Microsoft purview

Question

Microsoft purview

Prasant Chettri 146

Upgrading to the enterprise version of Microsoft Purview in M365 allows access to all governance applications and capabilities, including support for various data sources. However, it does not specifically mention the use of private endpoints or integration runtimes like the self-hosted integration runtime or managed virtual network integration runtime, which are essential for scanning on-premises data sources or ensuring network isolation.

On the other hand, deploying a self-hosted integration runtime in Azure Purview is specifically designed to scan on-premises data sources and requires a setup within a private network for resource on the cloud.

Can I avoid deploying SHIR or Azure managed IR for implementing purview data security for Azure DB resources, if I just upgrade the M365 purview to the enterprise version? If so, is there way to deploy it in private network?

Accepted answer

0 additional answers

Your answer

Answer 1

Smaran Thoomu 21,610 Microsoft External Staff

Hi @Prasant Chettri
Welcome to Microsoft Q&A platform.
Thank you for the detailed question! You’ve raised an important point about integrating Microsoft Purview with Azure DB resources and the role of integration runtimes.

Upgrading to the enterprise version of Microsoft Purview in M365 does indeed unlock a wide range of governance applications and capabilities. However, for specific tasks like scanning on-premises data sources or ensuring secure connectivity to Azure DB resources, integration runtimes (either self-hosted or Azure-managed) play a critical role.

If your primary use case is securing Azure DB resources without deploying a self-hosted integration runtime (SHIR) or Azure-managed IR, you can leverage the native capabilities of Microsoft Purview within Azure. For example:

Azure Purview natively supports scanning Azure resources through its built-in connectors, which don't necessarily require SHIR or managed IR for Azure-native data sources.
For enhanced security and network isolation, you can integrate Microsoft Purview with a managed virtual network (VNet) in Azure. This enables you to securely scan and manage Azure resources without exposing them to the public internet.

If you're considering deploying Purview entirely within a private network, the managed virtual network integration is your go-to solution. This allows Purview to operate in a secure, private environment while still accessing and securing your Azure DB resources.

For more information refer the below articles:

Hope this helps. Do let us know if you any further queries.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Prasant Chettri 146 Reputation points

2024-12-06T15:27:40.3133333+00:00

In other words if I am only scanning Azure DBs I can do it by upgrading to enterprise without needing use Azure managed IR or SHIR. But I am still not sure about how to keep the line of sight for network between Office 365 enterprise purview and Azure DB private using private network, if both are in different tenant. Does it also require private link before setting up private endpoints?
Smaran Thoomu 21,610 Reputation points Microsoft External Staff

2024-12-06T16:16:47.2266667+00:00
Thank you for the follow-up!
If your focus is solely on scanning Azure databases (e.g., Azure SQL, Cosmos DB), you can achieve this by upgrading to the enterprise version of Microsoft Purview. This is possible because Purview provides native connectors for Azure data sources, which typically do not require an integration runtime.

However, when it comes to ensuring network isolation for communication between Office 365 Enterprise Purview and Azure DBs:

If your Office 365 Enterprise Purview instance is in a different tenant than your Azure DBs, you will need to ensure that the network traffic between the two tenants is secure.

Private Links are a crucial component in this setup. They allow Azure resources (like Azure SQL) to be accessed privately over a secure network using private endpoints.

To establish secure connectivity, you would need to configure a Private Link for your Azure DBs in the Azure tenant.

Once the Private Link is configured, set up Private Endpoints to ensure that traffic between your resources remains private and does not traverse the public internet.

If Purview in your Office 365 tenant needs to access Azure DBs in another tenant, you may need to configure cross-tenant permissions for Private Link resources.

Virtual Network (VNet) integration in Purview can be extended to securely communicate with the private endpoint of Azure DBs, ensuring full network isolation.

Reference:

https://learn.microsoft.com/en-us/azure/private-link/private-link-overview

https://learn.microsoft.com/en-us/azure/architecture/networking/guide/cross-tenant-secure-access-private-endpoints

I hope this helps! Let me know if you have any other questions.

Share via

Microsoft purview

0 additional answers

Your answer