Connect to and manage Azure Synapse Analytics workspaces in Microsoft Purview
This article outlines how to register Azure Synapse Analytics workspaces and how to authenticate and interact with Azure Synapse Analytics workspaces in Microsoft Purview. For more information about Microsoft Purview, read the introductory article.
Supported capabilities
| Metadata Extraction | Full Scan | Incremental Scan | Scoped Scan | Classification | Labeling | Access Policy | Lineage | Data Sharing |
|---|---|---|---|---|---|---|---|---|
| Yes | Yes | Yes | No | Yes | No | No | Yes- Synapse pipelines | No |
Note
Currently, Azure Synapse lake databases are not supported.
Prerequisites
An Azure account with an active subscription. Create an account for free.
An active Microsoft Purview account.
You'll need to be a Data Source Administrator and Data Reader to register a source and manage it in the Microsoft Purview governance portal. See our Microsoft Purview Permissions page for details.
Register
This section describes how to register Azure Synapse Analytics workspaces in Microsoft Purview using the Microsoft Purview governance portal.
Authentication for registration
Only a user with at least a Reader role on the Azure Synapse workspace and who is also data source administrators in Microsoft Purview can register an Azure Synapse workspace.
Steps to register
Open the Microsoft Purview governance portal by:
- Browsing directly to https://web.purview.azure.com and selecting your Microsoft Purview account.
- Opening the Azure portal, searching for and selecting the Microsoft Purview account. Selecting the the Microsoft Purview governance portal button.
On the left pane, select Sources.
Select Register.
Under Register sources, select Azure Synapse Analytics (multiple).
Select Continue.
On the Register sources (Azure Synapse Analytics) page, do the following:
a. Enter a Name for the data source to be listed in the data catalog.
b. Optionally, choose a subscription to filter down to.
c. In the Workspace name dropdown list, select the workspace that you're working with.
d. In the endpoints dropdown lists, the SQL endpoints are automatically filled in based on your workspace selection.
e. In the Select a collection dropdown list, choose the collection you're working with or, optionally, create a new one.
f. Select Register to finish registering the data source.
Scan
Follow the steps below to scan Azure Synapse Analytics workspaces to automatically identify assets and classify your data. For more information about scanning in general, see our introduction to scans and ingestion.
- You'll first need to set up authentication for enumerating for either your dedicated or serverless resources. This will allow Microsoft Purview to enumerate your workspace assets and perform scans.
- Then, you'll need to apply permissions to scan the contents of the workspace.
- Lastly, confirm your network is set up to allow access for Microsoft Purview.
Tip
To troubleshoot any issues with scanning:
- Confirm you have followed all prerequisites.
- Confirm you have set up enumeration authentication for your resources.
- Confirm authentication is properly set up.
- Check network by confirming firewall settings.
- Review our scan troubleshooting documentation.
Enumeration authentication
Authentication for enumerating dedicated SQL database resources
In the Azure portal, go to the Azure Synapse workspace resource.
On the left pane, select Access Control (IAM).
Note
You must be an owner or user access administrator to add a role on the resource.
Select the Add button.
Set the Reader role and enter your Microsoft Purview account name, which represents its managed service identity (MSI).
Select Save to finish assigning the role.
Note
If you're planning to register and scan multiple Azure Synapse workspaces in your Microsoft Purview account, you can also assign the role from a higher level, such as a resource group or a subscription.
Authentication for enumerating serverless SQL database resources
There are three places you'll need to set authentication to allow Microsoft Purview to enumerate your serverless SQL database resources:
The steps below will set permissions for all three.
Azure Synapse workspace
In the Azure portal, go to the Azure Synapse workspace resource.
On the left pane, select Access Control (IAM).
Note
You must be an owner or user access administrator to add a role on the resource.
Select the Add button.
Set the Reader role and enter your Microsoft Purview account name, which represents its managed service identity (MSI).
Select Save to finish assigning the role.
Storage account
In the Azure portal, go to the Resource group or Subscription that the storage account associated with the Azure Synapse workspace is in.
On the left pane, select Access Control (IAM).
Note
You must be an owner or user access administrator to add a role in the Resource group or Subscription fields.
Select the Add button.
Set the Storage blob data reader role and enter your Microsoft Purview account name (which represents its MSI) in the Select box.
Select Save to finish assigning the role.
Azure Synapse serverless database
- Go to your Azure Synapse workspace and open the Synapse Studio.
- Select the Data tab on the left menu.
- Select the ellipsis (...) next to one of your databases, and then start a new SQL script.
- Add the Microsoft Purview account MSI (represented by the account name) on the serverless SQL databases. You do so by running the following command in your SQL script:
CREATE LOGIN [PurviewAccountName] FROM EXTERNAL PROVIDER;
Apply permissions to scan the contents of the workspace
You can set up authentication for an Azure Synapse source any of the following options. Select your scenario below for steps to apply permissions.
- Use a managed identity
- Use a service principal
- Use SQL Authentication
Important
These steps for serverless databases do not apply to replicated databases. Currently in Synapse, serverless databases that are replicated from Spark databases are read-only. For more information, go here.
Note
You must set up authentication on each SQL database that you intended to register and scan from your Azure Synapse workspace.
Use a managed identity for dedicated SQL databases
Go to your Azure Synapse workspace.
Go to the Data section, and then look for one of your dedicated SQL databases.
Select the ellipsis (...) next to it, and then start a new SQL script.
Note
To run the commands in the following procedure, you must be an Azure Synapse administrator on the workspace. For more information about Azure Synapse Analytics permissions, see: Set up access control for your Azure Synapse workspace.
Add the Microsoft Purview account MSI (represented by the account name) as db_datareader on the dedicated SQL database. You do so by running the following command in your SQL script:
CREATE USER [PurviewAccountName] FROM EXTERNAL PROVIDER GO EXEC sp_addrolemember 'db_datareader', [PurviewAccountName] GOFollow the same steps for each database you want to scan.
Use a managed identity for serverless SQL databases
Go to your Azure Synapse workspace.
Go to the Data section, and select one of your SQL databases.
Select the ellipsis (...) next to your database, and then start a new SQL script.
Add the Microsoft Purview account MSI (represented by the account name) as db_datareader on the serverless SQL databases. You do so by running the following command in your SQL script:
CREATE USER [PurviewAccountName] FOR LOGIN [PurviewAccountName]; ALTER ROLE db_datareader ADD MEMBER [PurviewAccountName];Follow the same steps for each database you want to scan.
Grant permission to use credentials for external tables
If the Azure Synapse workspace has any external tables, the Microsoft Purview managed identity must be given References permission on the external table scoped credentials. With the References permission, Microsoft Purview can read data from external tables.
GRANT REFERENCES ON DATABASE SCOPED CREDENTIAL::[scoped_credential] TO [PurviewAccountName];
Set up Azure Synapse workspace firewall access
In the Azure portal, go to the Azure Synapse workspace.
On the left pane, select Networking.
For Allow Azure services and resources to access this workspace control, select ON.
Select Save.
Important
Currently, if you cannot enable Allow Azure services and resources to access this workspace on your Azure Synapse workspaces, when set up scan on Microsoft Purview governance portal, you will hit serverless DB enumeration failure. In this case, you can choose the "Enter manually" option to specify the database names that you want to scan, and proceed. Learn more from Create and run scan.
Create and run scan
To create and run a new scan, do the following:
Select the Data Map tab on the left pane in the Microsoft Purview governance portal.
Select the data source that you registered.
Select View details, and then select New scan. Alternatively, you can select the Scan quick action icon on the source tile.
On the Scan details pane, in the Name box, enter a name for the scan.
In the Credential dropdown list, select the credential to connect to the resources within your data source.
For Database selection method, choose From Synapse workspace or Enter manually. By default, Microsoft Purview tries to enumerate the databases under the workspace, and you can select the ones you want to scan. In case you hit error that Microsoft Purview fails to load the serverless databases, you can choose "Enter manually" to specify the type of database (dedicated or serverless) and the corresponding database name.
Option of "Enter manually":
Select Test connection to validate the settings. In case of any error, in the report page, hover on the "Connection status" to see details.
Select Continue to proceed.
Select Scan rule sets of type Azure Synapse SQL. You can also create scan rule sets inline.
Choose your scan trigger. You can schedule it to run weekly/monthly or once.
Review your scan, and then select Save to complete the setup.
View your scans and scan runs
To view existing scans:
- Go to the Microsoft Purview governance portal. Select the Data map tab on the left pane.
- Select the desired data source. You can view a list of existing scans on that data source under Recent scans, or you can view all scans on the Scans tab.
- Select the scan that has results you want to view. The page shows you all of the previous scan runs, along with the status and metrics for each scan run.
- Click the run ID to check more about the scan run details.
Manage your scans - edit, delete, or cancel
To manage or delete a scan:
Go to the Microsoft Purview governance portal. Select the Data Map tab on the left pane.
Select the desired data source. You can view a list of existing scans on that data source under Recent scans, or you can view all scans on the Scans tab.
Select the scan that you want to manage. You can then:
- Edit the scan by selecting Edit scan.
- Cancel an in-progress scan by selecting Cancel scan run.
- Delete your scan by selecting Delete scan.
Note
- Deleting your scan does not delete catalog assets created from previous scans.
- The asset will no longer be updated with schema changes if your source table has changed and you re-scan the source table after editing the description on the Schema tab of Microsoft Purview.
Set up scan using API
Here's an example of creating scan for serverless DB using API. Replace the {place_holder} and enum_option_1 | enum_option_2 (note) value with your actual settings. Learn more from Microsoft Purview REST API - Scans - Create Or Update.
PUT https://{purview_account_name}.purview.azure.com/scan/datasources/<data_source_name>/scans/{scan_name}?api-version=2022-02-01-preview
Important
The collection_id is not the friendly name for the collection, a 5-character ID. For the root collection, the collection_id will be the name of the collection. For all sub-collections, it is instead the ID that can be found in one of two places:
- The URL in the Microsoft Purview governance portal. Select the collection, and check the URL to find where it says collection=. That will be your ID. So, for our example below, the Investments collection has the ID 50h55c.
- You can list child collection names of the root collection to list the collections, and you'll use the 'name' instead of the 'friendly name'.
{
"properties":{
"resourceTypes":{
"AzureSynapseServerlessSql":{
"scanRulesetName":"AzureSynapseSQL",
"scanRulesetType":"System",
"resourceNameFilter":{
"resources":[ "{serverless_database_name_1}", "{serverless_database_name_2}", ...]
}
}
},
"credential":{
"referenceName":"{credential_name}",
"credentialType":"SqlAuth | ServicePrincipal | ManagedIdentity (if UAMI authentication)"
},
"collection":{
"referenceName":"{collection_id}",
"type":"CollectionReference"
},
"connectedVia":{
"referenceName":"{integration_runtime_name}",
"integrationRuntimeType":"SelfHosted (if self-hosted IR) | Managed (if VNet IR)"
}
},
"kind":"AzureSynapseWorkspaceCredential | AzureSynapseWorkspaceMsi (if system-assigned managed identity authentication)"
}
To schedule the scan, additionally create a trigger for it after scan creation, refer to Triggers - Create Trigger.
Next steps
Now that you've registered your source, follow the below guides to learn more about Microsoft Purview and your data.
Feedback
Submit and view feedback for