Provision access to system metadata on entire resource groups or subscriptions using Microsoft Purview DevOps policies

DevOps policies are a type of Microsoft Purview access policies. They allow you to manage access to system metadata on data sources that have been registered for Data policy enforcement in Microsoft Purview. These policies are configured directly in the Microsoft Purview governance portal, and after they're saved, they get automatically published and then enforced by the data source. Microsoft Purview policies only manage access for Microsoft Entra principals.

This how-to guide covers how to register an entire resource group or subscription and then create a single policy that will provision access to all data sources in that resource group or subscription. That single policy will cover all existing data sources and any data sources that are created afterwards. And provisioning access to its system metadata (DMVs and DMFs) using the DevOps policies actions SQL Performance Monitoring or SQL Security Auditing.

Prerequisites

Only these data sources are enabled for access policies on resource group or subscription. Follow the Prerequisites section that is specific to the data sources in these guides:

Microsoft Purview Configuration

Register the data source in Microsoft Purview

Before a policy can be created in Microsoft Purview for a data resource, you must register that data resource in Microsoft Purview Studio. You will find the instructions related to registering the data resource later in this guide.

Note

Azure Purview policies rely on the data resource ARM path. If a data resource is moved to a new resource group or subscription it will need to be de-registered and then registered again in Microsoft Purview.

Configure permissions to enable Data policy enforcement on the data source

Once a resource is registered, but before a policy can be created in Microsoft Purview for that resource, you must configure permissions. A set of permissions are needed to enable the Data policy enforcement. This applies to data sources, resource groups, or subscriptions. To enable Data policy enforcement, you must have both specific Identity and Access Management (IAM) privileges on the resource as well as specific Microsoft Purview privileges:

  • You must have either one of the following IAM role combinations on the resource's Azure Resource Manager path or any parent of it (that is, using IAM permission inheritance):

    • IAM Owner
    • Both IAM Contributor and IAM User Access Administrator

    To configure Azure role-based access control (RBAC) permissions, follow this guide. The following screenshot shows how to access the Access Control section in the Azure portal for the data resource to add a role assignment.

    Screenshot that shows the section in the Azure portal for adding a role assignment.

    Note

    The IAM Owner role for a data resource can be inherited from a parent resource group, a subscription, or a subscription management group. Check which Microsoft Entra users, groups, and service principals hold or are inheriting the IAM Owner role for the resource.

  • You also need to have the Microsoft Purview Data source admin role for the collection or a parent collection (if inheritance is enabled). For more information, see the guide on managing Microsoft Purview role assignments.

    The following screenshot shows how to assign the Data source admin role at the root collection level.

    Screenshot that shows selections for assigning the Data source admin role at the root collection level.

Configure Microsoft Purview permissions to create, update, or delete access policies

To create, update or delete policies, you need to get the Policy author role in Microsoft Purview at root collection level:

  • The Policy author role can create, update, and delete DevOps and Data Owner policies.
  • The Policy author role can delete self-service access policies.

For more information about managing Microsoft Purview role assignments, see Create and manage collections in the Microsoft Purview Data Map.

Note

Policy author role must be configured at the root collection level.

In addition, to easily search Microsoft Entra users or groups when creating or updating the subject of a policy, you can greatly benefit from getting the Directory Readers permission in Microsoft Entra ID. This is a common permission for users in an Azure tenant. Without the Directory Reader permission, the Policy Author will have to type the complete username or email for all the principals included in the subject of a data policy.

Delegate access provisioning responsibility to roles in Microsoft Purview

After a resource has been enabled for Data policy enforcement, any Microsoft Purview user with the Policy author role at the root collection level can provision access to that data source from Microsoft Purview.

Note

Any Microsoft Purview root Collection admin can assign new users to root Policy author roles. Any Collection admin can assign new users to a Data source admin role under the collection. Minimize and carefully vet the users who hold Microsoft Purview Collection admin, Data source admin, or Policy author roles.

If a Microsoft Purview account with published policies is deleted, such policies will stop being enforced within an amount of time that depends on the specific data source. This change can have implications on both security and data access availability. The Contributor and Owner roles in IAM can delete Microsoft Purview accounts. You can check these permissions by going to the Access control (IAM) section for your Microsoft Purview account and selecting Role Assignments. You can also use a lock to prevent the Microsoft Purview account from being deleted through Resource Manager locks.

Register the subscription or resource group for Data Policy Enforcement

The subscription or resource group needs to be registered with Microsoft Purview before you can create access policies. To register your subscription or resource group, follow the Prerequisites and Register sections of this guide:

After you've registered your resources, you'll need to enable the Data Policy Enforcement option. Data Policy Enforcement needs certain permissions and can affect the security of your data, as it delegates to certain Microsoft Purview roles to manage access to the data sources. Go through the secure practices related to Data Policy Enforcement in this guide: How to enable Data Policy Enforcement

In the end, your resource will have the Data Policy Enforcement toggle Enabled, as shown in the screenshot:

Screenshot shows how to register a resource group or subscription for policy by toggling the enable tab in the resource editor.

Create a new DevOps policy

Follow this link for the steps to create a new DevOps policy in Microsoft Purview.

List DevOps policies

Follow this link for the steps to list DevOps policies in Microsoft Purview.

Update a DevOps policy

Follow this link for the steps to update a DevOps policies in Microsoft Purview.

Delete a DevOps policy

Follow this link for the steps to delete a DevOps policies in Microsoft Purview.

Test the DevOps policy

See how to test the policy you created.

Role definition detail

See the mapping of DevOps role to data source actions.

Next steps

See related videos, blogs, and documents.