Domains in the Microsoft Purview Data Map

Tip

This article covers domains in the Microsoft Purview Data Map.

In the Microsoft Purview Data Map, a domain is a construct that allows you to distribute organizational responsibility in your Microsoft Purview Data Map. Domains provide structure in your data map so domain administrators can maintain the isolation of collections, data sources, scans, and assigned roles for access control. Previously, only collections filled this role, but we're introducing domains as top-level nodes above the rest of the hierarchy to address a few other scenarios:

  • Decentralize and distribute responsibility by assigning roles at the domain level.
  • Create the possibility for hard logical separations within your Microsoft Purview Data Map.
  • Replace multiple accounts within a tenant to multiple domains within a single Microsoft Purview resource.

Domains will also serve as the container for collections, and assets.

Note

Domains are only available to Microsoft Purview accounts using a tenant-level account (https://purview.microsoft.com).

Default domain

Every Microsoft Purview Data Map starts with a default domain.

When an account is upgraded to the new experience, the primary account's root collection becomes the default domain.

If you haven't upgraded to the new experience yet, take these points into consideration when choosing which account to elevate as your default domain:

  • Data Assets: Choose the account with the most valuable or frequently used data assets, as this will become the default domain after the upgrade.
  • Account Usage: Evaluate how each account is currently being used and its role within your organization. Accounts that are considered "production" would be most viable to select for this purpose.
  • Permissions and Access Controls: Consider the existing permissions and access controls for each account, as they'll be carried over to the upgraded environment (as an isolated Domain). The permissions are applied in the new environment exactly as they are in the original environment. No more permissions are granted.

For more information about the new experience, see our guide on governance in the new Microsoft Purview experience.

Custom domains

You can also create up to four more custom domains in your Microsoft Purview Data Map to better organize and govern your assets in the data map. For more information about creating these custom domains, see the create and manage domains article.

Domain level roles

Alongside all the permissions you can assign at a collection level, a new role can be assigned at the domain level to manage domains, collections, and glossaries:

  • Domain admin - Can assign permissions within a domain and manage its resources.

For more information about how to assign permissions in collections and on a domain level, see governance permissions in the Microsoft Purview portal.

Data map structure

Capabilities and responsibilities are going to be distributed between these three new levels in the data map's structure: tenant/organization level, domain level, and collection level.

  • Tenant level - Classifications, search, browse, managed attributes, integration runtimes, lineage, insights, private endpoints.
  • Domain level - Credentials, term templates, custom scan rule sets, advanced resource sets, pattern rules, policies, assets.
  • Collection level - Data sources, scans, assets.

Important

Data sources and assets can't be duplicated in a tenant.

Domains don't change permissions in Microsoft Purview. Search and browse across a tenant are still managed by the level a user's assigned permissions. In the Microsoft Purview Data Catalog, a user will only have access to metadata if they have data-level access or collection-level access.

For more information about permissions for the Microsoft Purview Data Map and Data Catalog, see the roles and permissions documentation.

Next steps