in Azure Purview, see Credentials for source authentication in Azure Purview.
Storing your credential in your key vault and using the right secret name and version
You must also store your credential in your Azure Key Vault instance and use the right secret name and version.
Verify this by following the steps below:
- Navigate to your Key Vault.
- Select Settings > Secrets.
- Select the secret you're using to authenticate against your data source for scans.
- Select the version that you intend to use and verify that the password or account key is correct by selecting Show Secret Value.
Verify permissions for the Purview managed identity on your Azure Key Vault
Verify that the correct permissions have been configured for the Purview managed identity to access your Azure Key Vault.
To verify this, do the following steps:
- Navigate to your key vault and to the Access policies section.
- Verify that your Purview managed identity shows under the Current access policies section with at least Get and List permissions on Secrets.
If you don't see your Purview managed identity listed, then follow the steps in Create and manage credentials for scans to add it.
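The access policy check above can also be run against the JSON that `az keyvault show --name <vault>` returns. The following is an added example, not part of the original article: the sample vault and all object IDs are constructed placeholders, and `check_secret_access` is a hypothetical helper name. It also reports permissions beyond Get and List, and the case where the vault uses the Azure RBAC permission model, in which access policies are not evaluated.

```python
import json

REQUIRED = {"get", "list"}  # the minimum the article asks for on Secrets

# Constructed sample shaped like `az keyvault show --name <vault>` output.
SAMPLE_VAULT = json.loads("""
{
  "properties": {
    "enableRbacAuthorization": false,
    "accessPolicies": [
      {"objectId": "11111111-1111-1111-1111-111111111111",
       "permissions": {"keys": [], "secrets": ["Get", "List"], "certificates": []}},
      {"objectId": "22222222-2222-2222-2222-222222222222",
       "permissions": {"keys": ["get"], "secrets": ["get", "list", "set", "delete"]}},
      {"objectId": "33333333-3333-3333-3333-333333333333",
       "permissions": {"secrets": ["get"]}}
    ]
  }
}
""")


def check_secret_access(vault, object_id):
    """Return (status, missing, extra) for one identity's Secrets permissions."""
    props = vault.get("properties", {})
    # With the Azure RBAC permission model, access policies are not evaluated.
    if props.get("enableRbacAuthorization"):
        return ("rbac-model", set(), set())
    granted = set()
    found = False
    for policy in props.get("accessPolicies") or []:
        if policy.get("objectId", "").lower() == object_id.lower():
            found = True
            secrets = (policy.get("permissions") or {}).get("secrets") or []
            granted |= {p.lower() for p in secrets}  # values may be mixed case
    if not found:
        return ("not-listed", set(REQUIRED), set())
    if "all" in granted:  # "all" covers Get and List but is broader than needed
        return ("ok", set(), {"all"})
    missing = REQUIRED - granted
    extra = granted - REQUIRED
    return ("ok" if not missing else "missing", missing, extra)


if __name__ == "__main__":
    for n in "1234":  # constructed placeholder object IDs; the last is not listed
        oid = "-".join(n * k for k in (8, 4, 4, 4, 12))
        print(oid, check_secret_access(SAMPLE_VAULT, oid))
```

A non-empty `extra` set means the identity holds more than the scan needs on Secrets and is a candidate for trimming back to Get and List.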