Self-service access workflow – auto-provisioning support for Azure Synapse Dedicated SQL Pool

Pierre-Louis Bourgeois 0 Reputation points
2026-05-18T09:40:17.7066667+00:00

Hi,

We are currently implementing Microsoft Purview at Jet Aviation and evaluating whether the self-service data access workflow can cover our end-to-end access management needs.

Our setup is the following: data assets are hosted in Azure Synapse Analytics (Dedicated SQL Pool), and we are using the new Purview portal (Unified Catalog). We would like to enable a workflow where a user discovers a table in the catalog, submits an access request, and — after approval — automatically gains access to that table (e.g. via SSMS or Synapse Studio), without any manual intervention from a DBA.

From our investigation, it appears that:

  • Auto-provisioning of access policies after approval is currently only supported for Azure Blob Storage, ADLS Gen2, and Azure SQL Database.
  • Synapse Dedicated SQL Pool is not listed as a supported source for Data Policy Enforcement.
  • In the new Unified Catalog portal, even for supported sources, automatic permission provisioning does not yet appear to be available.

Could you help us clarify the following points?

  1. Is there a planned roadmap item to extend auto-provisioning support to Synapse Dedicated SQL Pool?
  2. Is there any supported workaround (e.g. Power Automate integration, custom workflow connector) that would allow us to trigger a permission grant on Synapse automatically upon approval in Purview?
  3. What is the recommended architecture for this use case in the context of the new Unified Catalog portal?

Thank you for your time.

Best regards,

Pierre-Louis Bourgeois

Data Engineer Intern – AI & Automation IT

Jet Aviation

Microsoft Security | Microsoft Purview

2 answers

  1. Pilladi Padma Sai Manisha 8,410 Reputation points Microsoft External Staff Moderator
    2026-05-20T06:15:54.7333333+00:00

    Hey Pierre-Louis Bourgeois,
    thanks for laying out your scenario so clearly. You’re right that today self-service auto-provisioning in Purview only covers ADLS Gen2, Blob storage and Azure SQL DB, and Dedicated SQL Pools (formerly SQL DW) aren’t on that list yet. Here’s a quick summary and some ideas you can try:

    1. Roadmap for Synapse Dedicated SQL Pool auto-provisioning
      • As of now there’s no public ETA for extending Data Policy Enforcement (DPE) auto-provisioning to Dedicated SQL Pools in the Unified Catalog. Microsoft is actively investing in Purview’s policy engine, so I’d recommend:
        – Watching the Azure Purview “What’s new” page and the Purview feedback portal for roadmap announcements.
        – Upvoting or commenting on the dedicated SQL pool item in the Purview GitHub/feedback site so it gains priority.
    2. Workaround via custom workflow integration
      While native auto-grant isn’t yet available, you can wire up your own automation “glue” between Purview’s approval workflow and Synapse. A common pattern is:
      • In Purview, build or modify your self-service workflow to include a webhook or event-hub/Kafka action on approval.
      • Hook that event into an Azure Function or Logic App (or Power Automate) that:
      1. Parses the approved request (user principal, resource/container/table name, etc.)
      2. Connects to the Dedicated SQL Pool using a service principal or managed identity
      3. Runs a T-SQL script such as:
        
                CREATE USER [******@contoso.com] FROM EXTERNAL PROVIDER;
        
                ALTER ROLE db_datareader ADD MEMBER [******@contoso.com];
        
                GRANT SELECT ON schema.table TO [******@contoso.com];
        
        
      • This gives you fully unattended permission grants as soon as the request is approved.
    3. Recommended architecture in the Unified Catalog world
      Here’s a high-level pattern you could adopt:
      1. Catalog your Synapse workspace + Dedicated SQL Pool in Purview (register it for scanning).
      2. Author a self-service data access workflow in the new Unified Catalog portal and assign it to the collection containing your SQL Pool assets.
      3. In the workflow’s approval step, call out to an Azure Event Hub or webhook.
      4. Build an Azure Function (or Logic App) that:
        – Is triggered by the Purview event
        – Uses a managed identity or SPN with “Synapse SQL Admin” rights
        – Executes the necessary T-SQL GRANT/CREATE USER commands against the pool
      5. Return success/failure back to the workflow (optional) or simply rely on logging/alerts.
      6. Data consumer can then open SSMS or Synapse Studio and immediately see the newly granted access.

    Follow-up questions to fine-tune things:

    1. Are you using Azure AD (recommended) or SQL authentication on your Dedicated SQL Pool?
    2. Do you already have a home for your automation code (Functions, Logic Apps or Power Automate)?
    3. How do you plan to authenticate your automation – managed identity, service principal or shared key?
    4. Are you comfortable authoring a small Azure Function/Logic App to run T-SQL statements?

    Hope that gives you a clear path forward! Let me know if you need more details on any of the steps.

    Reference docs:

    • Data Policy Enforcement overview (supported sources + prerequisites)

    https://learn.microsoft.com/purview/how-to-enable-data-policy-enforcement

    • Self-service workflows authoring in Purview (hybrid data estates doc)

    https://learn.microsoft.com/purview/legacy/how-to-workflow-self-service-data-access-hybrid

    • How to register & scan Synapse Dedicated SQL pools in Purview

    https://learn.microsoft.com/purview/register-scan-azure-synapse-analytics

    • Synapse security & T-SQL permission grants for Dedicated SQL Pool

    https://learn.microsoft.com/azure/synapse-analytics/security/how-to-set-up-access-control#step-7b-configure-dedicated-sql-pools
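
The approval-to-grant step from the answer above, as an added example that is not part of the original answer or any Microsoft sample: `CREATE USER` and `GRANT` cannot take bind parameters, so the handler validates the approved request and quotes every identifier before building the T-SQL. The event field names (`status`, `requestor`, `schema`, `table`), the schema allow-list and the sample events are assumptions, not Purview's actual payload; the sketch issues only the table-level grant and leaves out the `db_datareader` membership, since that role can read every table in the database.

```python
import re

# Assumption: schemas this automation is allowed to grant on.
ALLOWED_SCHEMAS = {"sales", "finance"}
UPN_RE = re.compile(r"[A-Za-z0-9._'-]{1,64}@[A-Za-z0-9.-]{1,255}")
NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,127}")


def quote_ident(name: str) -> str:
    """Bracket-quote an identifier as T-SQL QUOTENAME does (']' becomes ']]')."""
    return "[" + name.replace("]", "]]") + "]"


def build_grant(event: dict) -> list[str]:
    """Return the T-SQL for one approved request, or raise ValueError."""
    if event.get("status") != "Approved":
        raise ValueError("request is not approved")
    upn = str(event.get("requestor", ""))
    schema = str(event.get("schema", ""))
    table = str(event.get("table", ""))
    if not UPN_RE.fullmatch(upn):
        raise ValueError("requestor is not a plain UPN")
    if schema not in ALLOWED_SCHEMAS:
        raise ValueError("schema is not on the allow-list")
    if not NAME_RE.fullmatch(table):
        raise ValueError("table is not a plain identifier")
    user = quote_ident(upn)
    literal = upn.replace("'", "''")  # string-literal context needs its own escaping
    return [
        # Skip CREATE USER when the principal already exists, so repeat requests succeed.
        f"IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'{literal}') "
        f"CREATE USER {user} FROM EXTERNAL PROVIDER;",
        # Table-level grant only; no db_datareader membership.
        f"GRANT SELECT ON {quote_ident(schema)}.{quote_ident(table)} TO {user};",
    ]


# Constructed sample events (hypothetical payload shape).
APPROVED = {"status": "Approved", "requestor": "o'brien@contoso.example",
            "schema": "sales", "table": "Orders"}
HOSTILE = {**APPROVED, "table": "Orders] TO [public]; --"}

if __name__ == "__main__":
    for stmt in build_grant(APPROVED):
        print(stmt)
    try:
        build_grant(HOSTILE)
    except ValueError as err:
        print("rejected:", err)
```

The returned statements would then be executed by the Function's managed identity or service principal over its own connection to the pool.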



  2. AI answer

    2026-05-18T09:40:46.2766667+00:00
    1. The self-service data access policy and workflow-based auto-provisioning described in the context are currently supported only when the prerequisites for Data Policy Enforcement are satisfied, and only for specific data sources such as storage accounts, containers, folders, files, and Azure SQL Database. Synapse dedicated SQL pools are not listed as a supported source for Data Policy Enforcement in the provided material, and there is no documented roadmap item in the context indicating planned support for Synapse dedicated SQL pools.
    2. The documented self-service mechanism works by auto-generating and publishing a Microsoft Purview data policy to the data source when a request is approved, but only if that source is registered for Data Policy Enforcement and mapped to a self-service workflow at the collection level. The context does not describe any supported workaround such as Power Automate, custom workflow connectors, or other integration patterns to automatically grant permissions on Synapse dedicated SQL pools when a self-service request is approved. Only Azure SQL Database is explicitly called out as supported for Purview data policies in the feature-availability section.
    3. For the new Unified Catalog and hybrid estates, the recommended pattern in the context is:
      • Register data sources that are supported for Data Policy Enforcement.
      • Assign a self-service access workflow at the collection level.
      • Allow data consumers to discover assets, use Request access in the Purview governance portal, and have approvers grant access via the workflow.
      • On approval, Purview auto-generates and applies a self-service data access policy only for those sources that are enabled for Data Policy Enforcement (for example, Azure SQL Database and supported storage accounts).

    For Synapse dedicated SQL pools specifically, no recommended architecture or pattern for automatic permission provisioning is documented in the provided context beyond general scanning and metadata/catalog capabilities.


