Unable to retrieve metaDataPolicy from Purview Policy Store after giving Collection Admin role through Add-AzPurviewAccountRootCollectionAdmin

Kartik Rana 21

I came across this error while I was trying to update the meta data policy of my root collection in purview. I created a service principal and gave it Purview Root Collection Admin role through Add-AzPurviewAccountRootCollectionAdmin and It does reflect in my purview account but still I am getting unauthorized error.
My sp Giving Access Reflects in Purview Generating token Unauthorized error

I tried waiting for 5-10 minutes and generated a new token I still got the unauthorized error. After that I revoked Collection Admin role from my service principal and manually gave it the role again through purview portal this time. After manually giving the role and generating a new access token I was able to retrieve the meta data policy of my account.
Revoking Role Re-granting the role through purview portal Able to retrieve the policy through "GET" method
Why am I not able to retrieve the meta data policy when I give the Collection Admin role through powershell? Is there anyone who is able to reproduce the bug?

Note: I do not think this is any transient issue as I have tried this many times still the same result.

1 answer

PRADEEPCHEEKATLA-MSFT 85,746 Reputation points Microsoft Employee

2021-12-10T08:34:21.09+00:00
Hello @Kartik Rana ,

Thanks for using MS Q&A platform.

This is an excepted behaviour (Will not retrieve metaDataPolicy from Purview Policy Store after giving Collection Admin role) when you adding Add-AzPurviewAccountRootCollectionAdmin.

You may checkout my previous answer "azure purview access permission" which addressing how to grant access to the Azure Purview account.

You may use the Purview-API-PowerShell to retrieve the metaDataPolicy from Purview Policy Store.

Full Documentation, Usage, Samples & Example Commands : https://github.com/Azure/Azure-Purview-API-PowerShell.

For more details, refer to Tutorial: Use REST APIs to manage role-based access control on Azure Purview collections.

Hope this will help. Please let us know if any further queries.

------------------------------

Please don't forget to click on or upvote button whenever the information provided helps you. Original posters help the community find answers faster by identifying the correct answer. Here is how

Want a reminder to come back and check responses? Here is how to subscribe to a notification

If you are interested in joining the VM program and help shape the future of Q&A: Here is how you can be part of Q&A Volunteer Moderators
Please sign in to rate this answer.
Kartik Rana 21 Reputation points

2021-12-10T09:45:42.84+00:00

But I am able to access the metaDataPolicy if I give the Collection Admin role through purview portal. How is it any different from giving the Collection Admin role through Powershell? You can see in the 3rd screenshot I shared that my service principal "workx1prsp" does get the Collection admin role in the root directory and that is the only role I need to access the meta data policy. The Rest API document states that too

If you're using the API, the service principal, user, or group that executes the API should have a Collection Admin role assigned in Azure Purview to execute this API successfully.

And it works if I give the role from inside the purview portal manually but fails when I use powershell command.

Using Add-AzPurviewAccountRootCollectionAdmin to grant the collection admin role is not the same as granting the role through purview portal? If yes, why?
Why does it still reflect as collection admin in purview?

EDIT: I have also tried giving the RootCollectionAdmin role through the rest Api by sending "POST" request on https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Purview/accounts/{accountName}/addRootCollectionAdmin?api-version=2021-07-01 and it gives the same error. The role reflects as granted in the purview portal but I still cannot access the meta data policy

Kartik Rana 21 Reputation points

2021-12-11T12:12:06.867+00:00

Any update here?

PRADEEPCHEEKATLA-MSFT 85,746 Reputation points Microsoft Employee

2021-12-13T04:59:07.55+00:00

Hello @Kartik Rana ,

This issue looks strange. For a deeper investigation and immediate assistance on this issue, if you have a support plan you may file a support ticket.

Kartik Rana 21 Reputation points

2021-12-13T11:39:07.5+00:00

Thank you for the response.
I don't have a support plan, is there anything that can be done? The issue is still present. I am only able to access the meta data policy if I give the Collection Admin role from Purview portal. If I use any other method to grant the Collection Admin role, Powershell, AzureCli or Rest APi, I get the "Unauthorized, Not authorized to access account error|

PRADEEPCHEEKATLA-MSFT 85,746 Reputation points Microsoft Employee

2021-12-14T06:01:07.44+00:00

Hello @Kartik Rana ,

We are reaching out to the internal team to get more details on this ask. I will be update you once I hear back from the team.

PRADEEPCHEEKATLA-MSFT 85,746 Reputation points Microsoft Employee

2021-12-17T09:23:46.04+00:00

Hello @Kartik Rana ,

Could you please confirm, if you are using the same SPN as root collection admin via Portal and PowerShell? Please do share the screenshot of the both user details.

Kartik Rana 21 Reputation points

2021-12-17T11:44:00.9+00:00

My service principal in ADD

Granting Purview Root Collection Admin role

Purview Roles

Generating access token

Unauthorized to access collection policy

PRADEEPCHEEKATLA-MSFT 85,746 Reputation points Microsoft Employee

2021-12-21T08:03:14.6+00:00

Hello @Kartik Rana ,

Make sure the authorization is passed correctly.

Kartik Rana 21 Reputation points

2021-12-21T08:35:46.893+00:00

I am pretty sure I have passed the authorization correctly, because the same request works if I manually assign the role through Purview Portal. Anyways, here is the screen shot of the error if I provide authorization through "Authorization" tab.

The Add-AzPurviewAccountRootCollectionAdmin command works and shows me that the role is assigned in my purview portal, but I still don't get the permissions to do anything I could do with that role. I can't add collections, can't get meta data policy, etc.

Kartik Rana 21 Reputation points

2021-12-24T07:06:20.86+00:00

So I've made a video of the error. I've used to the REST API method to grant RootCollectionAdmin role. The same error happens with Powershell and Azure cli, I just used to REST API method because its easier to record and edit that way.

https://youtu.be/Uw6KdBcrk-M

PRADEEPCHEEKATLA-MSFT 85,746 Reputation points Microsoft Employee

2021-12-24T10:14:30.133+00:00

Hello @Kartik Rana ,

Thanks for the additional details.

We are reaching out to the internal team to get more details on this ask. I will be update you once I hear back from the team.
Sign in to comment