Microsoft Purview registering Integration Runtime logging and change management.

Amit Singh 60 Reputation points
2023-02-21T10:46:44.24+00:00

Hi,

I am setting up a self-hosted runtime using the doc below for Microsoft Purview.

https://learn.microsoft.com/en-us/azure/data-factory/create-self-hosted-integration-runtime?tabs=data-factory

From a security standpoint, I have the following questions when we register a self-hosted IR using an authentication key from Microsoft Purview.

  1. Are there any change management logs when an IR is registered or deregistered with Purview, either in Purview or in the VM event logs?
  2. Are there any change management logs when the authentication key is regenerated, either in Purview or in the VM event logs?
  3. Is there any expiry date for the Purview IR registration authentication key?
  4. What encryption technique is used to store the authentication key?

Regarding Option 1 here

https://learn.microsoft.com/en-us/azure/data-factory/create-self-hosted-integration-runtime?tabs=data-factory#credentials-store

It talks about using key vault to store your credentials in Azure. The self-hosted integration runtime can directly get the credentials from Azure Key Vault.

  1. May I know the steps to configure the IR to get credentials from KV?
  2. What encryption technique is used when credentials are stored locally? In Option 2, are we talking about data source credentials or the IR registration authentication key?

Accepted answer
  1. Bhargava-MSFT 31,261 Reputation points Microsoft Employee Moderator
    2023-02-27T19:51:48.5066667+00:00

    Hello @Amit Singh,

    Welcome to the MS Q&A platform.

    Microsoft Purview doesn't currently provide logs for IR registration, deregistration, or authentication key regeneration events. But you can monitor these events via the Azure portal Monitor activity logs.

    Regarding the expiry date for the authentication key, the authentication key used to register a self-hosted IR with Microsoft Purview does not have an expiry date, but it is recommended to regenerate the key periodically for security reasons.

    The encryption keys generally use Advanced Encryption Standard, 128- and 256-bit encryption. But I don't see any documentation for this.

    To configure a self-hosted integration runtime to retrieve credentials from Azure Key Vault, you can follow these steps:

    • Create an Azure Key Vault and store the required credentials in it.
    • Grant the necessary permissions to the self-hosted integration runtime to access the Azure Key Vault.
    • Configure the self-hosted integration runtime to retrieve the required credentials from the Azure Key Vault.

    When using Option 2 to store credentials locally, the credentials are encrypted using the DPAPI (Data Protection API) encryption mechanism provided by Windows. This encryption is used for data source credentials and the authentication key to register the self-hosted integration runtime with Microsoft Purview.

    I hope this helps. Please let me know if you have any further questions.

    1 person found this answer helpful.
