Connect to and manage Salesforce in Microsoft Purview

This article outlines how to register Salesforce, and how to authenticate and interact with Salesforce in Microsoft Purview. For more information about Microsoft Purview, read the introductory article.

Supported capabilities

Metadata Extraction Full Scan Incremental Scan Scoped Scan Classification Labeling Access Policy Lineage Data Sharing Live view
Yes Yes No Yes No No No No No

When scanning Salesforce source, Microsoft Purview supports extracting technical metadata including:

  • Organization
  • Objects including the fields, foreign keys, and unique_constraints

When setting up scan, you can choose to scan an entire Salesforce organization, or scope the scan to a subset of objects matching the given name(s) or name pattern(s).

Known limitations

When object is deleted from the data source, currently the subsequent scan won't automatically remove the corresponding asset in Microsoft Purview.



If your data store is not publicly accessible (if your data store limits access from on-premises network, private network or specific IPs, etc.), you will need to configure a self hosted integration runtime to connect to it.

Required permissions for scan

If users will be submitting Salesforce Documents, certain security settings must be configured to allow this access on Standard Objects and Custom Objects. To configure permissions:

  • Within Salesforce, select Setup and then select Manage Users.
  • Under the Manage Users tree select Profiles.
  • Once the Profiles appear on the right, select which Profile you want to edit and select the Edit link next to the corresponding profile.

For Standard Objects, ensure that the "Documents" section has the Read permissions selected. For Custom Objects, ensure that the Read permissions selected for each custom objects.


This section describes how to register Salesforce in Microsoft Purview using the Microsoft Purview governance portal.

Steps to register

To register a new Salesforce source in your data catalog, follow these steps:

  1. Navigate to your Microsoft Purview account in the Microsoft Purview governance portal.
  2. Select Data Map on the left navigation.
  3. Select Register
  4. On Register sources, select Salesforce. Select Continue.

On the Register sources (Salesforce) screen, follow these steps:

  1. Enter a Name that the data source will be listed within the Catalog.

  2. Enter the Salesforce login endpoint URL as Domain URL. For example, You can use your company' instance URL (such as or My Domain URL (such as

  3. Select a collection from the list.

  4. Finish to register the data source.

    register sources options


Follow the steps below to scan Salesforce to automatically identify assets. For more information about scanning in general, see our introduction to scans and ingestion.

Microsoft Purview uses Salesforce REST API version 41.0 to extract metadata, including REST requests like 'Describe Global' URI (/v41.0/sobjects/),'sObject Basic Information' URI (/v41.0/sobjects/sObject/), and 'SOQL Query' URI (/v41.0/query?).

Authentication for a scan

The supported authentication type for a Salesforce source is Consumer key authentication.

Create and run scan

To create and run a new scan, follow these steps:

  1. If your server is publicly accessible, skip to step two. Otherwise, you'll need to make sure your self-hosted integration runtime is configured:

    1. In the Microsoft Purview governance portal, got to the Management Center, and select Integration runtimes.
    2. Make sure a self-hosted integration runtime is available. If one isn't set up, use the steps mentioned here to set up a self-hosted integration runtime.
  2. In the Microsoft Purview governance portal, navigate to Sources.

  3. Select the registered Salesforce source.

  4. Select + New scan.

  5. Provide the below details:

    1. Name: The name of the scan

    2. Connect via integration runtime: Select the Azure auto-resolved integration runtime if your server is publicly accessible, or your configured self-hosted integration runtime if it isn't publicly available.

    3. Credential: Select the credential to connect to your data source. Make sure to:

      • Select Consumer key while creating a credential.
      • Provide the username of the user that the connected app is imitating in the User name input field.
      • Store the password of the user that the connected app is imitating in an Azure Key Vault secret.
        • If your self-hosted integration runtime machine's IP is within the trusted IP ranges for your organization set on Salesforce, provide just the password of the user.
        • Otherwise, concatenate the password and security token as the value of the secret. The security token is an automatically generated key that must be added to the end of the password when logging in to Salesforce from an untrusted network. Learn more about how to get or reset a security token.
      • Provide the consumer key from the connected app definition. You can find it on the connected app's Manage Connected Apps page or from the connected app's definition.
      • Stored the consumer secret from the connected app definition in an Azure Key Vault secret. You can find it along with consumer key.
    4. Objects: Provide a list of object names to scope your scan. For example, object1; object2. An empty list means retrieving all available objects. You can specify object names as a wildcard pattern. For example, topic?, *topic*, or topic_?,*topic*.

    5. Maximum memory available (applicable when using self-hosted integration runtime): Maximum memory (in GB) available on customer's VM to be used by scanning processes. This is dependent on the size of Salesforce source to be scanned.


      As a rule of thumb, please provide 1GB memory for every 1000 tables

      scan Salesforce

  6. Select Test connection to validate the settings (available when using Azure Integration Runtime).

  7. Select Continue.

  8. Choose your scan trigger. You can set up a schedule or ran the scan once.

  9. Review your scan and select Save and Run.

View your scans and scan runs

To view existing scans:

  1. Go to the Microsoft Purview governance portal. On the left pane, select Data map.
  2. Select the data source. You can view a list of existing scans on that data source under Recent scans, or you can view all scans on the Scans tab.
  3. Select the scan that has results you want to view. The pane shows you all the previous scan runs, along with the status and metrics for each scan run.
  4. Select the run ID to check the scan run details.

Manage your scans

To edit, cancel, or delete a scan:

  1. Go to the Microsoft Purview governance portal. On the left pane, select Data Map.

  2. Select the data source. You can view a list of existing scans on that data source under Recent scans, or you can view all scans on the Scans tab.

  3. Select the scan that you want to manage. You can then:

    • Edit the scan by selecting Edit scan.
    • Cancel an in-progress scan by selecting Cancel scan run.
    • Delete your scan by selecting Delete scan.


  • Deleting your scan does not delete catalog assets created from previous scans.
  • The asset will no longer be updated with schema changes if your source table has changed and you re-scan the source table after editing the description on the Schema tab of Microsoft Purview.

Next steps

Now that you've registered your source, follow the below guides to learn more about Microsoft Purview and your data.