Edit

Create an exception to deploy Microsoft Purview

  • Article
  • 2 minutes to read

Many subscriptions have Azure Policies in place that restrict the creation or update of some resources. This is to maintain subscription security and cleanliness. However, Microsoft Purview accounts will deploy an Azure Storage account when it's created. It'll be managed by Azure, so you don't need to maintain it, but it is necessary for Microsoft Purview to run correctly. Existing policies may block this deployment, and you may receive an error when attempting to create a Microsoft Purview account.

Microsoft Purview also regularly updates its Azure Storage account after creation, so any policies blocking updates to this storage account will cause errors during scanning.

To maintain your policies in your subscription, but still allow the creation and updates to these managed resources, you can create an exception.

Create an Azure policy exception for Microsoft Purview

  1. Navigate to the Azure portal and search for Policy

    Screenshot showing the Azure portal search bar, searching for Policy keyword.

  2. Follow Create a custom policy definition or modify existing policy to add two exceptions with not operator and resourceBypass tag:

    {
"mode": "All",
  "policyRule": {
    "if": {
      "anyOf": [
      {
        "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Storage/storageAccounts"
        },
        {
          "not": {
            "field": "tags['<resourceBypass>']",
            "exists": true
          }
        }]
      },
      {
        "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.EventHub/namespaces"
        },
        {
          "not": {
            "field": "tags['<resourceBypass>']",
            "exists": true
          }
        }]
      }]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {}
}

    Note

    The tag could be anything beside resourceBypass and it's up to you to define value when creating Microsoft Purview in later steps as long as the policy can detect the tag.

    Screenshot showing how to create policy definition.

  3. Create a policy assignment using the custom policy created.

    Screenshot showing how to create policy assignment

Note

If you have Azure Policy and need to add exception as in Prerequisites, you need to add the correct tag. For example, you can add resourceBypass tag: Add tag to Microsoft Purview account.

Next steps

To set up Microsoft Purview by using Private Link, see Use private endpoints for your Microsoft Purview account.