Unauthorized: Not authorized to access Purview account using API requests

Waqas Kayani 26 Reputation points
2021-07-30T19:07:19.447+00:00

We are trying to configure Purview accounts using its REST APIs.
I have created a Purview account (purview-api-demo), and registered an Azure Blob Storage type source with it.
Following the REST APIs documentation here, I have created a service principal (purview-app-registration) and added its trust permissions as follows:

[Screenshot]

Now, upon trying two different GET requests, one of them works, i.e. the one from the tutorial in the documentation. Here's the code for it:

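from requests import request  # requires the 'requests' package

def call_api(atlas_endpoint, access_token):
    # List all type definitions through the catalog (Atlas) endpoint.
    url = f"{atlas_endpoint}/api/atlas/v2/types/typedefs"
    payload = {}
    headers = {
        'Authorization': f'Bearer {access_token}'
    }
    response = request("GET", url, headers=headers, data=payload)
    print(response.text)

# 'output' holds the access token obtained earlier (not shown in the post)
atlas_endpoint = "https://purview-api-demo.catalog.purview.azure.com"
call_api(atlas_endpoint=atlas_endpoint, access_token=output)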

However, when trying a similar GET request to list data sources, as documented here, it gives the following response:

[Screenshot]

Here's the code for the second GET request:

from requests import request  # requires the 'requests' package

def list_data_sources(access_token, Endpoint, api_version="2018-12-01-preview"):
    # List registered data sources through the scan endpoint.
    url = f"{Endpoint}/datasources?api-version={api_version}"
    payload = {}
    headers = {
        'Authorization': f'Bearer {access_token}'
    }
    response = request("GET", url, headers=headers, data=payload)
    print(response.text)

# 'output' holds the same access token used for the first request
scan_endpoint = "https://purview-api-demo.scan.purview.azure.com"
list_data_sources(access_token=output, Endpoint=scan_endpoint)

It would be great to have an explanation of why we are able to make one request successfully, while the other request to the same Purview account returns unauthorized.
Thanks.


Accepted answer
  1. Saurabh Sharma 23,791 Reputation points Microsoft Employee
    2021-07-31T17:08:40.68+00:00

    Hi @Waqas Kayani ,
    Thanks for using Microsoft Q&A !!

    You are getting this error when using the scan endpoint because you have not granted your registered application/service principal the Purview Data Source Administrator role, which can manage scans. I tried the same thing and it worked fine with this role.

    [Screenshot]
    Please refer to the documentation for role details.

    Please note that the Purview Data Source Administrator role has two supported scenarios. The first scenario is for users who are already Purview Data Readers or Purview Data Curators that also need to be able to create scans. Those users need to be in two roles, at least one of Purview Data Reader or Purview Data Curator as well as being placed in the Purview Data Source Administrator Role.
    The other scenario for Purview Data Source Administrator is for programmatic processes, such as service principals, that need to be able to set up and monitor scans but should not have access to any of the catalog's data.

    Also, I suggest you use Azure Purview predefined data plane roles like Purview Data Curator Reader, Purview Data Curator Role etc. instead of giving owner permissions to service principals.

    Please let me know if you have any questions.

    Thanks
    Saurabh

    ----------

    Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.

    3 people found this answer helpful.

1 additional answer

  1. Arun Somasundaram SP 1 Reputation point
    2022-07-26T10:19:41.587+00:00

    Hi @Saurabh Sharma and Others,

    In Azure functions, I have the code which creates Atlas Entities from the json and finally loads into Azure Purview.

    Every time I run the code, I'm encountering this error: "Failure Exception: RequestException: {"error":{"code":"AccountProtectedByPrivateEndpoint","message":"Not authorized to access account"}}"

    I have provided the Role access to the Service Principal as mentioned above. Still encountering this error. Could someone help me here ??

    Note: My Functions app and (Azure Purview, Service Principal) are in different RGs. Will this cause any impacts ??

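Added example, not part of the original thread or of Microsoft's documentation: a probe that checks on which Purview planes a service principal's token is accepted and compares that with the intended profile, such as the scan-only principal the accepted answer describes. The endpoint paths and the `AccountProtectedByPrivateEndpoint` code come from the posts above; the function names and the `expected` mapping are assumptions of this example.

```python
import json
from urllib.request import Request, urlopen
from urllib.error import HTTPError

# Paths and api-version are the ones used in the question above.
PROBES = {
    "catalog": "https://{acct}.catalog.purview.azure.com/api/atlas/v2/types/typedefs",
    "scan": "https://{acct}.scan.purview.azure.com/datasources?api-version=2018-12-01-preview",
}

def http_get(url, token):
    """Return (status, body) for a bearer-authenticated GET; HTTP errors are data here."""
    req = Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as exc:
        return exc.code, exc.read().decode()

def error_code(body):
    """Pull error.code out of a JSON error body, or '' if the body has another shape."""
    try:
        return json.loads(body)["error"]["code"]
    except (ValueError, KeyError, TypeError):
        return ""

def probe(account, token, get=http_get):
    """GET one read-only URL per plane and record whether the token was accepted."""
    results = {}
    for plane, template in PROBES.items():
        status, body = get(template.format(acct=account), token)
        results[plane] = {"allowed": 200 <= status < 300, "status": status,
                          "code": error_code(body)}
    return results

def audit(results, expected):
    """Compare observed access with the intended profile (hypothetical plane -> bool map)."""
    findings = []
    for plane, want in expected.items():
        got = results[plane]
        if got["code"] == "AccountProtectedByPrivateEndpoint":
            findings.append(f"{plane}: blocked by private endpoint, role check inconclusive")
        elif got["allowed"] and not want:
            findings.append(f"{plane}: access granted but not intended (over-privileged)")
        elif not got["allowed"] and want:
            findings.append(f"{plane}: HTTP {got['status']}, required role missing")
    return findings
```

For a scan-automation principal, `audit(probe(account, token), {"catalog": False, "scan": True})` should return an empty list; pass a stub as `get=` to exercise the logic without network access.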