Microsoft Purview data owner policy for storage

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Community Hub.

Microsoft Purview data owner policies let users manage access to different data systems from a central data governance platform, Microsoft Purview. In this blog, we introduce how to use Microsoft Purview to manage storage access.


Prerequisites

  • Check that the Azure storage account's region is supported.
  • Configure the Azure subscription with the AllowPurviewPolicyEnforcement feature.
  • Register the storage account for Data Use Management in Microsoft Purview.
  • Assign the Policy author role to create, update, and delete data owner policies; the Data source admin role can publish a policy.


Steps to create a data owner policy for Blob storage

  1. The first step is to check that the region is in the current region support list in the following document: Region support
  2. Then configure the subscription that hosts the Azure storage account; refer to How to configure the subscription.

     # Install the Az module
     Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force
     # Log in to the subscription
     Connect-AzAccount -Subscription <SubscriptionID>
     # Register the feature
     Register-AzProviderFeature -FeatureName AllowPurviewPolicyEnforcement -ProviderNamespace Microsoft.Storage

     After running the above PowerShell script, the feature's registration state shows as "Registered":

     Register-AzProviderFeature -FeatureName AllowPurviewPolicyEnforcement -ProviderNamespace Microsoft.Storage

     FeatureName                   ProviderName      RegistrationState
     -----------                   ------------      -----------------
     AllowPurviewPolicyEnforcement Microsoft.Storage Registered
  3. Register the Blob storage account for Data Use Management in Microsoft Purview.
  4. Create a data owner policy. In this example, I granted read permission to my principal on the sub-container “permissiontest” folder.
  5. Test that the principal has permission to access the “permissiontest” folder using the following command run from PowerShell:

     az storage blob list --account-name stftapurviewdemo --container permissiontest --auth-mode login
     [
       {
         "container": "permissiontest",
         "content": "",
         "deleted": null,
         "encryptedMetadata": null,
         "encryptionKeySha256": null,
         "encryptionScope": null,
         "hasLegalHold": null,
         "hasVersionsOnly": null,
         "immutabilityPolicy": {
           "expiryTime": null,
           "policyMode": null
     ...

     When you remove the access, the same command fails with the permission error we expect:

     You do not have the required permissions needed to perform this operation. Depending on your operation, you may need to be assigned one of the following roles:
         "Storage Blob Data Contributor"
         "Storage Blob Data Reader"
         "Storage Queue Data Contributor"
         "Storage Queue Data Reader"
         "Storage Table Data Contributor"
         "Storage Table Data Reader"
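The five steps above can be checked end to end from one PowerShell session. The script below is an added example, not code from the original post or from Microsoft: it waits for the AllowPurviewPolicyEnforcement feature to reach "Registered" (registration is asynchronous and reports "Registering" first), confirms the storage account exists and prints its region so you can compare it against the support list, and then tests data-plane read access as the signed-in principal with Azure AD authentication (the Az module equivalent of `--auth-mode login`). It assumes the Az.Accounts, Az.Resources and Az.Storage modules are installed; `$SubscriptionId`, `$StorageAccountName` and the container name are placeholders you supply. Running it once after publishing the policy and once after removing it shows the allow/deny flip directly.

```powershell
# Added example (not from the original post): verify prerequisites and test
# the effect of a Purview data owner policy on a Blob container.
# Placeholders: -SubscriptionId, -StorageAccountName, -ContainerName.
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,
    [Parameter(Mandatory)] [string] $StorageAccountName,
    [string] $ContainerName = 'permissiontest'
)

Connect-AzAccount -Subscription $SubscriptionId | Out-Null

# Step 2: register the feature and poll until the state is "Registered".
# Register-AzProviderFeature returns immediately with "Registering".
Register-AzProviderFeature -FeatureName AllowPurviewPolicyEnforcement `
    -ProviderNamespace Microsoft.Storage | Out-Null
do {
    $feature = Get-AzProviderFeature -FeatureName AllowPurviewPolicyEnforcement `
        -ProviderNamespace Microsoft.Storage
    Write-Host "Feature state: $($feature.RegistrationState)"
    if ($feature.RegistrationState -ne 'Registered') { Start-Sleep -Seconds 30 }
} while ($feature.RegistrationState -ne 'Registered')

# Step 1: confirm the account exists and show its region for the support-list check.
$account = Get-AzStorageAccount | Where-Object StorageAccountName -eq $StorageAccountName
if (-not $account) {
    throw "Storage account '$StorageAccountName' not found in subscription $SubscriptionId"
}
Write-Host "Storage account region: $($account.Location)"

# Step 5: list blobs as the signed-in principal using Azure AD auth
# (-UseConnectedAccount), not the account key, so the Purview policy applies.
function Test-BlobReadAccess {
    param([string] $AccountName, [string] $Container)
    $ctx = New-AzStorageContext -StorageAccountName $AccountName -UseConnectedAccount
    try {
        $blobs = Get-AzStorageBlob -Container $Container -Context $ctx -ErrorAction Stop
        return [pscustomobject]@{ Allowed = $true;  BlobCount = @($blobs).Count; Error = $null }
    } catch {
        # A 403 here means neither an RBAC data role nor a Purview policy grants read.
        return [pscustomobject]@{ Allowed = $false; BlobCount = 0; Error = $_.Exception.Message }
    }
}

$result = Test-BlobReadAccess -AccountName $StorageAccountName -Container $ContainerName
if ($result.Allowed) {
    Write-Host "Read allowed on '$ContainerName' ($($result.BlobCount) blobs): policy is in effect."
} else {
    Write-Host "Read denied on '$ContainerName': $($result.Error)"
}
```

Using `-UseConnectedAccount` matters: a context built from the storage account key bypasses both RBAC and Purview policies, so it would report access even when the policy denies it. `Test-BlobReadAccess` returns an object rather than printing, so the same function can be reused in a scheduled check that alerts when a container becomes readable without a corresponding published policy.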

Enjoy!
