Share via

Not able to enumerate SQL Serverless Synapse database from purview

Parth Kapadia 5 Reputation points
2025-10-30T14:02:05.25+00:00

Our purview instance is in a different Subscription (Prod Subscription) and the synapse workspace that we are trying to connect is in a different subscription (Dev Subscription).

We followed this documentation and set up all the permissions (https://learn.microsoft.com/en-us/purview/register-scan-synapse-workspace).
The permissions we gave were:

  • Reader role to Purview MSI on Dev Synapse workspace
  • Storage blob data reader role to Purview MSI on Dev Storage account
  • Created a login:
    • CREATE LOGIN [PurviewAccountName] FROM EXTERNAL PROVIDER;
  • Gave permissions to scan: 
      CREATE USER [PurviewAccountName] FOR LOGIN [PurviewAccountName];
  ALTER ROLE db_datareader ADD MEMBER [PurviewAccountName];

      SELECT p.name AS UserName, r.name AS RoleName
  FROM sys.database_principals p
  LEFT JOIN sys.database_role_members rm ON p.principal_id = rm.member_principal_id
  LEFT JOIN sys.database_principals r ON rm.role_principal_id = r.principal_id
  WHERE p.authentication_type_desc = 'EXTERNAL'
  ORDER BY p.name;
  • We don't have any external tables as this query returns empty: 
      Select name, credential_identity
  from sys.database_scoped_credentials;
  • Firewall rule in Synapse already allows traffic from all Azure services.

If I try to run the scan after doing all of the above changes, we are getting an error:

Failed to load serverless databases from Synapse workspace, please give the managed identity of the Purview account permissions to enumerate serverless databases.

Note: We did the same changes on Prod synapse workspace (in Prod subscription) and it is working as expected and we are able to scan the database. I am not sure what we are missing.

Azure Synapse Analytics
Azure Synapse Analytics

An Azure analytics service that brings together data integration, enterprise data warehousing, and big data analytics. Previously known as Azure SQL Data Warehouse.

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Amira Bedhiafi 42,941 Reputation points MVP Volunteer Moderator
    2025-11-01T19:59:12.7666667+00:00

    Hello Parth !

    Thank you for posting on Microsoft Learn Q&A.

    Try to check if you created the LOGIN in master (the serverless endpoint) :

    -- master database
CREATE LOGIN [<Purview-MSI-Display-Name>] FROM EXTERNAL PROVIDER;

    Purview uses Entra ID and the name must match the Enterprise Application display name of the Purview account’s managed identity.

    https://learn.microsoft.com/en-us/purview/register-scan-synapse-workspace

    Grant workspace-wide read access that lets Purview enumerate databases/tables:

    GRANT CONNECT ANY DATABASE     TO [<Purview-MSI-Display-Name>];
GRANT SELECT ALL USER SECURABLES TO [<Purview-MSI-Display-Name>];

    this pair is the recommended pattern for serverless to list/scan databases without object changing rights.

    https://learn.microsoft.com/en-us/azure/synapse-analytics/metadata/database

    and create the USER in each serverless database you intend to scan for each database :

    -- run in each target db
CREATE USER [<Purview-MSI-Display-Name>] FOR LOGIN [<Purview-MSI-Display-Name>];
ALTER ROLE db_datareader ADD MEMBER [<Purview-MSI-Display-Name>];

    Purview needs a USER mapping per database, not only the LOGIN.

    If you have external tables with scoped credentials, grant REFERENCES on each DATABASE SCOPED CREDENTIAL :

    GRANT REFERENCES ON DATABASE SCOPED CREDENTIAL::[<credential_name>]
TO [<Purview-MSI-Display-Name>];

    Confirm Azure RBAC on the Azure side :

    • on the Dev Synapse workspace: give the Purview MSI reader
    • on the Dev ADLS Gen2 that backs serverless data: storage blob data reader

    Was this answer helpful?

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.