How to scan Azure SQL with Purview

David Broggy 5,701 Reputation points MVP
2024-07-08T02:13:30.62+00:00

I'd like to do a scan of Azure SQL with Purview using the Purview managed identity.

I'm aware of the following pieces to this puzzle:

  • Purview managed identity
  • IAM Reader role - at the subscription level for my use case
  • SQL Server Networking: Allow Azure services and resources to access this server
  • SQL Server Networking: Private Access - I've created a private endpoint
  • Azure Entra credentials - enabled
  • Configure Entra Identity access to Azure SQL: ok - ran sql commands to allow managed identity to login to sql server.

What I'm asking is, say I have 100 Azure SQL servers. Do I have to set this up 100 times or is there a more scalable solution? What are the specific steps, assuming I know the pieces above? Do any IAM roles need to be assigned to the Purview managed identity just for scanning (e.g. the Reader role)?

Thanks!

Microsoft Purview

1 answer

  1. PRADEEPCHEEKATLA-MSFT 84,771 Reputation points Microsoft Employee
    2024-07-08T03:16:06.95+00:00

    @David Broggy - Thanks for the question and using MS Q&A platform.

    To scan multiple Azure SQL servers with Purview using the Purview managed identity, you can use the Microsoft Purview MSI Configuration script. This script helps you configure any missing role-based access control (RBAC) or required network configurations across your data sources in Azure.

    To use the script, you'll need to prepare a list of data source subscriptions where your Azure SQL servers are located. You'll also need an Azure Key Vault resource in each subscription that has data sources like Azure SQL Database, Azure Synapse Analytics, or Azure SQL Managed Instance.

    Once you have the prerequisites in place, you can run the Microsoft Purview MSI Configuration script to configure the required authentication and network rules for Microsoft Purview across your data sources. The script will configure the necessary IAM roles and network settings for each Azure SQL server, so you don't have to set it up 100 times.

    Regarding IAM roles, the Purview managed identity requires the Data Reader role to register a source and manage it in the Microsoft Purview governance portal. However, for scanning, the managed identity requires the Data Source Administrator role. You can assign these roles at the subscription level for your use case.

    For more details, refer to Tutorial: Configure access to data sources for Microsoft Purview MSI at scale

    Hope this helps. Do let us know if you have any further queries.


    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

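As an added example that is not part of the question or the answer above (and not Microsoft's MSI configuration script), the following PowerShell script automates the pieces the question lists across every Azure SQL logical server in a set of subscriptions: a Reader assignment for the Purview managed identity at subscription scope, the "Allow Azure services and resources to access this server" firewall rule, and a read-only contained database user for the managed identity in each user database. The Purview account name, subscription ids, and the requirement that the signed-in user is the Microsoft Entra admin of each server are assumptions; the Az and SqlServer modules are assumed to be installed, and private endpoints are left out.

```powershell
# Added example, not code from the question or the answer.
# Assumptions: Az.Accounts, Az.Resources, Az.Sql and the SqlServer module are installed;
# the signed-in principal can assign roles on each subscription and is (or is a member
# of) the Microsoft Entra admin of each SQL server, since only an Entra principal can
# create a user FROM EXTERNAL PROVIDER. Private endpoints are not created here.

param(
    [string]   $PurviewAccountName = 'contoso-purview',                            # placeholder
    [string[]] $SubscriptionIds    = @('00000000-0000-0000-0000-000000000000')     # placeholder
)

Connect-AzAccount | Out-Null

# The Purview system-assigned managed identity is a service principal whose
# display name equals the Purview account name.
$purviewMsi = Get-AzADServicePrincipal -DisplayName $PurviewAccountName
if (-not $purviewMsi) { throw "No service principal named '$PurviewAccountName' was found." }

# Token used to run T-SQL as the signed-in Entra identity (no SQL passwords involved).
# Newer Az.Accounts versions return the token as a SecureString; normalise to a string.
$sqlToken = (Get-AzAccessToken -ResourceUrl 'https://database.windows.net').Token
if ($sqlToken -is [securestring]) { $sqlToken = ConvertFrom-SecureString $sqlToken -AsPlainText }

foreach ($sub in $SubscriptionIds) {
    Set-AzContext -SubscriptionId $sub | Out-Null
    $scope = "/subscriptions/$sub"

    # 1. Reader at subscription scope lets Purview discover and register the servers.
    #    Reader grants no access to table data; that is granted inside each database below.
    $existing = Get-AzRoleAssignment -ObjectId $purviewMsi.Id -RoleDefinitionName 'Reader' -Scope $scope
    if (-not $existing) {
        New-AzRoleAssignment -ObjectId $purviewMsi.Id -RoleDefinitionName 'Reader' -Scope $scope | Out-Null
        Write-Host "Assigned Reader to $PurviewAccountName on $scope"
    }

    # Get-AzSqlServer without parameters returns every logical server in the subscription.
    foreach ($server in Get-AzSqlServer) {
        $rg   = $server.ResourceGroupName
        $name = $server.ServerName
        $fqdn = $server.FullyQualifiedDomainName

        # 2. "Allow Azure services and resources to access this server" is the firewall
        #    rule AllowAllWindowsAzureIps (0.0.0.0-0.0.0.0). It admits traffic from any
        #    Azure tenant, not only yours, so the per-database user created below is
        #    what actually limits who can read data; a private endpoint is the tighter option.
        $rule = Get-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $name `
                    -FirewallRuleName 'AllowAllWindowsAzureIps' -ErrorAction SilentlyContinue
        if (-not $rule) {
            New-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $name -AllowAllAzureIPs | Out-Null
            Write-Host "Enabled 'Allow Azure services' on $name"
        }

        # 3. Scanning needs a contained database user for the managed identity with
        #    read-only membership; create it per user database (master is skipped).
        $dbs = Get-AzSqlDatabase -ResourceGroupName $rg -ServerName $name |
               Where-Object { $_.DatabaseName -ne 'master' }
        foreach ($db in $dbs) {
            $check = Invoke-Sqlcmd -ServerInstance $fqdn -Database $db.DatabaseName -AccessToken $sqlToken `
                -Query "SELECT COUNT(*) AS n FROM sys.database_principals WHERE name = N'$PurviewAccountName';"
            if ($check.n -eq 0) {
                Invoke-Sqlcmd -ServerInstance $fqdn -Database $db.DatabaseName -AccessToken $sqlToken -Query @"
CREATE USER [$PurviewAccountName] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [$PurviewAccountName];
"@
                Write-Host "Created db_datareader user for $PurviewAccountName in $fqdn/$($db.DatabaseName)"
            }
        }
    }
}
```

Run it once per batch of subscriptions; every step checks for the existing assignment, rule or user first, so re-running it on the same 100 servers is safe and only reports what was missing. The role assignment at subscription scope is deliberately the least-privileged one needed for discovery (Reader), with data access confined to db_datareader inside each database.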