Microsoft Purview (formerly Azure Purview) deployment checklist
This article lists prerequisites that help you get started quickly on planning and deployment for your Microsoft Purview (formerly Azure Purview) account.
If you are creating a plan to deploy Microsoft Purview, and also want to consider best practices as you develop your deployment strategy, then use our deployment best practices guide to get started.
If you are looking for a strictly technical deployment guide, this deployment checklist is for you.
|No.||Prerequisite / Action||Required permission||More guidance and recommendations|
|1||Azure Active Directory Tenant||N/A||An Azure Active Directory tenant should be associated with your subscription.
|2||An active Azure Subscription||Subscription Owner||An Azure subscription is needed to deploy Microsoft Purview and its managed resources. If you don't have an Azure subscription, create a free subscription before you begin.|
|3||Define whether you plan to deploy a Microsoft Purview with a managed event hub||N/A||You can choose to deploy configure an existing Event Hubs namespace during Microsoft Purview account creation, see Microsoft Purview account creation. With this managed namespace you can publish messages to the event hub kafka topic ATLAS_HOOK and Microsoft Purview will consume and process it. Microsoft Purview will notify entity changes to the event hub kafka topic ATLAS_ENTITIES and user can consume and process it. You can enable or disable this feature any time after account creation.|
|4||Register the following resource providers:
||Subscription Owner or custom role to register Azure resource providers (/register/action)||Register required Azure Resource Providers in the Azure Subscription that is designated for Microsoft Purview Account. Review Azure resource provider operations.|
|5||Update Azure Policy to allow deployment of the following resources in your Azure subscription:
||Subscription Owner||Use this step if an existing Azure Policy prevents deploying such Azure resources. If a blocking policy exists and needs to remain in place, follow our Microsoft Purview exception tag guide and follow the steps to create an exception for Microsoft Purview accounts.|
|6||Define your network security requirements.||Network and Security architects.||
|7||An Azure Virtual Network and Subnet(s) for Microsoft Purview private endpoints.||Network Contributor to create or update Azure VNet.||Use this step if you're planning to deploy private endpoint connectivity with Microsoft Purview:
Deploy Azure Virtual Network if you need one.
|8||Deploy private endpoint for Azure data sources.||Network Contributor to set up private endpoints for each data source.||Perform this step, if you're planning to use Private Endpoint for Ingestion.|
|9||Define whether to deploy new or use existing Azure Private DNS Zones.||Required Azure Private DNS Zones can be created automatically during Purview Account deployment using Subscription Owner / Contributor role||Use this step if you're planning to use Private Endpoint connectivity with Microsoft Purview. Required DNS Zones for Private Endpoint:
|10||A management machine in your CorpNet or inside Azure VNet to launch the Microsoft Purview governance portal.||N/A||Use this step if you're planning to set Allow Public Network to deny on your Microsoft Purview Account.|
|11||Deploy a Microsoft Purview Account||Subscription Owner / Contributor||Purview account is deployed with one Capacity Unit and will scale up based on demand.|
|12||Deploy a Managed Integration Runtime and Managed private endpoints for Azure data sources.||Data source admin to set up Managed VNet inside Microsoft Purview.
Network Contributor to approve managed private endpoint for each Azure data source.
|Perform this step if you're planning to use Managed VNet. within your Microsoft Purview account for scanning purposes.|
|13||Deploy Self-hosted integration runtime VMs inside your network.||Azure: Virtual Machine Contributor
On-premises: Application owner
|Use this step if you're planning to perform any scans using Self-hosted Integration Runtime.|
|14||Create a Self-hosted integration runtime inside Microsoft Purview.||Data curator
VM Administrator or application owner
|Use this step if you're planning to use Self-hosted Integration Runtime instead of Managed Integration Runtime or Azure Integration Runtime.
|15||Register your Self-hosted integration runtime||Virtual machine administrator||Use this step if you have on-premises or VM-based data sources (for example, SQL Server).
Use this step are using Private Endpoint to scan to any data sources.
|16||Grant Azure RBAC Reader role to Microsoft Purview MSI at data sources' Subscriptions||Subscription owner or User Access Administrator||Use this step if you're planning to register multiple or any of the following data sources:|
|17||Grant Azure RBAC Storage Blob Data Reader role to Microsoft Purview MSI at data sources Subscriptions.||Subscription owner or User Access Administrator||Skip this step if you're using Private Endpoint to connect to data sources. Use this step if you have these data sources:|
|18||Enable network connectivity to allow AzureServices to access data sources:
for example, Enable "Allow trusted Microsoft services to access this storage account".
|Owner or Contributor at Data source||Use this step if Service Endpoint is used in your data sources. (Don't use this step if Private Endpoint is used)|
|19||Enable Azure Active Directory Authentication on Azure SQL Servers, Azure SQL Managed Instance and Azure Synapse Analytics||Azure SQL Server Contributor||Use this step if you have Azure SQL DB or Azure SQL Managed Instance or Azure Synapse Analytics as data source. Skip this step if you're using Private Endpoint to connect to data sources.|
|20||Grant Microsoft Purview MSI account with db_datareader role to Azure SQL databases and Azure SQL Managed Instance databases||Azure SQL Administrator||Use this step if you have Azure SQL DB or Azure SQL Managed Instance as data source. Skip this step if you're using Private Endpoint to connect to data sources.|
|21||Grant Azure RBAC Storage Blob Data Reader to Synapse SQL Server for staging Storage Accounts||Owner or User Access Administrator at data source||Use this step if you have Azure Synapse Analytics as data sources. Skip this step if you're using Private Endpoint to connect to data sources.|
|22||Grant Azure RBAC Reader role to Microsoft Purview MSI at Synapse workspace resources||Owner or User Access Administrator at data source||Use this step if you have Azure Synapse Analytics as data sources. Skip this step if you're using Private Endpoint to connect to data sources.|
|23||Grant Azure Purview MSI account with db_datareader role||Azure SQL Administrator||Use this step if you have Azure Synapse Analytics (Dedicated SQL databases).
Skip this step if you're using Private Endpoint to connect to data sources.
|24||Grant Microsoft Purview MSI account with sysadmin role||Azure SQL Administrator||Use this step if you have Azure Synapse Analytics (Serverless SQL databases). Skip this step if you're using Private Endpoint to connect to data sources.|
|25||Create an app registration or service principal inside your Azure Active Directory tenant||Azure Active Directory Global Administrator or Application Administrator||Use this step if you're planning to perform a scan on a data source using Delegated Author Service Principal.|
|26||Create an Azure Key Vault and a Secret to save data source credentials or service principal secret.||Contributor or Key Vault Administrator||Use this step if you have on-premises or VM-based data sources (for example, SQL Server).
Use this step are using ingestion private endpoints to scan a data source.
|27||Grant Key Vault Access Policy to Microsoft Purview MSI: Secret: get/list||Key Vault Administrator||Use this step if you have on-premises / VM-based data sources (for example, SQL Server)
Use this step if Key Vault Permission Model is set to Vault Access Policy.
|28||Grant Key Vault RBAC role Key Vault Secrets User to Microsoft Purview MSI.||Owner or User Access Administrator||Use this step if you have on-premises or VM-based data sources (for example, SQL Server)
Use this step if Key Vault Permission Model is set to Azure role-based access control.
|29||Create a new connection to Azure Key Vault from the Microsoft Purview governance portal||Data source admin||Use this step if you're planning to use any of the following authentication options to scan a data source in Microsoft Purview:
|30||Deploy a private endpoint for Power BI tenant||Power BI Administrator
|Use this step if you're planning to register a Power BI tenant as data source and your Microsoft Purview account is set to deny public access.
For more information, see How to configure private endpoints for accessing Power BI.
|31||Connect Azure Data Factory to Microsoft Purview from Azure Data Factory Portal. Manage -> Microsoft Purview. Select Connect to a Purview account.
Validate if Azure resource tag catalogUri exists in ADF Azure resource.
|Azure Data Factory Contributor / Data curator||Use this step if you have Azure Data Factory.|
|32||Verify if you have at least one Microsoft 365 required license in your Azure Active Directory tenant to use sensitivity labels in Microsoft Purview.||Azure Active Directory Global Reader||Perform this step if you're planning to extend sensitivity labels to Microsoft Purview Data Map
For more information, see licensing requirements to use sensitivity labels on files and database columns in Microsoft Purview
|33||Consent "Extend labeling to assets in Microsoft Purview Data Map"||Compliance Administrator
Azure Information Protection Administrator
|Use this step if you're interested in extending sensitivity labels to your data in the data map.
For more information, see Labeling in the Microsoft Purview Data Map.
|34||Create new collections and assign roles in Microsoft Purview||Collection admin||Create a collection and assign permissions in Microsoft Purview.|
|36||Govern Data Sources in Microsoft Purview||Data Source admin
Data Reader or Data Curator
|For more information, see supported data sources and file types|
|35||Grant access to data roles in the organization||Collection admin||Provide access to other teams to use Microsoft Purview:
For more information, see Access control in Microsoft Purview.