Create consent model packages and publishing profiles in consent management (preview)

A consent model package generates the configuration file for consent models and is what you deploy on endpoints. You can add multiple consent models to a package and manage the deployment as a group. For example, you might create an explicit consent model for your European Union (EU) customers and an implicit consent model for your customers in the rest of the world. You might also create different models depending on where a visitor arrives from; for example, from Microsoft Teams or from a web browser. Using packages, you can manage multiple models as one deployment package.

Publishing profiles are then used to connect different websites with multiple consent models associated with them, so that you can publish multiple packages to a group of websites at once.

Manage packages and profiles

The Packages and publishing page in consent management is where you create consent model packages and manage publishing profiles of consent models.

The Packages tab lists your organization’s consent packages and includes details such as their status and the number of consent models included within each package.

The Profiles tab lists your organization’s publishing profiles and details about profile type and the number of associated websites.

The Websites tab lists your organization’s registered websites completed in tracker scanning. From here, you can also register any websites that you need to associate with Profiles.

Create a package

Use a simple, guided process to create a consent package for your consent models.

  • Packages are based on the consent model type and can only contain one type. For example, a package can’t contain both a tracker consent model and a generic consent model.

  • A consent model must be marked as Complete before it can be added to a consent package. Marking as complete indicates that the model is ready to be published.

Package creation steps

  1. On the Packages and publishing page in consent management, select the Packages tab, then select New package.

  2. On the Basic details page, enter a Package name (names can’t contain spaces), Description, and select one of the following Consent model types:

    • Tracker consent: When you select Tracker, you have the option to Enable tracker blocking, which enables the script to look for scripts or iframes tagged with the tracker category name. If you enable tracker blocking, you have another option to Enable unknown tag blocking, which is used for blocking tags that aren't associated with a tracker category. (Learn more about tracker categories.)
    • Generic consent: When you select Generic, select which models should be grouped together. You can enable consent sharing if the models should be considered the same, which creates a shared Consent ID.

    When done, select Next.

  3. On the Consent models page, select the consent model to be included in the package, then select Next.

  4. On the Default consent model page, select a fallback consent model for the package to use if visitor conditions are unknown, such as when the region is unsupported or unknown.

  5. Select Create to finish creating the package.

The package is now listed on the Packages tab. Select a package to view its details page. A status displays next to the package name at the top. The status reads Active while the configuration file is being built. The status reads Complete when the configuration file is ready. Select Refresh to check its updated status.

Once a package is complete, it can be published.

Editing a package

You can edit an existing package after it's complete and add another consent model you created. To edit a package, select it from the list on the Packages tab to open its details page. Select Edit to enter the package builder and add or remove consent models as needed. Editing a package regenerates the configuration file.

Create a publishing profile

A publishing profile allows you to set up a specific profile for your collection of websites. You can set up a profile that connects different websites that have multiple consent models associated with them, across different model types. You can publish multiple packages to a group of websites at once.

Setting up publishing profiles is typically done by a user who manages your organization’s websites, as opposed to the user who creates a consent model. Users must hold the Privacy Curator role in order to create a publishing profile.

Consent management supports two profile types. Each type requires setup work before you can create a publishing profile:

  • Content delivery network (CDN)/Storage for publishing the package to a central CDN or storage account, which can be connected to multiple websites. Consent management supports Azure Web Apps and Cloudflare. See the CDN and Storage setup instructions. In order to set up a storage account, you need to set up a key vault as outlined in the CDN setup instructions.

  • Offline for manual deployments, from which you can download the package and website configuration. This is a system-created offline profile. Select the download button to select the package and website to download. Once selected, the zip file containing both package and website configuration will download to your system.

After you complete the setup process for CDNs and storage accounts, follow the steps below for creating each type of publishing profile.

Storage profile creation

  1. On the Packages and publishing page in consent management, select the Profiles tab, then select New profile.

  2. On the Type selection page, select Storage, then select Next.

  3. On the Basic details page, enter a Name, Description, and a Contact.

  4. For Provider, select Azure.

  5. For Client Credential name, enter the name you created in step 5 of Set up a storage account.

  6. For Azure storage sub path, enter the path in this format: <container-name>/<folder-name>/<sub-path>. If left blank, the system creates a container named msft-privacy and a package folder will upload directly to this container.

  7. Select Save and close.

The publishing profile is created with a status of Active while it finishes its setup. Select Refresh to see when its status updates to Complete.

CDN profile creation

After you set up a CDN, follow these steps to create a CDN publishing profile:

  1. On the Packages and publishing page in consent management, select the Profiles tab, then select New profile.

  2. On the Type selection page, select CDN, then select Next.

  3. On the Basic details page, enter a Name, Description, and a Contact.

  4. Select a Provider of Azure or Cloudflare.

  5. For Storage, select the storage profile you created.

  6. For Client credential name, select the name created in Azure key vault of the credentials associated with that provider.

  7. For Public endpoint URL, enter the endpoint hostname created at the time of CDN creation.

  8. For Purge URL, enter the URL using this format: https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Cdn/profiles/<CDN-name>/endpoints/<Endpoint-name>/purge?api-version=2021-06-01

  9. Enter a Purge content filter, which can be something like /* or any specific subpath that needs to be purged before the packages and websites are published. Then select Next.

  10. On the Associate websites page, check the boxes next to the sites you want to associate with the publishing profiles. The list of sites is pulled from tracker scanning. Then select Next.

  11. On the Associate packages page, select one or more publishing packages.

  12. Select Save and close.

The publishing profile is created with a status of Active while it finishes its setup. Select Refresh to see when its status updates to Complete.
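
As an added example (not Microsoft's code and not part of the original page), this Python check validates two values from the steps above before you save a profile: the Purge URL against the documented format, and the Azure storage sub path against Azure's container naming rule. The purge API is called by the registered app, so confirming the host is management.azure.com is the key check; the subscription ID and resource names in the sample are constructed placeholders, and the function names are this example's own.

```python
import re
from urllib.parse import parse_qs, urlsplit

GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
NAME = r"[^/\s?#]+"  # one path segment, no whitespace
PURGE_PATH = re.compile(
    rf"/subscriptions/{GUID}/resourceGroups/{NAME}/providers/Microsoft\.Cdn"
    rf"/profiles/{NAME}/endpoints/{NAME}/purge")
# Azure container names: 3-63 chars, lowercase letters, digits, single hyphens.
CONTAINER = re.compile(r"(?!.*--)[a-z0-9][a-z0-9-]{1,61}[a-z0-9]")

# Constructed sample value; every identifier in it is a placeholder.
SAMPLE_PURGE_URL = (
    "https://management.azure.com/subscriptions/"
    "00000000-0000-0000-0000-000000000000/resourceGroups/rg-example"
    "/providers/Microsoft.Cdn/profiles/cdn-example/endpoints/ep-example"
    "/purge?api-version=2021-06-01")


def check_purge_url(url):
    """Return the problems found; an empty list means the URL fits the format."""
    problems = []
    if re.search(r"\s", url):
        problems.append("contains whitespace")
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return problems + ["not a parseable URL"]
    if parts.scheme != "https":
        problems.append("scheme must be https")
    if parts.hostname != "management.azure.com":  # also rejects user@host tricks
        problems.append("host must be management.azure.com")
    if not PURGE_PATH.fullmatch(parts.path):
        problems.append("path does not match the documented purge path")
    if parse_qs(parts.query).get("api-version") != ["2021-06-01"]:
        problems.append("api-version must be 2021-06-01")
    return problems


def check_storage_sub_path(sub_path):
    """Check <container-name>/<folder-name>/<sub-path>; blank is allowed."""
    if sub_path == "":
        return []  # the page: the system then uses a container named msft-privacy
    segments = sub_path.split("/")
    problems = []
    if "" in segments:
        problems.append("empty segment (leading, trailing or doubled '/')")
    if not CONTAINER.fullmatch(segments[0]):
        problems.append("first segment is not a valid container name")
    return problems
```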

Generate a snippet

When the profile is in the Complete stage, you can select Generate snippet on the profile’s details page to generate a code snippet. In the Generate snippet window, choose a package and a website, then select Generate snippet. The window then displays the code, which you can download as a text file. You can then do a live preview once the snippet is added to the website and the latest version of the website is deployed.

Publish the profile to the CDN

Once the publishing profile shows a status of Complete, you can select Publish, which pushes the packages to the CDN account. You can now test the models on the websites. If you need to make any changes, you can edit the consent models and then follow all of the steps again.

Set up a content delivery network (CDN)

To set up a CDN as a publishing profile, you need to configure the following resources on Azure:

  • Azure Key Vault, which should be under the same tenant as the Purview account; needed to store the keys required for accessing the other resources.
  • Storage account.
  • CDN and public endpoint.
  • App registration, which has access to the CDN, to call the purge API.

Key vault setup

  1. Create a key vault.

  2. Go to the key vault’s Settings, then Access configuration, and:

    • If Azure role-based access control is selected, go to Access Control (IAM) in key vault and add your Microsoft Purview account to Key Vault Secrets User.

    • If vault access policy is selected, go to Access Policies in key vault and grant your Microsoft Purview account all Key, Secrets, and Certificate permissions.

  3. Go to your Microsoft Purview account, select Management, select Credentials, then select Manage key vault connections.

  4. Create a new key vault connection and select the subscription chosen for the key vault, then in the dropdown menu, select the key vault you created.

CDN setup

Azure CDN setup

  1. Register an app in Azure by following these instructions. After registering the app, go to Certificates & secrets and select Create a new client secret (learn more about secrets).

  2. Go to the key vault you created as part of key vault setup, and at Objects, select Secrets.

  3. Select Generate/Import and create a secret with any name, setting its value to the secret generated in step 1.

  4. Create a storage account following these instructions. In the account, at Security + networking, select Azure CDN, then select Create a new CDN profile (learn more). If you don’t want to create CDN in a storage account, you can follow these CDN creation steps.

  5. Go to the CDN created in step 4. Then go to Access Control (IAM) and add a contributor role to the app registered in step 1.

  6. In your organization’s Microsoft Purview account, navigate to Data Map. Select Source management, then select Credentials. Create a credential by selecting New and follow these basic steps, using the following inputs:

    • Enter a Name.
    • At Authentication method, select Service Principal.
    • For Key Vault connection and Secret name, select the key vault name and enter the secret name you created in step 1. For Service Principal ID, enter the Client ID (Application ID) of the registered app. For Tenant ID, enter the Azure tenant ID in which the app is registered.

    Tip

    If you don’t see your key vault name listed on the Credentials page, select Manage Key Vault connections to add your key vault connection.

Cloudflare CDN setup

  1. Select the global Api Token from your Cloudflare account.

  2. Go to the key vault you created as part of key vault setup, and at Objects, select Secrets.

  3. Select Generate/Import and create a secret with any name, setting its value to the secret generated in step 1 of the Azure CDN setup.

  4. In your organization’s Microsoft Purview account, navigate to Data Map. Select Source management, then select Credentials. Create a credential by selecting New and follow these basic steps, using the following inputs:

    • Enter a Name.
    • At Authentication method, select Basic authentication.
    • For Key Vault connection and Secret name, select the key vault name and enter the secret name you created in step 1 of the Azure CDN setup. For Username, enter the email ID of your Cloudflare account.

Set up a storage account

  1. Create an Azure storage account.

  2. In the storage account, go to Security + networking, select Access keys and copy the Connection string of the storage account. Update the storage account’s CORS policy (learn more about CORS for Azure Storage).

  3. Go to the key vault setup you created, and at Objects, select Secrets.

  4. Select Generate/Import and create a secret with any name, setting its value to the storage account’s Connection string.

  5. In your organization’s Microsoft Purview account, navigate to Data Map. Select Source management, then select Credentials. Create a credential by selecting New and follow these basic steps, using these inputs:

    • Enter a Name.
    • At Authentication method, select Account Key.
    • For Key Vault connection and Secret name, select the key vault name and enter the secret name you created in the previous steps.
